In this article we discuss how to build a strong cyber defense by improving your security posture and understanding the phases of the cyber kill chain. To build a strong defense you need to understand the stages of an attack, because you want to add detection at the different points and moments of the attack. The core idea is that you can, and should, mitigate an attack as early in the kill chain as possible. Ideally you detect that something is happening already in the reconnaissance phase, when the attacker has not yet been able to perform much malicious activity inside the network. Let's go through the main aspects of each of those phases.
The reconnaissance phase, as the name says, is the phase in which the attacker gathers information about the target before the attack actually takes place. This is a very important phase, because it is by understanding the target that the attacker builds the campaign used to perform the malicious activity: a scam email, a phishing email, or something along those lines.
This leads us to weaponization. In this stage the attacker takes the information gathered during reconnaissance and weaponizes it, that is, puts it to malicious use. It is basically the creation of the artifact that will be used to compromise the victim. Next comes the delivery phase: the transmission of the attack itself to the victim. In our example, you gathered the information, you created your phishing campaign, and now it is time to send it to the victim.
But the phishing email may be only the entry point to something that happens in the next phase, exploitation. For example, the phishing email may carry a link that downloads a piece of malicious code, and that code then tries to exploit a vulnerability on the victim's machine; that is already part of the exploitation phase. Once the exploit succeeds, it is time for the next phase, installation: the malware is installed on the destination computer. Step by step the attacker gains more and more access to the target's system, which is exactly what the attacker wants.
Once the attacker is in, they can start doing other things, such as contacting the command and control server; this is the C2 phase. At this stage the attacker will try to extract more information, or even download more malicious code and install it on the compromised systems. Between C2 and the actions on objectives phase there are other things the attacker will try to accomplish.
Microsoft created a variation of the cyber kill chain to put it into practice, with a slightly different set of steps:
External reconnaissance → Compromised machine → Internal reconnaissance → Lateral movement → Local privilege escalation → Domain credential harvesting → Domain dominance
It starts with external recon, which is the reconnaissance phase described above. Then a machine is compromised through some sort of exploitation, taking advantage of a vulnerability. Then internal reconnaissance starts; notice that there is both external and internal reconnaissance. That is very common: once the attacker has established a foothold on the target machine, they can start doing internal recon of the network, because they now have access to an internal machine. From there the attacker performs further malicious actions such as lateral movement, local privilege escalation and harvesting of domain credentials, until reaching the point of full domain dominance.
Most likely it is during the C2 stage that the attacker places a Trojan on the compromised machine.
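To make the point about adding detection at each phase concrete, here is an added example (not code from this article, the lecture, or Microsoft) that tags constructed host and network events with the kill-chain phase they reveal, then reports per host how far the intrusion progressed and at which phase it first became observable. It uses the seven phases described above, with the Microsoft variant's internal steps represented by a lateral movement step slotted into the gap the text notes between C2 and actions on objectives. The event format, host names, IP addresses, file names and thresholds (20 ports for a sweep, under 10% interval jitter for a beacon) are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Kill-chain phases in attack order. "lateral_movement" stands for the Microsoft
# variant's internal steps, placed between C2 and actions on objectives
# (an assumed mapping for this example).
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "lateral_movement",
          "actions_on_objectives"]
RANK = {phase: i for i, phase in enumerate(PHASES)}


@dataclass
class Event:
    ts: int                     # seconds from the start of the constructed trace
    host: str                   # host whose sensor produced the event
    kind: str                   # "conn", "email", "process", "persistence" or "logon"
    data: dict = field(default_factory=dict)


def classify_single(ev):
    """Rules that need only one event. Returns a phase name, or None for benign."""
    d = ev.data
    if ev.kind == "email" and str(d.get("attachment", "")).lower().endswith(
            (".docm", ".iso", ".lnk")):
        return "delivery"               # weaponized attachment reaches the inbox
    if (ev.kind == "process" and d.get("parent") in ("WINWORD.EXE", "EXCEL.EXE")
            and d.get("image") in ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe")):
        return "exploitation"           # Office document spawning a script host
    if ev.kind == "persistence":        # Run key, scheduled task or new service
        return "installation"
    if ev.kind == "logon" and d.get("type") == 3 and d.get("src_host") not in (None, ev.host):
        return "lateral_movement"       # network logon coming from another workstation
    return None


def classify_sequences(events):
    """Rules that need several events: an inbound port sweep (reconnaissance) and
    evenly spaced outbound connections to one destination (a C2 beacon)."""
    inbound = defaultdict(lambda: (set(), []))   # (host, src) -> (dst ports, timestamps)
    outbound = defaultdict(list)                 # (host, dst) -> timestamps
    for ev in events:
        if ev.kind != "conn":
            continue
        if ev.data.get("dir") == "in":
            ports, stamps = inbound[(ev.host, ev.data["src"])]
            ports.add(ev.data["dport"])
            stamps.append(ev.ts)
        elif ev.data.get("dir") == "out":
            outbound[(ev.host, ev.data["dst"])].append(ev.ts)
    hits = []                                    # (host, phase, first timestamp)
    for (host, _src), (ports, stamps) in inbound.items():
        if len(ports) >= 20:                     # sweep threshold: an assumption
            hits.append((host, "reconnaissance", min(stamps)))
    for (host, _dst), stamps in outbound.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Five or more connections whose spacing varies by under 10% look like a
        # beacon; ordinary browsing or update traffic is far more irregular.
        if len(gaps) >= 4 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.1:
            hits.append((host, "command_and_control", stamps[0]))
    return hits


def summarize(events):
    """Per host: phases observed in kill-chain order, the earliest point at which
    the intrusion was detectable, and the deepest phase reached."""
    hits = []
    for ev in events:
        phase = classify_single(ev)
        if phase:
            hits.append((ev.host, phase, ev.ts))
    hits += classify_sequences(events)
    first_ts = defaultdict(dict)                 # host -> phase -> first timestamp
    for host, phase, ts in hits:
        first_ts[host][phase] = min(ts, first_ts[host].get(phase, ts))
    report = {}
    for host, seen in first_ts.items():
        ordered = sorted(seen, key=RANK.get)
        earliest = min(seen.items(), key=lambda kv: kv[1])
        report[host] = {"phases": ordered, "first_seen": earliest, "deepest": ordered[-1]}
    return report


# Constructed trace: a sweep of ws01, a macro document, persistence, beaconing,
# some benign noise, then a network logon on the file server coming from ws01.
SAMPLE = (
    [Event(t, "ws01", "conn", {"dir": "in", "src": "203.0.113.5", "dport": 1 + t})
     for t in range(25)]
    + [Event(3600, "ws01", "email", {"from": "billing@example.net", "attachment": "Invoice.DOCM"}),
       Event(3650, "ws01", "process", {"parent": "WINWORD.EXE", "image": "powershell.exe"}),
       Event(3700, "ws01", "persistence",
             {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"}),
       Event(3705, "ws01", "process", {"parent": "explorer.exe", "image": "notepad.exe"})]
    + [Event(t, "ws01", "conn", {"dir": "out", "dst": "198.51.100.9"})
       for t in (4000, 4060, 4121, 4179, 4240, 4301)]
    + [Event(t, "ws01", "conn", {"dir": "out", "dst": "cdn.example.com"})
       for t in (4010, 4500, 4512, 6000, 6001)]
    + [Event(5000, "fs01", "logon", {"type": 3, "user": "CORP\\alice", "src_host": "ws01"})]
)

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, info)
```

Running it shows the article's argument in the output: ws01 was detectable at reconnaissance (the sweep at second 0), hours before the phishing document arrived, while the beaconing and the network logon on fs01 only become visible once the attacker is already installed and moving laterally. Every later phase still gets its own rule, because a real sweep may come from an address you never see again and the earliest rule to fire is the one that happens to have coverage.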
What you really need to do is build a better security posture, and this applies not only to the cloud but to on-premises infrastructure as well. Security posture consists of three pillars: Protect → Detect → Respond.
*This article is based on Microsoft Press and Pearson Education materials and a lecture by Yuri Diogenes.