Life cycle of a cyber attack

To protect yourself against cyber attacks, it is essential to know how attackers proceed. Using the Cyber Kill Chain® designed by Lockheed Martin¹, we can understand which methods cyber criminals use to smuggle malware into a company.

The following is an example of an attack. We have summarized the attack process and added possible defense measures for each step.²

Important to know: This is one possible attack scenario. An attacker has a multitude of different attack vectors to choose from.

1. Reconnaissance

In the first phase, the attacker searches for and collects all available information. The jargon terms OSINT, SOCMINT, TECHINT and HUMINT each describe a family of techniques for gathering it.

OSINT - Open Source Intelligence - Used to collect information and build up knowledge. Attackers use freely available, open sources of information such as television, radio, print media, publications, forums, blogs or, classically, the company website.

SOCMINT - Social Media Intelligence - Used to collect information from social media such as LinkedIn, Xing, Facebook and the like.

TECHINT - Technical Intelligence - The analysis of technical systems such as networks or servers using technical tools.

HUMINT - Human Intelligence - The procurement of information through human sources, e.g. former employees.

Name, e-mail address and position, combined with private information, are all that is needed: together they provide an ideal template for a spear phishing e-mail.

Cyber criminals can make it even easier for themselves by buying records with further information on the darknet, where numerous marketplaces now trade in such data.

If technically skilled attackers plan an attack, they typically obtain technical information through various channels, for instance with network scanners. With such a tool it is possible to learn more about the company's network topology in order to launch targeted attacks against insufficiently protected interfaces.

Target of the attackers: Find and collect all useful information.

How can you protect yourself?

  • Limit the information provided to others. Publish only what is necessary.
  • Explain to your employees the danger of public profiles in social media.
  • Disable unused services and ports. Protect your business with a firewall and other security tools.

2. Weaponization

In the second phase, the information found is used to select a suitable method of attack. If the technical barriers are too high or no security hole is available, cyber criminals usually take other routes to bypass the security systems: social engineering attacks such as spear phishing e-mails or CEO fraud³. These attack methods are characterized by the fact that no technical security measure really provides relief, because the psychology of the person is exploited.

Goal of the attackers: Select attack vectors based on the information obtained.

How can you protect yourself?

  • Run appropriate patch management and make sure that systems are always up to date.
  • Disable Office macros and limit the use of JavaScript.
  • Disable add-ons like Flash. They can allow malware to be executed without ever being installed on your system.
  • Use common technical protection measures such as antivirus programs, intrusion prevention systems and multi-factor authentication, and implement security information and event management (SIEM).

3. Delivery

In the third phase, the attacker seeks the best way to place the malicious code on the system. The most popular and at the same time easiest way to spread malicious code is a phishing e-mail. According to the 2019 Data Breach Investigations Report⁴, 94% of malware was delivered by e-mail, and 45% of these e-mails carried infected Office documents. Besides e-mails, there are also USB sticks distributed in the vicinity of the company premises. Depending on their access to the company, attackers could also leave a prepared USB stick in less conspicuous places such as the canteen, lounge or office.

Goal of the attackers: Smuggle the malicious code into the system.

How can you protect yourself?

  • Raise your employees' awareness.
  • Run a security awareness campaign.
  • Found USB sticks or other devices should under no circumstances simply be plugged into a computer.

4. Exploitation

Let's suppose that accounting employee Paul receives an e-mail from his finance manager Klara asking him to update the attached Excel document with the current figures and send it back to her. Conscientious as Paul is, he gets to work right away. He downloads the document, enables the macros and is stunned: the spreadsheet is empty. Real cyber attacks usually occur in a similar way. As soon as an employee downloads an infected attachment and enables the macros, the attacker's code runs and can begin to spread systematically through the network.

Goal of the attackers: Obtain privileged rights on the system.

How can you protect yourself?

  • Use Data Execution Prevention (DEP) to prevent malicious code from being executed from memory areas that are not intended to hold code.
  • Install anti-exploit software to protect against the exploitation of security vulnerabilities.

5. Installation

Attackers will attempt to gain administrative privileges after they have obtained initial access. They then look for ways to spread through the network. For this they use tools that are already present on standard systems; on Windows this would be PowerShell, WMI or tools like PsExec. These tools allow the attacker to download malicious code and connect to an external control server. This attack method is called "Living off the Land".

Goal of the attackers: Secure lasting access to the system.

How can you protect yourself?

  • To limit the damage, use Endpoint Detection and Response (EDR) solutions: tools that detect malicious activity on your endpoints and in your networks.
  • Have an emergency plan ready for your employees so that they know what to do in case of a breach.
  • Rebuild affected systems from scratch after an infection.
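The following detection logic is an added illustration and is not taken from the article or from any EDR product. It shows how rules of the kind an EDR solution applies can flag the "Living off the Land" patterns named above over a few constructed process-creation events: an Office application spawning PowerShell (the macro scenario from the Exploitation step), encoded or hidden PowerShell command lines, remote process creation via WMI and PsExec usage. The event field names, host names and rule names are assumptions; the encoded command is built inside the script and decodes to a harmless Write-Host so that the decoder can be demonstrated.

```python
import base64
import re

# Constructed sample events in a simplified Sysmon-style layout (not real telemetry).
# The -EncodedCommand payload is generated here and is a harmless Write-Host.
_ENCODED = base64.b64encode("Write-Host hello".encode("utf-16le")).decode()
SAMPLE_PROCESS_LOG = [
    {"host": "WS-PAUL", "parent": "explorer.exe", "image": "excel.exe",
     "cmdline": "excel.exe Q2-figures.xlsm"},
    {"host": "WS-PAUL", "parent": "excel.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"host": "WS-PAUL", "parent": "powershell.exe", "image": "wmic.exe",
     "cmdline": "wmic.exe /node:FS01 process call create cmd.exe"},
    {"host": "WS-ANNA", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "WS-ANNA", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Legitimate Windows binaries that attackers commonly repurpose ("LOLBins")
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe"}

_ENC_FLAG = r"-(?:encodedcommand|enc|e)\s"


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = re.search(_ENC_FLAG + r"*([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate_event(ev):
    """Return the list of rule names that fire for one process-creation event."""
    hits = []
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"].lower()
    if parent in OFFICE_APPS and image in LOLBINS:
        hits.append("office-spawns-lolbin")          # macro handing off to a script host
    if image == "powershell.exe":
        if re.search(_ENC_FLAG, cmd):
            hits.append("powershell-encoded-command")
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd) or "-nop" in cmd:
            hits.append("powershell-hidden-or-noprofile")
    if image == "wmic.exe" and "process call create" in cmd:
        hits.append("wmic-remote-process-create")   # lateral movement via WMI
    if image in ("psexec.exe", "psexesvc.exe") or "psexec" in cmd:
        hits.append("psexec-usage")
    return hits


def scan_process_log(events):
    """Map host -> list of (image, rule) for every event that fired at least one rule."""
    findings = {}
    for ev in events:
        for rule in evaluate_event(ev):
            findings.setdefault(ev["host"], []).append((ev["image"], rule))
    return findings


if __name__ == "__main__":
    for host, hits in scan_process_log(SAMPLE_PROCESS_LOG).items():
        print(host)
        for image, rule in hits:
            print(f"  {image:16} {rule}")
    print("decoded:", decode_encoded_command(SAMPLE_PROCESS_LOG[1]["cmdline"]))
```

In a real deployment the inline list would be replaced by Sysmon event ID 1 records or the equivalent EDR telemetry; the parent/child relationship and the full command line are the fields these rules need, which is why collecting them matters. Decoding the -EncodedCommand argument turns an opaque string into something an analyst can read, and the per-host grouping mirrors what an incident responder wants first: which machine to isolate.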

6. Command and Control (C&C)

The control server (command-and-control or C&C server) is the system through which the attacker communicates with the infected machine. Via this server the attacker can remotely control the system and manipulate or reload malicious code at will. Nowadays attackers rent cloud services and use automated domain generation algorithms (DGAs), so that the server addresses change constantly and tracking becomes significantly more difficult.

Goal of the attackers: Remote access and control of the system.

How can you protect yourself?

  • Segment your networks to make lateral movement more difficult.
  • Use Next Generation Firewalls, which not only examine the protocol and port used but also inspect the content to detect unusual activity.
  • Use current Indicators of Compromise (IoC) to recognize a possible compromise.
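As an added example that is not part of the article: the script below works through two of the defensive signals named in this section over constructed DNS query log lines. It matches queried names against a list of Indicators of Compromise and scores the remaining names for the look of algorithmically generated domains (long labels with high character entropy, many digits or few vowels), then reports the clients that should be investigated. The log format, the IoC list (placeholder names only), the thresholds and the simple two-level suffix split are assumptions.

```python
import math
from collections import Counter

# Constructed DNS query log: timestamp, client IP, "query", queried name (not real traffic)
SAMPLE_DNS_LOG = """\
2024-05-02T08:01:12Z 10.0.4.21 query www.example.com
2024-05-02T08:01:13Z 10.0.4.21 query mail.example.com
2024-05-02T08:01:40Z 10.0.4.37 query xk3j9q2mzv8b1tq7.net
2024-05-02T08:01:41Z 10.0.4.37 query p0w4z8c2nfh6yl1k.com
2024-05-02T08:01:42Z 10.0.4.37 query bad-known-c2.example.org
2024-05-02T08:02:05Z 10.0.4.52 query cdn.softwarevendor.net
"""

# Constructed IoC list with a placeholder domain; a real feed would be loaded from a threat-intel source
KNOWN_C2_DOMAINS = {"bad-known-c2.example.org"}


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Label left of the suffix; assumption: single-label TLDs such as .com/.net/.org."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_dga(domain, entropy_threshold=3.5, min_len=12):
    """Heuristic: long, high-entropy label that is also digit-heavy or vowel-poor."""
    label = registrable_label(domain)
    if len(label) < min_len:
        return False
    digits = sum(ch.isdigit() for ch in label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and (digits >= 3 or vowel_ratio < 0.2)


def analyze_dns_log(log_text, ioc_domains=KNOWN_C2_DOMAINS):
    """Return a list of (client_ip, domain, reason) findings; malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != "query":
            continue
        _ts, client, _kw, domain = fields
        domain = domain.lower().rstrip(".")
        if domain in ioc_domains:
            findings.append((client, domain, "ioc-match"))
        elif looks_like_dga(domain):
            findings.append((client, domain, "dga-like"))
    return findings


def hosts_to_investigate(findings, min_hits=2):
    """Clients with at least min_hits findings: candidates for isolation and forensic review."""
    per_client = Counter(client for client, _domain, _reason in findings)
    return sorted(client for client, n in per_client.items() if n >= min_hits)


if __name__ == "__main__":
    hits = analyze_dns_log(SAMPLE_DNS_LOG)
    for client, domain, reason in hits:
        print(f"{client:12} {reason:10} {domain}")
    print("investigate:", hosts_to_investigate(hits))
```

The entropy heuristic on its own produces false positives (content-delivery hostnames and hashed subdomains look random too), which is why the script combines it with an IoC match and only escalates clients that trigger repeatedly; the same layering applies to the next-generation firewall and IoC feeds the list above recommends.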

7. Actions on objectives

Depending on the motivation of the attacker, there are numerous possible scenarios in which the attacker completes his work. In the last phase, the attacker executes his original plan. Possible scenarios include copying company secrets, manipulating or reading out data, sabotaging entire systems or breaking into further systems.

Example: Shrewd attackers diverted the payment traffic of Haag-Streit, a company based in Köniz, and got away with 2.4 million Swiss francs⁵. According to company spokesman Christof Gassner, the perpetrators had been reading the e-mail traffic for some time and noticed that a transfer was pending. The payment was diverted to an account in Mexico. The criminals have made off with the money; proceedings are still ongoing, but the prospects of Haag-Streit getting the money back are poor.

Goal of the attackers: Execute the desired action.

How can you protect yourself?

  • Use Data Leakage Prevention (DLP) systems to prevent unwanted data leakage.
  • Use User Behaviour Analysis (UBA) to identify patterns in user activity that indicate possible malicious behavior.

Attackers must go through the entire process to reach their target, while defenders only have to stop the attack at a single stage. In some cases, such as vishing, one or more steps are skipped. As the Cyber Kill Chain shows, there are numerous technical solutions to limit the damage. To prevent a successful attack in the first place, we recommend raising awareness of the possible delivery methods.

Your employees are usually the first line of defense. If they are trained to deal with the dangers with the help of a security awareness campaign or a phishing simulation, you have significantly increased the security of your company. And if the barriers are too high for an attacker from the outset, you also become an unattractive target for other attackers.

¹ Lockheed Martin, The Cyber Kill Chain®. https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

² The CISO Perspective (5 February 2019). Breaking the Kill Chain: A Defensive Approach. [Video] YouTube. https://www.youtube.com/watch?v=II91fiUax2g

³ https://www.sans.org/security-awareness-training/blog/applying-security-awareness-cyber-kill-chain

⁴ Verizon, 2019 Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

⁵ https://www.nau.ch/ort/koniz/konizer-firma-wird-gehackt-und-ausgebeutet-65764179