Cyber Kill Chain

What is Cyber Kill Chain?

The CKC is the classical model developed by Lockheed Martin. The purpose of this model is to better understand the stages an attacker must go through to conduct an attack, and also helps the security teams to stop an attack at each stage. It also helps to identify to what extent the organization is compromised. It also helps to understand the strategies used by cybercriminals and how to defend against them.
Phases of Kill Chain:
There are seven phases of CKC model which are described below:
  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Action on objective
Reconnaissance:
In this phase the attacker tries to find out as much information as possible about the target like contact information and IT infrastructure of the target. There are two types of reconnaissance:
Passive: Looking for publicly available information on the internet like using google, social media, whois, NSlookup, Shodan and dumpster diving.
Active: gather information by interacting with the target. Active scanning can be technical and non- technical.
Technichal: In technical we mostly use scanning techniques like vulnerability scanning, fingerprinting, port scanning and web application scanning. 
Non-Technichal: In non-technical we mostly talk directly like physical interaction or using social media.
Defend against passive scanning:
  • Limit Public information (Job Posting, LinkedIn etc)
  • Social Media Acceptable Use
  • Modify Server error messages
Defend against active scanning:
  • Disable unused ports
  • Configure honeypots
  • Implement Firewalls
  • IPS
Weaponization:
After getting the information about the target now the attacker can create the exploit using the known information. Tools used for the weaponization are Metasploit, exploit-db, veil framework, social engineering toolkit(set) and many others depending upon the use case. We can not control this but we can minimize the from happening.

Defend:
  • Patch Management
  • Disable browser plugins
  • Deploy AV to end points
  • Email Security like anti spam
  • Audit Logs
  • Multi factor authentication

Delivery:
When the attacker is done with creating the payload then he/she will send the payload to the target. Attackers can use the websites, social media, emails, USB and other means depending upon the use case to deliver the weapon.

Defend:
  • User awareness trainings
  • Email Security like DKIM and SPF
  • IPS/IDS
  • Website filtering (prevent from accessing bad websites)
  • Disable USB
Exploitation:
After successful delivery of the payload. Attackers will execute the payload to gain access to teh target using different techniques like SQL injection, buffer overflow etc.

Defend:
  • Data Execution Prevention.
  • Least privileges.
  • Application Whitelisting.
  • OS & Application Hardening.
Installation:
After the successful exploiting the vulnerabilities attacker would gain persistent access by modifying configuration like installs additional tools for privilege escalation.

Defend:
  • Configure EDR
Command and Control:
After attempting the above steps successfully the target system is now completely under control of the attacker. Attacker controls the target remotely. There are many different approaches that attackers may use to establish an outbound connection. Attackers may use HTTP, HTTPS or even DNS to send and receive data to the victim machine.

Defend:
  • Network segmentation
  • NGFW (have the feature no C&C feature)
  • Apply ACLs to the services like SSH and FTP ,netcat ,RDP
Action on Objective:
At last the attacker would execute the desired action or goal. Goal may be identity theft, intellectual property theft. Once the attacker reaches this phase, they have succeeded in their attack.

Defend:
  • Implement DLP (Data Loss Prevention)
  • UBA (User Behavior Analysis)

Comments

Post a Comment

Popular posts from this blog

Analyzing Spear Phishing Email

Image
Phishing is the technique of fraudulent attempt by the attacker to obtain sensitive and confidential information i.e. Credentials, PII information, credit card, bank details. It can also be targeted attack to focus on the specific organization of individual. The attacker often tailors an email to speak directory to targeted user. There are many types of phishing as follow. I wouldn't explain the types. You can read Here . In this article you'll learn how to analyze the sophisticated phishing email. So, Let's start the case study to explain.  Spearphising :  Spearphising is the technique in which attacker aims at one person and lures him/her into providing confidential data. Attacker compile the email according to the specific user. The email would consist some of the target's email, username, designation.  Case Study: User receive the spearphising email containing the PDF attachment with double extension. Email body contains the unprofessional statement "Kindly m
Read more

Cyber Threat Intel

Image
What is Cyber Threat Intel? Threat intel is the information about the threats. Cyber threat intel is used to better understand, predict and adopt to the behavior of malicious actors. It plays an important role in preventing the zero-day attacks. " Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes " (NIST). Threat Intel life Cycle: Intelligence lifecycle is the process of developing raw information into finished intelligence for policymaker to use in decision making and action. CTI Life Cycle Planning and Direction Planning and direction helps in setting up the goals for the threat intel program. Priorities and requirements are defined in this phase. Collection: Collection means gathering of data to produce the finished intelligence. Data includes logs(Firewall, IPS/IDS, Endpoints), threat feeds and OSINT(reports, social media, public forums). Collection Types of Collectio
Read more

Practical Malware Analysis (Introductory)

Hi folks, just started the series on PMA (Practical Malware Analysis) . Being an analyst i would recommend to gain expertise on "Malware Analysis". This blog help us to quick recap the concepts of malware as well as from analysis perspective. We'll start from basic and proceed towards advance level. Introduction: Malware refers to "Malicious Binary" which is instructive by the threat actors (called as "Hackers" ) to achieve their motives. Motives can be vary like it could be data stealing, damage/destroy organization systems. Viruses Worms Trojan Spyware Adware Ransomware Aforementioned names are the malware types which is collectively called "Malware". Let's jump into the main topic of this blog without going into the details. Malware Analysis: Malware analysis is the process of understanding the working flow/behavior/malicious activity of malware. The results of the malware analysis help the analysts to detect and prevent the threats.
Read more