Kill Chain - In today’s wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the original cyber kill chain framework to help organizations identify and prevent cyber intrusions. The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT).[1]
Organizations can use the cyber kill chain to defend themselves against many complex attacks, such as last year’s Uber hack. If you recall, back in September of 2022, a threat actor successfully infiltrated the company’s Slack application by convincing an employee to grant them access. The attacker spammed the employees with multi-factor authentication (MFA) push notifications until they could gain access to internal systems and browse the source code.
This article will walk you through the kill chain of this specific attack twice. First, we’ll take the perspective of the attacker, and then we’ll outline the prevention strategies organizations can take at each step of the chain.
Each Step of the Cyberattack Kill Chain
Recon - This first step is about information gathering. Like in many attacks, threat actors use social engineering tactics to gain access to employee information. Attackers typically gather intelligence from scraping data readily available from public sources, called open source intelligence (OSINT). Thanks to social media and publicly documented online activities, attackers can easily profile an organization or employee.
Weaponize - The next step is essentially the preparation stage. The bad actor is now armed and ready to deploy these compromised credentials and any other relevant information they need to log in to the target employee’s account.
Delivery - Delivery is all about set-up: like a boxer’s jabs before landing the knockout punch. In this step during the Uber hack, the attacker spammed the employee with push notifications (this can be called MFA fatigue or prompt bombing). Then, he contacted the employee through social media channels, posing as IT, asking them to accept the notifications so they would stop.
Exploit - Staying with the boxer analogy, exploit is like a right hook. In the Uber attack, the attacker gained access to the employee’s VPN once the MFA fatigue attack was successful.
Install - Install is where the bad actor officially launches the malicious and dangerous part of the attack. In the Uber hack, the attacker was able to scan the network and discover a power shell script on a shared drive. The script contained an admin user credential for the company’s PAM solution that provided the attacker with further access to multiple services.
Callback - For attackers, callback is all about taking control of the target’s systems so they can launch more attacks. For victims, this is the step in which prevention is much more difficult. In the Uber attack, the bad actor proceeded to wrangle access to other internal systems and steal confidential data.
Persist - When attackers reach this stage, they’ve essentially gained enough rights to continuously execute attacks. This may come in the form of ransomware, data exfiltration for monetary gain or launching DOS attacks.
How the Enterprise Can Prevent Attacks at Each Stage
Recon and Weaponize - The strategies for Recon and Weaponize prevention are the same at both stages. One of the most crucial prevention strategies is eliminating the use of passwords whenever possible. While the password will probably never die, going passwordless is typically a positive step in the right direction. That said, it shouldn’t be the only authentication method. Passwordless should be the first factor to be combined with another form of authentication. Adding or changing contact info for key employees is another way to keep attackers guessing.
Delivery - Deploying high-assurance MFA options like a FIDO2 key, mobile smart credential or other passkeys is one of the best ways to prevent MFA-based attacks. After all, MFA is not foolproof. Another great way to ensure an attack like the Uber hack doesn’t happen in your organization is to send a notification to the user whenever the account logs in from a new location for the first time. Adopting zero trust principles is always recommended here (and at any stage).
Exploit - Using a physical token is one of many secure authentication methods. By deploying risk-based adaptive authentication, authentication requests can trigger a defined action or set of actions based on predetermined risk factors. Potentially malicious requests may trigger an email or SMS notification or be blocked outright. This could (and should) include VPN authentication requests. Much like for the delivery stage, it’s wise to consider location-based notifications for first-time access.
Install - For the install stage, all the same prevention strategies relevant to the exploit stage also apply. But here, organizations can bolster security for desktops, servers, hidden folders and other resources by applying adaptive MFA. Privileged Access Management (PAM) solutions should also be secured with high assurance MFA.
Callback/Persist - Here is where real-time monitoring of any suspicious data movement and detecting suspicious behavior is critical. At this stage, bad actors are motivated to move and act quickly, and timing for the security team is crucial. The key is the ability to be proactive instead of reactive.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://securityintelligence.com/articles/breaking-down-cyberattack-kill-chain-steps/
Comments