Understanding attacks using the Cyber Kill Chain 

Author: Mark Rose

Without a method, there’s madness, or as Benjamin Franklin said, “If you fail to plan, you are planning to fail.”  

When it comes to successful cyber-attacks, thorough planning is essential. Threat actors meticulously follow an attack playbook, known as an attack methodology, which details the specific stages of an attack, and the subtasks needed to achieve a particular goal. Without a well-defined methodology, attackers risk entering situations they cannot control or cannot exploit.  

Understanding the methodologies likely to be employed by attackers is therefore vital from a defensive standpoint, enabling better prevention, detection, and response to attacks. This understanding is precisely what the Cyber Kill Chain was developed for.  

However, before utilising the Cyber Kill Chain, it is important to gain insight into the evolution of attackers over the past few decades. 

The evolution of the threat actor

In the past, there was a substantial skills gap between IT/security professionals and the average internet user. However, today it is more common for the average user to be more knowledgeable about security and proficient in using technology. At the same time, threat actors have also evolved, improving their skills to become more advanced and knowledgeable.  

So, what caused this change? 

Mainstream media may have played a role. TV shows like Mr. Robot, as well as movies featuring hacking elements, have portrayed hackers in a more glamorous and appealing light, rather than the stereotypical image of nerdy kids in their parents’ basements looking to ‘hack the planet’. 

Despite not always being factually correct, these shows have sparked a curiosity in many individuals to learn more about hacking and, unlike twenty years ago, there is now a wealth of resources available to help individuals develop these skills.

As individuals acquire these skills, they can now use them for legitimate and legal purposes, such as through Bug Bounty programmes. These programmes, which have become more prominent in the last decade, enable individuals to test systems and report any identified issues in exchange for a reward. Bug Bounty programmes can serve as a valuable learning resource, providing valuable disclosure to participants; however, they could also provide insight into crafting attacks in environments with security measures.

The increasing number of assets on the internet could also be a factor in the evolution and success of online threats over the last decade. The number of servers exposed to the internet, often without proper security assessments, is now huge and offers potential easy targets for threat actors of all abilities, especially when factoring in the limited security budgets organisations must work within. 

The Cyber Kill Chain – understanding the techniques adopted by threat actors 


The Cyber Kill Chain provides a framework for understanding the techniques used by threat actors. Developed by Lockheed Martin, it is based on military models and is used to identify and prevent cyber intrusion activities. 
 

The kill chain is split into seven phases, covering activities from reconnaissance through to the threat actor acting on their objectives. It is often used by cybersecurity professionals to analyse how an attack was carried out, as well as understand the techniques and stages involved.

The stages have been summarised below: 

1 – Reconnaissance


Abraham Lincoln said: “Give me six hours to chop down a tree and I will spend the first four sharpening the axe”. The same is true for cyber-attacks; threat actors will take time to profile assets, ensuring they are best prepared when it comes to advancing the attack.
 

This is the first stage of any attack, and the most important, as it allows the threat actor to find ‘uninventoried’ or unknown assets, which they may be able to compromise, identify potential injection points for attacks, or locate interfaces that could be used to carry out phishing.  

Examples of the profiling a threat actor could carry out include, but are not limited to: 

  • Trawling social media for organisation or employee information such as names, interests, location, and email naming conventions. This information would allow them to craft more successful phishing attacks by tailoring them and making it more likely that valid email addresses are used.
  • Domain scanning is another recon technique a threat actor could use. An organisation’s main domain is easily identifiable and often undergoes the most security testing; its subdomains less so. These subdomains could be identified by using automated tooling and reveal unknown, or unmanaged, applications that could be targeted.
  • Simply browsing web applications, monitoring responses, noting down user inputs and any useful information will enable the threat actor to create a resource pool to use when the time comes. Useful information could include software version, internal file paths or internal server information, verbose error messages or email addresses for employees.

2 – Weaponisation 


Weaponisation is where a threat actor will leverage the information obtained during the Reconnaissance stage to start to create payloads.

The payloads threat actors use will vary depending on what was identified during the previous phase and can either be custom written, developed specifically for the target, or publicly available exploits from sources such as ExploitDB.

Examples of weaponisation include, but are not limited to: 

  • Searching exploit databases for the software and version numbers which could have been inadvertently leaked in verbose error messages. Attackers can leverage this information and prepare payloads to breach an organisation’s perimeter.

  • Creating pages for use in phishing attacks – attackers can purchase domain names imitating the legitimate sites they want to target, for example by replacing a letter, and can mimic their design to be identical to the one the user will be expecting. These pages can include malicious payloads hidden in documents or utilise contact forms to harvest sensitive information before redirecting to the legitimate application to reduce likelihood of being flagged by end users. 
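A defender can watch for the imitation domains described above. The following is an added example, not part of the original article: it flags observed domains that differ from an owned domain by one character or by look-alike character swaps. The domain names, the character map and the source of the observed list (for instance sender domains from a mail gateway) are assumptions.

```python
# Look-alike character folds (assumed, deliberately small; not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Fold visually similar characters so 'acrne' and 'acme' compare equal."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(observed, legitimate, max_distance=1):
    """Return (observed, imitated, reason) for domains that mimic an owned one."""
    owned = sorted({d.lower() for d in legitimate})
    hits = []
    for name in (d.lower() for d in observed):
        if name in owned:
            continue  # exact match is our own domain
        for real in owned:
            if skeleton(name) == skeleton(real):
                hits.append((name, real, "confusable characters"))
                break
            if edit_distance(name, real) <= max_distance:
                hits.append((name, real, "edit distance"))
                break
    return hits

# Constructed sample data using the reserved .example TLD.
LEGITIMATE = ["acme-bank.example"]
OBSERVED = [
    "acme-bank.example",       # the real domain
    "acrne-bank.example",      # 'rn' imitating 'm'
    "acme-bamk.example",       # one letter replaced
    "acm3-bank.example",       # digit imitating a letter
    "partner-portal.example",  # unrelated
]

if __name__ == "__main__":
    for hit in find_lookalikes(OBSERVED, LEGITIMATE):
        print(hit)
```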

3 – Delivery 


Armed with the payloads they prepared and sufficient information about their target, attackers would now seek to deliver these payloads.
 

Each attack will be unique, with different delivery methods being opted for. For example, a phishing attack will not have the same delivery method as a remote code execution attack that targets a vulnerable version of software.  

Many different delivery methods exist, such as: 

  • Web based – directly targeting publicly facing applications. 
  • Physical – dropping USB drives with payloads in car parks, plugging in rogue devices into networks or following employees into access restricted areas.
  • Email – sending phishing attacks from a threat actor, or occasionally using a compromised account.

From here, attackers need only wait for their payloads to trigger and, typically, connect back, enabling the next stage to commence. 

4 – Exploitation 


With the perimeter having been breached, the next stage would be Exploitation. Exploitation, in this context, refers to leveraging the access gained following the successful delivery of the crafted payload.

Often, threat actors will seek to leverage misconfigurations within the environment to elevate their privileges from a standard user to local admin to domain admin. Misconfigurations exist in most environments, so regular testing is pivotal to uncovering these before a real attack.

Examples of activities carried out in this section include: 

  • Internal network enumeration – This would include port scanning, scanning for network shares, assessing files on network shares, and enumerating available services on the network to determine if any versions are outdated or what Endpoint Detection and Response (EDR) software they might have to contend with. 
  • Cracking password hashes – Password hashes could be relayed across the network and can prove particularly useful when obtained. These could also be cracked, or guessed, by powerful computers which can try upwards of millions of permutations a second. To further increase their odds, attackers will often use lists of leaked passwords. They might also try various permutations on each password, for example replacing ‘e’ with ‘3’, or appending dates at the end. 
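The permutations described above can be checked for at password-set time. The following is an added example, not part of the original article: a policy check that undoes common character swaps and trailing digits or symbols before comparing a candidate against a leaked-password list. The word list, the substitution map and the function names are assumptions.

```python
import re

# Constructed stand-in for a real breached-password list.
LEAKED = {"welcome", "password", "summer"}

# Common character swaps to undo (assumed map, not exhaustive).
UNSWAP = str.maketrans({"3": "e", "0": "o", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s"})

def base_forms(candidate):
    """Candidate reduced to the base words an attacker's rules would start from."""
    lowered = candidate.lower()
    # Drop appended dates, counters and symbols such as '2024' or '!'.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return [lowered, stripped, lowered.translate(UNSWAP), stripped.translate(UNSWAP)]

def leaked_base_word(candidate, leaked=LEAKED):
    """Return the leaked word the candidate is derived from, or None."""
    for form in base_forms(candidate):
        if form in leaked:
            return form
    return None

def audit(candidates, leaked=LEAKED):
    """Map each candidate password to the leaked word it reduces to (or None)."""
    return {c: leaked_base_word(c, leaked) for c in candidates}

if __name__ == "__main__":
    # Constructed candidate passwords.
    for pw, word in audit(["W3lcome2024", "Summer!", "P@55w0rd",
                           "correct-horse-battery-staple"]).items():
        print(f"{pw!r}: {'reject, derived from ' + word if word else 'ok'}")
```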

5 – Installation 


The Installation phase is when the threat actor would run their desired payloads on the device. Example payloads used by threat actors include ransomware, calls to the Command & Control (C2) centre or installing persistence so that even if the device were to be rebooted access would still be possible.

Activities during this phase could include:   

  • Creating multiple beacons that communicate back to the Command & Control centre. Multiple beacons increase resilience and avoid the need to go through initial compromise again if one beacon becomes unresponsive.
  • Ensuring the persistence of these beacons to allow for the communications with the C2 to survive disconnections or reboots, for example.

Attackers will need to balance their installation activities to avoid detection while attempting to meet their objectives. With every compromise comes an increased risk of triggering alerts; however, rarely can they meet their objectives with only the initial foothold gained.

After compromising other machines, the threat actor may revisit certain phases within the kill chain to further their access, leveraging information obtained so far. 

6 – Command & Control (C2) 


The Command & Control centre acts as a centralised hub for the threat actors. It provides functionality for multiple individuals to collaborate, communicate with each other and be able to obtain access to the compromised devices.

Most importantly, the Command & Control centre is where the installed payloads, or beacons, would receive their instructions from. Threat actors need to carefully manage how frequently beacons phone back – too frequent and the Security Operations Centre (SOC) might detect it. Too infrequent and the response time could become a hindrance, potentially leading to missed opportunities.
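From the SOC side, the regularity of those call-backs is itself a signal. The following is an added example, not part of the original article: it groups outbound connections by source and destination and flags pairs whose intervals are nearly constant. The log format, host names, thresholds and function name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: ISO timestamp, internal source, destination host.
LOG = """\
2024-01-01T09:00:00 10.0.0.5 telemetry.example
2024-01-01T09:01:02 10.0.0.5 telemetry.example
2024-01-01T09:01:59 10.0.0.5 telemetry.example
2024-01-01T09:03:01 10.0.0.5 telemetry.example
2024-01-01T09:04:00 10.0.0.5 telemetry.example
2024-01-01T09:05:01 10.0.0.5 telemetry.example
2024-01-01T09:00:10 10.0.0.7 intranet.example
2024-01-01T09:00:12 10.0.0.7 intranet.example
2024-01-01T09:02:40 10.0.0.7 intranet.example
2024-01-01T09:02:41 10.0.0.7 intranet.example
2024-01-01T09:09:30 10.0.0.7 intranet.example
2024-01-01T09:09:55 10.0.0.7 intranet.example
"""

def find_beacons(log_text, min_events=5, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for near-periodic connections.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections; a value near zero means machine-like regularity.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, src, dst = parts
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    findings = []
    for (src, dst), stamps in sorted(seen.items()):
        if len(stamps) < min_events:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((src, dst, round(avg, 1), round(pstdev(gaps) / avg, 3)))
    return findings

if __name__ == "__main__":
    for finding in find_beacons(LOG):
        print(finding)
```

Legitimate software such as update clients also polls on a fixed schedule, and beacons with heavy jitter will exceed a tight threshold, so results from a check like this are a triage list rather than a verdict.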

Avoiding detection is a core aspect of C2s and threat actors have shown incredible ingenuity when devising new methods to do so. From embedding instructions in innocuous pictures of cats to using a blinking hard-drive activity LED to bridge air-gapped networks, their creativity could almost be admired.

7 – Action 


With the network compromised, persistence ensured, and activities hidden, threat actors are now able to take action that will allow them to complete their objectives. 

Typically, and particularly as of late with ransomware attacks, this will simply be downloading as much confidential and sensitive data as possible. The actors then threaten to publish these online, either by posting them publicly or selling them to the highest bidder. They might also encrypt every file on every machine, promising to provide the decryption key in return for a significant sum. 

Or some might simply seek to punish the company for a perceived slight, usually by encrypting every machine with a key they may or may not have, but certainly will not share.

Using the Cyber Kill Chain to improve your security posture 


Now that you know about the stages of the Cyber Kill Chain and the dangers posed, how do you apply it to your organisation to help improve your overall security posture? 
 

It is important to conduct assessments of specific elements to gauge the current resilience and to understand areas that need improvement. To achieve this, various approaches can be taken, ranging from smaller individual assessments to comprehensive, in-depth analysis of the entire process. 

At Pentest, we could offer: 

  1. Reconnaissance exercises to gain insight into the information that could be gathered regarding your organisation or employees, as well as the assets you have. This helps identify weaknesses and enables the implementation of necessary changes, such as introducing a social media policy and removing excessive organisational information.
  2. Web and external infrastructure penetration tests to determine the current attack surface and identify any issues that could be exploited. This allows for the introduction of remediation steps to reduce the likelihood of a successful compromise of confidentiality, integrity, availability, and unauthorised access to the internal environment.
  3. Internal infrastructure penetration testing to understand the existing misconfigurations within the internal environment and assess the potential for privilege elevation or lateral movement within the network, which could compromise confidential data and impact integrity. Additionally, this assessment helps in understanding the possibilities of exploitation, privilege escalation, lateral movement, denial of service, and exfiltration. 
  4. A red team exercise to replicate the kill chain in the same manner a threat actor would, navigating through all stages to avoid detection and exfiltrate data or compromise a desired target. Red Team engagements provide a holistic view of an organisation’s security posture while helping assess and train the SOC team and broader defences in place.

It is important to note that the Cyber Kill Chain is just one framework that can help you understand and improve the security posture of your organisation. For it to be successful, however, it needs to be part of a wider ongoing process. Regular security audits are a key feature of this but must be integrated into a wider, iterative security process.

Testing can be undertaken in several ways; however, using an expert test provider, such as Pentest Limited, brings with it several key benefits. Because our testing is conducted manually by experts, we can simulate threat actors faithfully and use our skills to exploit vulnerabilities that a scan could never detect. Furthermore, our comprehensive reports will give you a clear overview of the issues we find, as well as our expert advice on how to successfully remediate them to improve your overall security posture.

So, if you are looking to utilise the Cyber Kill Chain, why not contact Pentest to see how we can help you get the best from your cybersecurity improvement efforts?
