Why would threat actors prefer to use a zero-day attack in the cyber kill chain weaponization phase?

In this article, we look at the Cyber Kill Chain from both the attacker's and the defender's perspective, which makes it easier to understand and remember. We also discuss whether the Cyber Kill Chain is outdated.

What is Cyber Kill Chain?

[Image: Cyber Kill Chain diagram showing the seven steps. src – lockheedmartin.com]

The Cyber Kill Chain (CKC) is a framework developed by Lockheed Martin as part of its Intelligence Driven Defense model for identifying and preventing cyber intrusion activity. Essentially, the Cyber Kill Chain is a series of steps through which most cyber attacks can be traced. The CKC framework helps IT and security teams understand even advanced attacks such as ransomware, security breaches, and advanced persistent threats (APTs).

As the image above shows, there are seven steps in the Cyber Kill Chain framework. The seven steps enhance visibility into an attack and enrich an analyst's understanding of an adversary's tactics, techniques, and procedures.

In the next section, we discuss all seven steps from the attacker's and the defender's perspective.

Cyber Kill Chain Steps

1. Reconnaissance

The attacker chooses a target and researches it to find vulnerabilities in its systems or organization, then plans tactics against the specific vulnerabilities found. Reconnaissance includes steps such as scanning the network for open ports and performing OSINT research.

In this step, the defender may observe precursors of the attack, such as the attacker's IP address appearing in logs as a result of the port scanning.

2. Weaponization

In this step, the attacker creates malware, such as a worm or virus, to exploit the target's vulnerability. The weapon may exploit either known vulnerabilities or unknown ones (zero-day attacks). Most of the time the attacker builds their own backdoor rather than using a prebuilt program to exploit the system.

This step is very hard for defenders to detect because it happens outside their organization. The only thing they can do is prepare in advance, for example by deploying anti-virus and hardening their systems.

3. Delivery

In this step, the attacker delivers the weapon to the target through some medium: a spear-phishing email, a USB stick, or any other channel.

In this step, defenders should employ all available email defenses and attachment sandboxing.

4. Exploitation

In this step, the malware delivered by the attacker starts to act. The attacker's main goal here is to exploit the system to gain higher privileges, so most of the time they exploit vulnerabilities such as code execution flaws.

Defenders can prepare for this step by implementing security policies, hardening the system, performing vulnerability management, and remediating all known vulnerabilities.

5. Installation

In this step, the malware creates a backdoor or access point that only the attacker can use. With this, they try to stay persistent and keep a foothold in the infected system.

Defenders can deploy EDR (Endpoint Detection and Response) to check for any malicious presence and remove it.

6. Command and Control (C2)

In this step, the attacker finally gains full command over the system: the malware gives the attacker remote access and control.

If the attack reaches this step, it is the defender's last chance to stop it, by blocking the command channel by whatever means are available.

7. Actions on Objectives

In this step, the attacker has full and persistent access to the system and can finally fulfill their purpose, such as deploying ransomware, exfiltrating data, or destroying data. They can complete whatever objectives they have.

In this step, the defender has to act quickly to prevent further damage.

Is Cyber Kill Chain Outdated?

Cyber attack tactics change constantly, and sometimes this model does not show how an attack actually took place. Researchers cite further reasons for considering it outdated, such as the Cyber Kill Chain providing no information about insider threats.

To tackle this problem, MITRE combined its ATT&CK framework with the CKC framework to create the Unified Kill Chain (UKC), which solves most of the problems with the Cyber Kill Chain. The UKC can be used in exactly the same way as the Cyber Kill Chain to work through cyber attacks.


The Cyber Kill Chain was created by defense giant Lockheed Martin and describes the phases of a targeted cyberattack. The seven stages of the cyber kill chain give deep insight into a cyberattack and help organizations understand an adversary's tactics, techniques and procedures. Stopping cybercriminals at any stage breaks the chain of the attack. A cybercriminal must progress through every phase to succeed, and this requirement is the defender's biggest advantage. Every attack is a chance to learn more about adversaries and to turn their persistence against them.

The seven stages of the cyber kill chain are explained below:

1) Reconnaissance

This stage of the kill chain describes how cybercriminals plan their attacks. Before launching an attack, they gather as much information as possible by studying targets through public websites, following employees on social media and using any other public information. Attackers also scan the organization's network for vulnerabilities, services and applications they can exploit to achieve their goals.

Detecting reconnaissance as it happens is extremely difficult for organizations, but when they succeed, it can reveal the intent of the bad actors.
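Both reconnaissance sections above make the same point: a port scan leaves precursors, typically one source IP touching many destination ports in a short time, in the defender's firewall logs. The following is an added example, not code from either article, showing how a defender might pick those precursors out of a log export. The log line format, the field names (`src`, `dst`, `dport`), the 60-second window and the five-port threshold are all assumptions chosen for the example, and the log lines are constructed sample data, not real traffic.

```python
"""Port-scan precursor detection over constructed firewall log lines.

Added illustration, not code from the original articles. The log format,
field names and thresholds are assumptions chosen for this example; adapt
parse_line() to your firewall's real export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not real traffic). Assumed format:
# "<ISO timestamp> <action> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY src=203.0.113.5 dst=192.0.2.10 dport=21
2024-05-01T10:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2024-05-01T10:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=23
2024-05-01T10:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=25
2024-05-01T10:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=80
2024-05-01T10:00:03 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=443
2024-05-01T10:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=3389
2024-05-01T10:00:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=8080
2024-05-01T10:00:00 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
2024-05-01T10:00:30 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
2024-05-01T10:05:00 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=80
2024-05-01T11:30:00 DENY src=203.0.113.5 dst=192.0.2.10 dport=5900
"""


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        return ts, fields["src"], fields["dst"], int(fields["dport"])
    except (ValueError, KeyError):
        return None


def detect_port_scans(log_text, window=timedelta(seconds=60), min_ports=5):
    """Return {src_ip: distinct_port_count} for every source that touched at
    least `min_ports` distinct destination ports inside some sliding window of
    length `window`. Normal clients reuse a few ports over a long time; a
    scanner hits many ports in seconds, which is the precursor described above.
    """
    events = defaultdict(list)  # src -> list of (timestamp, dport)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, _dst, dport = rec
            events[src].append((ts, dport))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({port for _, port in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= min_ports:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for ip, count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {ip}: {count} distinct ports within 60s")
```

On the constructed sample only `203.0.113.5` is flagged (eight distinct ports in four seconds); the second host reuses ports 443 and 80 over five minutes and never exceeds the threshold, and the lone probe at 11:30 falls outside the window and does not inflate the count.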

2) Weaponization

In the second stage of the kill chain, cybercriminals analyze the collected data to determine a suitable attack method. They may embed malicious code disguised as an important invoice, PDF file, Word document or email message. If the attack is highly targeted, the lure must be tailored to the specific interests of the victim. Attackers may also target flaws in specific operating systems, firewalls and other technologies.

Defenders must understand this stage of the cyber kill chain. Even though they cannot detect weaponization as it happens, they can analyze malware artifacts afterwards, and doing so helps companies build robust and resilient defenses.


3) Delivery

Endpoints, meaning the humans using them, are the primary means of delivery, whether through a drive-by download from a website, a targeted phishing attack, or an employee-owned device that is infected and then connects over the secure VPN. The weapon may also be delivered through a vulnerable application, especially a web application, which can be manipulated through cross-site scripting, form field tampering and other means.

To mitigate cyberattacks, it is essential to understand how they might be delivered. Good cyber hygiene, such as ignoring attachments sent by unknown senders and avoiding clicks on third-party links, helps protect the organization's network.

4) Exploitation

The fourth stage of the kill chain becomes dangerous if it is not neutralized in time. Exploitation of the organization's network always begins with one infected system, either through a DNS server or through an infected endpoint. Once a single system on the network is infected, malicious activity can spread at lightning speed, and when the cybercriminal gains complete access, they can scan the network for specific applications and servers from which to steal data. Once installed, the malware hides its presence from security devices.

At this stage, organizations must work hard to identify and stop the malware from spreading. Although traditional hardening measures add resilience, custom detection capabilities are equally important for stopping zero-day exploits at this stage.

5) Installation

Installing malware on the compromised computer applies only when attackers use malware as part of the cyberattack. During installation, the dropper program disables host-based security controls and hides the malware. However, deploying endpoint instrumentation across the organization's network helps detect and log installation activity and block the process entirely.

6) Command & Control

Cybercriminals create a command channel back through the internet to a server they control, which lets them pass commands and data back and forth between the infected devices and that server. However, this stage can be contained by blocking command-and-control traffic and other unexpected outbound communication.

7) Action or Execution

In the final stage of the kill chain, attackers have complete control over the target systems and send confidential data and files outside the organization. Outbound traffic monitoring can readily identify this last stage of an attack, so to bypass such controls cybercriminals send their data through unsuspected servers and use very low-and-slow bursts to evade outbound protections.
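The Command & Control section and this final stage describe two things a defender looks for in outbound traffic: a command channel that calls home on a regular schedule, and exfiltration split into bursts so small that no single transfer trips a per-flow limit. The block below is an added example, not code from either article, showing both checks over constructed outbound flow records. The record format, the field names (`src`, `dst`, `bytes_out`), the beacon criteria (at least five flows with interval jitter under 10%) and the 5 MB per-day budget are assumptions chosen for the example; the sample records, including the host `files.example.org` and the 900 KB hourly transfers, are constructed, not observed data.

```python
"""Outbound traffic monitoring: C2 beaconing and low-and-slow exfiltration.

Added illustration, not code from the original articles. The flow format,
field names and thresholds are assumptions chosen for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed outbound flow records (not real traffic). Assumed format:
# "<ISO timestamp> src=<ip> dst=<host> bytes_out=<n>"
SAMPLE_FLOWS = """\
2024-05-01T09:00:00 src=10.0.0.5 dst=cdn.example.net bytes_out=1200
2024-05-01T09:00:07 src=10.0.0.5 dst=cdn.example.net bytes_out=800
2024-05-01T09:03:21 src=10.0.0.5 dst=cdn.example.net bytes_out=15000
2024-05-01T09:00:00 src=10.0.0.8 dst=203.0.113.44 bytes_out=400
2024-05-01T09:05:00 src=10.0.0.8 dst=203.0.113.44 bytes_out=410
2024-05-01T09:10:01 src=10.0.0.8 dst=203.0.113.44 bytes_out=405
2024-05-01T09:15:00 src=10.0.0.8 dst=203.0.113.44 bytes_out=398
2024-05-01T09:20:00 src=10.0.0.8 dst=203.0.113.44 bytes_out=402
2024-05-01T09:25:00 src=10.0.0.8 dst=203.0.113.44 bytes_out=401
"""
# Constructed low-and-slow exfiltration: twelve 900 KB uploads spread over the
# working day at irregular minutes, each far below a 1 MB per-flow alert line.
SAMPLE_FLOWS += "".join(
    f"2024-05-01T{h:02d}:{17 + (h % 3) * 13:02d}:00 src=10.0.0.9 "
    f"dst=files.example.org bytes_out=900000\n"
    for h in range(8, 20)
)


def parse_flow(line):
    """Parse one flow record into (timestamp, src, dst, bytes_out); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        fields = dict(p.split("=", 1) for p in parts[1:])
        return (datetime.fromisoformat(parts[0]), fields["src"],
                fields["dst"], int(fields["bytes_out"]))
    except (ValueError, KeyError):
        return None


def load_flows(text):
    return [rec for rec in map(parse_flow, text.splitlines()) if rec]


def group_by_pair(flows):
    """Group flows by (src, dst) into time-sorted lists of (timestamp, bytes)."""
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        pairs[(src, dst)].append((ts, nbytes))
    for evs in pairs.values():
        evs.sort()
    return pairs


def detect_beacons(flows, min_flows=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    Implants polling a C2 server tend to connect on a fixed timer; human-driven
    traffic has highly variable gaps. Returns {pair: mean interval in seconds}.
    """
    found = {}
    for pair, evs in group_by_pair(flows).items():
        if len(evs) < min_flows:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        # Coefficient of variation: std-dev relative to the mean interval.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[pair] = round(avg)
    return found


def detect_low_and_slow(flows, daily_budget=5_000_000, window=timedelta(days=1)):
    """Flag pairs whose bytes_out summed over any `window` exceeds the budget.

    Returns {pair: (max_window_total, largest_single_flow)} so the reader can
    compare the aggregate against what a per-flow threshold would have seen.
    """
    found = {}
    for pair, evs in group_by_pair(flows).items():
        start, running, best = 0, 0, 0
        for end in range(len(evs)):
            running += evs[end][1]
            while evs[end][0] - evs[start][0] > window:
                running -= evs[start][1]
                start += 1
            best = max(best, running)
        if best > daily_budget:
            found[pair] = (best, max(n for _, n in evs))
    return found


if __name__ == "__main__":
    flows = load_flows(SAMPLE_FLOWS)
    for (src, dst), secs in detect_beacons(flows).items():
        print(f"beacon-like traffic {src} -> {dst}: every ~{secs}s")
    for (src, dst), (total, biggest) in detect_low_and_slow(flows).items():
        print(f"slow exfil {src} -> {dst}: {total} bytes/day, largest flow {biggest}")
```

On the sample, the host talking to `203.0.113.44` every 300 seconds with one-second jitter is reported as beacon-like, while the CDN traffic is too sparse and irregular to qualify. The uploads to `files.example.org` total 10.8 MB for the day even though the largest single flow is 900 KB, which is exactly the case a per-transfer threshold misses and a per-destination daily aggregate catches.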