Your daily war in cyberspace may not be as bloody as an epic World War II battle, but it’s just as deadly. To win this war, you have to know your enemies as well as yourself.
To stop these enemies in their tracks, you must understand the “kill chain,” the eight phases of attack that hackers use to strangle your business and devastate your assets. Usually, the kill chain occurs without your knowledge. The earlier you discover and disrupt your adversaries’ attempts to execute their attack, the better you’re able to protect your data. The mantra of good security professionals is “It’s easier to keep them out, than get them out.”
Here we present the eight stages in an advanced persistent threat (APT) kill chain. APT threat actors are persistent and highly skilled in the tradecraft they use to obtain their objectives. Those objectives could include espionage or obtaining an organization’s trade secrets, customer data or financial account information. An experienced cyber security team with the right tools can help you become aware of the attack as early as stage one and help you take appropriate action to block the enemy. If you miss the attackers in the reconnoiter stage, cyber security experts can step in any time before or after to get the attackers out of your network.
Stage 1: Reconnoiter. During this step, the attackers perform reconnaissance. They research your company and possibly its key players, such as executives or board members. The attackers may review social media sites such as Facebook or Twitter to see what your organization is doing and to see which executives or board members have social media accounts they might target to ultimately sneak into your network. The adversaries may also look into public Securities and Exchange Commission filings, job postings that reveal the types of technology you use inside your organization, and other sites that may have posted information on your company.
Stage 2: Vulnerability weaponization. In this stage, the threat actors use the information they gather in stage one to select weapons to attack your company. These exploits take advantage of security weaknesses in your environment, including insufficiently secured web applications, ports on your firewall that have been accidentally opened, and even your employees themselves. Typically, threat actors can buy or rent exploits for about $1,000, but researchers at Dell SecureWorks have seen prices as low as $100. Sales of these weapons are a lucrative business for their creators, who sell to criminals and avoid the risk of getting caught hacking into a network or stealing valuable information.
Stage 3: Distribution and delivery. Adversaries will distribute and deliver to their target the malware they selected in stage 2. They may do this in a variety of ways, including:
• Email an executive, a board member or someone on staff a message crafted specifically for the receiver, with the goal of convincing that person to click on an attachment or a link that contains malware. These emails typically contain information gained during the reconnaissance phase, making them look legitimate. They might reference a business issue or even the soccer team the executive’s child is on (using information gathered from Facebook). In some cases, the sender of the email has been altered, making the email look as if it’s from an employee of the company.
• Send your employees USB sticks with the name of a known business partner embossed on them, hoping someone will stick the USB into his computer. These USB sticks can be configured to launch an application automatically whenever they’re plugged in.
• Compromise websites that your employees are likely to visit. A big enterprise with layers and layers of security may be difficult to attack directly, so the attacker instead hacks the website of an association to which the company belongs and secretly plants malware there. Employees of the target company visit the association’s website and get malware on their computers, which then gives the attacker access to the targeted company’s network.
However it’s delivered, whether via a link to a website, an attachment in an email or a file on a USB stick, when the unsuspecting employee clicks on the link, opens the attachment or inserts the USB stick, an application is launched that infects the user’s computer.
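The altered-sender emails described above usually leave traces in the message headers: the visible From: address disagrees with the envelope sender, or the mail gateway records an SPF or DKIM failure. The following script is an added example, not code from the original article or from Dell SecureWorks; the two raw messages are constructed, and the Authentication-Results parsing follows the RFC 8601 header format that gateways commonly emit. It reports reasons to distrust a sender rather than declaring a message safe.

```python
"""Flag inbound messages whose visible From: address does not match the
envelope sender or that fail SPF/DKIM, a cheap check for the altered-sender
emails described in Stage 3. Added example; the raw messages are
constructed, and the Authentication-Results format follows RFC 8601."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: looks like it is from the CFO, but the envelope
# sender and the SPF result say otherwise.
SPOOFED_MSG = """\
Return-Path: <bounce@mail-example.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.invalid; dkim=none
From: "Jane CFO" <jane.cfo@example.com>
To: bob@example.com
Subject: Wire transfer approval (urgent)

Bob, please approve the attached wire before noon.
"""

# Constructed sample: the same sender, but authenticated end to end.
LEGIT_MSG = """\
Return-Path: <jane.cfo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Jane CFO" <jane.cfo@example.com>
To: bob@example.com
Subject: Q3 numbers

Bob, here are the numbers we discussed.
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address, '' if none."""
    _, email = parseaddr(addr)
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def _auth_results(msg) -> dict:
    """Parse method=result pairs (spf, dkim, dmarc) from Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = result.lower()
    return results


def sender_findings(raw: str, internal_domain: str) -> list:
    """Return a list of reasons the message's sender should be distrusted.
    An empty list means no finding, not proof that the mail is genuine."""
    msg = message_from_string(raw)
    findings = []
    from_domain = _domain(msg.get("From", ""))
    envelope_domain = _domain(msg.get("Return-Path", ""))
    auth = _auth_results(msg)

    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append(f"From domain {from_domain} != envelope domain {envelope_domain}")
    if from_domain == internal_domain.lower():
        # Mail claiming to come from our own domain must authenticate.
        if auth.get("spf") != "pass":
            findings.append(f"internal From but spf={auth.get('spf', 'missing')}")
        if auth.get("dkim") != "pass":
            findings.append(f"internal From but dkim={auth.get('dkim', 'missing')}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(name, sender_findings(raw, "example.com") or ["no findings"])
```

Run it as-is and the spoofed message produces three findings (domain mismatch, SPF failure, no DKIM) while the legitimate one produces none. In practice the same logic belongs in the gateway's policy (DMARC), and a message with no findings can still be a lookalike domain, which is why the article's advice to confirm unexpected attachments with the sender personally still applies.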
Stage 4: Exploitation. In this stage, the malware the attacker delivered to your organization is surreptitiously executed. The initial infection might give the attackers complete remote control of the infected computers. Once they have control, the attacker may download and run additional applications that can steal passwords, log keystrokes, take or destroy sensitive files or perform other malicious activities.
Stage 5: Persistence/lateral movement. Once a computer is infected, it’s important to the attackers that it remains infected. The attackers will install multiple pieces of malware, hoping that if one piece of malware is discovered, the rest will survive. They will also configure the computer to restart malware if it’s ever stopped or if the computer is rebooted, to preserve their control. They may also try to use the computers they have infected as launching points to attack other computers inside your network. The more widespread the infection, the harder it is to remove, and the more likely the attackers are to find the sensitive data they may be seeking.
Stage 6: Command and control. Once the attackers have a sufficiently firm foothold in your network, they will begin to command the computers under their control to collect valuable data and deliver it to them. Sophisticated attackers make it difficult to track infections back to them by connecting through intermediate servers. If your security team becomes aware of the infections and traces the outbound Internet connections, they will only discover these intermediates and not the attackers themselves.
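Even when the outbound connections only lead to intermediate servers, the pattern of the traffic is visible to you: a controlled machine typically checks in with the same external address at near-constant intervals. The following script is an added example, not code from the original article or from Dell SecureWorks; the firewall log format and lines are constructed. It groups outbound connections per (source host, destination) pair and flags pairs whose inter-connection intervals are unusually regular.

```python
"""Spot beacon-like outbound connections in firewall/proxy logs: a host
that contacts the same external address at near-constant intervals is a
classic command-and-control pattern, even when that address is only an
intermediate hop. Added example; the log format and lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (timestamp src dst port action): ws-17 checks in with
# 198.51.100.23 every ~5 minutes; ws-04 browses an ordinary site irregularly.
SAMPLE_LOG = """\
2024-03-04T09:00:01 ws-17 198.51.100.23 443 allow
2024-03-04T09:00:40 ws-04 203.0.113.8 443 allow
2024-03-04T09:05:02 ws-17 198.51.100.23 443 allow
2024-03-04T09:07:15 ws-04 203.0.113.8 443 allow
2024-03-04T09:10:00 ws-17 198.51.100.23 443 allow
2024-03-04T09:10:09 ws-04 203.0.113.8 443 allow
2024-03-04T09:15:03 ws-17 198.51.100.23 443 allow
2024-03-04T09:20:01 ws-17 198.51.100.23 443 allow
2024-03-04T09:25:02 ws-17 198.51.100.23 443 allow
2024-03-04T09:31:44 ws-04 203.0.113.8 443 allow
2024-03-04T09:33:02 ws-04 203.0.113.8 443 allow
"""


def parse_log(text):
    """Group connection timestamps by (source host, 'dst:port')."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = line.split()
        conns[(src, f"{dst}:{port}")].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(text, min_connections=5, max_jitter=0.10):
    """Return {(src, dst): (mean_interval_s, jitter)} for pairs whose
    inter-connection intervals are regular. Jitter is the coefficient of
    variation (population stdev / mean) of the gaps; a beacon with a fixed
    sleep scores near 0, human browsing scores near or above 1."""
    beacons = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            beacons[pair] = (round(avg, 1), round(jitter, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (interval, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {interval}s, jitter {jitter}")
```

On the constructed log only ws-17 is reported (about every 300 seconds with jitter under 0.01). Real implants often add random sleep, so the jitter threshold and minimum sample count are tuning knobs to set against your own baseline rather than fixed values; the point is that the regularity survives the intermediate server, since the hop only hides the final destination, not the cadence.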
Stage 7: Action on target. Now that the intruders have the ability to collect information from many computers inside your environment, they will take action and steal your information. This theft could begin nearly immediately after the initial infection and go on for months. Or, the intruders might decide to just lie in wait, watching your users, logging user names and passwords, collecting account numbers and other information. Then, at the time of their choosing, they could use this information to access bank accounts and start transferring funds to their own accounts overseas.
Stage 8: Data exfiltration. Once the data has been collected, the intruders begin to move the stolen content from your servers to theirs in a process known as exfiltration. They may take data directly from the machine it’s stored on, or collect the data, store it in a centralized location and exfiltrate it from there. The attackers will take steps to make sure this migration doesn’t set off alarms inside your company. One common way for the attackers to accomplish this is to command an infected machine to zip up all the data that has been gathered and email it to them in a .ZIP file. Since people send dozens or more emails every day, that .ZIP file would likely go unnoticed and wouldn’t look suspicious to anyone monitoring your network.
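A single .ZIP attachment does blend in, which is why the useful question for the monitoring team is not "is this one email suspicious?" but "how many archive bytes has this sender pushed to that external domain?" The following script is an added example, not code from the original article or from Dell SecureWorks; the mail gateway log format, the addresses and the threshold are constructed. It restricts itself to outbound mail, keeps only compressed-archive attachments, and aggregates per internal sender and external destination domain.

```python
"""Find outbound mail that moves compressed archives out of the company.
The Stage 8 trick of zipping collected data and emailing it relies on one
more .ZIP going unnoticed, so this aggregates archive bytes per internal
sender and external destination domain instead of judging single messages.
Added example; the gateway log format, addresses and threshold are constructed."""
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"
ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar.gz", ".tgz")

# Constructed gateway log: timestamp sender recipient attachment size_bytes
MAIL_LOG = """\
2024-03-04T08:12:10 alice@example.com partner@supplier.example report.pdf 240000
2024-03-04T08:40:31 ws17svc@example.com drop@mail-example.invalid batch01.zip 48000000
2024-03-04T09:02:55 bob@example.com carol@example.com photos.zip 9000000
2024-03-04T09:41:02 ws17svc@example.com drop@mail-example.invalid batch02.zip 51000000
2024-03-04T10:15:47 alice@example.com partner@supplier.example q3.zip 1200000
2024-03-04T11:03:19 ws17svc@example.com drop@mail-example.invalid batch03.zip 47500000
"""


def parse_mail_log(text):
    """Return (timestamp, sender, recipient, attachment, size) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, sender, rcpt, name, size = line.split()
            rows.append((ts, sender.lower(), rcpt.lower(), name, int(size)))
    return rows


def _domain(addr):
    return addr.rsplit("@", 1)[-1]


def archive_exfil_candidates(text, internal_domain=INTERNAL_DOMAIN,
                             byte_threshold=20_000_000):
    """Sum archive bytes per (sender, external domain) over outbound mail and
    return the pairs at or above the threshold as {(sender, domain): (count, bytes)}."""
    totals = defaultdict(lambda: [0, 0])
    for _ts, sender, rcpt, name, size in parse_mail_log(text):
        if _domain(sender) != internal_domain or _domain(rcpt) == internal_domain:
            continue  # inbound or internal-only mail is out of scope here
        if not name.lower().endswith(ARCHIVE_EXTS):
            continue  # only compressed archives count toward the total
        key = (sender, _domain(rcpt))
        totals[key][0] += 1
        totals[key][1] += size
    return {k: tuple(v) for k, v in totals.items() if v[1] >= byte_threshold}


if __name__ == "__main__":
    for (sender, domain), (count, nbytes) in archive_exfil_candidates(MAIL_LOG).items():
        print(f"{sender} -> {domain}: {count} archives, {nbytes / 1e6:.1f} MB")
```

On the constructed log the service account that mails three large archives to an outside domain is the only pair reported; Alice's one small .zip to a known partner stays under the threshold and Bob's internal mail is ignored. The threshold should come from your own baseline of normal outbound archive volume, and the same aggregation applies to web uploads and DNS once the logs are normalized to sender, destination and bytes.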
Turning Mission Impossible to Mission Possible
Without knowing the tactics the attackers use, it’s nearly impossible to know your organization is under attack. But with knowledge of the attackers’ tactics and strategies, you can help prevent your organization from being breached and being victimized by the kill-chain gang.
• Avoid clicking on email links or attachments in emails from untrusted sources. Even when you know the senders, if there are links or attachments, confirm with the senders personally that they sent that specific email.
• As soon as patches become available, install updates for your applications and for your computer’s operating system.
• Ensure you have the most up-to-date anti-virus protections installed.
• Deploy firewalls around your network and your web applications.
• Install intrusion prevention systems or intrusion detection systems (IPS/IDS) around your network to inspect inbound and outbound traffic.
• Install host intrusion prevention systems (HIPS) to add another layer of protection around your most valuable servers. These days, web application firewalls are a necessity.
• Scan your web and mobile applications for vulnerabilities at least quarterly and every time a change has been made to them.
• Provide information security training, including information regarding social engineering, to all employees and board members.
• Implement and enforce policies that forbid employees from downloading executable files via the Internet and using peer-to-peer networks.
• Monitor your network 24 hours a day.
• Implement global threat intelligence services so you can find out in advance when attackers are targeting your network for an attack.
• Provide ongoing security awareness training for your employees and customers. Help the human firewall work!