The Cyber Kill Chain is a model used in cybersecurity to describe the various stages that adversaries go through during a cyber attack. It is essential for understanding and preventing cyber threats effectively. It’s important to note that various versions of the Cyber Kill Chain exist, and they may differ slightly in the number or definition of stages. Popular version of the Cyber Kill Chain includes the following stages:
1. Initial Recon: In the initial reconnaissance phase, cyber attackers engage in a comprehensive information-gathering process. They might employ various techniques, such as open-source intelligence (OSINT) gathering, scanning public records, social engineering, and even spear-phishing emails. Understanding the organization’s geographical location, network structure, employee details, and routines allows attackers to craft highly targeted attacks, increasing the likelihood of success. This phase may also involve footprinting and fingerprinting the target to identify vulnerabilities in the organization’s infrastructure.
2. Initial Compromise: The initial compromise is often the most critical stage in an attack. Attackers use various tactics, such as sending malicious emails (phishing), exploiting software vulnerabilities, or even physically infiltrating an organization’s premises. They may also use techniques like baiting, where they leave infected USB drives or enticing files in the hope that an unsuspecting employee will execute them. Once a foothold is established, attackers might install remote access tools or create user accounts to maintain control.
3. Establish Foothold: Creating a persistent backdoor is crucial for attackers to maintain access to the compromised system. They often install rootkits or malware that hide their presence, making it difficult for security personnel to detect and remove them. Additionally, attackers may manipulate startup scripts or use scheduled tasks to ensure their code runs automatically even after system reboots.
4. Escalate Privileges: Escalating privileges is essential for attackers to access sensitive information and critical systems. Techniques like privilege escalation exploits, brute-force attacks, and abusing misconfigured access control lists (ACLs) are used to gain higher-level access. Once elevated to admin or domain admin status, attackers can move laterally and compromise additional systems.
5. Internal Recon: After escalating privileges, attackers engage in a deeper reconnaissance of the network. They may scan for hidden assets, unpatched vulnerabilities, and unprotected backup servers. This phase often involves using network mapping tools and vulnerability scanners to identify weak points within the network’s defenses.
6. Move Laterally: To achieve their objectives, attackers must navigate through the network to reach their target. They use tools like PowerShell, PsExec, or lateral movement techniques to hop from one system to another. The lateral movement phase is a careful process to avoid triggering security alerts and to remain undetected.
7. Maintain Presence: Attackers work to maintain their access and control over the network. They may periodically update their tools, modify configurations, and cover their tracks by deleting logs or altering event records. Maintaining persistence ensures that they can continue their operations for an extended period.
8. Complete Mission / Exfiltration: The final phase involves accomplishing the attacker’s primary mission, which may include data theft, data destruction, or other malicious activities. To avoid detection, attackers aim to leave no traces behind, erasing any evidence of their presence, which could be used to identify them or reveal their methods.
MITRE ATT&CK
The MITRE ATT&CK framework is an extensive resource that catalogs adversary behaviors and techniques during various stages of cyberattacks. It offers a highly detailed perspective on tactics, techniques, and procedures (TTPs) used by adversaries. This framework complements the Cyber Kill Chain model by providing in-depth insights into attacker behaviors at each stage, allowing organizations to develop more targeted cybersecurity defenses. By mapping the Cyber Kill Chain stages to specific MITRE ATT&CK techniques, organizations can enhance their threat detection and mitigation strategies. For a more detailed understanding and practical application of this framework, you can explore it further on the MITRE website: MITRE ATT&CK.
Example for a attack techniques map in MITRE ATT&CK
Network Models:
- OSI Model:
- The OSI (Open Systems Interconnection) model is primarily an educational framework used to understand how different networking protocols and functions interact in a network. It divides network communication into seven distinct layers, each with specific roles.
- The layers in the OSI model, from the top layer (Application) to the bottom layer (Physical), are as follows:
- Application: This layer deals with end-user applications, such as web browsers and email clients.
- Presentation: Responsible for data translation, encryption, and compression.
- Transport: Adds functionality related to ports and manages end-to-end communication, including error checking and data segmentation.
- Network: Focuses on routing, addressing, and logical network structure, with source and destination IP addresses added at this stage.
- Data Link: Manages data link layer protocols and includes MAC (Media Access Control) addresses. Error checking is also performed at this layer.
- Physical: This is the lowest layer and deals with the actual physical hardware, such as network cables and network interface cards.
- TCP/IP Model:
- The TCP/IP model is a more practical representation of how network protocols function in real-world networking. It corresponds closely to the actual protocols and technologies used on the internet. The model simplifies the networking stack into four layers:
- Application (Service): Corresponds to the OSI Application layer, including high-level protocols like HTTP, FTP, and DNS.
- Transport: Similar to the OSI Transport layer, this layer is responsible for end-to-end communication and includes protocols like TCP and UDP.
- Internet: Corresponds to the OSI Network layer, managing routing and addressing. IP (Internet Protocol) operates at this level.
- Network Access: This layer encompasses functions related to both OSI Data Link and Physical layers, dealing with the physical transmission medium and network interface hardware.
- The TCP/IP model is a more practical representation of how network protocols function in real-world networking. It corresponds closely to the actual protocols and technologies used on the internet. The model simplifies the networking stack into four layers:
WireShark:
WireShark is a powerful, open-source network protocol analyzer that allows users to capture, inspect, and analyze network traffic in real-time. It offers several features and use cases, including:
- Monitoring Network Traffic: WireShark captures and displays all data packets that traverse a network. This real-time visibility can help in assessing network performance and identifying issues, such as packet loss, latency, or unusual traffic patterns.
- Diagnosing and Monitoring the Network: Network administrators and security professionals use WireShark to diagnose network problems, investigate security incidents, and identify any unusual or suspicious network behavior.
- Fixing the Network: After identifying issues or anomalies, administrators can make necessary adjustments to network configurations, routers, or other components and then use WireShark to check if the changes resolve the problems.
- Learning Network Structure: WireShark can be used to learn more about a network’s architecture and understand how different devices communicate with one another. This knowledge is valuable for network optimization and security.
Key Features of WireShark:
- Real-Time Information Perception: WireShark provides real-time monitoring and analysis of network traffic, allowing users to observe all data flowing through the network as it happens. This is useful for immediate issue detection and response.
- File Import/Export: WireShark allows the capture of network traffic data to be saved in files for later analysis. This feature is crucial for storing historical network data and for sharing data with other professionals for collaborative analysis.
- Open Source and Package Monitoring: WireShark is an open-source tool, which means that it is freely available and supported by a community of contributors. It uses popular packet monitoring libraries like WinPCAP or LibPCAP to capture network packets efficiently.
Using Wireshark
