04.02 Cyber Kill Chain

An advanced understanding of Threat Actor Workflows

The "Cyber Kill Chain"

Understanding the mechanisms behind cyber-attacks is crucial for effective cybersecurity.

One of the key frameworks that help us dissect and comprehend these attacks is the Cyber Kill Chain. Developed by Lockheed Martin, this model outlines the stages of a cyber-attack.

In this lecture, we will explain the Cyber Kill Chain at a high level, which will set us up for the lectures that follow.

Lesson Summary

The cyber kill chain is a step-by-step process followed by threat actors during cyber attacks.

The goal can range from poisoning a water supply to stealing money through compromising a financial analyst's machine.

The process involves:

  • Gaining initial access.
  • Moving laterally through the network.
  • Conducting reconnaissance.
  • Compromising more machines.
  • Finally achieving the objective.

The cyber kill chain is iterative, meaning it can be repeated multiple times until the desired goal is reached.

Understanding the cyber kill chain is crucial for attackers and defenders alike; for defenders, it is the basis for effectively preventing and mitigating cyber threats.

The Cyber Kill Chain is a framework developed by Lockheed Martin that outlines the stages of a cyber-attack.

In this lecture, the lecturer gives a high-level overview of the Cyber Kill Chain:

  • Reconnaissance: Attackers gather information on their targets.
  • Weaponization: Attackers choose the tools or methods to exploit vulnerabilities in the target's systems.
  • Delivery: Attackers send the weapon or exploit to the victim, often through phishing emails or exploiting technical vulnerabilities.
  • Exploitation: Attackers gain control over the victim's machine or network when the victim interacts with the weapon or the exploit fires.
  • Persistence: Attackers install mechanisms to maintain access and control over the compromised system.
  • Command and Control: Attackers establish a means to communicate with and manage compromised systems.
  • Action on Objective: Attackers take actions on their objective, such as stealing information or causing damage.

The Cyber Kill Chain provides a structured understanding of how attackers operate, enabling better defense and prevention of cyber-attacks.

Transcription

00:00:03:04 - 00:00:32:10


Hello and welcome to the first lecture in the Threat Actor Workflow section, the Cyber Kill Chain. You're going to love this one. So this is a graphic depiction of the cyber kill chain now. Lockheed Martin is credited with developing this, but many, many different vendors inside the cybersecurity space have their own version and their own flavor of the cyber kill chain.


00:00:32:16 - 00:01:04:23


But basically, they're all very similar to what you're seeing right here. Now, I'm going to walk through it. Now, what do you need to know about the cyber kill chain? When we think of threat actors, cyber criminals, whether they're nation state threat actors or they're financially motivated or they're hacktivists, ideologically motivated, whatever it is, if somebody is going to commit some type of cyber attack or cyber crime, they're typically going to follow this exact methodology.


00:01:04:27 - 00:01:42:02


Now, there's all sorts of different ways of implementing this methodology, but at a kind of theory base, this is the workflow, and we're going to go through each of these steps. Okay. Starting at the top, you can see reconnaissance. Now, reconnaissance is critically important, and in any attack of any type, there will always be some form of reconnaissance, even if it's just a massive spray and pray phishing attack for, you know, scams and such where they're emailing tens of thousands of people.


00:01:42:05 - 00:02:15:18


Those criminals still needed to harvest a list of viable email addresses. So they got that through some level of reconnaissance. Now, you can see in the graphic there's a couple examples, but recon is typically getting information on people that are within your target scope, infrastructure like operating systems, IP addresses, tech stack of whatever your target is, as well as, if possible, what kind of processes they have.


00:02:15:21 - 00:02:35:18


Right. So maybe you're going to case a building and you're going to break into the server room. Perhaps you look at what the processes are for employee swipe in and swipe out, right? Maybe they use a swipe badge to check in, or maybe they do a retinal scan or whatever it is you don't know, but you're going to do your reconnaissance to make sure you understand as best you can.


00:02:35:25 - 00:03:13:24


And there are a whole host of tools and techniques for doing reconnaissance. If you are interested in learning more, look into open source intelligence, or OSINT as it's called. I put some links in the additional information section. But OSINT is very, very cool, and basically whenever a cybercriminal is going to, say, attack a college or a university or a bank or a country, they need to know where they're sending their assets and their tooling and their malware and stuff like that.


00:03:13:24 - 00:03:44:00


So this is the recon. So at this point, moving on to step two, the threat actor knows some information on its target. Let's just make a fun little silly example here. Let's say a threat actor operating out of Europe is going to attack a water treatment plant in the United States. Okay. Well, maybe they did their recon and they went online and they looked at LinkedIn to see who worked there.


00:03:44:02 - 00:04:05:28


They looked at the different roles that were there. Maybe they went to the website for the water treatment plant, if there is one, and looked at what kind of technologies are there. Perhaps they went onto Google Earth or Google Maps and walked around the physical plant. Maybe they saw somebody on social media at a happy hour and could see that their swipe badge was present in the photos.


