In military theory, they typically divide warfare up into three levels: tactics, operations, and strategy. Each of these levels give you a different perspective into the art of war, making you much more versatile as a practitioner. When it comes to the art of cyber, it’s no different. If you’re trying to learn something like hacking, it’s often easy to focus too heavily on the tactical level, which may be specific commands, tools, and techniques to hack a target. While this might be all you care about at first, you miss out on the bigger picture of why you’re running Kali and trying to pop a box in the first place. Which is why in this video, we’re going to go over the cyber kill chain, operations that happen at each step, and its strategic-level implications for cyber security.
The cyber kill chain framework was originally published in a landmark paper, titled, Intelligence-Driven Computer Network Defense, back in 2013 by three Lockheed Martin analysts, Eric Hutchins, Michael Cloppert, and Rohan Amin. Just as how computer networking is described using conceptual layers of the TCP/IP or OSI models, the three analysts took the military kill chain and adapted it to describe the process for offensive security and hacking targets in seven-steps: reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on the objective. Modern attackers will automate most of these steps during a hack, but it’s important to start-off by understanding all the components first.
So the original idea of a kill-chain was a military concept that describes the structure of a kinetic attack, which involves finding, fixing, tracking, targeting, engaging and assessing stages against an opponent with a prime example being Operation Neptune Spear, which was a kill-or-capture mission of Osama Bin Laden in 2011. Pulling this off required years of hunting, months of mission planning, and less than 40 minutes to actually execute, which included assaulting Bin Laden’s safe house, taking his body, and extracting useful sources of data like hard disks, thumb drives, books, tapes, and other files from the compound. Analyzing all this intel would again, take maybe months or years.
The cyber kill chain follows a similar tempo with long periods of reconnaissance and understanding your target, developing and assembling the right toolkits, followed by quick execution of the hack, and then a longer period of post-exploitation activities like escalating privileges, gaining more access, and stealing data. Unlike a kinetic operation with most of the action happening at the execution stage, for cyber, hacking onto a box is pretty anticlimactic with most of the exciting parts occurring after you’ve gained initial access. Can you do it? Yeah, it’s done. It’s been done this entire time? Yeah, man. Oh, drug dirt, real estate dirt, yacht dirt… So with all that being said, let’s get started with Step 1, reconnaissance. The reconnaissance step involves a considerable amount of planning and researching about a target of interest, whether a person, organization, or facility to map out any vulnerabilities.
You’ll use a lot of OSINT, or open-source intelligence, as a passive way to collect data relevant for the hack. For a person, this might be personal identifiers like email addresses or phone numbers, or contextual information like hobbies, interests, and key relationships. Harvesting login credentials from data breach dumps would be fair game too. For a company, you might be more interested in policies, work hours, and organizational patterns-of-life. Dumpster diving, striking up casual conversations, and even social engineering are all ways to obtain intel. For technical data, you’d want to discover digital infrastructure like IP addresses, domain names, subdomains, and third-party services used. Common scanning tools like Nmap or Shodan can enumerate hosts and ports running on server-side infrastructure. Identifying the software that users have installed along with their versions can also help you find client-side avenues of approach to hack into the network. This might include web browsers, media players, or messaging apps like Discord or Slack. For instance if you knew someone used an outdated version of VLC to listen to rock music on his work computer, you’d have a decent amount of information to craft a hack that leverages this vector while watching out for a particular anti-virus or endpoint intrusion detection software that might be installed on the work laptop by this company. And that brings us to the weaponization step of the cyber kill chain, which involves combining exploit code together with a payload to run against a target. One reason this step is called weaponization is that for client-sided attacks,
you’ll often need to hide and obfuscate the exploit and payload with a benign file like a PDF or Word document to make it become malicious. Depending on the target, exploiting a piece of software, whether service-side or client-side, can be really difficult to engineer. You might have to bypass traditional memory protection techniques like ASLR or data execution prevention, then escape sandboxes internal to the software, or external ones like Docker containers and virtual machines. You might also need to chain more exploits together to achieve privilege escalation on the local operating system. Some sources of exploits that are more off-the-shell, proof-of-concept ones can be freely found on GitHub or ExploitDB, while others can run in the six to seven-figures for something that’s a reliable, zero-click, full-chain, zero-day for Android or iOS from brokers like Zerodium. Now on the payload side of the house, we’re concerned about what types of code to actually have the victim device run after exploiting a piece of software on it, whether it’s an interactive shell on the simple side to a fully-featured implant like Meterpreter on the complex side.
