Anatomy of a Cyber-Attack

Jeremy Trinka
Aug 17, 2019
Image by Gordon Johnson from Pixabay

It is often said that you must ‘know your enemy’ in order to succeed, but for many it may be a difficult mindset to step into. Fortunately, frameworks over the past couple years have matured to a point that they can be used to understand what Tactics, Techniques, and Procedures (TTPs) bad actors are using to get into, and move around, our networks.

For some background, the term “kill chain” comes from military origins, and refers to a high-level definition of the steps executed in an attack. Developed by Lockheed Martin, the “Cyber Kill Chain” framework became the foundation for what we now call a cyber-attack. Moving into the past year, MITRE has structured a categorical effort called Adversarial Tactics, Techniques, & Common Knowledge, or “ATT&CK”, which acts as a ‘mid-level’ framework to tie specific TTPs to the kill chain. The knowledge base is vast, comprehensive, and an easy bookmark for all in the space.

I would argue that without being able to categorize TTPs, it is hard to make well-calculated decisions on what is needed to refine your defenses. Using the categories outlined by the frameworks above, and you as the assumed target, let’s dissect the high-level actions a threat might perform to get into your network.

Reconnaissance

The legwork in any attack, cyber or otherwise, is knowing what you are up against. Anyone worth their weight in salt will spend most of their time performing reconnaissance on their target, and revisit it frequently. This entails understanding all assets you have — technology or otherwise. Collecting information is often done passively, using Open Source Intelligence (OSINT) gathering techniques.

Reconnaissance can be done actively by sending packets to your target and looking for open ports, but is considered the more dangerous route. Anywhere traffic can be received has potential for identifying the attacker’s source. Now, with search engines like Shodan and Censys, attackers don’t have to give away any bit of their information to see what you have exposed to the world. Your external systems are already scanned! This also proves why ‘security through obscurity’ never works.

Many attackers use the intelligence they have collected, purchasing equipment on eBay that they found through reconnaissance, and reverse engineering it to find zero-days with which they can get their initial foothold. Let’s just say that it is unlikely an actual attacker will hit you with Nessus.

Rather, they will understand who works for you via LinkedIn, what hostnames or IP addresses are assigned to you, who the domains are registered to, metadata on files you publish online, what emails are publicly available out on the Internet, any physical locations or characteristics, and as many other bits of information as can be identified. Enumerated subdomains in particular are a commonly cited target, as they expose which applications the target uses to conduct business. Much of this requires little more than strategic Googling skills, though the OSINT community is vast and full of techniques most would never think of.

With a cache of information, it is time to plan the attack.

Weaponization and Delivery

Once there is a sound understanding of what you have and where gaps in your defenses exist, it is time to mobilize. The ‘Weaponization’ phase of a cyber-attack is where the attacker begins structuring a payload to be used against you, and a delivery mechanism to get it over to you. If this were a Middle Ages battle, the delivery mechanism would be the catapult, and the payload would be the burning barrel it was loaded with. It would make sense for the attacker to use their knowledge of where your fortifications are the weakest to maximize the amount of damage their siege weapons can deliver.

Unlike a castle siege, the aim is to lay low and go undetected. A payload will usually consist of a Remote Access Tool (RAT), which is compiled software that communicates with pre-programmed coordinates to reach back to its operator. The RAT itself can consist of as many or as few tools as the attacker can compile, and this often depends on how over-encumbered they want their delivery mechanism to be. This is the equivalent of going on a three-day hiking trip and packing two weeks’ worth of supplies. Sometimes it isn’t necessary to bring everything along, and it may even slow down the attack. Depending on what the objective is, a keylogger and some basic scripts may be enough to get them to their goal, and everything in excess is a potential signature to get picked up by IDS or antivirus.

Now that the payload is prepped, it is time to determine the ‘Delivery’ mechanism. This is where phishing often comes into play, as email addresses are readily available on the Internet via LinkedIn, Salesforce, Facebook, etc. Email messages lend themselves especially well to being delivery mechanisms, as many organizations’ vulnerability management processes mature. A payload can exist in an attachment or at a link you may be directed to click on. An alternate delivery method would be to exploit an edge device such as a web application or gateway appliance, and come in through the front door. There are numerous other delivery mechanisms (USBs, wireless, physical access, etc.).

Exploitation and ‘Command & Control’

Arguably the shortest real-time phase in a cyber-attack, the ‘Exploitation’ stage is where the delivered payload is executed. The inevitable goal of this is to get code to run on a workstation and get the initial foothold into your network. The exploit may be as complex as a custom-built zero-day that leverages a buffer overflow vulnerability in an Internet-facing appliance which remotely executes shellcode [deep breath]… or as simple as an email with a link tricking a user into running a fake program named “AdobeReaderUpdate.exe”. Either way, something (or someone) is getting exploited.

This is followed by ‘Command & Control’, commonly referred to as ‘C2’. The first objective of almost all malicious software is to communicate back to the person(s) in control, and establish a channel to siphon out information. This can be done in multiple ways, but is not very different than most client/server software in your own network. Many attackers know this, and try to obfuscate the C2 traffic with encryption, hoping to get drowned out in the noise. Many large-scale campaigns, such as the Mirai botnet which wreaked havoc a couple years ago, are strong examples of this. IoT devices, known for their shoddy coding practices, make themselves highly susceptible to being collected in large-scale C2 campaigns.
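A defender's view of the paragraph above, as an added example that is not part of the original article: encryption hides what a C2 channel says but not when it talks, and automated check-ins are usually far more regular than human-driven traffic. The connection records, their field layout, the addresses and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch seconds, internal host, external destination).
# The first pair checks in about every 60 s with a little jitter; the others are bursty.
JITTER = [0, 2, -1, 1, 0, -2, 1, 0]
CONNECTIONS = (
    [(1000 + 60 * i + j, "10.0.0.5", "203.0.113.10") for i, j in enumerate(JITTER)]
    + [(t, "10.0.0.7", "198.51.100.20")
       for t in (1003, 1010, 1190, 1202, 1650, 1655, 2400, 2410)]
    + [(t, "10.0.0.5", "198.51.100.20") for t in (1100, 1900)]
)

def find_beacons(records, min_events=6, max_cv=0.1):
    """Return (src, dst, mean_gap, cv) for pairs whose check-in intervals barely vary."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue  # too few samples to say anything about regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps only; nothing to measure
        cv = pstdev(gaps) / avg  # coefficient of variation: low means clockwork
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[3])

if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(CONNECTIONS):
        print(f"{src} -> {dst}: every ~{gap}s (cv={cv})")
```

Legitimate software such as update checkers and monitoring agents is just as regular, so a hit is a lead to investigate against an allowlist, not a verdict.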

Execute and Maintain, or ‘Actions on Objectives’

This is where we get into ‘post-exploitation’, or everything that occurs after the foothold is made. Now that there is some code running on a system in your network, the ‘Execute’ phase can begin. The attacker will set their sights on the real goal, which may be as specific as gaining and exfiltrating intellectual property (like source code, classified emails, product blueprints, etc.), or as vague as “as many credit cards or social security numbers as possible”. In order to get to the objective, the attacker is going to have to perform some actions first.

They will have to become ‘situationally aware’, and understand what system they are on and what else is inside the network. Considering they are likely on an average user’s workstation, they will have to ‘escalate privileges’, and escape “userland”. This usually consists of getting administrative level access to the system they landed on, and eventually onto the other systems in the network. They will also have to ‘move laterally’, or jump from system to system until they get to the one that contains the data they are looking for. Finally, the attacker is going to want to ‘Maintain’ access to your network. This is done by digging their hooks into your systems, often via scheduled tasks, startup registry keys, discovered or created backdoor credentials, or numerous other methods. Anything that allows them to persist in your network, for as long as they need to, to get the data they are looking for. Why go through all the effort if a simple reboot will undo all progress?
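The persistence methods named above leave records a defender can review. The following added example (not part of the original article) groups scheduled-task, startup-registry-key and new-account events by host. It assumes Windows Security events 4698 and 4720 plus Sysmon event 13 are being collected; the records, hostnames, usernames and simplified field names are constructed.

```python
import re

# Registry autostart locations and paths any standard user can write to.
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public)\\", re.I)

# Constructed, simplified records (real 4698 events carry the command in task XML).
EVENTS = [
    {"host": "WS-014", "channel": "Security", "id": 4698,
     "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe"},
    {"host": "WS-022", "channel": "Security", "id": 4698, "task": r"\AdobeReaderUpdate",
     "command": r"C:\Users\jdoe\AppData\Roaming\AdobeReaderUpdate.exe"},
    {"host": "WS-022", "channel": "Sysmon", "id": 13,
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\jdoe\AppData\Roaming\AdobeReaderUpdate.exe"},
    {"host": "SRV-003", "channel": "Security", "id": 4720, "account": "svc_backup2"},
    {"host": "WS-014", "channel": "Sysmon", "id": 13,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

def classify(ev):
    """Map one event to (mechanism, object, severity), or None if not persistence."""
    key = (ev["channel"], ev["id"])
    if key == ("Security", 4698):                      # scheduled task created
        sev = "high" if USER_WRITABLE.search(ev["command"]) else "review"
        return ("scheduled-task", ev["task"], sev)
    if key == ("Sysmon", 13) and RUN_KEY.search(ev["target"]):  # registry value set
        sev = "high" if USER_WRITABLE.search(ev["details"]) else "review"
        return ("run-key", ev["target"], sev)
    if key == ("Security", 4720):                      # user account created
        return ("new-account", ev["account"], "review")
    return None

def persistence_report(events):
    """Group findings by host so an analyst sees everything planted on one machine."""
    report = {}
    for ev in events:
        finding = classify(ev)
        if finding:
            report.setdefault(ev["host"], []).append(finding)
    return report

def hosts_needing_triage(events):
    """Hosts where an autostart entry launches a binary from a user-writable path."""
    report = persistence_report(events)
    return sorted(h for h, found in report.items() if any(f[2] == "high" for f in found))

if __name__ == "__main__":
    print(hosts_needing_triage(EVENTS))
```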

Now that you have stepped into the mindset, think back to where deficiencies may be in your own network. Are your vulnerability management and patching processes enough to fend off exploits at the perimeter? How much information are you exposing to someone who would target you? If someone did get into your network, do you have enough visibility to determine where they might be sitting? It can be hard to reflect on our own flaws, but it is necessary to build a resilient defense.

Thanks for reading! I am a Sr. Security Engineer with InquisIT, offering premier cybersecurity services to the federal government. Our goal is to help agencies tackle complex cybersecurity challenges, and bridge policy into operations. Comments or critiques? Reach me on LinkedIn, email — jtrinka[at]inquisitllc[dot]com, or reply below.