00:04:05:28 - 00:04:28:12


They could make a duplicate of that if they wanted. Maybe they sent an email pretending to be a salesperson to the CIO at this water treatment plant in order to get a response to see what the email address scheme is. Right. So maybe it's first letter, last name at water treatment plant dot com, right. Just to be silly.


00:04:28:14 - 00:04:56:16


And what this means is now I can look at LinkedIn and say, okay, there's somebody in finance named Carl Jenkins. And if it's first letter, last name, good chance that his email address is C Jenkins. So now I can email him, maybe a little bit easier, softer of a target, right? Maybe you go on social media and then look at this Carl Jenkins and understand what sports teams they're into or things that are politically upsetting to them.


00:04:56:19 - 00:05:27:00


Something that you can use to leverage later on in the kill chain. Now, moving on to weaponization, Step two, whether you're going to send a phishing email to Carl Jenkins or you're going to exploit a technical vulnerability on the web server for this water treatment plant, or perhaps you've found where employees remotely log into. They set it up during the pandemic and it's still up allowing for remote workforce, whatever it is.


00:05:27:02 - 00:05:52:16


Once you understand what the attack surface is based on your reconnaissance, then you're going to choose what the weapon is you use to attack this organization. Now, think of it as like a fishing tackle box or a golf bag. Right. If you're on, you know, if you golf. Right, say you're on like the tee box for a 500-yard course, you're not going to pull the putter out.


00:05:52:16 - 00:06:08:07


Right? You're going to pull the driver out. Same with like fishing. Just to use another example for folks, you know, you're going to use the right lure to catch the right fish based on where you're fishing. Right. Or as a cooking example, you know, if you're making bread or something, you're going to use like a rolling pin to roll out the dough.


00:06:08:07 - 00:06:32:26


You're not going to use a spatula, right? It's the right tool based on the situation and circumstances based on your reconnaissance. So in this instance, let's just pick a, you know, email that's going to go to Carl Jenkins. And the goal is to steal money from this water treatment plant. Okay, So we've got our weapon selected. Now, step three is delivery.


00:06:32:26 - 00:06:58:20


And this is pretty straightforward. This is sending the weapon we chose to the recipient or the victim. Now, this could be an individual like Carl Jenkins getting the email. It could also be, you know, sending an attack at the web server that we identified or that remote access gateway we identified. Right. It could be a technical exploitation. It could be an attack in the process.


00:06:58:21 - 00:07:15:13


Remember earlier we talked about the badge being able to swipe in. A lot of attacks happen over the Internet, but sometimes you physically go there. So maybe we make a fake badge and we walk up to the badge and we wait for someone to swipe in and we walk in right behind them, making it look like we swipe in.


00:07:15:16 - 00:07:38:04


But we really didn't. They swiped in for us and we just tailgated with them, right? But the process had a weakness there. They didn't have like one of those turnstiles where one person could pass through at a time. It's a swipe and walk, swipe and walk, and you're able to get right in there. Okay. So for this example, we're going to deliver our weapon via email to Carl Jenkins, who works in finance.


00:07:38:07 - 00:08:03:19


And we're simply going to say, Hey, Carl, you know, there was a mistake on the last invoice. Please see updated invoice. Now we're hoping maybe during our reconnaissance we saw in a newspaper clipping that this water treatment plant recently signed a big deal with a major technology provider. Well, we pretend to be that technology provider and we send an invoice with our bank account attached to it.


00:08:03:21 - 00:08:27:10


Maybe Carl's not paying attention. Right. Maybe Carl's expecting an invoice and wants to send it. Okay. Or maybe we want to get into Carl's machine and send the money ourselves. So instead of a fake invoice email, we send an attachment that has malware associated. We're going to take over Carl's machine. Okay, let's do that. So we send the email.


00:08:27:12 - 00:09:02:12


Carl: Hey, it says, Click on the link below to see the invoice. Carl clicks on it. It opens up. Nothing happens. It doesn't look like an invoice. Carl is confused, but just closes it and moves on. However, when Carl clicked on it, step four happened. Exploitation. Carl's laptop or business workstation got taken over by the malware we delivered, because it's the piece of technology we chose during weaponization, which made sense because of the reconnaissance. We've exploited


00:09:02:14 - 00:09:21:17


Carl's machine. Now, just in full disclosure, we have access to Carl's machine at this point. Let's go to step five. Perhaps with exploitation, we just get access. We want to maintain that access. Right. We don't want to have to have Carl click on things every single time. So one of the first things we're going to do is step five.


00:09:21:17 - 00:09:41:14


We're going to install a persistence mechanism, something that's going to allow us to come and go as we please later on. Think of it as like a house, right, with a front door. Now you have to knock on the door. Someone has to let you in. No big deal. But you tricked Carl to open the door and let you in.


00:09:41:15 - 00:10:00:08


Now you're in the house. Well, step five is basically blowing out a side of the wall of the house and putting your own door there. Carl doesn't see it because it's behind some cupboards and stuff. That doesn't matter. Now, when you come up to the house, you can just use that side door, come and go as you please, because no one knows it's there.


