Why Cyber Security?
- June Tucay
- Jan 20, 2017
- 9 min read

Hackers and the kill chain
Before getting into using the tools, let's have a look at why cyber security has become so important over the last decade. Robert Morris was one of the earliest hackers to mount a public attack, when in 1988 he released the Christmas Tree worm onto the internet and caused over 6,000 computers to crash. He was charged and fined $10,000, rather a lot in those days. Then, in 1990, two hacking groups, the Legion of Doom and the Masters of Deception, declared war on each other and mounted attacks over the internet on each other's computers.
A number of their members were jailed. There were other high-profile hackers active in the 1990s, including Kevin Mitnick, otherwise known as Condor, who was in and out of jail because of his hacking. He eventually became an author on cyber security, acted as a CIA agent in ABC's TV spy thriller Alias, and is now a security consultant. Mitnick's book, Ghost in the Wires, describes his adventures as a wanted hacker on the run. During the 1980s and 90s, hackers were more a novelty than a significant problem.
However, by the late 1990s, the number of servers on the internet began to skyrocket as individuals and businesses started to take advantage of the benefits of an online society. As soon as money could be exchanged online and banking systems became internet accessible, organized crime began to take an interest. Over the next decade, online crime became a significant problem for society, and is as lucrative an activity for organized crime as illegal drugs. Criminals were not the only group starting to take notice of an increasingly online society.
So did national intelligence agencies, with an interest both in monitoring their own people and in espionage against foreign targets. Cyber attacks now use well-defined business processes. In 2009 an analyst in the Lockheed Martin Computer Incident Response Team, Mike Cloppert, introduced the concept of the Cyber Kill Chain. This views an attack in seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action.
An attack doesn't always progress from one step to the next, and the stages will often overlap, but each stage represents a milestone in prosecuting the attack. Reconnaissance is the term given to finding out about a target, just as a burglar will case a joint before breaking in. So a cyber criminal has to find his or her target. Individuals typically have one address on the Internet, which has been allocated by their Internet service provider, whereas a business may have a number of addresses in what is known as its internet domain. A cyber attack against a business target will start with a well-known website address, and then scan the internet address space around that address for the systems used by the target.
The business will see this as a response check on every host in its domain. This is known as an IP address scan. Then, when the attacker has a list of active hosts, he or she will scan each host in turn to find out what entry points are exposed. This is known as a port scan. Attacks nowadays are not done manually. An attacker will usually purchase time on a network of compromised computers in order to run automated scans. These networks are known as botnets, and may consist of hundreds, thousands, if not millions of compromised computers.
Malware is weaponized when it's customized to a specific target or a group of targets. It may be designed to exploit a vulnerability in a specific version of an operating system, or to target a specific online banking website. In the age of hacking as a business, cyber criminals will often purchase rather than develop their malware. One way of delivering malware into the target is to infect a document, PDF, image or other electronic item with the malware and then send it via email to an individual.
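The address scan and port scan described above are exactly what a business sees in its firewall logs, so the defender's first task is to spot them. The following Python is an added example, not code from the article or its author: it parses a constructed, simplified log format (timestamp, source, destination, destination port, action) and flags a source that touches many hosts, or many ports on one host, inside a short window. The window length and thresholds are illustrative assumptions.

```python
"""Detect IP address sweeps and port scans in firewall logs.

Added example, not part of the original article. The log format is a
constructed, simplified one: "timestamp src dst dport action" per line.
Thresholds and the window length are illustrative assumptions.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src dst dport action")

WINDOW = timedelta(seconds=60)   # assumption: one-minute detection window
PORT_THRESHOLD = 5               # distinct ports on one host within a window
HOST_THRESHOLD = 5               # distinct hosts within a window

# Constructed sample log: 198.51.100.7 probes six ports on one server (port
# scan), 203.0.113.9 probes six hosts on port 445 (address sweep), and two
# ordinary clients make a handful of normal connections.
SAMPLE_LOG = """\
2017-01-20T10:00:01 198.51.100.7 10.0.0.5 21 DENY
2017-01-20T10:00:01 198.51.100.7 10.0.0.5 22 ALLOW
2017-01-20T10:00:02 198.51.100.7 10.0.0.5 23 DENY
2017-01-20T10:00:02 198.51.100.7 10.0.0.5 25 ALLOW
2017-01-20T10:00:03 198.51.100.7 10.0.0.5 80 ALLOW
2017-01-20T10:00:03 198.51.100.7 10.0.0.5 443 ALLOW
2017-01-20T10:01:10 203.0.113.9 10.0.0.1 445 DENY
2017-01-20T10:01:10 203.0.113.9 10.0.0.2 445 DENY
2017-01-20T10:01:11 203.0.113.9 10.0.0.3 445 DENY
2017-01-20T10:01:11 203.0.113.9 10.0.0.4 445 DENY
2017-01-20T10:01:12 203.0.113.9 10.0.0.5 445 DENY
2017-01-20T10:01:12 203.0.113.9 10.0.0.6 445 DENY
2017-01-20T10:02:00 192.0.2.10 10.0.0.5 25 ALLOW
2017-01-20T10:05:00 192.0.2.20 10.0.0.5 22 ALLOW
2017-01-20T10:30:00 192.0.2.20 10.0.0.5 443 ALLOW
"""


def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def _note(findings, src, kind, count):
    """Record a finding, keeping the highest count seen for (src, kind)."""
    per_src = findings.setdefault(src, {})
    per_src[kind] = max(per_src.get(kind, 0), count)


def detect_scans(events, window=WINDOW, port_threshold=PORT_THRESHOLD,
                 host_threshold=HOST_THRESHOLD):
    """Return {src: {kind: count}} for sources whose activity inside any
    window of the given length looks like an address sweep or a port scan.
    The count kept is the largest seen in any window for that source."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            # Every event from this source inside [start, start + window].
            win = [e for e in evs[i:] if e.ts - start.ts <= window]
            hosts = {e.dst for e in win}
            if len(hosts) >= host_threshold:
                _note(findings, src, "address_sweep", len(hosts))
            for dst in hosts:
                ports = {e.dport for e in win if e.dst == dst}
                if len(ports) >= port_threshold:
                    _note(findings, src, "port_scan", len(ports))
    return findings


if __name__ == "__main__":
    for src, kinds in detect_scans(parse_log(SAMPLE_LOG)).items():
        for kind, count in kinds.items():
            print(f"{src}: {kind} ({count} distinct)")
```

Denied and allowed connections are counted alike on purpose: a scanner learns as much from the hosts that answer as from those that do not, and a slow scan spread over many minutes will only show up if the window is lengthened or the thresholds lowered.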
This is known as a phishing attack. Another way might be to find a vulnerable website and infect it with the malware in such a way as to ensure that when someone visits the website the malware infects their workstation. A third way might be to gain access to a stolen user ID and password to enter the target system, or to use default user IDs and passwords built into software on the target system, and directly transfer in the malware. It's also possible to find flaws in software that is exposed to the internet and to manually deliver the malware. In practice, an attack will often require establishing a beachhead on an internet-exposed host, and then using that to penetrate deeper into the system to get to the real target, which may not be directly connected to the internet.
For an email, web or USB based attack, the infected item will exploit a vulnerability in the target software post-delivery, when the document is opened. For remote access, the exploit takes place through a packet or a stream of packets sent to the internet-exposed host. As soon as the vulnerability is exploited, the infected document or the hacker then drops the payload into the target system. This could be into memory or onto disk, and may also involve installing some form of mechanism to make sure the payload continues to execute even if the system is rebooted.
One way of doing this on Windows is to add a registry entry to automatically run the payload when the system starts up. An attack may be planned to carry out actions over a long period of time using remote command and control of the implanted payload, such as when the payload is designed to provide a long-term source of intelligence. Exactly what form of action is carried out by the payload when it arrives at its target depends on the motives of the attacker. A hacktivist may want to deface a website. A state-sponsored agent may want to steal sensitive information. And the cyber criminal may want to access a bank account in order to steal money.
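Because the Windows Run keys are such a common place for an installed payload to gain persistence, reviewing them is a standard step in incident response. The Python below is an added example, not code from the article or its author: it parses a constructed export of the two Run keys in the standard .reg text format and lists the entries a responder should look at first. The triage rules (a command that lives in a user-writable location, or one that launches a script interpreter) and the allowlist of known-good executables are illustrative assumptions, not a definitive malware test.

```python
"""Triage Windows Run-key autostart entries exported to a .reg file.

Added example, not part of the original article. The export text is a
constructed sample in the standard .reg format; the "suspicious" rules are
illustrative triage heuristics (user-writable paths and script interpreters),
not a definitive malware test.
"""
import ntpath
import re

# Constructed .reg export of the per-user and machine-wide Run keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"Helper"="wscript.exe //B C:\\Users\\alice\\AppData\\Local\\Temp\\helper.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"""

VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# Locations a standard user can write to; a payload dropped by a phishing
# document usually lands here rather than under Program Files or System32.
USER_WRITABLE = re.compile(r'\\users\\[^\\]+\\|\\temp\\|\\programdata\\', re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def parse_reg(text):
    """Return [{'key':..., 'name':..., 'command':...}] for string values."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            # .reg escapes backslash and double quote with a backslash.
            command = re.sub(r'\\(["\\])', r"\1", m.group("value"))
            entries.append({"key": key, "name": m.group("name"), "command": command})
    return entries


def command_executable(command):
    """Extract the program from a command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(entries, known_good=()):
    """Return {value name: [reasons]} for entries worth a closer look.

    known_good: lower-case executable file names to skip (an assumption; a
    real deployment would allowlist by signature or hash, not file name)."""
    flagged = {}
    for entry in entries:
        exe = ntpath.basename(command_executable(entry["command"])).lower()
        if exe in known_good:
            continue
        reasons = []
        if USER_WRITABLE.search(entry["command"]):
            reasons.append("user-writable path")
        if exe in SCRIPT_HOSTS:
            reasons.append("script interpreter")
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(parse_reg(SAMPLE_REG), known_good={"onedrive.exe"}).items():
        print(f"{name}: {', '.join(reasons)}")
```

Note that the heuristic flags the legitimate OneDrive entry unless it is allowlisted, which is why this is a triage list rather than a verdict: the output tells a responder where to look, and a file-name allowlist is easy to spoof, so a real check should verify the binary itself.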
The Stuxnet kill chain
The most serious malware created by state-sponsored hackers is often called an advanced persistent threat, or APT. This is because it's coded with many vectors to get into its target and it's stealthy. It operates in a long and slow manner, staying below the level of normal detection, and remaining in its target for a long time. APT malware will often have many components, so that it can detect removal of any component and rebuild itself. Ralph Langner, in November 2013, released the most complete report to date on an APT known as Stuxnet.
We'll walk through this attack in the context of the cyber security kill chain. The United States had, for some time, been concerned about Iran's growing capability for uranium enrichment, and the potential for Iran to develop a full nuclear weapons program. In June 2012, the security company VirusBlokAda discovered a new virus, which it called Rootkit.TmpHider. Symantec later renamed this to W32.Stuxnet. Analysts indicated that it was a newer version of malware originally created in 2005 and that it was targeted at Siemens industrial plant equipment used in nuclear fuel enrichment. It contained validation criteria to target only certain configurations of the Siemens industrial supervisory control and data acquisition (SCADA) network. A number of analysts have suggested that the target of the Stuxnet virus was the uranium enrichment facility at Natanz, Iran.
The reconnaissance phase of this attack required detailed intelligence on the equipment and systems being used in the uranium enrichment programme, much of which would have come from monitoring sales and movement of component parts. Development of Stuxnet required very specific details of the operating systems being used to control the equipment, and of the management systems used within the facility which would connect to the SCADA system. The attack required extensive research and development to create the malware needed to exploit the highly specific versions of the industrial equipment, and to incorporate the highly focused targeting for exploitation. Analysts suggest that this weaponisation phase would have taken many, many years of effort.
Stuxnet was designed to be delivered via email or USB stick, or through prior implantation on electronic equipment being used in the facility. It used four zero-day exploits on Windows computers to propagate and deliver the payload to the SCADA system. Stuxnet took advantage of a vulnerability in the Siemens WinCC/PCS 7 SCADA control software. Exploitation of this vulnerability allowed it to take control of the SCADA software and then repeatedly speed up and slow down the centrifuges, causing the aluminium tubes to expand and contract, eventually destroying the equipment. During the time the worm is reported to have been active at the plant, between 900 and 1,000 centrifuges were replaced. On 29 November 2010, the President of Iran stated that there were some problems at the enrichment facility due to security software installed in electronic parts. Stuxnet had succeeded.
In terms of the kill chain, there was no command and control required, as it was created to be self-sufficient and highly targeted. In a similar way, there was no requirement for exfiltration, as the goal was destruction, not intelligence.
Common forms of cybersecurity attack
IP address and port scanning are useful activities to network administrators, but they can also be preliminary steps in attack reconnaissance. We'll look at how these are done later in this module. I've only mentioned the five methods of payload delivery: phishing via email, malicious websites, USB sticks, access to credentials and software flaws. Let's look at these a little more closely.
Email phishing occurs when an email has an attachment which has been infected, and clicking on the attachment installs and executes the malware. This could be an executable program which may have had its name changed to look innocuous. It may even be a picture, Word document or spreadsheet, all of which have in the past had vulnerabilities which allowed malware to be installed.
A malicious website is one in which an attacker has been able to plant some malicious code. This could be a website created specifically for hosting malware, or it could be a legitimate website which has been compromised by a hacker without the owner's knowledge. Anyone visiting a specific page on the website would then have malware downloaded onto their computer. Email phishing can be combined with malicious websites in more sophisticated attacks. In this case the email will include a hyperlink to the compromised website. Increasingly, phishing emails are focused on specific individuals and will use information taken from social media sites to read more like a legitimate email. A phishing email may also be crafted to look like it has come from a legitimate address, impersonating individuals and organisations.
Another form of malicious website is one which looks like a real website, such as a bank, but is in fact run by the hacker. In these attacks the purpose is to get the user to enter their credentials, which are then used by the hacker to take funds from the real website. A similar attack is known as the man-in-the-browser attack. In this case the hacker will use one of the above attempts to exploit vulnerabilities in the user's browser software, and then the next time the user visits their bank, the malware will change transactions to redirect the funds transferred to the attacker. This kind of attack is problematic for banks, as it happens after the user has authenticated and so is difficult to detect.
As mentioned earlier, cyber criminals rarely attack their targets individually. They will often purchase a botnet. Botnet operators rent out botnets and use cybercrime software suites to manage the command and control servers, which in turn are used to control a vast number of compromised computers, known as zombies, all around the world. All the cyber criminal needs to do is compose an attack and then send it through the botnet. This is organised crime on a global scale. Around half a million botnet connections are seen every day.
Attacks don't have to come through a remote connection. Flash drives are used by attackers as a vector for malware. A flash drive inserted into an infected computer will carry the infection to any other computer it is subsequently plugged into. Using secure flash drives avoids this kind of attack, and up-to-date anti-virus software will catch most known malware.
Passwords provide the basic form of access control. However, attackers are quite good at finding ways to get passwords. If an attacker can intrude or get malware into a system, he or she can take a copy of the password file. This file will typically only hold hash codes which have been generated from the passwords, and not the passwords themselves, but by using special password cracking software an attacker can generate and hash tens of millions of passwords and look for matches in the file. This is known as a dictionary attack. It is more difficult for the attacker to obtain a password when it consists of a large number of characters and is not a dictionary word. Password crackers are very good at adding numbers to the end of passwords, so secret42 isn't really that secret. The best way of creating a good password is to use two or three words in lowercase, such as tubularbells, and replace one character with a number, say tubularb3lls.
Attackers are familiar with the default credentials that are provided with software, and they should always be changed. Although this is a well-known security rule, it's surprising how often these passwords are found when enterprise software is tested.
Finally, no legitimate service desk should ask for a user's credentials. If you get a call from the help desk asking for your credentials, you should be very suspicious that this is an adversary rather than your real service desk.
The root cause of many attacks is software flaws. Vendors continually discover software flaws and issue patches, and these need to be applied as soon as possible. Enabling automatic updates on software of all kinds is very good practice. However, it's quite common for attackers to find software flaws before the vendor does, and until patches are made available those vulnerabilities are extremely dangerous. During this period the software is said to have a zero-day vulnerability. There is little that can be done to reduce the level of vulnerability when using software for which no patches are yet available. Minimising systems' exposure to the Internet helps reduce the risk of a zero-day being exploited. Now let's look at the bigger picture of cyber security and some of the tools that can be used for protection.
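The phishing techniques described above (an email crafted to look like it comes from a legitimate sender, carrying a link to a site that only looks like the real one) leave traces in the message itself. The Python below is an added example, not code from the article or its author: it parses a constructed sample message using reserved example domains and reports three indicators: a Reply-To domain that differs from the From domain, a link whose visible text names one site while its href points at another, and links that leave the sender's domain. Treating the last two labels of a host name as its registrable domain is a simplification assumed here in place of a public-suffix list.

```python
"""Check an email for common phishing indicators.

Added example, not part of the original article. The message below is a
constructed sample using reserved example domains. The checks are heuristics:
a Reply-To that does not match the From domain, a link whose visible text
shows one site while its href points at another, and links that leave the
sender's domain.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@examplebank.example>
Reply-To: helpdesk@mail-verify.example
To: user@corp.example
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://examplebank.example.verify-login.example/x">https://www.examplebank.example/login</a> to confirm.</p>
<p><a href="https://www.examplebank.example/help">Help centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from HTML anchors."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Host part of a URL or bare host name; None if text is not URL-like."""
    if " " in text or "." not in text:
        return None
    url = text if "://" in text else "http://" + text
    return urlparse(url).hostname


def analyse(raw):
    """Return a list of (indicator, detail) findings for a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)
    findings = []

    reply_to = msg["Reply-To"]
    if reply_to and registrable_domain(reply_to.addresses[0].domain) != sender_domain:
        findings.append(("reply_to_mismatch", reply_to.addresses[0].domain))

    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(href_host):
            # The user reads one address but the browser goes to another.
            findings.append(("link_text_mismatch", href))
        elif registrable_domain(href_host) != sender_domain:
            findings.append(("external_link", href))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyse(SAMPLE_EMAIL):
        print(f"{indicator}: {detail}")
```

None of these indicators proves a message is malicious on its own (legitimate mailings use tracking hosts and external reply addresses), but a link that displays the bank's address while pointing elsewhere is exactly the trick the credential-harvesting sites described above rely on, and it is cheap to surface to users before they click.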
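The password advice above can be turned into a check: before accepting a password, ask whether the cheap mangling rules a cracker applies to a dictionary (lowercase it, append a few digits or symbols, swap letters for look-alike digits) would have produced it. The Python below is an added example, not code from the article or its author. WORDLIST is a tiny constructed stand-in for a cracker's dictionary of millions of words, and the minimum length and substitution table are assumptions; with those inputs it rejects the article's secret42 and accepts tubularb3lls.

```python
"""Check whether a password falls to the cheap mangling rules crackers try.

Added example, not part of the original article. WORDLIST is a tiny
constructed stand-in for a cracker's dictionary; the minimum length and the
look-alike substitution table are assumptions chosen to illustrate the
article's advice (a single dictionary word plus trailing digits is weak; a
few joined words with one substituted character are better).
"""
import re

# Constructed stand-in for a real dictionary of millions of words.
WORDLIST = {"secret", "password", "welcome", "monkey", "tubular", "bells",
            "letmein", "dragon", "summer", "admin"}
MIN_LENGTH = 10          # assumption: policy minimum
# Undo the usual letter-to-digit/symbol swaps crackers also try.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def mangled_candidates(password):
    """Base forms a cracker's cheap rules would map the password back to.

    Undoes the common mangling steps: lowercase, strip up to six trailing
    digits or symbols, and reverse look-alike substitutions."""
    base = password.lower()
    stripped = re.sub(r"[\d!@#$%^&*._-]{1,6}$", "", base)
    forms = {base, stripped}
    forms.update(f.translate(LEET) for f in list(forms))
    return forms


def weakness(password, wordlist=WORDLIST, min_length=MIN_LENGTH):
    """Return a reason the password is weak, or None if it passes."""
    # A dictionary word survives any amount of cheap mangling, so test this
    # first regardless of length.
    for form in mangled_candidates(password):
        if form in wordlist:
            return "dictionary_word_plus_mangling"
    if not re.search(r"[a-z]", password.lower()):
        return "no_letters"
    if len(password) < min_length:
        return "too_short"
    return None


if __name__ == "__main__":
    for candidate in ("secret42", "Password2017", "s3cr3t!", "tubularb3lls"):
        print(f"{candidate!r}: {weakness(candidate) or 'ok'}")
```

The check deliberately mirrors the attacker's rules rather than counting character classes, which is why secret42 and S3cret! both fail while the longer multi-word form passes. A cracker can also combine two dictionary words, so a real policy would pair this check with a length requirement and a breached-password list.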