How Does Cyber Attack Happen?
Have you ever wondered how threat actors go about stealing money from banks, individuals and organizations?
How do millions of records leave the coffers of an organization and land in the hands of an attacker?
How easily do they destroy systems to deny users the services those systems provide?
And what about the trend of locking owners out of their digital assets until they pay a ransom to the adversary? None of these hacks happen the way we watch them in movies; they are not magic, they are practically PLANNED.
The success of an attack planned by an adversary against a target depends largely on three factors: intent, methods and opportunity. When all three are present, a cyber incident takes place. What we need to understand is that every attack is planned from beginning to end.
The adversary considers what their objectives are, weighs their options in terms of TTPs (Tactics, Techniques and Procedures), and makes sure the target presents every possible opportunity to get into its systems by looking for vulnerabilities and loopholes in the system, the network or the security policy.
The planning produces several iterated attack formats, each using a different possible TTP based on the opportunities the target presents. Over time, the format that could be considered the adversary's favourite is exploiting the human weakness of the target, which has proven potent over the years and will remain so as we move into the future. The human weakness, in this case, does not necessarily lie only in the employee as we all know it; it could be in top management officers, business partners and the organization's supply chain.
Many times, the adversary compares the cost (commitment in terms of time and resources) of breaking through an attack surface against the likely gain (how much in terms of money, fame and computing resources) from such an attempt.
So, if there is an easy way to get things done, why not take it? Social engineering has proven both effective and cost-effective for attackers to implement. It is always their favourite card, and it is now available in various formats such as spear phishing, Business Email Compromise, MiTM attacks, CEO fraud, etc.
Just last week, Check Point reported that $1 million a Chinese venture capitalist meant for an Israeli startup was lost to an adversary who had exploited the human weakness in both organizations. What a beautiful headline, but you need to understand how much commitment the adversary put into coordinating such an attack.
By following Lockheed Martin's Cyber Kill Chain, a methodology borrowed from the military, one can easily learn what is in the adversary's mind when planning an attack, which enables an organization to put the necessary controls in place at every level to strengthen its defense.
Walking an adversary through this methodology pictures what they might do at every stage of the attack plan, depending on their intent. To show some of these possibilities, we can dry-run an attack in which an adversary delivers a payload into an organization's network in order to get their hands on their objectives.
The Cyber Kill Chain
There are seven stages in the cyber kill chain; we can take them one after the other to see what actions the adversary performs at each stage.
Reconnaissance
- The target organization's employee posts information about his project, his position in the organization and his interests on social networking websites such as Facebook and LinkedIn.
- The adversary gathers the target employee's contact details from the social networking site.
- Gets to know the tools and applications the employee has worked with from LinkedIn and researches vulnerabilities in those applications.
- Extends the search to the organization's business partners and supply chain to understand the business communication process.
- Some reconnaissance requires the adversary to be physically present at the target location to study the organization's workflow.
Weaponization
- Using the information gathered at stage one, the attacker builds a deliverable malware payload from an exploit and a backdoor.
- Prepares a command and control server to manage his activities on the target's network, and drop-zone servers on the Internet.
- Drafts a believable phishing email with the malicious payload attached.
- Designs the attachment so that antivirus does not detect it.
Delivery
- The adversary sends the phishing email to the target employee, management officers or business partners.
- The email passes through the target organization's antivirus protection.
- A watering hole could also be the delivery route into the organization.
- So could social media interactions.
Exploitation
- The recipient at the target organization opens the genuine-looking email, downloads the attachment and double-clicks the malicious file.
- The file, which could come with various extensions (jpeg, pdf, docx etc.), is executed; it installs several files in the root folder and modifies registry keys.
- The adversary takes advantage of an unpatched vulnerability in the target system to escalate privileges.
Installation
- The malware is launched after installation, giving persistent access to the target system (using scheduled tasks, RunOnce and other registry functions).
- The malware sends a signal and establishes a backchannel with the command and control server, and opens various firewall rules to evade detection or blocking on endpoints.
- Spreads the infection to other end systems in the network as long as those vulnerabilities exist on them.
Command & Control
- Obtains locally stored password hashes, and the hash of a user account in the Domain Admins group from another workstation on the target's network (Pass-the-Hash).
- Establishes a two-way communication channel between the compromised systems and the C2 server using various protocols.
- Performs remote exploitation on the target system or network.
Actions on Objectives
- Searches all systems for files of interest (employee and customer PII, financial credentials, legal documents, R&D information) by connecting to them through the domain controller (DC).
- Exfiltrates the interesting files from the target systems to his drop-zone servers.
- Destroys systems, or encrypts information so that the organization pays a ransom.
- Takes the data to the dark web for sale.
If you work as a defender in your organization, you can also put controls in place to interrupt the attacker's moves along the cyber kill chain and contain the incident once a breach has been identified. Control mechanisms placed in the first three stages of the cyber kill chain help identify, detect, deny and contain the attack at an early stage, before exploitation and further damage can be done.
Defenders can try out the following:
- Check for metadata in documents leaving the organization for the public.
- Basic awareness training for employees, management officers and business partners on the information they share on social media networks such as LinkedIn, Twitter and Facebook, and on what to do when they receive unusual emails.
- Gather information about your domain and subdomain names and email addresses, and check for email accounts exposed in data breaches.
- Use tools to identify possible weaknesses on hosts, networks and applications before the attacker finds them.
- Understand your attack surface, find new campaigns and the related payloads being used, and put preventive or detective controls in place.
- Review your security policy and ensure you create controls (detection and prevention) for the possible delivery means an attacker can use.
- Ensure your logs (security devices, endpoints, network devices, e-mail, Active Directory, applications) arrive with contextual data.