A Survey of Attack Life-Cycle Models

Earlier, I talked about Beyond Confidentiality, Integrity & Availability, which touched on info-security concepts beyond ICT systems and gave a brief introduction to the Three Tenets Model in use by the US Air Force Research Laboratory.

This round, instead of the usual writing style of just dumping info/opinions, I want to share some views on Threat Capability with an episode from the popular US TV series Mr Robot. All scenes are works of Universal Cable Productions & Mr Robot(TM) seems to be owned by Novasoft. This is not-for-profit, please don’t send me lawyer letters.

Without further ado, let’s take a look at Season 1 Episode 6:

Elliot, the protagonist, is an anti-social person with several mental conditions who prefers to connect with people by hacking them.

In this particular episode, Elliot provided anonymous tips to the police which got most of the key people of the drug syndicate busted. Elliot was prompted to do so because the drug syndicate boss (named Vera) was a physical threat to Elliot’s friend Shayla. Shayla works for Vera as more than a peddler (e.g. his sex toy) and she was selling drugs to Elliot.

It was only a matter of time before Vera figured out that Elliot was behind this, so he ordered his brother (who escaped the police raid) & the remaining crew to take Shayla hostage so as to force Elliot to free him.

Elliot did some research on the facility where Vera was being held. Apparently it was controlled by systems that had vulnerable Programmable Logic Controllers (PLCs). These are the little gadgets that open/close gates and so on.

Notice the ‘E’ logo on the USB stick? It’s the corporate logo of E-Corp, the largest corporation, which basically owns the country in this story. Charlene took advantage of this familiar and ‘trusted’ logo in an attempt to infiltrate the correctional (prison, if you are more UK’ish) facility.

Sure enough, an officer took the bait and inserted it into his computer.

Charlene had planted malware within a ‘survey-for-goodies’ program, which the officer went on to take, but the malware was stopped in the process. Take note of the wall-mounted screens (top left) which showed street-views.

The officer yanked the power cord out of his terminal.

Elliot lost the connection to the officer’s PC at his end. He had to go on-site.

Elliot visited Vera; he wanted Vera to keep talking to him to buy some more time. Vera challenged Elliot on why he was stupid enough to show up and physically implicate himself. Elliot assured Vera that all the doors would open at night. Vera was very pleased with Elliot’s plan.

While the two were chatting, Elliot’s phone was scanning the wireless networks. Unfortunately, the wireless networks were protected with WPA2, which would need some time to crack... Not much time left….

After Elliot reclaimed his phone and walked out of the facility, hope materialized in the form of a Bluetooth keyboard which he was confident he could break into. The keyboard was in turn connected to the patrol car’s computer system, which had a mobile camera feed over a 4G network into the facility’s system. Recall the earlier scene with the wall-mounted screens: those street-views were captured by these 4G mobile car cameras.

Elliot got the gang members to get ahead of the patrol car. He needed 40 seconds at most to own the Bluetooth keyboard once it was within range.

To free Charlene from being the second hostage, Elliot threatened the gang member to let Charlene go or he would abort the whole mission. Charlene did a good job with her assets and flirting skills.

Elliot did his chops and bingo. Sure, the computer may have been hardened, but fortunately for Elliot, they overlooked the keyboard.

While the officer was busy looking elsewhere, Elliot uploaded the payload and launched the malicious time-activated process.

The payload worked as programmed. It shut off the lights for a few minutes and opened the prison gates simultaneously.

As the lights went back on, the inmates broke the gate and the mission was a success! Unfortunately, Elliot would only find Shayla’s body, but Vera was kind enough to let Elliot go after killing his own brother, who had gotten him into trouble in the first place by conducting drug transactions openly on social media networks.

Relating the story to the Three Tenets Model

  1. The prison’s system was susceptible: it had vulnerabilities and was of value to Elliot.
  2. The susceptible system was ultimately accessible through the patrol car’s system, which had a Bluetooth keyboard that Elliot could control.
  3. Elliot was capable of creating a payload that would instruct the prison’s PLC system to turn off the lights and open the gates on time.

All these are still rather high-level, and certain details of Elliot’s capabilities are not evident. It will be useful to expand further on Threat Capability with more in-depth models that cover the attacker’s Tactics, Techniques & Procedures more specifically.

Lockheed Martin’s Kill-Chain

Lockheed Martin adapted a military concept, the Kill Chain (Find, Fix, Track, Target, Engage and Assess), and applied it to cyber:

This model is useful but creates the impression that things are rather linear and one-off. There is no notion of external versus internal reconnaissance, no notion of ‘Lateral Movement/Incursion’ and so on.

Mandiant Attack Life Cycle

The folks at Mandiant further expanded the model to include tactics like Establish Foothold, Escalate Privilege, Move Laterally & Maintain Presence.

Source: https://www.fireeye.com/blog/executive-perspective/2014/04/zero-day-attacks-are-not-the-same-as-zero-day-vulnerabilities.html

Mandiant’s diagram takes a ‘cyclical’ view: the Attack Life Cycle can be repeated on a different target within the organization so as to establish a stronghold and ultimately complete the mission. In reality this is often the case, as Mandiant, a professional Digital Forensics and Incident Response company, has observed through their many engagements.

Mitre Research — Adversarial Tactics, Techniques, & Common Knowledge

The folks at Mitre Research expanded on the Cyber Kill Chain and came up with the ATT&CK model cum framework, which focuses on post-intrusion adversarial behavior & techniques:

ATT&CK incorporates information on cyber adversaries gathered through MITRE research as well as from other disciplines such as penetration testing and red teaming to establish a collection of knowledge characterizing the post-access activities of adversaries. While there is significant research on initial exploitation and use of perimeter defenses, there is a gap in central knowledge of adversary process after initial access has been gained. ATT&CK focuses on TTPs adversaries use to make decisions, expand access, and execute their objectives. It aims to describe an adversary’s steps at a high enough level to be applied widely across platforms, but still maintain enough details to be technically useful:

ATT&CK Technique Matrix — Tactics vs Techniques

This matrix is very useful, particularly from a protection and detection perspective. Because these techniques are specific (perhaps with the exception of Host Enumeration, which could also be done by, let’s say, a sys-admin), the signatures/rules that pick them out will likely be less noisy. I will leave the discussion of this matrix of techniques for the next sharing.
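To make the noise argument concrete, here is an added example (not from the article or from MITRE) that scores two detection rules against the same stream of process-creation events: a broad Host Enumeration rule of the kind a sys-admin trips every day, and a narrow rule for one specific technique, creation of a scheduled task (named after the ATT&CK technique of that name as I know it). The events and their ground-truth labels are constructed for the demonstration; the hostnames, usernames and command lines are invented.

```python
"""Comparing a narrow ATT&CK technique rule against a broad enumeration rule.

Added example, not from the original article. All process-creation events
below are constructed and carry a hand-assigned ground-truth label so the
two rules can be scored against each other.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    cmdline: str
    truth: str  # constructed ground truth: "benign" or "malicious"


# Constructed sample events. The 10:15-10:17 burst on ws-12 stands in for
# post-compromise activity; everything else is routine admin or user work.
SAMPLE_EVENTS = [
    Event("09:01", "ws-12", "jdoe", "whoami", "benign"),
    Event("09:02", "ws-12", "jdoe", "ipconfig /all", "benign"),
    Event("09:05", "srv-01", "sysadmin", "net user", "benign"),
    Event("09:06", "srv-01", "sysadmin", 'net group "Domain Admins" /domain', "benign"),
    Event("09:07", "srv-01", "sysadmin", "systeminfo", "benign"),
    Event("10:15", "ws-12", "jdoe", "net user", "malicious"),
    Event("10:16", "ws-12", "jdoe", 'net group "Domain Admins" /domain', "malicious"),
    Event("10:17", "ws-12", "jdoe",
          "schtasks /create /tn upd /tr C:\\Users\\Public\\u.exe /sc once /st 23:00",
          "malicious"),
    Event("11:00", "srv-02", "backupsvc", "schtasks /query /tn nightly-backup", "benign"),
    Event("11:30", "srv-02", "sysadmin", "ipconfig /flushdns", "benign"),
]

# Broad rule: the "Host Enumeration" style of technique the article singles
# out as something a sys-admin does too. Matches common discovery commands.
ENUMERATION_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"^whoami\b", r"^ipconfig\b", r"^net\s+user\b",
              r"^net\s+group\b", r"^systeminfo\b")
]
# Narrow rule: creation of a scheduled task (ATT&CK "Scheduled Task"), the kind
# of specific, time-activated step the article's story turns on.
SCHTASKS_CREATE = re.compile(r"^schtasks\s+/create\b", re.IGNORECASE)


def host_enumeration_rule(event):
    return any(p.match(event.cmdline) for p in ENUMERATION_PATTERNS)


def scheduled_task_rule(event):
    return SCHTASKS_CREATE.match(event.cmdline) is not None


def evaluate(rule, events):
    """Score a rule against labelled events: hits split by ground truth."""
    hits = [e for e in events if rule(e)]
    tp = sum(1 for e in hits if e.truth == "malicious")
    fp = len(hits) - tp
    precision = tp / len(hits) if hits else 0.0
    return {"true_positives": tp, "false_positives": fp, "precision": precision}


if __name__ == "__main__":
    for name, rule in (("host enumeration", host_enumeration_rule),
                       ("scheduled task creation", scheduled_task_rule)):
        print(f"{name:24s} {evaluate(rule, SAMPLE_EVENTS)}")
```

On this sample the enumeration rule fires eight times with six of the hits coming from the sys-admin and ordinary user activity, while the scheduled-task rule fires once, on the malicious event only. The specific rule is not magically free of false positives (an administrator creating a real task would trip it too), but its hit rate on routine work is far lower, which is the property that makes a technique-level rule worth the analyst time it generates.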

Combined Attack Life Cycle

I combined these models into:

I borrowed the idea of Phases from Boeing’s Threat Life-Cycle, which supposedly predates the Cyber Kill Chain. We can think of the Phases as severity levels which increase with the phase number. For instance, internal recon is more severe than external recon since the attacker is most likely already within the environment. It is also safe to assume that the attacker(s) have gotten past the earlier phases/defenses and are likely to proceed to the next objective.

I placed the two different classes of actors alongside the tactics (external recon, deliver payload, ...) within each phase. The complicated cycles and arrows attempt to illustrate that these tactics are not necessarily linear, one-after-the-other, or carried out in order. Consider attacks like DDoS, which can start with Phase 1 (External Recon) and go straight to the systems’ availability being impacted without the need to go through Phase 2 or 3.
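As an added example (not from the article), here is what the ‘phase as severity level’ reasoning changes in practice: actors are ranked by the highest phase they have reached rather than by how many alerts they generated, and a DDoS-style path shows up as skipped phases. The tactic-to-phase mapping is my own reading of the combined ALC and is an assumption: Phase 2 is taken to be initial intrusion (deliver payload, exploit) and Phase 3 internal recon, lateral movement and maintaining presence. The alert stream and actor identifiers are constructed.

```python
"""Prioritising actors by the highest attack-life-cycle phase they reached.

Added example, not from the original article. The tactic-to-phase mapping is
an assumption about the combined ALC; alerts and actor identifiers below are
constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
"""
from collections import defaultdict

# Assumed mapping of tactics onto the four combined-ALC phases.
PHASE_OF_TACTIC = {
    "external_recon": 1,
    "deliver_payload": 2,
    "exploit": 2,
    "internal_recon": 3,
    "lateral_movement": 3,
    "maintain_presence": 3,
    "actions_on_objectives": 4,
}

# Constructed alert stream: (time, actor, tactic). One noisy external scanner,
# one internal-recon alert from a workstation, and a DDoS that jumps from
# external recon straight to impact on availability.
SAMPLE_ALERTS = [
    ("t01", "203.0.113.7", "external_recon"),
    ("t02", "203.0.113.7", "external_recon"),
    ("t03", "203.0.113.7", "external_recon"),
    ("t04", "203.0.113.7", "external_recon"),
    ("t05", "203.0.113.7", "external_recon"),
    ("t06", "203.0.113.7", "external_recon"),
    ("t07", "ws-12/jdoe", "internal_recon"),
    ("t08", "198.51.100.4", "external_recon"),
    ("t09", "198.51.100.4", "actions_on_objectives"),
]


def summarize(alerts):
    """Per actor: alert count, highest phase reached and the set of phases seen."""
    summary = defaultdict(lambda: {"alerts": 0, "max_phase": 0, "phases_seen": set()})
    for _time, actor, tactic in alerts:
        phase = PHASE_OF_TACTIC[tactic]  # an unmapped tactic is a data error; let it raise
        entry = summary[actor]
        entry["alerts"] += 1
        entry["max_phase"] = max(entry["max_phase"], phase)
        entry["phases_seen"].add(phase)
    return dict(summary)


def skipped_phases(phases_seen):
    """Phases below the highest one reached that were never observed."""
    return [p for p in range(1, max(phases_seen)) if p not in phases_seen]


def rank_by_count(alerts):
    """Naive ordering: whoever generated the most alerts comes first."""
    s = summarize(alerts)
    return sorted(s, key=lambda actor: -s[actor]["alerts"])


def rank_by_phase(alerts):
    """ALC ordering: highest phase reached first, alert count only as a tie-break."""
    s = summarize(alerts)
    return sorted(s, key=lambda actor: (-s[actor]["max_phase"], -s[actor]["alerts"]))


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    print("by count:", rank_by_count(SAMPLE_ALERTS))
    print("by phase:", rank_by_phase(SAMPLE_ALERTS))
    for actor, entry in summary.items():
        print(actor, "skipped phases:", skipped_phases(entry["phases_seen"]))
```

Counting alerts puts the external scanner first, which is exactly the wrong queue order; ranking by phase puts the DDoS (already at Phase 4) and the single internal-recon alert (Phase 3, so the earlier defenses have presumably already been passed) ahead of it. The skipped-phase list for the DDoS actor is [2, 3], the non-linear path the arrows in the diagram are meant to convey.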

I also expanded further on Phase 4, Actions on Objectives. Attackers’ objectives in turn become our problems, which impact data or system dependability. In my earlier sharing, I briefly covered the attributes of Dependability, which are applicable to both ICT and Cyber-Physical systems.

An external attacker can also steal information along the way. From the initial intrusion, s/he can start evasive exfiltration of information bit by bit (no pun intended, but some clever folks have managed to piggyback information packet by packet through DNS requests, or jump across air gaps by manipulating the heating/cooling system), or do further internal recon & lie low to plan the next step, which could be getting to another victim within the organization after studying the org chart from the intranet site or existing documents on the compromised machine.

Insider Threats are the most difficult given their authorized access and internal knowledge of systems and processes. Much of an insider’s actions will not be flagged as attacks since they are allowed to use the system in the first place. It is usually a series of legitimate actions performed over a period of time (e.g. printing out sensitive documents, as with fraud) or at a single instance (e.g. an angry employee/contractor shuts down plant controls, as with sabotage) that become threatening.
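The ‘series of legitimate actions over a period of time’ case is the one that defeats per-event rules, so here is an added example (not from the article) of the aggregation a detection would need instead. It parses a constructed print-job log in which one user prints a confidential document once a week and then, in the final week, once every day: no single job or single day is unusual, but the weekly count against the user’s own baseline is. The log format, users and all events are constructed for the demonstration.

```python
"""Flagging a slow insider pattern: many individually legitimate print jobs.

Added example, not from the original article. The print log format and all
events below are constructed for the demonstration.
"""
import re
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Constructed log format: one print job per line.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) user=(?P<user>\w+) "
    r"pages=(?P<pages>\d+) label=(?P<label>\w+)$"
)
START = date(2016, 5, 2)  # a Monday; weeks are counted from here


def build_sample_log():
    """Four weeks of constructed print jobs for two users.

    alice prints one confidential document a week, then in week 3 prints one
    every day: never more than one per day, so a per-job or per-day rule sees
    nothing unusual. bob has a one-off burst in week 0 and is quiet after.
    """
    lines = []
    for offset in range(28):
        day = START + timedelta(days=offset)
        if day.weekday() >= 5:  # no printing at weekends
            continue
        lines.append(f"{day.isoformat()} user=alice pages=8 label=internal")
        if offset >= 21 or day.weekday() == 2:  # week 3 daily, else Wednesdays
            lines.append(f"{day.isoformat()} user=alice pages=4 label=confidential")
        if offset == 3:
            lines.append(f"{day.isoformat()} user=bob pages=6 label=confidential")
            lines.append(f"{day.isoformat()} user=bob pages=6 label=confidential")
        lines.append(f"{day.isoformat()} user=bob pages=12 label=internal")
    return lines


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable print log line: {line!r}")
    return {"date": date.fromisoformat(m["date"]), "user": m["user"],
            "pages": int(m["pages"]), "label": m["label"]}


def weekly_confidential_counts(lines, weeks=4):
    """Number of confidential jobs per user per week (list index = week)."""
    counts = defaultdict(lambda: [0] * weeks)
    for line in lines:
        ev = parse_line(line)
        if ev["label"] != "confidential":
            continue
        week = (ev["date"] - START).days // 7
        counts[ev["user"]][week] += 1
    return dict(counts)


def daily_max_confidential(lines):
    """Most confidential jobs on any single day, per user: what a per-day rule sees."""
    per_day = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev["label"] == "confidential":
            per_day[(ev["user"], ev["date"])] += 1
    result = defaultdict(int)
    for (user, _day), n in per_day.items():
        result[user] = max(result[user], n)
    return dict(result)


def flag_drift(weekly_counts, factor=3):
    """Flag users whose latest week is at least `factor` x their own median prior week."""
    flagged = {}
    for user, weeks in weekly_counts.items():
        *history, latest = weeks
        baseline = statistics.median(history) if history else 0
        if latest >= factor * max(baseline, 1):
            flagged[user] = {"latest": latest, "baseline": baseline}
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("per-day maximum:", daily_max_confidential(log))
    print("weekly counts:  ", weekly_confidential_counts(log))
    print("flagged:        ", flag_drift(weekly_confidential_counts(log)))
```

A per-day view actually ranks bob (two confidential jobs on one day) above alice (never more than one), while the weekly view against each user’s own history flags alice and nobody else. The baseline is per user rather than global precisely because insiders are using access they legitimately hold; what makes the behaviour threatening is the departure from their own pattern, not the action itself.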

Relating the story to an Attack Life-Cycle

They say always begin with the end in mind. The end in Elliot’s mind was to open the gates and shut off the lights for a few minutes... Now let’s work backwards to connect the dots:

Elliot had to gather information to figure out that he needed a payload to control the PLC within the prison’s system. With that knowledge, he had to quickly create a payload that would instruct the PLC to do what he wanted (weaponization). And since his first intrusion failed, he had to go on-site to scan the network to find another way to deliver the main PLC payload, but that turned out to be unfavorable for his time-limited mission. It shows his persistence, which is the P in APT, Advanced Persistent Threat.

The ‘E-corp’ USB sticks were strategically dropped (delivery) at a place where officers would walk past. Someone took the bait and launched the ‘survey’ program laced with malware (execution). The first intrusion was almost successful (Elliot had a remote shell for a while) until the officer yanked out the power cord after seeing the Anti-Virus alert (a typical security control on endpoints).

The second, successful intrusion came after attacking the Bluetooth wireless keyboard, which could be remotely taken over to deliver the PLC payload. Elliot then migrated the payload code into the process that had the necessary privilege to control the gates and lights.

Elliot tried three different vectors (USB, Wi-Fi network and ultimately Bluetooth) before gaining control. The officer’s PC and the patrol-car terminal can be thought of as stepping stones or pivoting points into the prison’s network. Had the officer’s PC been compromised, Elliot would have had more time to move laterally to other systems within the network by abusing the officer’s credentials and rights. Ultimately, Elliot took over the keyboard and used the car’s terminal to perform internal recon, upload the time-activated PLC payload and inject the malicious code into the control system software process. Amazing as it may seem, all that was done in 40 seconds. If it’s not dramatic then it won’t look that ‘Advanced’. :P

The whole point of the story was Elliot hacking the control system to set Vera free so as to free Shayla. Before he could open the gates and turn off the lights for the amount of time he desired, he had to go through all these various steps. This story is an example of Cyber-Physical systems being breached, resulting in consequences beyond just an information breach.

What about ‘Insider’ Threat?

If we look at the Insider problem through the Three Tenets Model “lens”, you will realize the problem of Insiders is difficult simply because they have valid access to the resources and systems. Does it take a lot of skill to deliberately or carelessly press delete? That’s why in my combined ALC I reasoned that Phase 1 & 2 are quite irrelevant to an Insider, given their access and knowledge of the systems. The problem is further compounded by the abuse of credentials by external actors, which can make an attack look like an inside job. Insider Threat Management is a big topic that requires separate treatment. I believe the general approach to Insiders should take Motivation into consideration, as in the Motivation, Opportunity & Means perspective, since the last two are a given for Insiders.

What’s Next?

Now that we have looked at it from the external attacker’s perspective, and at how attacks can be generalized and modeled by an Attack Life-Cycle, the next sharing will cover how the ALC is used in a defensive setting.