cyber kill chain

At what stage of the cyber kill chain theory model does exfiltration occur?

Option 1: INSTALLATION
Option 2: COMMAND AND CONTROL
Option 3: WEAPONIZATION
Option 4: Actions on Objectives

1. INSTALLATION

In the cyber kill chain, the installation stage is where a remote access Trojan or backdoor is installed on the victim system, allowing the adversary to maintain persistence inside the environment. Installing malware on the asset requires end-user participation, by unknowingly enabling the malicious code. Taking action at this point is often considered critical. One method to do this is to deploy a HIPS (Host-Based Intrusion Prevention System) to alert or block on common installation paths, e.g. NSA Job, RECYCLER. It is critical to know whether the malware requires administrator privileges or only user privileges to execute on the target. Defenders must understand endpoint process auditing in order to detect abnormal file creations. They need to be able to determine the compile time of malware to work out whether it is old or new. Answers to the following questions should be considered mandatory: How does it persist and survive? Does it use an Auto run key? Does the backdoor need to run to provide access? Are you able to identify any certificates and extract any signed executables?
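The "compile time" check mentioned above is a concrete header lookup: the COFF file header of every PE executable carries a 32-bit TimeDateStamp. The following is an added example, not code from Infosavvy or from the kill chain paper, showing how a defender reads that field and triages it; the sample image is constructed in `build_minimal_pe` (just enough header bytes for the parser, not a loadable program), and the 30-day "recent" window is an assumed tuning value.

```python
import struct
from datetime import datetime, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout walked: 'MZ' DOS magic, e_lfanew at offset 0x3C, the 'PE\\0\\0'
    signature, then the 20-byte COFF file header whose TimeDateStamp is the
    third field (offset 4 after Machine and NumberOfSections).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    timestamp = struct.unpack_from("<I", data, e_lfanew + 4 + 4)[0]
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def triage_compile_time(data: bytes, now: datetime, recent_days: int = 30) -> str:
    """Classify a binary from its header timestamp alone.

    'zeroed' and 'future' mean the field cannot be trusted (stripped or
    forged stamps are common), so the binary needs other dating evidence.
    recent_days is an assumed threshold; tune it to the environment.
    """
    ts = pe_compile_time(data)
    if ts.timestamp() == 0:
        return "zeroed"
    if ts > now:
        return "future"
    return "new" if (now - ts).days <= recent_days else "old"


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed sample: DOS stub with e_lfanew=0x40, PE signature, COFF header."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew -> PE header at 0x40
    # Machine=x64, 1 section, TimeDateStamp, no symbols, optional-header size, flags
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_minimal_pe(1700000000)          # constructed: 2023-11-14T22:13:20Z
    print(pe_compile_time(sample).isoformat())
    print(triage_compile_time(sample, datetime(2023, 12, 1, tzinfo=timezone.utc)))
```

The same field is what tools such as PE viewers report as the "compile time"; the triage function deliberately refuses to call a binary old or new when the stamp is zero or in the future, which is the caveat the question in the text is really asking about.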

2. COMMAND AND CONTROL

In the cyber kill chain, the command and control stage is the defender's "last best chance" to block the operation: by blocking the Command and Control channel. If adversaries can't issue commands, defenders can prevent impact. Typically, compromised hosts must beacon outbound to an Internet controller server to establish a Command & Control (aka C2) channel. APT malware especially requires manual interaction rather than conducting activity automatically. Once the C2 channel is established, intruders effectively have "hands on the keyboard" access inside the target environment. Let's remember that malware is seldom automated; normally this command channel is manual. The general practice of intruders is: Email in, Web out. The trick for them is to establish control over many workstations in an effort to "exfiltrate" data without setting off any anomaly or other monitoring applications based upon content, quantity, frequency, etc. Hence it is essential to have the proper tools in place, within your arsenal of capabilities, that can identify, track, observe, stop and destroy these campaigns.

3. WEAPONIZATION

Coupling an exploit with a backdoor into a deliverable payload. Next, attackers will re-engineer some core malware to suit their purposes using sophisticated techniques. Depending on the needs and abilities of the attacker, the malware may exploit previously unknown vulnerabilities, aka "zero-day" exploits, or some combination of vulnerabilities, to quietly defeat a network's defenses. By re-engineering the malware, attackers reduce the likelihood of detection by traditional security solutions. This process often involves embedding specially crafted malware into an otherwise benign or legitimate document, such as a press release or contract document, or hosting the malware on a compromised domain.

4. Actions on Objectives

The longer an adversary has this level of access, the greater the impact. Defenders must detect this stage as quickly as possible and deploy tools which enable them to gather forensic evidence. One example would be network packet captures, for damage assessment. Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, the objective of data exfiltration involves collecting, encrypting and extracting information from the victim(s) environment; violations of data integrity or availability are potential objectives as well. Alternatively, and most commonly, the intruder may only desire access to the initial victim box to be used as a hop point to compromise additional systems and move laterally inside the network. Once this stage is identified within an environment, the implementation of prepared reaction plans must be initiated. At a minimum, the plan should include a comprehensive communication plan, detailed evidence escalated to the highest-ranking official or board, the deployment of end-point security tools to block data loss, and preparation for briefing a CIRT team. Having these resources well established beforehand is a "MUST" in today's quickly evolving landscape of cybersecurity threats.
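The command and control section above says compromised hosts beacon outbound, and that exfiltration is noticed through anomalies in "content, quantity, frequency"; the actions-on-objectives section adds that data is collected and extracted. The block below is an added example, not code from Infosavvy, that applies both ideas to outbound connection logs: it flags (source, destination) pairs whose connection intervals are nearly constant (the frequency signal of beaconing) and sources whose outbound byte totals dwarf the rest of the fleet (the quantity signal of exfiltration). The log format, addresses and thresholds are all constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample egress log: timestamp, source host, destination, bytes sent.
# 10.0.0.5 checks in every ~300 s with tiny payloads; 10.0.0.7 browses irregularly;
# 10.0.0.9 makes only two connections but pushes out ~120 MB.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z 10.0.0.5 203.0.113.10:443 bytes_out=512
2024-03-01T09:01:10Z 10.0.0.7 198.51.100.20:443 bytes_out=2400
2024-03-01T09:01:45Z 10.0.0.7 198.51.100.20:443 bytes_out=1800
2024-03-01T09:05:02Z 10.0.0.5 203.0.113.10:443 bytes_out=498
2024-03-01T09:07:30Z 10.0.0.7 198.51.100.20:443 bytes_out=3100
2024-03-01T09:09:58Z 10.0.0.5 203.0.113.10:443 bytes_out=505
2024-03-01T09:10:00Z 10.0.0.9 192.0.2.50:443 bytes_out=52428800
2024-03-01T09:15:01Z 10.0.0.5 203.0.113.10:443 bytes_out=510
2024-03-01T09:20:00Z 10.0.0.5 203.0.113.10:443 bytes_out=499
2024-03-01T09:24:59Z 10.0.0.5 203.0.113.10:443 bytes_out=503
2024-03-01T09:31:00Z 10.0.0.7 198.51.100.20:443 bytes_out=900
2024-03-01T09:33:12Z 10.0.0.7 198.51.100.20:443 bytes_out=2200
2024-03-01T09:40:00Z 10.0.0.9 192.0.2.50:443 bytes_out=73400320
"""


def parse_log(text):
    """Parse the constructed format into (time, src, dst, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, bytes_field = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst,
                       int(bytes_field.split("=", 1)[1])))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.1):
    """Return {(src, dst): mean_interval_seconds} for near-periodic connections.

    Jitter is the coefficient of variation of the inter-arrival gaps. Real C2
    often randomises its sleep, so max_jitter is an assumed, tunable threshold;
    min_hits avoids scoring pairs with too few samples to judge regularity.
    """
    times = defaultdict(list)
    for when, src, dst, _ in events:
        times[(src, dst)].append(when)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[pair] = round(avg)
    return flagged


def find_volume_outliers(events, factor=10):
    """Return {src: total_bytes_out} for hosts sending > factor x the fleet median.

    Using the median of per-host totals as the baseline keeps one large
    exfiltrator from dragging the baseline up; factor is an assumed threshold.
    """
    totals = defaultdict(int)
    for _, src, _, n in events:
        totals[src] += n
    baseline = median(totals.values())
    return {src: total for src, total in totals.items() if total > factor * baseline}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("periodic beacons:", find_beacons(evts))
    print("outbound volume outliers:", find_volume_outliers(evts))
```

Run against the constructed log, only 10.0.0.5 to 203.0.113.10:443 scores as periodic (about 300 s between connections) and only 10.0.0.9 trips the volume check; the browsing host 10.0.0.7 is rejected by both tests, which is the point of combining a frequency signal with a quantity signal rather than alerting on either alone.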

Learn CEH & think like a hacker


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ
