The first step in overcoming any problem is understanding it. This holds true for cyber attacks also.
Cyber security teams have often operated blind. They often throw random countermeasures at any threat, hoping something will be effective. Needless to say, threat actors have enjoyed a good run so far.
The Cyber Kill Chain, a network security model developed by Lockheed Martin, outlines the sequential steps of a cyber attacker. It dissects each stage of a cyber attack, and identifies what threat actors seek to achieve at each stage.
Adversaries succeed only when they progress through all phases of a cyber attack. Identifying the indicators of activity associated with each phase allows for deploying specific countermeasures. When security teams deploy such targeted measures, the effectiveness of the countermeasures improves.
Lockheed Martin’s Cyber Kill Chain lists seven stages of a cyber attack. Stopping adversaries at any stage breaks the chain of attack.
Reconnaissance
Most threat actors plan the attack upfront. They conduct reconnaissance on their targets to gather information to execute the attack. Among other initiatives, they:
- Scan the network for open ports or other vulnerabilities.
- Harvest emails and identify employees from social media, conference lists, and other sources. Threat attackers target such employees through social engineering attacks.
- Seek public information on the network, such as press releases.
Detecting reconnaissance in real-time is difficult. But there is often a time gap between reconnaissance and the execution. If cyber teams can discover the reconnaissance in time, they can succeed in their pre-emptive measures.
Measures to detect reconnaissance include analysing website visitor logs and browser traffic. On detecting reconnaissance, identify the services attackers target to get information, and block such pathways. The most common suspects are Windows Management Instrumentation and Sendmail.
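Analysing website visitor logs for reconnaissance can be automated with simple heuristics. The following added example (not code from the original article) parses Apache/nginx combined-format access log lines and flags any client that, within a short window, requests many distinct paths or receives mostly 404 responses, both typical of directory and vulnerability scanning. The log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Spot reconnaissance-like scanning in web server access logs.

Added example, not part of the original article. Parses combined-format log
lines and flags clients with a high 404 ratio or many distinct paths within a
sliding time window. Sample lines and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return ip, ts, method, path and status for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, window_seconds=60, min_requests=10,
                  min_404_ratio=0.5, min_distinct_paths=10):
    """Map each suspicious client IP to the evidence that triggered the flag."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window so it spans at most window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            if len(window) < min_requests:
                continue
            ratio_404 = sum(r["status"] == 404 for r in window) / len(window)
            distinct = len({r["path"] for r in window})
            reasons = []
            if ratio_404 >= min_404_ratio:
                reasons.append("high_404_ratio")
            if distinct >= min_distinct_paths:
                reasons.append("many_distinct_paths")
            if reasons:
                findings[ip] = {"requests": len(window), "ratio_404": round(ratio_404, 2),
                                "distinct_paths": distinct, "reasons": reasons}
                break  # one finding per client is enough for an alert
    return findings


def _line(ip, second, path, status):
    """Build a constructed combined-format log line."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one client probing twelve paths in twelve seconds (mostly
# 404s), and one ordinary visitor browsing three real pages.
SCAN_PATHS = ["/admin", "/login", "/backup", "/old", "/test", "/config",
              "/console", "/manager", "/phpmyadmin", "/server-status", "/setup", "/dev"]
SAMPLE_LOG = [_line("203.0.113.7", i, p, 200 if i % 4 == 0 else 404)
              for i, p in enumerate(SCAN_PATHS)]
SAMPLE_LOG += [_line("198.51.100.5", 5, "/", 200),
               _line("198.51.100.5", 20, "/about", 200),
               _line("198.51.100.5", 40, "/contact", 200)]

if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(ip, info)
```

Tune the thresholds to the site's normal traffic before alerting on them; a busy single-page application can legitimately generate many distinct paths per client, so the 404 ratio is usually the more reliable of the two signals.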
Weaponisation
Threat actors weaponise the information collected at the reconnaissance stage. They use automated tools to couple malware and exploits into a deliverable payload. Possible payloads include phishing emails containing decoy documents or backdoor-implanting malware files.
Cyber security teams cannot detect weaponisation as it happens. But they can analyse malware artefacts to identify its presence and take prompt eradication measures. Options include:
- Shrinking and hardening the attack surface to reduce the avenues available for attack.
- Patching and updating systems and maintaining good IT hygiene.
- Deploying robust network monitoring and malware analysis tools. Some payloads may slip in despite the best of precautions and cyber hygiene.
Delivery
After weaponisation, the threat actors deliver their malicious payload to the target system. The most common tactics to deliver the attack to the targeted system include:
- Deploying malicious websites, phishing emails, or social media links.
- Supplying infected USB drives.
- Launching drive-by downloads.
There is no magic wand to kill every attack vector in one go. Protecting the network is everybody’s job – from end users to the cyber security team and from the top management to partners. There is no shortcut to eternal vigilance.
A multi-pronged cyber-defence approach that co-opts physical security, enterprise-wide risk management, and user education thwarts most attacks. Knowledge of weaponised artefacts helps detect malicious payloads at the point of delivery. Email and web logs aid forensic reconstruction.
Exploitation
Exploitation is when the attackers execute their malicious code on the victim’s system.
The attacker leverages chosen exploits to target vulnerabilities and access the target system. An event targeted by the threat actor triggers the malware. Such events may include the victim clicking on a malicious link or downloading a malware-infected file. The malware slips through gaps in defences and exploits operating systems and applications.
Thwarting the attacks when cyber attackers execute the malicious code requires:
- Identifying abnormal traffic or other indicators of compromise. Good antivirus software, regular vulnerability scanning, and behavioural monitoring services do the job.
- Good cyber hygiene, to stop most cyber attacks in their tracks.
- Restricting admin privileges to thwart hijacking attempts.
- Secure coding training for web developers, to reduce vulnerabilities in the first place.
Installation
After entering the target system, the attacker establishes persistence on the compromised system. Typically, the adversaries install backdoors to retain access to the compromised systems. They install malware on the endpoint or gain administrative privileges. Some adversaries add AutoRun keys or alter file timestamps to make the malware appear part of the standard operating system install.
Effective countermeasures include:
- Deploying threat intelligence services to stop malware installations and configuration changes.
- Auditing endpoint processes to unearth abnormal file creations.
- Developing an approved whitelist.
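The three countermeasures above can be checked against endpoint telemetry. The following added example (not code from the original article or from any vendor) audits constructed endpoint events for unapproved or altered binaries, new AutoRun (Run key) entries, and files in system directories whose claimed creation time predates the moment the creation event was observed, a simple timestamp-tampering heuristic. The allowlist, paths, hashes and times are all assumed sample data.

```python
"""Audit constructed endpoint telemetry for installation-stage indicators.

Added example, not part of the original article. Checks: executables not on
the approved allowlist (or with a mismatching hash), new AutoRun entries,
and system-directory files whose claimed creation time predates the observed
creation event. All paths, hashes and timestamps are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed allowlist: image path -> expected SHA-256 (fake hex values).
ALLOWLIST = {
    r"C:\Windows\System32\svchost.exe": "3f" * 32,
    r"C:\Program Files\Acme\agent.exe": "a1" * 32,
}
# Registry locations commonly used for AutoRun persistence.
AUTORUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
# A file created "now" should not claim a creation time more than a day in the past.
MAX_BACKDATE = timedelta(days=1)


def _ts(s):
    return datetime.fromisoformat(s)


def audit(events):
    """Return a list of (alert_kind, detail) tuples for suspicious events."""
    alerts = []
    for e in events:
        if e["type"] == "process":
            expected = ALLOWLIST.get(e["image"])
            if expected is None:
                alerts.append(("unapproved_binary", e["image"]))
            elif expected != e["sha256"]:
                # Approved path but different content: replaced or tampered binary.
                alerts.append(("hash_mismatch", e["image"]))
        elif e["type"] == "registry" and e["key"] in AUTORUN_KEYS:
            kind = "autorun_new" if e["data"] in ALLOWLIST else "autorun_unapproved"
            alerts.append((kind, f'{e["key"]}\\{e["value"]} -> {e["data"]}'))
        elif e["type"] == "file":
            in_system_dir = e["path"].lower().startswith(
                tuple(d.lower() for d in SYSTEM_DIRS))
            backdated = _ts(e["observed"]) - _ts(e["created"]) > MAX_BACKDATE
            if in_system_dir and backdated:
                alerts.append(("backdated_system_file", e["path"]))
    return alerts


# Constructed sample events: one clean process, one replaced binary, one
# unknown binary that also registers itself in a Run key, one backdated driver
# file, and one ordinary log file.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "sha256": "3f" * 32},
    {"type": "process", "image": r"C:\Program Files\Acme\agent.exe", "sha256": "b2" * 32},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "sha256": "c3" * 32},
    {"type": "registry", "key": AUTORUN_KEYS[0], "value": "Updater",
     "data": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "file", "path": r"C:\Windows\System32\drivers\netflt.sys",
     "created": "2019-05-10T08:00:00", "observed": "2024-03-01T10:00:00"},
    {"type": "file", "path": r"C:\Windows\System32\LogFiles\app.log",
     "created": "2024-03-01T09:59:58", "observed": "2024-03-01T10:00:00"},
]

if __name__ == "__main__":
    for kind, detail in audit(EVENTS):
        print(f"{kind:24} {detail}")
```

The backdating check is deliberately a heuristic: some copy tools preserve original timestamps, so a hit warrants investigation rather than automatic action, which is why the function reports findings instead of acting on them.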
Command and Control (C2)
It is not enough for the attackers to slip in malware. They need the malware to do their bidding. To this end, the attackers establish two-way communication channels with the compromised system. The most common C2 channels are over the web, DNS, and email protocols. The attackers use such channels to issue commands, steal data, or launch further attacks.
The best approach to block the threat actor at the C2 stage is blocking the channels established by the adversaries. If adversaries cannot issue commands, they cannot achieve their objectives. The most effective ways to block the threat actors include:
- Adopting the Zero Trust approach to block all unauthorised communications by default.
- Deploying firewalls and network monitoring tools as additional layers of protection. These deployments detect and block suspicious network activity. Such suspicious activities include communications with unusual remote hosts or unknown DNS servers.
- A thorough malware analysis, to unearth C2 infrastructure.
- Hardening the network. Consolidating the internet points of presence and proxies for all types of traffic foils the attackers' best-laid plans.
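The monitoring described above can be expressed as checks over connection logs. The following added example (not code from the original article) runs three checks over constructed connection records: DNS traffic to resolvers outside an approved set, direct connections to external hosts that bypass the consolidated egress proxy (a default-deny, zero-trust stance), and beaconing, i.e. one host reaching the same destination at near-constant intervals. The internal network range, resolver, proxy address, hosts and timestamps are all assumed sample values.

```python
"""Check constructed connection logs for C2-stage indicators.

Added example, not part of the original article. Three checks: unapproved
DNS resolvers, direct egress bypassing the proxy, and regular beaconing.
Network ranges, addresses and timestamps are assumed sample data.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range
APPROVED_RESOLVERS = {"10.0.0.53"}                    # assumed internal resolver
EGRESS_PROXY = ("10.0.0.250", 3128)                   # assumed consolidated proxy


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unapproved_dns(events):
    """DNS queries sent anywhere other than the approved resolvers."""
    return sorted({(e["src"], e["dst"]) for e in events
                   if e["dport"] == 53 and e["dst"] not in APPROVED_RESOLVERS})


def direct_egress(events):
    """Connections to external hosts; under default deny only the proxy talks out."""
    return sorted({(e["src"], e["dst"], e["dport"]) for e in events
                   if not is_internal(e["dst"])})


def beacons(events, min_connections=6, max_cv=0.1):
    """Flows whose inter-connection gaps are too regular (low coefficient of variation)."""
    flows = defaultdict(list)
    for e in events:
        flows[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    found = []
    for flow, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found.append({"flow": flow, "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return found


def _ev(ts, src, dst, dport):
    """Build one constructed connection record (ts in seconds)."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport}


EVENTS = (
    # Normal: lookups to the internal resolver, web via the proxy at irregular times.
    [_ev(t, "10.0.1.15", "10.0.0.53", 53) for t in (1, 2, 90)]
    + [_ev(t, "10.0.1.15", *EGRESS_PROXY) for t in (3, 10, 95, 100, 400, 1200)]
    # Suspicious: a lookup sent to an unknown external resolver.
    + [_ev(50, "10.0.1.15", "192.0.2.99", 53)]
    # Suspicious: direct HTTPS to an external host roughly every 60 seconds.
    + [_ev(t, "10.0.1.22", "198.51.100.77", 443)
       for t in (0, 61, 119, 181, 239, 301, 359, 421)]
)


def report(events=EVENTS):
    """Run all three checks and return their findings."""
    return {"unapproved_dns": unapproved_dns(events),
            "direct_egress": direct_egress(events),
            "beacons": beacons(events)}


if __name__ == "__main__":
    for name, hits in report().items():
        print(name, hits)
```

The beacon check uses the coefficient of variation so that the same threshold works for a 60-second and a 6-hour interval; implants that add random jitter raise the variation, so treat a clean result as absence of evidence rather than evidence of absence.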
Actions on Objectives
The last stage of a cyber attack is when the attackers attain the objectives of the attack. The priority of the attacker is to establish “hands-on keyboard” access. Next, they collect user credentials, exfiltrate data, deploy ransomware, or disrupt operations. Their action depends on the objectives behind the attack.
The defenders can no longer expect to thwart all attacks at this stage. They have to think about the fallout of the attack or remediation measures. Possible defences include:
- Making it harder for threat actors to execute their objectives, by locking down the network. The longer the attackers have to work, the more unattractive and uneconomical the attack becomes for them. It also increases the chances of detection. Set up alerts to spot abnormal activities and align alerts to threat intelligence information.
- Establishing incident response playbooks to mitigate the fallout. Standard inclusions in the playbook are executive engagement and a communications plan.
Even though the cyber kill chain lists seven stages, it is not always a linear process. Attackers may skip or revisit stages. Advanced threats may deploy complex techniques that deviate from the traditional model.
Proofpoint's suite of products offers effective protection at all stages of a cyber attack. These products secure cloud accounts, block phishing attacks, and protect sensitive data. The latest solutions offer AI-powered protection against ransomware, phishing, and other advanced threats. Deep insights such as Targeted Attack Protection pinpoint the employees or endpoints most at risk. Automate incident response and remediate threats in double quick time.