By Joseph Raczynski
Technologist, Thomson Reuters
In our new world reality where cyberattacks are a daily occurrence and every organization must focus on critical infrastructure surrounding cybersecurity, businesses have begun to think like the military. How can we defend our enterprise? To that end, it’s not surprising that companies have adopted soldierly, combative mindsets and terminology.
The term “kill chain” originates from the armed forces and refers to the structure—or seven stages—of a cyberattack:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Action on Objectives
Now, many proactive institutions are attempting to “break” an opponent’s kill chain as a defense method or preemptive action. One of the leaders in this space adapting the concept for Information Security is Lockheed Martin.
Thinking Like a Hacker
A hacker typically has a creative, analytical mindset. These individuals search for paths toward a solution—often devising serpentine and circuitous routes to attain their goal. It’s this approach that we need to build awareness around if we are to thwart an onslaught of attacks.
As an example, let’s pretend that a hacker wants to get into your Tax Consultancy LLP organization to pilfer the Social Security numbers of your clients. This is how they may think at every stage of the kill chain. Your goal is to understand the steps and proactively counter each one to protect your network.
Stage 1: Reconnaissance
Hackers begin by researching your company online—gathering names, titles, and email addresses of people who work for the organization. They identify one person to target and then plan their avenue of attack. They may use e-mail attachments with viruses, port surf the company network, drop a memory card containing malicious code in the parking lot, or decrypt WiFi traffic. In this scenario, let’s say they choose e-mail as their method. An e-mail containing a link is sent to the selected individual, who, once they click on the link, inadvertently downloads the malware.
Stage 2: Weaponization
Hackers have libraries of code at their disposal that they use and tweak for their attacks. They consider the networks, operating systems, and software that Tax Consultancy LLP—and every company they target—may run. By identifying these components through research, the hackers can customize their code to work in those environments. One of the most common ways to compromise a computer or network is to attack unpatched software by companies such as Microsoft Cisco—applications that have known vulnerabilities, but ones that Tax Consultancy LLP may not have updated.
Stage 3: Delivery
In this instance, the hacker has decided to target the CFO of Tax Consultancy LLP. Through research, the hacker knows the name of the CFO, where she lives, works and even personal information gathered from the Web. He knows she coaches an eighth-grade softball team, enjoys camping, and shops at a local Safeway Food store she once complained about on Google reviews. Armed with this information, the hacker decides to lure the CFO with a spear phishing tactic.
Stage 4: Exploitation
The hacker crafts a perfectly feasible email to the CFO.
“Dear Jenny, it has been too long since we last spoke! I hope all is well. The last time we chatted we were at Safeway, complaining about their so called “fresh fish” section. One of these days they will have fresh shrimp, not just the frozen variety. The reason I am writing is that our daughters are in the same softball league. They have grown up so fast! I know you are busy, so you may not be aware, but they are hoping to go to Florida for a tournament in a few months. We are trying to raise some money for the kids who currently don’t have the means to get there, can you please help by donating say $20 to the cause? You can click here to donate.”
Stage 5: Installation
There is a 96 percent likelihood that the CFO will click on the link in the spear phishing e-mail. When she does, the malicious software takes root.
Stage 6: Command & Control
Once the malicious code has been installed, it phones home to the hacker. The hacker then has the ability to control it, let it sit for an extended period of time, automatically listen to packets across the network, or crawl through the network. All of this depends on what was deployed and what the hacker wants from the system. In our imaginary scenario, the hacker is after Social Security numbers, so he may attack the central database of Tax Consultancy LLP that houses all of their clients’ information, most likely found in an unencrypted DBA system, or perhaps Excel spreadsheets or other email accounts. The hacker is then able to harvest the information and send it out through the firm’s firewall to a remote server as a repository.
Stage 7: Action on Objectives
Finally, the hacker is able to extract whatever information they’ve been targeting. They can now easily gather Social Security numbers contained in the firm’s data. Of course, the options for exploiting this sort of information are many. The hacker may sell the numbers on the dark web, file fake tax returns, or use them to apply for credit or new identities.
All of this happened because the hacker was able to effectively use each stage of the kill chain to astutely identify the company’s possible vulnerabilities and leverage them. Today, all businesses should spend time walking through these stages, identify vulnerabilities, and shoring up their defenses to eliminate them. It’s not an easy task, but the more critically each of us look at these seven stages of the kill chain, the better we can prevent the next hack.