Breaking The Kill Chain: A Defensive Approach


First developed by Lockheed Martin, the Cyber Kill Chain is a model that describes the steps an attacker must complete to carry out a successful intrusion. The model is made up of seven sequential steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally, actions on objectives. Because each step depends on the one before it, breaking any single step causes the whole chain to fail, and the earlier you break it, the less damage is done. Understanding these steps is crucial to developing a robust defensive strategy, with the NIST Cybersecurity Framework as a reference. In this blog, we'll look at tools and strategies for every phase that together add up to a multi-layered security plan for your organization.


RECONNAISSANCE

The first step of any attack is to gather information about the victim, also known as reconnaissance. This phase has two stages: passive and active.

  • Passive reconnaissance: The attacker gathers information without ever touching your systems, from publicly available sources like WHOIS records, DNS, Google, Shodan, job listings, and company websites. Nothing from this stage shows up in your logs.
  • Active reconnaissance: The attacker probes your network directly, looking for live hosts, open ports and service versions, using tools like Nmap for port scanning and banner grabbing, and vulnerability scanners. This is the stage you can actually detect, so it is where your monitoring should be tuned.

Defensive Measures

To defend against reconnaissance, limit both the information that is publicly available about your organization and what your systems give away when probed:

  1. Limit exposed details: Control what job postings reveal about your technology stack, train personnel on acceptable social media use, and suppress verbose error messages and version banners on public-facing servers.
  2. Disable unused ports and services: Every listening service is both a potential entry point and a source of fingerprinting information.
  3. Use honeypots: These act as decoys, diverting attackers' attention and revealing their tactics. Since legitimate users have no reason to touch a honeypot, any connection to one is a high-fidelity alert.
  4. Employ firewalls with IPS capabilities: These provide filtering and segmentation, and can recognize port sweeps and banner grabs that a plain packet filter logs but never correlates.
  5. Block known proxies and Tor exit nodes: These are commonly used to hide the attacker's real IP address. Treat this as one layer rather than a wall; commodity cloud and residential proxies are cheap, so the block raises the attacker's cost without stopping a determined adversary.
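Point 4 above is a correlation job: the firewall sees one denied packet at a time, and something has to notice that the same source touched a dozen ports in a few seconds. The following Python script is an added example (not from the original post) of that logic run over a constructed firewall log; the log format, the 60-second window and the 8-port threshold are all assumptions, so adapt them to your own firewall's output and traffic.

```python
"""Flag likely port scans in firewall logs (added example, not from the post).

A single source hitting many distinct ports on one host inside a short
window is the signature of active reconnaissance (e.g. an Nmap sweep).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. Format (assumed):
#   <ISO timestamp> <ACTION> <src_ip> <dst_ip> <dst_port>
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY 203.0.113.5 192.0.2.10 22
2024-05-01T10:00:01 DENY 203.0.113.5 192.0.2.10 23
2024-05-01T10:00:02 DENY 203.0.113.5 192.0.2.10 25
2024-05-01T10:00:02 DENY 203.0.113.5 192.0.2.10 80
2024-05-01T10:00:03 DENY 203.0.113.5 192.0.2.10 110
2024-05-01T10:00:03 DENY 203.0.113.5 192.0.2.10 143
2024-05-01T10:00:04 ALLOW 203.0.113.5 192.0.2.10 443
2024-05-01T10:00:04 DENY 203.0.113.5 192.0.2.10 445
2024-05-01T10:00:05 DENY 203.0.113.5 192.0.2.10 3389
2024-05-01T10:00:05 DENY 203.0.113.5 192.0.2.10 8080
2024-05-01T10:00:07 ALLOW 198.51.100.7 192.0.2.10 443
2024-05-01T10:05:00 DENY 198.51.100.7 192.0.2.10 22
"""


def parse_line(line):
    ts, action, src, dst, port = line.split()
    return datetime.fromisoformat(ts), action, src, dst, int(port)


def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=8):
    """Return {src_ip: set_of_ports} for every source that touched at
    least `threshold` distinct ports on one destination within `window`.

    ALLOW lines count too: a scan does not stop being a scan because a
    few of the probed ports happen to be open.
    """
    hits = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, _action, src, dst, port = parse_line(line)
            hits[(src, dst)].append((ts, port))

    alerts = {}
    for (src, _dst), events in hits.items():
        events.sort()
        start = 0
        # Sliding window: `start` trails `end` so the span never exceeds `window`.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= threshold:
                alerts.setdefault(src, set()).update(ports)
    return alerts


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {sorted(ports)}")
```

The threshold is deliberately per (source, destination) pair rather than per source, so a busy proxy or monitoring host that legitimately talks to many ports across many hosts is not flagged; a horizontal sweep (one port across many hosts) needs the mirror-image rule.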

WEAPONIZATION

Once an attacker has found a weakness, the next step is to find or build an exploit for it and pair it with a payload, such as a remote access tool or a malicious document. Common tools used in this phase include Metasploit, Exploit-DB, the Veil framework, and the Social-Engineer Toolkit (SET). Weaponization happens entirely on the attacker's side, so you cannot observe it directly; the defenses below work by removing the weaknesses a weapon would need.

Defensive Measures

  1. Patch management: Keeping all systems up to date with vendor patches is crucial, since the public exploits in the tools above target known vulnerabilities first.
  2. Disable unnecessary features: Office macros, browser plugins, and JavaScript where it is not needed (in PDF readers, for example) should be turned off, because they are the usual carriers for weaponized documents.
  3. Antivirus and IPS: Use these to detect and block known malware and exploit attempts. Signature-based detection catches reused weapons, not new ones, so it must be one layer among several.
  4. Email security: Implement an email gateway with antivirus and anti-spyware scanning to filter out malicious attachments and links before they reach the inbox.

DELIVERY

In the delivery stage, the attacker tries one or more avenues to get the weapon to the target. This can include malicious websites, social media interaction, email attachments and links, or even physical methods like infected USB drives left where an employee will find them.

Defensive Measures

  1. User awareness: Regular security training and simulated phishing campaigns that teach people to recognize and report suspicious messages.
  2. Email authentication: Publish and check SPF and DKIM to detect spoofed sender domains, and add a DMARC policy so that receiving servers know to quarantine or reject mail that fails both checks; without DMARC, SPF and DKIM results are advisory only.
  3. Web and DNS filtering: Prevent access to malicious sites and block DNS lookups for known bad domains.
  4. Disable USB ports: Where removable media are not needed, block USB mass storage through policy to prevent malware from being introduced on an infected drive.
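To make point 2 concrete, here is an added example (not part of the original post) of what a receiving mail server does when it checks SPF: it fetches the sender domain's `v=spf1` TXT record and walks the mechanisms until one matches the connecting IP. The records and the `FAKE_DNS_TXT` table are constructed so the check runs offline; a real implementation queries DNS and also handles the `a`, `mx` and `redirect=` terms left out here.

```python
"""Evaluate an SPF record for a sending IP (added example, offline).

A real receiver looks up the TXT record of the envelope-sender domain in
DNS; here a dict stands in for DNS so the example runs without network.
Supported terms: ip4, ip6, include, and `all` with +/-/~/? qualifiers.
"""
import ipaddress

# Constructed records: `FAKE_DNS_TXT` replaces real TXT lookups (assumption).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10 per check
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        if "=" in term:                 # modifier (exp=, redirect=)
            if term.lower().startswith("redirect="):
                return "permerror"      # redirect is not modelled in this example
            continue                    # exp= does not affect the result
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # `in` is False on an IPv4/IPv6 version mismatch, as it should be
                matched = ip in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            # include matches only if the referenced record itself returns pass
            matched = check_spf(value, sender_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"          # a, mx, ptr, exists not modelled here

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no `all` term present


if __name__ == "__main__":
    for ip in ("192.0.2.44", "198.51.100.10", "2001:db8::1", "203.0.113.9"):
        print(ip, "->", check_spf("example.com", ip))
```

SPF is evaluated against the envelope sender (MAIL FROM), not the From header the user sees, which is why DMARC's alignment requirement matters: a phisher can pass SPF for a throwaway domain while displaying yours.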

EXPLOITATION

During exploitation, the delivered weapon runs and the vulnerability is triggered. This could be a memory corruption bug like a buffer overflow, a web application flaw like SQL injection, or simply a user opening a malicious attachment that antivirus did not detect.

Defensive Measures

  1. Data Execution Prevention (DEP): This hardware-backed feature (the NX/XD bit) marks stack and heap pages non-executable, so shellcode injected into them cannot run. Pair it with address space layout randomization (ASLR); DEP on its own can be bypassed with return-oriented programming when code addresses are predictable.
  2. Anti-exploit features: Available in some antivirus and EDR solutions, these monitor applications for exploit-like behavior rather than known signatures, and so can catch previously unseen exploits.
  3. Sandboxing: This detonates and analyzes potentially malicious files in an isolated environment before they reach the endpoint. Malware increasingly checks for sandbox artifacts and stays dormant, so treat a clean verdict as evidence, not proof.

INSTALLATION

A successful exploit allows the attacker to install a payload and make it persist, so that control of the system survives reboots and logouts. Common techniques include DLL hijacking, installing remote access tools, and registry changes such as autostart entries under the Run keys.

Defensive Measures

  1. Isolation techniques: On Linux, run exposed services in a chroot jail (or better, a container or a seccomp-confined process, since chroot is not a security boundary for a process running as root). On Windows, restrict PowerShell where it is not needed using Constrained Language Mode, script block logging and application control such as AppLocker; removing it outright is rarely practical because it is a core OS component.
  2. Monitoring tools: User and Entity Behavior Analytics (UEBA) and Endpoint Detection and Response (EDR) solutions can detect and flag unauthorized changes, such as new services, new autostart entries, and binaries written to user-writable paths.
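As an added example of the kind of rule an EDR applies for point 2 (this is not code from the original post), the Python below reads constructed JSON records shaped like Sysmon Event ID 13 (registry value set) and flags writes to common autostart locations. The field names follow Sysmon's schema, but the events, the `ASEP_PATTERNS` list and the `USER_WRITABLE` heuristic are assumptions for this example; the severity bump for binaries under AppData, Temp and similar paths is what usually separates a vendor installer from a dropped implant.

```python
"""Flag registry writes to autostart locations (added example, not from the post).

Input is constructed JSON lines shaped like Sysmon Event ID 13
(RegistryEvent: value set). The field names follow Sysmon's schema;
the records themselves are invented for this example.
"""
import json
import re

SAMPLE_EVENTS = r"""
{"EventID":13,"Image":"C:\\Windows\\explorer.exe","TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","Details":"DWORD (0x00000001)"}
{"EventID":13,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","Details":"C:\\Users\\bob\\AppData\\Roaming\\svc.exe"}
{"EventID":13,"Image":"C:\\Windows\\System32\\msiexec.exe","TargetObject":"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray","Details":"C:\\Program Files\\Vendor\\tray.exe"}
{"EventID":13,"Image":"C:\\Windows\\System32\\services.exe","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\wupdsvc\\ImagePath","Details":"C:\\Windows\\Temp\\x.exe"}
{"EventID":13,"Image":"C:\\Windows\\System32\\regsvr32.exe","TargetObject":"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit","Details":"C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\p.exe"}
"""

# Autostart extensibility points (ASEPs) that persistence commonly abuses (assumed list).
ASEP_PATTERNS = [
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I),
    re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(?:Shell|Userinit)$", re.I),
    re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I),
    re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I),
]
# Paths an ordinary user can write to: a binary launched from here at boot is suspicious.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)


def find_autostart_writes(log_text):
    """Return a list of {image, key, value, severity} for each ASEP write."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 13:
            continue
        key = ev["TargetObject"]
        if not any(p.search(key) for p in ASEP_PATTERNS):
            continue
        value = ev.get("Details", "")
        # A launch path under a user-writable directory is the stronger signal.
        severity = "high" if USER_WRITABLE.search(value) else "medium"
        findings.append({"image": ev["Image"], "key": key, "value": value, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_autostart_writes(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['image']} wrote {f['key']} = {f['value']}")
```

The writer process is recorded deliberately: the same Run key write is routine from msiexec.exe during a vendor install and alarming from powershell.exe or regsvr32.exe, and that context is what an analyst triages on.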

COMMAND AND CONTROL

At this stage, the installed payload opens a channel back to attacker-controlled infrastructure and waits for instructions; this is the channel through which the attacker maintains control of the compromised system. Because almost every network allows outbound HTTP, HTTPS and DNS, command and control traffic usually hides inside those protocols, often calling home on a regular interval (beaconing).

Defensive Measures

  1. Network segmentation: Make it harder for attackers to move laterally and easier to spot a workstation talking to something it has no business reaching.
  2. Next-generation firewalls: Use these to block known command and control servers and to alert on outbound connections that do not fit the host's role.
  3. DNS security solutions: These can block botnet and command and control communications at the DNS level, and can also catch DNS being used as the channel itself (DNS tunneling).
  4. TLS inspection: Decrypt and inspect outbound SSL/TLS traffic at a proxy to avoid blind spots in encrypted communications. This requires deploying the proxy's CA certificate to endpoints, breaks applications that pin certificates, and raises privacy and legal questions, so define exemptions (banking, health, and similar categories) before turning it on.
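The regularity mentioned above is something you can measure even when the payload is encrypted, because connection metadata is still visible. The Python below is an added example (not from the original post) that groups a constructed connection log by source and destination and flags pairs whose inter-connection gaps have a low coefficient of variation. The log format, the six-connection minimum and the 0.2 cutoff are assumptions; an implant with a long sleep or heavy jitter will evade this, so it complements the DNS and firewall controls rather than replacing them.

```python
"""Find periodic outbound connections, the shape of C2 beaconing (added example).

An implant typically calls home on a fixed sleep, sometimes with a little
jitter. For each (src, dst) pair we measure the gaps between connections;
a low coefficient of variation (stdev / mean) means the gaps are regular.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log, not real traffic. Format (assumed):
#   <ISO timestamp> <src_ip> <dst_ip>
# 10.0.0.5 -> 203.0.113.77 is a 60 s beacon with a few seconds of jitter;
# 10.0.0.8 -> 198.51.100.20 is a person clicking around a website.
SAMPLE_CONNLOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.77
2024-05-01T10:00:00 10.0.0.8 198.51.100.20
2024-05-01T10:00:04 10.0.0.8 198.51.100.20
2024-05-01T10:00:05 10.0.0.8 198.51.100.20
2024-05-01T10:00:30 10.0.0.5 192.0.2.53
2024-05-01T10:01:02 10.0.0.5 203.0.113.77
2024-05-01T10:01:59 10.0.0.5 203.0.113.77
2024-05-01T10:02:30 10.0.0.8 198.51.100.20
2024-05-01T10:02:31 10.0.0.8 198.51.100.20
2024-05-01T10:03:01 10.0.0.5 203.0.113.77
2024-05-01T10:03:58 10.0.0.5 203.0.113.77
2024-05-01T10:04:10 10.0.0.5 192.0.2.53
2024-05-01T10:05:03 10.0.0.5 203.0.113.77
2024-05-01T10:06:00 10.0.0.5 203.0.113.77
2024-05-01T10:07:01 10.0.0.5 203.0.113.77
2024-05-01T10:09:00 10.0.0.8 198.51.100.20
2024-05-01T10:09:03 10.0.0.8 198.51.100.20
2024-05-01T10:12:00 10.0.0.5 192.0.2.53
"""


def beacon_candidates(log_text, min_connections=6, max_cv=0.2):
    """Return {(src, dst): {"count", "interval", "cv"}} for pairs whose
    connection gaps are regular enough to look like a beacon."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            times[(src, dst)].append(datetime.fromisoformat(ts))

    candidates = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue  # too few samples to call anything periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            candidates[pair] = {"count": len(stamps), "interval": avg, "cv": cv}
    return candidates


if __name__ == "__main__":
    for (src, dst), info in beacon_candidates(SAMPLE_CONNLOG).items():
        print(f"{src} -> {dst}: {info['count']} connections every "
              f"{info['interval']:.0f}s (cv={info['cv']:.2f})")
```

In production you would run this over a day of proxy or NetFlow records rather than a few minutes, and rank results by how many hosts share the destination: a beacon to a domain nobody else in the company talks to is the one to look at first.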

ACTIONS ON OBJECTIVES

Finally, the attacker executes actions to achieve the original objective, such as exfiltrating data, or moving laterally to higher-value systems and starting the chain over from there.

Defensive Measures

  1. Data Loss Prevention (DLP) and UEBA: DLP inspects outbound content (email, web uploads, removable media) and blocks data that matches sensitive patterns; UEBA does not block, but flags accounts and hosts whose volume, timing or destinations depart from their baseline, which is how a slow exfiltration gets noticed.
  2. Zero trust security model: Authenticate and authorize every request from every user and device regardless of network location, so that one compromised host or credential does not unlock everything behind the perimeter.
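As an added example of the content inspection a DLP engine performs (not code from the original post), the Python below scans an outbound message for payment card numbers. A digit-run regex alone would also match order numbers and timestamps; checking the Luhn checksum and the issuer prefix removes that noise before the match is redacted. The `SAMPLE_MESSAGE` is constructed and uses the publicly known test card numbers; the prefix table is an assumption that covers the major issuers only.

```python
"""Outbound content check for payment card numbers, as a DLP engine does it
(added example, not from the post).

A bare regex for 13-19 digit runs fires on order numbers, timestamps and
phone numbers; validating the Luhn checksum and the issuer prefix removes
most of that noise before anything is blocked.
"""
import re

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Major issuer prefixes (assumed subset): Visa 4, Mastercard 51-55 and 2221-2720,
# Amex 34/37, Discover 6011/65.
ISSUER_PREFIX = re.compile(r"^(?:4|5[1-5]|2(?:22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)|3[47]|6011|65)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_card_number(digits):
    return 13 <= len(digits) <= 19 and ISSUER_PREFIX.match(digits) is not None and luhn_ok(digits)


def scan_for_cards(text):
    """Return {"matches": [...], "redacted": text} with valid card numbers masked."""
    matches = []

    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not is_card_number(digits):
            return m.group(0)  # leave non-card digit runs untouched
        matches.append(digits)
        return "[REDACTED " + digits[-4:] + "]"

    return {"matches": matches, "redacted": CANDIDATE.sub(_mask, text)}


# Constructed message using the publicly known test card numbers.
SAMPLE_MESSAGE = (
    "Order 2024050112345678 shipped. Card on file: 4111 1111 1111 1111, "
    "backup 5500-0000-0000-0004. Call +1 415 555 0100 with questions."
)


if __name__ == "__main__":
    result = scan_for_cards(SAMPLE_MESSAGE)
    print("cards found:", result["matches"])
    print(result["redacted"])
```

The same structure (candidate regex, then a validator that rejects false positives, then an action) applies to any DLP pattern: for national ID numbers the validator is a check digit, for API keys it is the vendor's fixed prefix and length.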

SUMMARY

The kill chain is more than a model of how an attack is executed; it's also a blueprint for building a robust cybersecurity program. By implementing multiple layers of security throughout each phase, we make it increasingly difficult for an attack to succeed: the attacker has to get every step right, while the defender only needs to catch one. This approach deters most opportunistic attacks and buys detection time against the rest.
