It is a basic observation: the better security gets, the more sophisticated attack processes become. Applied to cyber crime, it means attackers follow advanced, multi-step processes to reach their objectives.
Analysing the attack process enables the defender to anticipate the behaviour of the attacker and, possibly, to get one step ahead of them. Hence, several models have been developed by security companies to illustrate the lifecycle of an attack, for prevention and detection purposes. By applying such models, analysts and responders can gather intelligence throughout the process and identify the attacker's Tactics, Techniques and Procedures (TTPs) in order to stop the attack at an early stage.
The Cyber Kill Chain (TM)
The Cyber Kill Chain is a model representing the different stages of a cyber attack, from its planning to the deliverable proof of success. It was developed by Lockheed Martin.
Phase 1: Reconnaissance
The word reconnaissance comes from military vocabulary and denotes the process of conducting strategic observations of a target territory. Attackers identify and select their target(s). Reconnaissance can be either passive or active. Passive reconnaissance consists of gathering information through open sources such as social media, for instance, or through phishing mails. Active reconnaissance means the attacker interacts directly with the organisation's resources.
Phase 2: Weaponization
The weaponization phase is when the attacker chooses a modus operandi and builds the 'package' that contains the malicious code or malicious files. The main weapons are DDoS, botnets and malware.
Phase 3: Delivery
Delivery is the infection phase. The intrusion starts with attacker-controlled delivery (hacking) or attacker-released delivery (e.g. phishing).
Example: cloud storage services may be used for this stage of the attack; synchronisation helps to achieve instant multiple deliveries.
Phase 4: Exploitation
A successful delivery does not guarantee a successful attack. Once the weapon is delivered, the attacker still needs to gain control of code execution. This is the exploitation stage: the attacker exploits technical or human vulnerabilities.
Phase 5: Installation
This stage is specific to malware attacks. The attacker installs a remote access trojan or backdoor and establishes persistence on the system or network.
Phase 6: Command and Control (C2)
At this point the attacker can take full control of the system and operate on it.
Some malware can operate autonomously, and AI-powered malware can be expected in the near future.
Example: cloud storage services may be used for this stage of the attack.
Phase 7: Actions on objectives
Attacks can carry many different objectives, whether financial, ideological, data-oriented or espionage motives, for instance. During the final stage, the attacker completes what is needed to achieve those goals: e.g. cryptolocking for ransomware, harvesting login data, causing damage, etc.
The extended Cyber Kill Chain
The model presented above, a reference in the field of incident response and threat intelligence, fails to address advanced cyber attack methods. It assumes a traditional defence perimeter and does not fully detail what happens once the attacker has managed to infiltrate a system or network and remain hidden on a node.
The following model has been put forward by several security companies to complete the initial one. It adds two additional chains, the internal and target manipulation chains, and reconsiders the chain as a circular process.
The internal Cyber Kill Chain occurs after the completion of the main Cyber Kill Chain, where the final phase of the cyber attack, "Actions on objectives", is replaced by "actions inside the network". From there, attackers proceed to a new phase of reconnaissance, this time internally. They aim at local elevation of privilege and lateral movement to gain access to the target endpoint. Through endpoint manipulation, they achieve their initial goals.
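The defensive use of both chains is to know how far an attacker has got and what to expect next. The following Python script is an added example, not code from the article or from Lockheed Martin: it orders the seven phases above with the internal chain inserted after Command and Control (the article's "actions inside network"), maps constructed detection alerts onto that order, and for each host reports the deepest phase reached, the phase to expect next, and the observable phases that produced no alert. The internal phase labels (Internal Reconnaissance, Privilege Escalation, Lateral Movement, Target Manipulation), the host names and the alert details are assumptions made for the example.

```python
"""Added example: tracking extended Cyber Kill Chain progression from alerts.

All alerts below are constructed for illustration; they are not real telemetry.
"""
from dataclasses import dataclass

# Extended chain in order: the seven Lockheed Martin phases, with the internal
# chain inserted after Command and Control and "Actions on Objectives" kept as
# the final step. Internal phase names are this example's own labels.
EXTENDED_CHAIN = [
    "Reconnaissance",            # external, mostly invisible to the defender
    "Weaponization",             # happens on attacker infrastructure
    "Delivery",                  # first phase where the defender can expect telemetry
    "Exploitation",
    "Installation",
    "Command and Control",
    "Internal Reconnaissance",   # internal chain starts here
    "Privilege Escalation",
    "Lateral Movement",
    "Target Manipulation",
    "Actions on Objectives",
]
PHASE_INDEX = {phase: i for i, phase in enumerate(EXTENDED_CHAIN)}
FIRST_OBSERVABLE = PHASE_INDEX["Delivery"]
INTERNAL_START = PHASE_INDEX["Internal Reconnaissance"]


@dataclass(frozen=True)
class Alert:
    ts: int       # constructed timestamp, seconds
    host: str
    phase: str    # kill chain phase the detection rule is mapped to
    source: str   # sensor that produced the alert
    detail: str


# Constructed alerts; hosts, sensors and details are hypothetical.
SAMPLE_ALERTS = [
    Alert(900,  "ws-03",    "Reconnaissance",          "waf",     "automated crawl of the public login page"),
    Alert(1000, "ws-17",    "Delivery",                "mail-gw", "macro-enabled attachment reached the inbox"),
    Alert(1060, "ws-17",    "Exploitation",            "edr",     "office process spawned a scripting host"),
    Alert(1120, "ws-17",    "Installation",            "edr",     "new autostart entry written"),
    Alert(1300, "ws-17",    "Command and Control",     "proxy",   "periodic beacon to a newly seen domain"),
    Alert(1400, "ws-22",    "Command and Control",     "proxy",   "periodic beacon to the same domain"),
    Alert(1500, "ws-17",    "Internal Reconnaissance", "edr",     "domain and share enumeration commands"),
    Alert(1700, "srv-db-2", "Lateral Movement",        "auth",    "network logon from ws-17 with admin credentials"),
]


def phases_reached(alerts, host):
    """Phases with at least one alert on `host`, in kill chain order."""
    seen = {a.phase for a in alerts if a.host == host and a.phase in PHASE_INDEX}
    return sorted(seen, key=PHASE_INDEX.__getitem__)


def deepest_phase(alerts, host):
    """The furthest phase the attacker is known to have reached on `host`."""
    reached = phases_reached(alerts, host)
    return reached[-1] if reached else None


def next_expected_phase(alerts, host):
    """The phase a responder should expect next: one step ahead of the attacker."""
    deepest = deepest_phase(alerts, host)
    if deepest is None:
        return None
    i = PHASE_INDEX[deepest] + 1
    return EXTENDED_CHAIN[i] if i < len(EXTENDED_CHAIN) else None


def missed_phases(alerts, host):
    """Observable phases before the deepest one that produced no alert on `host`.

    These are candidate detection gaps. Phases before Delivery are skipped
    (no telemetry is expected for them), and a host that only appears in the
    internal chain was entered from another host, so the external phases
    belong to that host's timeline rather than this one.
    """
    reached = phases_reached(alerts, host)
    if not reached:
        return []
    start = FIRST_OBSERVABLE
    if PHASE_INDEX[reached[0]] >= INTERNAL_START:
        start = PHASE_INDEX[reached[0]]
    return [p for p in EXTENDED_CHAIN[start:PHASE_INDEX[reached[-1]]] if p not in reached]


def triage(alerts):
    """Per-host summary, deepest progression first."""
    rows = []
    for host in {a.host for a in alerts}:
        deepest = deepest_phase(alerts, host)
        rows.append({
            "host": host,
            "deepest": deepest,
            "depth": PHASE_INDEX[deepest] if deepest else -1,
            "next": next_expected_phase(alerts, host),
            "missed": missed_phases(alerts, host),
        })
    rows.sort(key=lambda r: r["depth"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(f"{row['host']:<9} deepest={row['deepest']!r:<28} "
              f"next={row['next']!r:<26} missed={row['missed']}")
```

Run as-is, the triage lists srv-db-2 first (reached by lateral movement), then ws-17, whose next expected phase is privilege escalation; ws-22 shows Delivery, Exploitation and Installation as missed phases, the kind of gap the article's "limit the attack to early stages" goal is about closing.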
When facing a cyber attack, knowing the adversary and being able to anticipate their moves is a highly valuable defensive asset. Following such models can therefore help prevent and detect breaches early, disrupt them, and recover.