Security Awareness

TryHackMe Cyber Kill Chain

CSNP Team April 17, 2023

Learn about the Cyber Kill Chain framework developed by Lockheed Martin and how it helps security professionals understand and defend against cyber attacks.

Content by Dan Rearden

The Cyber Kill Chain framework is designed for the identification and prevention of network intrusions. You will learn what adversaries need to do, phase by phase, in order to achieve their goals.

Task 1: Introduction

The term kill chain is a military concept describing the structure of an attack: identifying a target, deciding on and ordering an attack against it, and finally destroying it.

Lockheed Martin, a global security and aerospace company, adapted the military concept into the Cyber Kill Chain framework for the cybersecurity industry in 2011. The framework defines the steps adversaries or malicious actors take in cyberspace. To succeed, an adversary needs to complete every phase of the kill chain, which means that breaking the chain at any single phase stops the attack. We will go through the attack phases to help you better understand adversaries and the techniques they use, so that you can defend against them.

So, why is it important to understand how Cyber Kill Chain works?

The Cyber Kill Chain helps you understand and protect against ransomware attacks, security breaches and Advanced Persistent Threats (APTs). You can use it to assess your network and system security by mapping your existing controls to each phase, identifying the phases where controls are missing, and closing those gaps based on your company's infrastructure.

By understanding the kill chain as a SOC analyst, security researcher, threat hunter or incident responder, you will be able to recognize intrusion attempts, place them in the right phase, and understand the intruder's goals and objectives.

We will be exploring the following attack phases in this room:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command & Control
  • Actions on Objectives

Task 2: Reconnaissance

Reconnaissance is discovering and collecting information on the target system and the victim organization. It is the planning phase for the adversary.

OSINT (Open-Source Intelligence) also falls under reconnaissance and is the first step an attacker completes before the later phases of an attack. The attacker studies the victim by collecting every available piece of information on the company and its employees from publicly available resources, such as the company's size, email addresses and phone numbers, to determine the best target for the attack.

Email harvesting is the process of obtaining email addresses from public, paid or free services. An attacker can use harvested addresses to build the target list for a phishing attack, and has a large arsenal of tools available for reconnaissance purposes.
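The harvesting step described above, as an added example that is not part of the original room or this write-up. It runs over constructed page contents (fictional .test domains and names, embedded inline) rather than fetching anything, extracts plain and "[at] ... [dot]" obfuscated addresses, keeps only those at the target domain, and then goes one step further than the paragraph: it infers the company's address format from the addresses it found and predicts addresses for employees whose names were collected elsewhere. All pages, names and address formats are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample pages (fictional .test domains, not real data): what a crawler
# might return for the target's own site, a conference speaker list and a press release.
SAMPLE_PAGES = {
    "https://www.example-corp.test/about": """
        <p>Press: <a href="mailto:press@example-corp.test">press@example-corp.test</a></p>
        <p>Jane Doe, CFO &mdash; jane.doe@example-corp.test</p>
        <p>Facilities: bob [at] example-corp [dot] test</p>
    """,
    "https://conference.test/speakers": """
        Speakers: Alice Smith (alice.smith@example-corp.test), Carl Ng (carl.ng@example-corp.test)
        Sponsor contact: sales@vendor.test
    """,
    "https://news.test/release": "Media inquiries: JANE.DOE@Example-Corp.test",
}

# Constructed employee list, as an attacker would collect it from social media or press.
KNOWN_NAMES = [("Jane", "Doe"), ("Alice", "Smith"), ("Carl", "Ng"), ("Dmitri", "Volkov")]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "user [at] domain [dot] tld" obfuscation, which a plain address regex misses.
OBFUSCATED_RE = re.compile(
    r"([A-Za-z0-9._-]+)\s*[\[(]\s*at\s*[\])]\s*([A-Za-z0-9-]+)\s*[\[(]\s*dot\s*[\])]\s*([A-Za-z]{2,})",
    re.I,
)

# Common corporate address formats (assumed set; extend as needed).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first": lambda f, l: f,
}


def harvest(pages, target_domain):
    """Return sorted, de-duplicated, lower-cased addresses at target_domain."""
    found = set()
    for text in pages.values():
        found.update(m.lower() for m in EMAIL_RE.findall(text))
        found.update(f"{u}@{d}.{t}".lower() for u, d, t in OBFUSCATED_RE.findall(text))
    return sorted(a for a in found if a.endswith("@" + target_domain))


def infer_pattern(addresses, names):
    """Vote for the address format that explains the most harvested addresses."""
    local_parts = {a.split("@", 1)[0] for a in addresses}
    votes = Counter()
    for first, last in names:
        for label, fmt in PATTERNS.items():
            if fmt(first.lower(), last.lower()) in local_parts:
                votes[label] += 1
    return votes.most_common(1)[0][0] if votes else None


def predict_addresses(addresses, names, target_domain):
    """Guess addresses for names not yet seen, using the inferred format."""
    label = infer_pattern(addresses, names)
    if label is None:
        return []
    fmt, known, guesses = PATTERNS[label], set(addresses), []
    for first, last in names:
        candidate = f"{fmt(first.lower(), last.lower())}@{target_domain}"
        if candidate not in known:
            guesses.append(candidate)
    return guesses


if __name__ == "__main__":
    addrs = harvest(SAMPLE_PAGES, "example-corp.test")
    print(addrs)                                   # five addresses, duplicates merged
    print(infer_pattern(addrs, KNOWN_NAMES))       # first.last
    print(predict_addresses(addrs, KNOWN_NAMES, "example-corp.test"))
```

The prediction step is why defenders should treat the company address format itself as reconnaissance data: once three or four real addresses are public, every employee name on LinkedIn becomes a usable phishing target without any further leak.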

Task 3: Weaponization

After a successful reconnaissance stage, the attacker works on crafting a "weapon of destruction". The attacker prefers not to interact with the victim directly and instead builds a "weaponizer" that combines malware and an exploit into a deliverable payload.

Let's define some terminology:

  • Malware is a program or software designed to damage, disrupt or gain unauthorized access to a computer.
  • An exploit is a program or code that takes advantage of a vulnerability or flaw in an application or system.
  • A payload is the malicious code that the attacker runs on the system once the exploit has succeeded.

In the Weaponization phase, the attacker would:

  • Create an infected Microsoft Office document containing a malicious macro or VBA script
  • Create a malicious payload or worm and implant it on USB drives
  • Choose Command and Control (C2) techniques
  • Select a backdoor implant

Task 4: Delivery

In the Delivery phase the attacker chooses the method for transmitting the payload or malware to the victim:

  • Phishing email: A malicious email targeting specific people (spearphishing attack) or multiple people in the company
  • USB Drop Attack: Distributing infected USB drives in public places
  • Watering hole attack: A targeted attack compromising websites the target group frequently visits, leading to drive-by downloads
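Phishing email is the delivery method defenders see most often, so here is the triage a SOC analyst would run on a suspicious message, as an added example that is not part of the original room or this write-up. It parses two constructed messages (fictional .test domains, embedded inline) with the standard library, reads the SPF, DKIM and DMARC results from the Authentication-Results header, and checks whether the envelope sender, the From header and any Reply-To header point at the same domain, including a simple digit-for-letter lookalike check. The header values, domains and the lookalike mapping are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing message (not a real email): passes SPF for the bulk-mailer domain,
# but the From header claims the target's own domain and Reply-To goes to a lookalike.
SUSPICIOUS_MAIL = """\
Return-Path: <bounce@mailer-farm.test>
Authentication-Results: mx.example-corp.test;
 spf=pass smtp.mailfrom=mailer-farm.test;
 dkim=none;
 dmarc=fail header.from=example-corp.test
From: "Example Corp IT Helpdesk" <helpdesk@example-corp.test>
Reply-To: it-support@examp1e-corp.test
To: jane.doe@example-corp.test
Subject: Action required: your password expires today

Please re-authenticate using the link below within 24 hours.
"""

# Constructed legitimate message from the same helpdesk for comparison.
LEGIT_MAIL = """\
Return-Path: <helpdesk@example-corp.test>
Authentication-Results: mx.example-corp.test;
 spf=pass smtp.mailfrom=example-corp.test;
 dkim=pass header.d=example-corp.test;
 dmarc=pass header.from=example-corp.test
From: "Example Corp IT Helpdesk" <helpdesk@example-corp.test>
To: jane.doe@example-corp.test
Subject: Scheduled maintenance on Saturday

No action is needed.
"""

CHECKS = ("spf", "dkim", "dmarc")
LOOKALIKE = str.maketrans("10", "lo")  # assumed digit-for-letter swaps used in lookalike domains


def auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    hdr = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    results = {}
    for check in CHECKS:
        m = re.search(rf"\b{check}=([a-z]+)", hdr, re.I)
        results[check] = m.group(1).lower() if m else "missing"
    return results


def domain_of(header_value):
    """Domain part of the first address in a header value ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw):
    msg = message_from_string(raw)
    auth = auth_results(msg)
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom
    flags = [f"{c}={auth[c]}" for c in CHECKS if auth[c] != "pass"]
    if env_dom and env_dom != from_dom:
        flags.append(f"envelope sender {env_dom} not aligned with From {from_dom}")
    if reply_dom != from_dom:
        kind = "lookalike" if reply_dom.translate(LOOKALIKE) == from_dom.translate(LOOKALIKE) else "different"
        flags.append(f"Reply-To domain {reply_dom} is a {kind} domain from From {from_dom}")
    return {"from": from_dom, "auth": auth, "flags": flags,
            "verdict": "suspicious" if flags else "clean"}


if __name__ == "__main__":
    for raw in (SUSPICIOUS_MAIL, LEGIT_MAIL):
        print(triage(raw))
```

Note that SPF passes on the phishing message: SPF only vouches for the envelope sender (mailer-farm.test), which is why the DMARC alignment check against the From header is the result that matters.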

Task 5: Exploitation

To gain access to the system, an attacker needs to exploit a vulnerability. After gaining access, the malicious actor can exploit further software, system or server-based vulnerabilities to escalate privileges or move laterally through the network.

The attacker might also use a zero-day exploit: an exploit for a vulnerability in software or hardware that is not yet known to the vendor or to defenders, so no patch or detection signature exists for it. Such an exploit can cause serious damage well before anyone realizes something is wrong.

Task 6: Installation

Once the attacker gets access to the system, they want to keep that access through a persistent backdoor. Persistence can be achieved through:

  • Installing a web shell on the web server - a malicious script written in ASP, PHP, or JSP (technique T1505.003 on MITRE ATT&CK)
  • Installing a backdoor using tools like Meterpreter
  • Creating or modifying Windows services (technique T1543.003 on MITRE ATT&CK)
  • Adding entries to the "Run keys" in the Registry or to the Startup folder (technique T1547.001 on MITRE ATT&CK)

The attacker can also use the timestomping technique (T1070.006) to modify file timestamps so that the implant blends in with legitimate files and evades forensic investigators.
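A defender-side check for the persistence and timestomping techniques listed above, as an added example that is not part of the original room or this write-up. It triages a constructed inventory of autostart entries (Run keys and services, fictional host) where each entry is paired with the NTFS $STANDARD_INFORMATION and $FILE_NAME creation timestamps of the image it points to, and flags images in user-writable directories, system binary names outside C:\Windows, and the two classic timestomp tells: $STANDARD_INFORMATION created earlier than $FILE_NAME created, and a creation time with an all-zero sub-second part. The records, directory list and thresholds are assumptions for illustration.

```python
from datetime import datetime

# Constructed autostart inventory (fictional host, not real telemetry). Timestamps use NTFS
# 100 ns resolution: 'YYYY-MM-DDTHH:MM:SS.fffffff'.
AUTORUNS = [
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrive",
     "image": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "si_created": "2022-03-01T08:15:42.1234567", "fn_created": "2022-03-01T08:15:42.1234567"},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "Updater",
     "image": r"C:\Users\jdoe\AppData\Roaming\svchost.exe",
     "si_created": "2019-06-11T09:00:00.0000000", "fn_created": "2023-04-02T13:47:19.5521007"},
    {"source": "Service (T1543.003)", "name": "WinDefendHelper",
     "image": r"C:\ProgramData\helper\svc.exe",
     "si_created": "2023-04-02T13:50:01.0089010", "fn_created": "2023-04-02T13:50:01.0089010"},
    {"source": "Service", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe",
     "si_created": "2021-11-15T04:12:33.9001122", "fn_created": "2021-11-15T04:12:33.9001122"},
]

# Assumed list of directories commonly abused for implants (forward-slash, lower-case form).
USER_WRITABLE = ("/appdata/local/temp/", "/appdata/roaming/", "/users/public/",
                 "/windows/temp/", "/programdata/")
# Assumed list of Windows binary names that should only run from C:\Windows.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def parse_ntfs_time(s):
    """'YYYY-MM-DDTHH:MM:SS.fffffff' -> (whole-second datetime, 100 ns ticks)."""
    main, _, frac = s.partition(".")
    return datetime.strptime(main, "%Y-%m-%dT%H:%M:%S"), int((frac + "0000000")[:7])


def triage(entry):
    """Return the list of reasons this autostart entry deserves a closer look."""
    reasons = []
    image = entry["image"].replace("\\", "/").lower()
    if any(d in image for d in USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    if image.rsplit("/", 1)[-1] in SYSTEM_NAMES and not image.startswith("c:/windows/"):
        reasons.append("system binary name outside C:\\Windows")
    si, fn = parse_ntfs_time(entry["si_created"]), parse_ntfs_time(entry["fn_created"])
    # $FILE_NAME is only written by the kernel, so SetFileTime-style tools leave it behind.
    if si < fn:
        reasons.append("$STANDARD_INFORMATION created is earlier than $FILE_NAME created")
    # Many timestomp tools write whole-second values, leaving the 100 ns field at zero.
    if si[1] == 0:
        reasons.append("$STANDARD_INFORMATION created has a zero sub-second part")
    return reasons


def review(entries):
    """Map entry name -> reasons, for flagged entries only."""
    flagged = {}
    for entry in entries:
        reasons = triage(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in review(AUTORUNS).items():
        print(name, "->", "; ".join(reasons))
```

These are heuristics, not proof: copy tools that preserve timestamps and some installers also produce $STANDARD_INFORMATION times that predate $FILE_NAME, so a hit should be corroborated with the USN journal or $LogFile before calling it timestomping.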

Task 7: Command & Control

After establishing persistence and executing the malware on the victim's machine, the attacker opens a C2 (Command and Control, also written C&C) channel through the malware to remotely control and manipulate the victim. The infected host usually calls out to the attacker's infrastructure at regular intervals; this periodic check-in is known as beaconing.

The most common C2 channels used by adversaries nowadays:

  • HTTP/HTTPS on ports 80 and 443, which blends malicious traffic with legitimate web traffic
  • DNS tunneling, where the infected machine makes constant DNS requests to an attacker-controlled DNS server, with commands and data encoded in the queries and responses
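Detection logic for both channels above, as an added example that is not part of the original room or this write-up. It runs over a constructed web-proxy log and a constructed DNS resolver log (fictional hosts, embedded inline): for HTTP it groups requests by client and host and flags pairs whose inter-request gaps are nearly constant, which is what beaconing looks like next to human browsing; for DNS it groups queries by base domain and flags domains receiving many unique, long, high-entropy subdomains. Log formats, thresholds and the two-label base-domain rule are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "timestamp client method host uri". update-check.test is the beacon.
PROXY_LOG = """\
2023-04-02T13:50:00 10.0.0.5 GET www.example-corp.test /index.html
2023-04-02T13:50:03 10.0.0.5 GET cdn.example-corp.test /app.js
2023-04-02T13:50:10 10.0.0.5 GET update-check.test /api/v1/ping
2023-04-02T13:51:11 10.0.0.5 GET update-check.test /api/v1/ping
2023-04-02T13:52:09 10.0.0.5 GET update-check.test /api/v1/ping
2023-04-02T13:53:12 10.0.0.5 GET update-check.test /api/v1/ping
2023-04-02T13:54:08 10.0.0.5 GET update-check.test /api/v1/ping
2023-04-02T13:54:30 10.0.0.5 GET www.example-corp.test /news.html
2023-04-02T13:55:10 10.0.0.5 GET update-check.test /api/v1/ping
2023-04-02T14:07:45 10.0.0.5 GET www.example-corp.test /contact.html
2023-04-02T14:21:02 10.0.0.5 GET www.example-corp.test /careers.html
"""

# Constructed DNS log: "timestamp client qtype qname". The hex labels carry tunnelled data.
DNS_LOG = """\
2023-04-02T13:50:10 10.0.0.5 A www.example-corp.test
2023-04-02T13:50:12 10.0.0.5 A 3f9a1c7e2b8d4a6f0c1e9b7d.t.exfil-relay.test
2023-04-02T13:50:12 10.0.0.5 A 9c4e2a1f7b3d8e6c5a0f2b1d.t.exfil-relay.test
2023-04-02T13:50:13 10.0.0.5 A 1a2b3c4d5e6f7a8b9c0d1e2f.t.exfil-relay.test
2023-04-02T13:50:13 10.0.0.5 A 5e6f7a8b9c0d1e2f3a4b5c6d.t.exfil-relay.test
2023-04-02T13:50:14 10.0.0.5 A 7a8b9c0d1e2f3a4b5c6d7e8f.t.exfil-relay.test
2023-04-02T13:50:14 10.0.0.5 A 2f3a4b5c6d7e8f9a0b1c2d3e.t.exfil-relay.test
2023-04-02T13:50:20 10.0.0.5 A cdn.example-corp.test
2023-04-02T13:50:25 10.0.0.5 A update-check.test
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_beacons(log, min_requests=5, max_jitter=0.2):
    """(client, host) pairs whose request gaps have a low coefficient of variation."""
    by_pair = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, _method, host, _uri = line.split()
        by_pair[(client, host)].append(parse_ts(ts))
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")  # stdev relative to the period
        if jitter <= max_jitter:
            hits[pair] = {"requests": len(times), "period_s": round(avg, 1), "jitter": round(jitter, 3)}
    return hits


def shannon_entropy(s):
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def find_dns_tunnels(log, min_unique=5, min_len=20, min_entropy=3.0):
    """Base domains that receive many distinct, long, high-entropy subdomains."""
    subdomains = defaultdict(set)
    for line in log.strip().splitlines():
        _ts, _client, _qtype, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) <= 2:
            continue
        subdomains[".".join(labels[-2:])].add(".".join(labels[:-2]))
    hits = {}
    for base, names in subdomains.items():
        if len(names) < min_unique:
            continue
        avg_len = mean(len(n) for n in names)
        avg_entropy = mean(shannon_entropy(n.replace(".", "")) for n in names)
        if avg_len >= min_len and avg_entropy >= min_entropy:
            hits[base] = {"unique_subdomains": len(names), "avg_len": round(avg_len, 1),
                          "avg_entropy": round(avg_entropy, 2)}
    return hits


if __name__ == "__main__":
    print(find_beacons(PROXY_LOG))
    print(find_dns_tunnels(DNS_LOG))
```

Real implants add randomised sleep (jitter) precisely to defeat the first check, so the threshold is a tuning knob rather than a constant, and the two-label base-domain rule needs the public suffix list in production so that host.example.co.uk is not grouped under co.uk.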

Task 8: Actions on Objectives (Exfiltration)

After going through the six preceding phases, the attacker can finally achieve their goals. With hands-on keyboard access, the attacker can:

  • Collect credentials from users
  • Perform privilege escalation
  • Perform internal reconnaissance
  • Move laterally through the company's environment
  • Collect and exfiltrate sensitive data
  • Delete backups and shadow copies
  • Overwrite or corrupt data
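Deleting backups and shadow copies is the item on this list that is easiest to catch in process-creation telemetry, so here is the matching detection logic as an added example that is not part of the original room or this write-up. It normalises constructed Sysmon Event ID 1 / Security 4688 style command lines (fictional host, embedded inline) so that quoting, full paths and spacing tricks do not hide the command, and matches them against the common recovery-inhibition commands (vssadmin, wmic, bcdedit, wbadmin and the WMI Win32_ShadowCopy route), mapping hits to ATT&CK T1490. The event records and rule list are assumptions for illustration.

```python
import re

ATTACK_ID = "T1490"  # MITRE ATT&CK: Inhibit System Recovery

# Constructed process-creation events (not real telemetry). Events 1 and 6 are benign.
EVENTS = [
    {"id": 1, "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmd": "vssadmin.exe list shadows"},
    {"id": 2, "user": "NT AUTHORITY\\SYSTEM", "parent": "svchost.exe",
     "cmd": '"C:\\Windows\\System32\\vssadmin.exe"   Delete   Shadows /All /Quiet'},
    {"id": 3, "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmd": "wmic shadowcopy delete /nointeractive"},
    {"id": 4, "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"id": 5, "user": "CORP\\jdoe", "parent": "powershell.exe",
     "cmd": 'powershell -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"id": 6, "user": "CORP\\backupsvc", "parent": "services.exe",
     "cmd": "wbadmin start backup -backupTarget:E: -include:C:"},
    {"id": 7, "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmd": "wbadmin delete catalog -quiet"},
]

# (rule name, regex applied to the normalised command line)
RULES = [
    ("vssadmin delete shadows", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("vssadmin shadowstorage resize", r"vssadmin(\.exe)?\s+resize\s+shadowstorage"),
    ("wmic shadowcopy delete", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("bcdedit disable recovery", r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("wbadmin delete catalog/backup", r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)"),
    ("powershell Win32_ShadowCopy delete", r"win32_shadowcopy.*\.delete\(\)"),
]


def normalize(cmd):
    """Lower-case, strip quotes and drive-letter directory prefixes, collapse whitespace."""
    cmd = cmd.lower().replace('"', "").replace("'", "")
    cmd = re.sub(r"\b[a-z]:\\(?:[^\\\s]+\\)*", "", cmd)  # c:\windows\system32\x.exe -> x.exe
    return " ".join(cmd.split())


def detect(events):
    """Return one hit per event whose command line matches a recovery-inhibition rule."""
    hits = []
    for event in events:
        cmd = normalize(event["cmd"])
        for name, pattern in RULES:
            if re.search(pattern, cmd):
                hits.append({"id": event["id"], "user": event["user"], "rule": name,
                             "technique": ATTACK_ID, "cmd": cmd})
                break
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Backup agents and administrators do run some of these commands legitimately, so in production the rule should be scoped by user and parent process; what makes the ransomware case stand out is several of these commands from one interactive session within seconds of each other, right before encryption starts.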

Task 10: Conclusion

The Cyber Kill Chain can be a great tool to improve network defense. Is it perfect, and can it be the only tool to rely on? No.

The traditional Cyber Kill Chain was last modified in 2011. The absence of updates and modifications creates gaps: it was designed to secure the network perimeter and protect against malware threats, but cybersecurity threats have developed drastically since then.

Since the framework's main focus is on malware delivery and network security, the traditional Cyber Kill Chain will not identify insider threats, where no delivery or exploitation phase ever takes place.

We recommend not relying only on the traditional Cyber Kill Chain model, but also referring to MITRE ATT&CK and the Unified Kill Chain to apply a more comprehensive approach to your defense methodology.

About the Author: Dan Rearden aka HaircutFish is focused on becoming a SOC analyst. He uses his passion for cybersecurity to learn as much as possible and pass on knowledge to others. Follow his write-ups at LinkTree.

