Cyber Kill Chain

attack lifecycle//stop an attacker from progressing further up the kill chain

adversaries won't operate in a linear manner

1. The recon stage is the initial stage

   1. choose target

   2. performs information gathering

   3. passive information gathering

   4. documentation on the target organization's web pages

   5. Job ads

   6. company partners

   7. specific information about antivirus tools, operating systems, and networking technologies

   8. actively scan external web applications and IP addresses

2. In the weaponize stage, the malware to be used for initial access is developed and embedded into some type of exploit or deliverable payload.

   1. crafted to be extremely lightweight

   2. undetectable by the antivirus and detection tools.

   3. the sole purpose of this initial stager is to provide remote access to a compromised machine in the target environment

   4. has the capability to persist through machine reboots

   5. ability to deploy additional tools and functionality on demand

3. In the delivery stage

   1. exploit or payload is delivered to the victim

   2. phishing emails contain a malicious attachment or a link to a web page.

   3. The web page either containing an exploit or hosting the malicious payload

   4. web page can also mimic a legit website used by the target organization

   5. trick the victim into entering their credentials and collect them

   6. call the victim on the phone with a social engineering pretext in an attempt to convince the victim to run the payload

   7. physical interaction is utilized to deliver the payload via USB tokens

4. The exploitation stage

   1. the moment when an exploit or a delivered payload is triggered

   2. attempts to execute code on the target system in order to gain access or control

5. installation stage

   1. common techniques used :

      • Droppers: Attackers may use droppers to deliver malware onto the target system.

        • A dropper is a small piece of code that is designed to install malware on the system and execute it.

        • The dropper may be delivered through various means, such as

          • email attachments

          • malicious websites

          • social engineering tactic

      • Backdoors: A backdoor is a type of malware that is designed to provide the attacker with ongoing access to the compromised system.

        • The backdoor may be installed by the attacker during the exploitation stage or delivered through a dropper. Once installed, the backdoor can be used to execute further attacks or steal data from the compromised system.

      • Rootkits: A rootkit is a type of malware that is designed to hide its presence on a compromised system.

        • Rootkits are often used in the installation stage to evade detection by antivirus software and other security tools. The rootkit may be installed by the attacker during the exploitation stage or delivered through a dropper.

6. In the command and control stage

   1. the attacker establishes a remote access capability to the compromised machine.

   2. use a modular initial stager that loads additional scripts 'on-the-fly'.

   3. advanced groups will utilize separate tools in order to ensure that multiple variants of their malware live in a compromised network

   4. if one of them gets discovered and contained, they still have the means to return to the environment

7. The final stage of the chain is the action or objective of the attack.

   1. exfiltrating confidential data

   2. obtain the highest level of access possible within a network to deploy ransomware

   3. Ransomware is a type of malware that will render all data stored on endpoint devices and servers unusable or inaccessible unless a ransom is paid within a limited timeframe