The Cyber Kill Chain
The Cyber Kill Chain is a model that describes the sequence of events leading up to a cyberattack on a target. Understanding this chain helps organizations better defend against potential threats.
SECURITY
9/16/2024, 2 min read


Reconnaissance
The act of discovering and collecting information on a target.
The attacker can collect information on a system and its users using open-source intelligence (OSINT). The following information can be collected using OSINT:
Company’s size.
Tools: Social Media & company website.
Email addresses - Via email harvesting.
Tools: theHarvester and hunter.io.
Phone numbers.
OSINT techniques can also reveal information about a company's infrastructure, technologies used, and potential vulnerabilities.
Weaponization
Weaponization involves preparing the malware and exploit to be used in deploying the payload on a target. Key components include:
Malware - a malicious piece of software (thus (Mal)icious+soft(ware) = Malware or softicious lol).
Exploit - code that takes advantage of a vulnerability or flaw in a system or software.
Payload - malicious code that is run after the malware exploits a vulnerability.
Malware can be custom-written by the attacker or purchased from dark web marketplaces. Sophisticated attackers often create tailored malware to evade detection by standard security tools.
Delivery
The attacker's method of transmitting the malware/payload into a victim's system.
Examples of common methods:
Phishing emails - Please donate some money to this Nigerian prince...
Infected USBs - Free USBs everyone! >:^)
Watering Hole Attacks - the redirection of a target's commonly used site to a malicious twin.
Drive-by downloads - Exploiting vulnerabilities in web browsers or plugins when a user visits a compromised website.
Exploitation
Exploitation involves using vulnerabilities to escalate privileges and infect the victim's system with malware or a payload. An example of exploitation in action is when a user opens a phishing email attachment that runs a macro, exploiting a vulnerability in Excel.
Installation
During the installation phase, the attacker sets up a persistent backdoor to maintain access to the system, even after security patches are applied. Techniques like timestomping (altering a file's timestamps) are used to avoid detection by making malicious programs appear to be legitimate system files.
Command & Control
This stage is crucial for the attacker as it establishes ongoing control over the compromised system, allowing for further exploitation and data exfiltration. The attacker sets up a command and control method of communication. The "command" is the attacker's C2 server, which is used to remotely control the infected host. The "control" in this case is the infected host. This form of communication is also known as C&C or C2 beaconing and can operate over HTTP and HTTPS as well as through DNS requests to the attacker's own DNS server (aka DNS tunneling).
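Defenders usually spot the beaconing described above by its timing: an implant that calls home on a fixed schedule leaves near-identical gaps between requests, while a person browsing does not. The Python script below is an added example, not code from the original article; it scores each client/server pair in a constructed proxy log by the regularity of its request gaps, and the log format, the 0.2 coefficient-of-variation threshold and the minimum event count are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed proxy log excerpt (not captured traffic), one "<epoch> <src> <dst>" per line.
# 10.0.0.5 checks in roughly every 60 s; 10.0.0.7 browses in irregular bursts.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.10
1700000060 10.0.0.5 203.0.113.10
1700000121 10.0.0.5 203.0.113.10
1700000180 10.0.0.5 203.0.113.10
1700000240 10.0.0.5 203.0.113.10
1700000003 10.0.0.7 198.51.100.20
1700000017 10.0.0.7 198.51.100.20
1700000190 10.0.0.7 198.51.100.20
1700000202 10.0.0.7 198.51.100.20
1700000420 10.0.0.7 198.51.100.20
"""


def parse(log_text):
    """Group request timestamps by (src, dst) pair, skipping malformed lines."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            flows[(parts[1], parts[2])].append(int(parts[0]))
    return dict(flows)


def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps; near 0 means metronomic timing."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None  # too few gaps to judge regularity
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def find_beacons(log_text, max_cv=0.2, min_events=5):
    """Return [(src, dst, mean_gap_seconds, cv)] for pairs with suspiciously regular timing."""
    hits = []
    for (src, dst), ts in parse(log_text).items():
        if len(ts) < min_events:
            continue
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:
            ts = sorted(ts)
            mean_gap = (ts[-1] - ts[0]) / (len(ts) - 1)
            hits.append((src, dst, mean_gap, cv))
    return hits
```

Real implants add random jitter and long sleeps, so the threshold and minimum event count need tuning against a baseline of your own environment's traffic.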
Exfiltration
Exfiltration is the final stage of the cyber kill chain, where the attacker achieves their goal. Common examples of successful exfiltration include:
Collection of credentials.
Ransomware.
Reconnaissance of internal systems.
Deletion and manipulation of data.
Creation of a botnet.
Conclusion
Understanding the Cyber Kill Chain is crucial for organizations to better protect their networks and systems. By recognizing the steps and methods used by attackers, security teams can implement more effective defensive measures at each stage of a potential attack.