The following is an example of an attack. We have summarized the attack process and added possible defense measures for each step.2
Important to know: This is a possible attack scenario. An attacker has a multitude of different attack vectors.
1. Reconnaisscance
In the first phase, all available information is searched and collected. The terms OSINT, SOCMINT, TECHINT, HUMINT used in technical jargon offer a variety of information gathering techniques.
OSINT – Open Source Intelligence – Used to gather information and gain intelligence. Attackers use freely available, open sources of information such as television, radio, print media, publications, forums, blogs, or classically the corporate website.
SOCMINT – Social Media Intelligence – Used to collect information from social media such as LinkedIn, Xing, Facebook and co.
TECHINT – Technical Intelligence – Is used to analyze technical systems such as networks or servers through technical tools.
HUMINT – Human Intelligence – Is the acquisition of information through human sources by e.g. former employees.
Name, email address and position combined with private information are already sufficient and provide an ideal template for a spear phishing email.
Cybercriminals can make it even easier for themselves by buying data records with access or further information on the Darknet. There are now numerous marketplaces that do business with the trade of access data.
If technically savvy attackers are planning an attack, they typically obtain technical information through various channels. Network scanners offer a remedy. With such a security tool, it is possible to learn more about the company’s network topology in order to subsequently launch targeted attacks against insufficiently protected interfaces.
The attackers’ goal: to find and collect all useful information.
How can you protect yourself?
- Limit the information made available to the outside world. Publish only what is necessary.
- Explain to your employees the danger of public profiles in social media.
- Disable unused services and ports. Protect your company with a firewall and other security tools.
2. Weaponization
In the second phase, the information found is used to find a suitable attack method. If the technical barriers are too great or if there is no security hole available, cybercriminals usually resort to other methods that bypass the security systems. They used social engineering attacks like spear phishing emails or CEO fraud3. These attack methods are characterized by the fact that no security measures really provide a remedy, as human psychology is exploited.
The attackers’ goal: to use attack vectors based on the information gained.
How can you protect yourself?
- Maintain proper patch management and make sure systems are always up to date.
- Disable Office macros and limit JavaScript use.
- Disable add-ons such as Flash. These can contribute to malware running on your system without installation.
- Use standard technical protection measures such as antivirus programs, intrusion prevention systems, multi-factor authentication and maintain a security information and event management system.
3. Delivery
In the third phase, the attacker looks for an optimal way to place the malicious code into the system. The most popular and at the same time the easiest way to spread the malicious code is by means of phishing emails. According to the 2019 Data Breach Investigation Report4, a whopping 94% of malware delivery methods are email and 45% of emails receive infected Office documents. In addition to email, USB sticks distributed around the corporate campus are also a good option. Depending on the access to their company, attackers could also leave the prepared USB stick in more inconspicuous places, such as in the canteen, lounge or office.
The attackers’ goal: to smuggle the malicious code into the system.
How can you protect yourself?
- Sensitize your employees.
- Conduct a security awareness campaign.
- Under no circumstances should found USB sticks or other devices simply be plugged into the computer.
4. Exploitation
Let’s assume that Paul, an accounting employee, has received an e-mail from his financial manager Klara asking him to update the attached Excel document with the latest data and send it back to her. Dutiful as Paul is, he quickly gets to work. He downloads the document, activates the macros and is amazed to see that the spreadsheet is empty. This is how real-world cyberattacks usually occur. Once an employee downloads an infected attachment and activates the macros, the attacker can find ways to systematically spread.
The attacker’s goal: gaining privileged rights on the system.
How can you protect yourself?
- Use Data Execution Prevention System (DEP) to prevent malicious code execution in a privileged area.
- Install anti-exploit software to have protection against vulnerabilities.
5. Installation
Attackers attempt to gain administrative privileges once they have gained initial access. They then look for ways to spread across the network. They use tools that are available in conventional systems, in Windows this would be PowerShell, WMI or other tools such as psexec. These tools allow malicious code to be reloaded and connect to an external server, a control server. This attack method is called “living off the land”.
Attackers’ goal: to secure access to the system
How can you protect yourself?
- To limit the damage it is recommended to use Endpoint Detection and Response (EDR) solutions, these consist of tools that detect malicious activity on your networks.
- Have a contingency plan ready for your employees so they know what to do in the event of a compromise.
- Completely rebuild your systems after an attack.
6. Remote Control (C&C)
The control server is a system that regulates the communication between the attacker and the infected system. Using the control server, the attacker can control the system remotely and manipulate or load malicious code at will. Nowadays, attackers rent cloud services with automated domain generation algorithms to make tracking much more difficult.
Attackers’ goal: remote access and control of the system.
How can you protect yourself?
- Segment your networks to make lateral movement more difficult.
- Use Next Generation Firewalls, these not only examine the protocol and port used, but also check their content to detect unusual activity.
- Use current Indicators of Compromise (IoC) that point to a possible compromise.
7. Actions on objectives
Depending on the attacker’s motivation, there are numerous possible scenarios here in which the attacker can accomplish his work. In the final phase, the attacker executes his original plan. Possible scenarios would be, for example, copying the trade secrets, manipulating or reading out data, sabotaging the entire systems or penetrating further systems.
Example: Crafty attackers diverted payment transactions at a company in Köniz, Haag-Streit, and thus captured 2.4 million Swiss francs5. According to the company spokesman Christof Gassner, the perpetrators read the mail traffic for a while and noticed that a transfer payment was pending. The payment was diverted to an account in Mexico. The criminals are gone with the money and the proceedings are still ongoing, but the prospects for Haag-Streit to get the money back are poor.
The attackers’ goal: to carry out the desired action
How can you protect yourself?
- Use Data Leakage Prevention (DLP) systems to prevent unwanted data leakage.
- Use User Behavior Analysis (UBA) to identify patterns in user data that indicate possible malicious behavior.
Â
Attackers must go through the entire process to get to their target, while defenders can only stop the attack at one stage. In some cases, for example vishing, single or even multiple steps are skipped. As you can see from the Cyber Kill Chain, numerous technical solutions exist to achieve damage limitation. To prevent a successful attack from happening in the first place, we recommend raising awareness against possible deliveries.
Your employees are most often the first line of defense. If your employees are trained to deal with the threats by means of a Security Awareness Training or a Phishing-Simulation, you have significantly increased the security of your company. If the barricades are too high for the attacker in advance, it will also be unattractive for other attackers to pursue you as an attack target.
Test your Security Awareness now with our free demo of our Phishing-Simulation and get a comprehensive overview of what is included in our Security Awareness Training.
1 https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
² The CISO Perspective (05.02.2019). Breaking the Kill Chain: A defensive Approach.
[Video] Youtube. https://www.youtube.com/watch?v=II91fiUax2g
3 https://www.sans.org/security-awareness-training/blog/applying-security-awareness-cyber-kill-chain
4 https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
5 https://www.nau.ch/ort/koniz/konizer-firma-wird-gehackt-und-ausgebeutet-65764179
