The Cyber Kill Chain: Understanding Advanced Persistent Threats

In contrast with common cybercriminals who leverage attacks opportunistically, Advanced Persistent Threats (APTs) select a specific target and devote substantial effort into planning a data breach.

Lockheed Martin’s Cyber Kill Chain® framework breaks down cybercriminal activity into five distinct stages. Understanding the tools, tactics, and procedures that characterize each of these stages will better equip your organization to identify and combat advanced persistent threats.

STAGE ONE | IDENTIFY & RECON 

Cyber Kill Chain: Identify & Recon

In the first stage of an APT attack, adversaries footprint their target, carefully compiling information with the goal of developing an intrusion strategy. According to Michael Gregg’s Certified Ethical Hacker Exam Prep guide, this involves a seven-step process:

Information Gathering: Public sources can provide adversaries with valuable baseline knowledge. Employee names, office locations, and contact information can be instrumental in planning a social engineering attack. Details listed on an IT employee’s LinkedIn profile or a press release highlighting a recent merger could allude to potential security gaps. Advanced ‘Google dork’ search operators can locate web pages not intended for public viewings, such as sensitive directories or insecure login portals.

  • Hot Tip: TheHarvester is an automated tool that can be used to automatically gather emails, hosts, employee names, open ports, and banners from public sources. You can use this tool to keep tabs on your online exposure.

Determining the Network Range: An open-source DNS query such as NSLOOKUP is used to identify the IP address associated with the targeted organization’s website. Entering this IP address into a WHOIS lookup will return the full range of IP addresses on the network. 

Identify Active Machines: The initial range of targeted IP addresses can be narrowed down to active machines by running a ping sweep, which sends an echo request to each IP address within the targeted range. Active machines will respond with an echo reply, while inactive machines return a request time out.

Identify Open Ports: A wide range of port scanning tools are available to identify open ports. Since these scans establish a connection with TCP and UDP ports, they can potentially be detected by the targeted network’s intrusion detection system (IDS). Stealthier port scanners are available, but come with the trade-off: reduced reliability. Other methods for identifying open ports include port knocking, wardialing, and wardriving.

OS Fingerprinting: There are two approaches to identifying the operating system (OS) that a target is using. Active fingerprinting identifies the OS based on a targeted machine’s responses to specially crafted ICMP or TCP packets, whereas passive fingerprinting captures and analyzes outbound web traffic sent by the targeted system to identify the OS. The trade-off here is that active techniques are more powerful, but passive techniques are more difficult to detect.

Service Fingerprinting: Identifying which services run on an open port enables adversaries to plan an application-specific attack. Effective service fingerprinting tools include Telnet, FTP, and Netcat.

Network Mapping: Adversaries can now compile the information they’ve gathered to create a blueprint of the targeted network. Automated tools such as traceroute programs or Cheops may be used to map out server placement and network connections.

STAGE TWO | INITIAL ATTACK

Cyber Kill Chain: Initial Attack

After mapping out the targeted network, adversaries move forward to prepare a malicious payload, deliver it to the target, exploit a vulnerability, and establish a presence in the compromised environment.

Weaponization: The creation of a malicious payload can be carried out using an automated malware-generating tool. In a targeted attack, this malware is customized based on the information gathered during the Identify & Reckon stage.

Delivery: There are two basic methods of malware delivery: (1) adversary-controlled delivery, which involves direct hacking into an open port, and (2) adversary-released delivery, which conveys the malware to the target through phishing. Alternatively, adversaries can compromise a trusted web application used by the target to enable iframe malware injection.

Exploitation: It’s not enough to simply deliver the malware bundle to the target. To execute the malicious code onto the targeted system, a vulnerability must be present. Adversary-triggered exploits rely on system vulnerabilities, whereas victim-triggered exploits rely on human vulnerabilities.

STAGE THREE | COMMAND & CONTROL

Cyber Kill Chain: Command & Control

Targeted attacks require adversaries to maintain remote control over their malicious payload in the targeted system for an extended period while avoiding detection. This stage focuses on establishing these capabilities.

Installation of either a web shell on a compromised web server or a backdoor implant on a compromised computer system enables adversaries to bypass security controls and maintain access in the victim’s environment.

Remote Connectivity is established with the victim’s command and control (C2) infrastructure to enable remote connectivity-typically using the web, DNS, or email protocols. Multiple channels may be established to maintain connectivity if one of the channels is removed or interrupted.

STAGE FOUR | DISCOVER & SPREAD

Cyber Kill Chain: Discover & Spread

Having established two-way communications with the victim’s network, adversaries can now move about the network in search of additional useful information relevant to achieving their objectives and deliver additional payloads if necessary.

Internal Recon: Adversaries can create a more detailed map of the victim’s network by scoping out internal factors such as network structure, services, and operating systems. This information can be used to develop a lateral movement strategy for avoiding detection and gaining access to targeted assets.

Privilege Escalation: It’s unlikely that an adversary’s initial access point provides them with access to all the resources that they’ve targeted. The horizontal approach to privilege escalation uses techniques brute force, keylogging, or ARP spoofing to steal credentials and gain access additional user accounts, whereas the vertical approach exploits vulnerabilities or misconfigurations to escalate permissions on an existing account.

Lateral Movement: Adversaries are now free to move about the network, searching for targeted assets and discovering additional resources worthy of exfiltration. Targeted assets can include sensitive customer data, confidential documents, private emails, and valuable intellectual property.

STAGE FIVE | EXTRACT & EXFILTRATE

Cyber Kill Chain: Extract & Exfiltrate

In the final stage of the Cyber Kill Chain, adversaries fulfill their ultimate objective: transmitting their targeted assets to an external server. This can have a devastating impact on targeted organizations, such as loss of revenue, a tarnished reputation, and possible legal ramifications.

Transmission: The backdoor installed during the Command & Control stage typically has built-in file transmission capabilities. A Remote Access Trojan (RAT) could also be used to siphon data out of the targeted environment.

Cleanup: After extracting their targeted assets, adversaries may take measures to cover up their tracks, such as timestamp manipulation and efforts to obscure the adversary’s identity.