Section 3.6 Cyber Killchain
This diagram visually represents the seven distinct phases of the Cyber Kill Chain model, a framework developed by Lockheed Martin to describe the stages of a cyberattack. The typical stages shown sequentially are: 1. Reconnaissance (attacker gathers information about the target), 2. Weaponization (attacker creates a malicious payload), 3. Delivery (attacker transmits the weapon to the target), 4. Exploitation (weapon’s code is triggered, exploiting a vulnerability), 5. Installation (malware establishes persistence on the victim system), 6. Command and Control (C2) (malware enables the attacker to remotely control the compromised system), and 7. Actions on Objectives (attacker achieves their goals, such as data exfiltration or system disruption). The diagram usually depicts these stages in a linear progression, often using chevrons or connected blocks.
One way of analyzing an attack involving malware is through the steps of the Cyber Killchain. The Cyber Killchain was developed by Lockheed Martin; it adapts a military method of analysis, the kill chain, to cybersecurity. The Cyber Killchain is broken into seven steps: Recon, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Exfiltration.
Subsection 3.6.1 Recon
Recon is short for reconnaissance, military parlance for a preliminary survey used to gain information. During the recon phase, a malicious actor will gather as much information as possible. Methods used in this phase may be passive or active.
Passive recon involves gathering information without sending anything to the target. This typically involves accessing publicly available information, such as social media, published websites, and DNS records. If the actor has access they may also passively sniff network packets.
Active recon involves interaction with the target. This can include port scanning, vulnerability scanning, brute forcing directories and filenames on an HTTP server (for example with DirBuster, www.kali.org/tools/dirbuster/), or even contacting workers. Active recon can yield more information, but it is also significantly easier to detect.
Subsection 3.6.2 Weaponization
In the weaponization phase the actor begins readying exploits for the vulnerabilities that were assessed during recon. This may include tailoring malware, creating phishing emails, customizing tools, and preparing an environment for the attack. For malware to be effective it must utilize the correct exploits and work under the correct OS and environment. Metasploit (www.metasploit.com/) is a penetration testing framework that is often used in this step to create custom malware.
Subsection 3.6.3 Delivery
During the delivery phase the malware is handed over to the target. Typically steps are taken to bypass detection systems. Delivery may involve the sending of emails linked to malware or the exploitation of vulnerable servers to then run malware. At the end of this phase, an attacker typically waits for a callback from the malware via the command and control channel.
Subsection 3.6.4 Exploitation
Technically, the exploitation step occurs once the malware is successfully executed. In many cases, this involves almost no interaction from the attacker. Once malware is activated or the payload of an exploit executed, the victim has completed the exploitation step.
Subsection 3.6.5 Installation
The installation step is typically performed by the malware once it is running. The malware installs itself, hides itself, and sets up persistence (the ability to restart after being stopped). The malware may escalate privilege or move laterally. It may also install second stage additional payloads from a remote server. A common tactic is injecting downloaded code into an existing process to mask which process is performing questionable actions.
Subsection 3.6.6 Command and Control (C2, C&C)
Malware will reach out via its Command and Control channel for more instructions. At this point an attacker may interact with the malware, giving it additional commands. C2 traffic is usually designed to blend in with existing traffic and not draw attention.
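Because C2 traffic is built to blend in, defenders often look for its timing rather than its content: automated check-ins tend to arrive at regular intervals. The following detector is an added example, not part of the original text; it runs over constructed connection records, and the thresholds (`min_count`, `max_cv`) are assumptions a real deployment would tune.

```python
"""Flag outbound connection pairs whose timing looks like C2 beaconing."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (timestamp in seconds, source IP, destination IP).
# 10.0.0.5 contacts 203.0.113.9 about every 60 s with small jitter (beacon-like),
# while its traffic to 198.51.100.20 is irregular (normal user activity).
SAMPLE_CONNECTIONS = [
    (0, "10.0.0.5", "203.0.113.9"), (61, "10.0.0.5", "203.0.113.9"),
    (119, "10.0.0.5", "203.0.113.9"), (181, "10.0.0.5", "203.0.113.9"),
    (240, "10.0.0.5", "203.0.113.9"), (299, "10.0.0.5", "203.0.113.9"),
    (5, "10.0.0.5", "198.51.100.20"), (12, "10.0.0.5", "198.51.100.20"),
    (400, "10.0.0.5", "198.51.100.20"), (401, "10.0.0.5", "198.51.100.20"),
    (900, "10.0.0.5", "198.51.100.20"), (2000, "10.0.0.5", "198.51.100.20"),
    (30, "10.0.0.7", "203.0.113.9"),
]


def beacon_candidates(connections, min_count=5, max_cv=0.15):
    """Return {(src, dst): mean_interval_seconds} for pairs whose
    inter-connection gaps are regular enough to suggest automated check-ins.

    min_count: connections required before judging regularity (assumed value).
    max_cv: maximum coefficient of variation (stdev / mean) of the gaps
            (assumed value); lower means stricter.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)

    results = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue  # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            results[pair] = avg
    return results


if __name__ == "__main__":
    for (src, dst), interval in beacon_candidates(SAMPLE_CONNECTIONS).items():
        print(f"possible C2 beacon: {src} -> {dst} every ~{interval:.1f}s")
```

A real detector would also account for jittered sleep intervals and long-lived sessions, but the same interval statistics are the starting point.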
Subsection 3.6.7 Exfiltration / Actions & Objectives
The final step involves getting data from the exploited systems or disabling/misusing the systems in another way. At this point an attacker can use the C2 channel to pull sensitive information from the system: credit card information, password hashes, etc. It is important to note that exfiltration of data may not be the only goal of the attack. An attacker can also disable the system, commit fraud with the system, mine cryptocurrencies, etc. At this point the malicious actor is in complete control of the exploited system.