Cyber Kill Chain
The process for intrusion detection developed by Lockheed Martin is based on an actual military targeting model, F2T2EA: "Find, Fix, Track, Target, Engage and Assess".
There are seven stages in this model.
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on Objectives
Each infiltration by an attacker can be mapped onto the above seven steps. This has been demonstrated many times in case studies and in actual intrusion exercises. Well-known public case studies include the Sony, Target, JP Morgan Chase and Home Depot breaches, to name a few.
Reconnaissance:
This step involves basic information gathering from publicly available sources such as company websites, employee profiles on social media (especially LinkedIn) and whatever contact information can be found.
Weaponization:
In this stage the attacker develops an exploit and pairs it with a malicious payload, choosing both based on what was learned during reconnaissance. The most common example of such a payload is the Remote Access Trojan, also known as a RAT.
Delivery:
The exploit is delivered to the victim through a communication channel such as email, SMS or even a USB stick. A USB stick requires more user interaction, but it has succeeded many times; the best-known example is the Stuxnet worm.
</gml_replace>
<gr_replace lines="19" cat="clarify" orig="After the delivery">
Once the malicious file has been delivered to the victim's system or network, the exploit is triggered. This can happen through remote code execution (RCE), through a remote access token, or simply through a missing patch on a server or workstation that lets the attacker use the exploit.
Exploitation:
After the delivery of the infectious file to the victim’s system/computer/network. The exploit is access via the RCE(Remote code execution) or Remote access toke or a Simple patch miss on a server or machine that let the Attacker use that exploit.
Installation:
At this stage the attacker has a foothold on the victim's system, either through the RAT or through a backdoor made possible by the missing patch. The attacker now has persistent access and can maintain it.
Command and Control:
The exploited machine is used to open a command and control channel so the attacker keeps access to the asset from outside the network. This can be a manual or an automated process, and it can even be triggered by something as simple as pressing the Shift key multiple times.
Actions on Objectives:
The attacker now pursues the goal behind the previous six stages: moving laterally within the network and accessing the confidential data or information they were originally after.
The first two steps take place within the attacker's own network. Incident response can begin from the third step, and the model is a great help in tracking an intrusion from Delivery through to the Actions on Objectives the attacker or intruder carried out.
A SIEM (Security Incident and Event Management) system can be configured to monitor logs from multiple sources and correlate that information to detect and track an intrusion. This requires the SIEM to be configured properly, based on the business objectives and the assets being protected. An attack could start with nothing more than a phishing email carrying a known exploit that installs scripts, or that uses PowerShell or Sysinternals tools, which are easily blended into the victim's network. Once persistent, the attacker can then move laterally through privilege escalation and hide in plain sight by using a normal user's credentials, or even a privileged user's, to scour the network.
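To make the correlation idea concrete, here is a small Python example, written for this article and not taken from the original post or from any SIEM product. It classifies log events into the five kill-chain stages a defender can actually observe (Delivery onward, since Reconnaissance and Weaponization happen on the attacker's side) and raises an alert only when one host accumulates events across several stages. The log lines, hostnames, IP addresses and detection regexes are all constructed for illustration; real SIEM rules would be far richer, but the structure is the same.

```python
import re
from collections import defaultdict

# The stages a defender can observe in their own telemetry, in kill-chain order.
# Reconnaissance and Weaponization happen on the attacker's side and leave no
# reliable trace in the victim's logs, so they are not scored here.
OBSERVABLE_STAGES = [
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
]

# Constructed classification rules, one regex per stage. These are hypothetical
# signatures written for this example, not rules from any SIEM vendor.
RULES = [
    # Mail gateway delivered a macro-enabled or script-type attachment.
    ("Delivery", re.compile(r"\bmail-gw\b.*attachment=\S+\.(docm|xlsm|js|iso)\b")),
    # An Office process spawned PowerShell (Sysmon process-creation style fields).
    ("Exploitation", re.compile(r"\bsysmon\b.*ParentImage=.*(WINWORD|EXCEL)\.EXE.*Image=.*powershell\.exe")),
    # A new value under the user's Run key, i.e. persistence (Sysmon registry event).
    ("Installation", re.compile(r"\bsysmon\b.*EventID=13.*\\CurrentVersion\\Run\\")),
    # The proxy flagged periodic outbound connections (beaconing).
    ("Command and Control", re.compile(r"\bproxy\b.*beacon_interval=\d+s")),
    # A large read from a sensitive file share.
    ("Actions on Objectives", re.compile(r"\bfileserver\b.*share=\S*\\(Finance|HR)\b.*bytes_out=\d{8,}")),
]

HOST_RE = re.compile(r"\bhost=(\S+)")


def classify(line):
    """Return the kill-chain stage a log line indicates, or None if no rule matches."""
    for stage, pattern in RULES:
        if pattern.search(line):
            return stage
    return None


def correlate(lines):
    """Group classified events by host: host -> {stage: earliest timestamp seen}."""
    seen = defaultdict(dict)
    for line in lines:
        stage = classify(line)
        host = HOST_RE.search(line)
        if stage is None or host is None:
            continue
        ts = line.split()[0]  # ISO-8601 prefix, so string order is time order
        prev = seen[host.group(1)].get(stage)
        if prev is None or ts < prev:
            seen[host.group(1)][stage] = ts
    return seen


def alerts(lines, min_stages=3):
    """Hosts whose events span at least min_stages distinct stages, with the
    stages listed in kill-chain order. One matching event is usually noise;
    a host marching through several stages is an intrusion worth a ticket."""
    result = []
    for host, stages in sorted(correlate(lines).items()):
        ordered = [s for s in OBSERVABLE_STAGES if s in stages]
        if len(ordered) >= min_stages:
            result.append((host, ordered))
    return result


# Constructed sample events: one host walks the whole chain, another only beacons.
SAMPLE_LOGS = [
    r"2024-03-04T08:01:12Z mail-gw host=ws-042 user=jdoe from=billing@vendor.example attachment=invoice.docm verdict=delivered",
    r"2024-03-04T08:03:40Z sysmon host=ws-042 EventID=1 ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"2024-03-04T08:03:55Z sysmon host=ws-042 EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"2024-03-04T08:05:00Z proxy host=ws-042 dst=203.0.113.7 dst_port=443 beacon_interval=60s",
    r"2024-03-04T08:40:10Z fileserver host=ws-042 share=\\fs01\Finance bytes_out=240000000",
    r"2024-03-04T08:02:00Z mail-gw host=ws-017 user=asmith from=pm@corp.example attachment=agenda.pdf verdict=delivered",
    r"2024-03-04T08:10:00Z proxy host=ws-017 dst=198.51.100.5 dst_port=443 beacon_interval=30s",
]

if __name__ == "__main__":
    for host, stages in alerts(SAMPLE_LOGS):
        print(f"ALERT {host}: " + " -> ".join(stages))
```

Run as a script it reports only ws-042, which progresses from Delivery all the way to Actions on Objectives; ws-017 shows a single beaconing event and stays below the threshold. The threshold is the design choice that matters: set it to 1 and every beacon heuristic hit becomes a page, set it too high and you only learn about the intrusion once the data is gone. Tuning it per asset is what "configured based on the business objectives and the assets" means in practice.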
Follow up
MITRE's ATT&CK framework ties all of this into Tactics, Techniques and Procedures, and MITRE maintains a full catalogue of them, which in my opinion is useful in the real world. My next article will focus on the ATT&CK framework.