00:10:00:08 - 00:10:23:21


No one's looking at it. This is installing the malware, and that's just for persistence. You can also install malware to start stealing all the credentials and tokens and keys on the machine, setting up keyloggers so you can steal passwords or anything else the victim types. You could do screenshots, turn on their webcam or turn on their listening devices like their microphone.


00:10:23:21 - 00:10:54:10


Listen to what they're saying, see what's going on in the room. That's usually more an espionage or kind of creep scenarios, but it's all possible. Step six is command and control. Now, we talked about installing malware for persistence, but in modern malicious workflows, threat actor workflows, the threat actor can get control of hundreds or thousands or in some cases, hundreds of thousands of victim machines.


00:10:54:12 - 00:11:17:21


And it would be crazy for them to have to log into each one and click, and it would just be overwhelming and burdensome. So command and control is essentially how that is handled. Step six. Think of it as like a mothership, right? Hovering over the earth like a satellite, and then all the victim machines. There's a line going from the mothership to the victim machines.


00:11:17:23 - 00:11:44:15


And the victim machines check in every once in a while with the mothership, say every 5 minutes, 10 minutes, whatever the threat actor decides. And it simply checks in and says, Hey, you got anything for me now? Hey, you got anything for me? No. Hey, you got anything for me? Yes. Yes, I do. Here. Do this. Take these screenshots, install this additional malware, turn on the camera, whatever it is.


00:11:44:18 - 00:12:06:02


That is what's going on with command and control. It allows the threat actor to kind of manage from a console all of the victim machines that they've compromised. Pretty powerful stuff. Finally, at this point, the threat actor owns the machine or can do whatever they want with it and then they begin taking actions on objective. Now this is like whatever the goal was.


00:12:06:08 - 00:12:35:04


So if the goal was to poison the water at the water treatment plant, they're going to move laterally through the environment, repeating this workflow until they find the machine that can control chemicals, and they're going to execute on that objective. Or, if they're trying to steal money, they already compromised the machine of Carl Jenkins, the financial analyst. So they'll go in and adjust bank account numbers or just do key logging and steal credentials until they get access to the bank accounts, and then they simply move the money out.


00:12:35:07 - 00:13:04:13


Pretty scary stuff. But no matter what your objective is and hopefully it's made sense through this lecture, no matter what your objective is, this workflow is pretty much exactly what all threat actors are going to do. Now, I wanted to call this out because it's important to note that the cyber kill chain, while it looks linear from start to finish, it's actually iterative, meaning you do it and then you do it again and then you do it again.


00:13:04:14 - 00:13:27:18


Reason being, you could see in the first instance it's the initial foothold. You got access to Carl Jenkins's system, for example. Right. And you could see each of the blue chevrons represent stages in the cyber kill chain. But say you got on Carl's machine. But like I said before, say you were trying to poison the water at the water treatment plant.


00:13:27:20 - 00:14:01:25


Well, Carl's machine's in finance, that's not going to do anything for you. So you need to move laterally through the environment looking for that machine. Now, once you get on Carl's machine, you can start the reconnaissance phase over because you have an asset on the internal network. At this point, you can dump the IP address schema for the network, you can dump the credentials, username and password, that have logged into Carl's machine in the past. Say an IT administrator logged in to Carl's machine to install a piece of software just yesterday.


00:14:01:28 - 00:14:30:27


Well, the credentials for the IT administrator may be cached or saved to Carl's workstation to make login faster at another time. Right. This is a service, a capability, a feature that Windows offers. Well, the problem is, as a threat actor, I can dump those. Now, instead of using the boring, plain, general-access Carl Jenkins account, I have an IT administrator's account that has super user privileges.


00:14:31:04 - 00:14:58:25


I can go into any machine. I can install anything. I can disable security software. So once I've done that, now I'm using the IT administrator's account that I got through the recon phase and I'm iterating, looking, moving through the network, compromising more machines, figuring out what it is. And then finally, the third ring. That's the critical asset. I found my goal and I'm going to take actions on objective.


00:14:58:28 - 00:15:24:05


I hope this conveys and doesn't scare you, but this is the cyber kill chain. This is the workflow of threat actors. I don't care what kind of threat actor there is. I don't care if they're nation state, solo, you know, affiliate, whatever. If they're a cybercriminal, they're going to follow the cyber kill chain. Great work in this one. Don't be afraid to go back and watch it again if some things didn't stick.


00:15:24:08 - 00:15:48:19


It's important to understand this because as we work through techniques, capabilities and kind of drill into all these different elements, the cyber kill chain will ever be looming as kind of a paradigm for how threat actors approach this. And frankly, as defenders, how we need to think about how to stop them. We don't just stop them at actions on objective.


00:15:48:19 - 00:16:04:27


No, no, no, no, no. We introduce controls at every stage of the kill chain, hoping, if you think of it as like a chain, that we can break the links on the chain and keep them from going down the kill chain. All right. Great work in this one. Thank you very much. I will see you in the next one.