The sophistication of your tool instrumentation is what actually allows you to control and affect the target, whether it’s bricking the device or using it to snoop on phone calls and text messages. Once you have the exploits and payloads ready, the next step of the cyber kill chain is delivery, which involves serving the package through an attack channel. Putting the hard work and due diligence in at the recon stage is going to offer you more ways to serve up the package. The three-primary vectors for delivery will be either client-side, service-side, or supply chain-based. Client-side attacks typically need end-users to interact like inserting a USB stick, clicking a link to a website, or opening a malicious file. Hacking end-user clients has become much more popular because vectors like email or text messages can bypass traditional perimeter security measures like firewalls and are cheaper to pull-off. For example, if you drop a bunch of USB drives in the parking lot of a company, chances are that somebody’s going to find it and plug it in to their computer. If that company didn’t implement removable media restrictions or logging, it’d be near-impossible to detect this delivery mechanism just monitoring the network. With just a bit of participation from the victim, client-side attacks lets you hack directly into end-user devices and steal credentials to abuse trust relationships within a network. Service-side attacks are rarer and more expensive to execute because they’re typically non-interactive and can be fired off directly, whether through the Internet at a web server, via radio frequency at a home wireless router, or at a phone through a WhatsApp call, as demonstrated by the Israeli spytech company, the NSO Group. Supply-chain attacks are another way to distribute implants deeply to a wide range of targets. For instance, in 2018, Bloomberg reported that China was able to compromise thousands of servers located in data centers used by cloud-providers like Amazon AWS, by installing the hardware implants shipped with the motherboards for servers made by Super Micro Computers. This is particularly effective since any company using these cloud-providers running the hardware with the bonus features, can now also be hacked with it being really difficult to know where the attacks originated from. Another delivery method using the supply-chain approach is by compromising software and code repositories, so when developers import libraries from these sources when they’re coding, the programs they compile will then carry the malicious payloads, executed downstream later on for end-users. Whatever the approach, having the right delivery method can be just as important as having the right tooling, and requires good reconnaissance to determine how to get your tools from point A to point B. Step 4, exploitation, involves the actual process of compromising a service or app and executing the payload on a target. On the surface there doesn’t seem like much at this step, but in reality, the rabbit hole can get pretty deep. As we mentioned earlier, it might take chaining several exploits together to bypass different protections, and maybe even multiple stages of payloads to finally run your implant. Many programs’ memory stacks might only support running a small initial payload that can then be run to download a larger one afterwards. Each payload may have layers and layers of packing, encryption, and obfuscation to bypass signature-based detections. If you want to take a deeper look at how things work under-the-hood for the exploitation step, topics like reverse engineering and return-oriented programming will help you understand how exactly buffer overflows work and different ways to bypass memory protections. Resources you can take a look at include the classic, “Hacking: The Art of Exploitation” by Jon Erickson, which covers the topics I just mentioned along with some networking and cryptology too. Capture-the-flag exercises, especially picoCTF by Carnegie Mellon University tend to have a lot of binary exploitation and reverse-engineering type challenges, with historical write-ups you can study, posted by other people online. Next up, we have installation, which involves securing persistence on a target, an activity typically performed by the installed implant. To survive reboots and crashes, attackers may often migrate their tool to a more stable system process through memory injection, or by modifying a software’s linked libraries with a malicious version, so that they can load together. When an implant gets fully installed, you might see new registry entries or startup scripts appear, which will automatically run the program upon boot. To evade detection by anti-virus products, implants may be written to run only in-memory or with an encrypted virtual file system located in hidden parts of the hard drive. To hide any traces of its presence and activity, you may also see a hacker drop rootkits disguised as drivers to patch the operating system kernel. More insidious rootkits can even modify the bootloader, or flash firmware like the BIOS to further hide malicious activities at a low-level. Properly written rootkits are really difficult to find without offline forensics or live debugging of the operating system, so they’re pretty useful for maintaining stealth and persistence upon installation. But just evading detection on the device itself isn’t enough, since the implant’s got to somehow phone back home to communicate with its command-and-control servers. Speaking of command-and-control, also called C2, this happens to be step 6 of the cyber kill chain. To avoid detection by network security monitoring, when communicating between the target and your hacking infrastructure, it’s important to use common protocols like HTTP, preferably encrypted with TLS, since custom protocols on non-standard ports are easy to detect. Long persistent connections will also stand out as anomalous as well as large amounts of files transferred in a short period of time. Evasion methods like timing high-volume activity during work hours, sending data slowly over longer periods of time, blending in with normal user traffic, can all help mask communications. Along with rootkits, good C2 methods can help a hacker’s ability to maintain stealth and persistence on a target network. In situations where devices are air-gapped, or disconnected from the Internet, there are techniques like worming through USB drives, which was how the Stuxnet virus got into Iran’s nuclear-enrichment facility. Less traditional techniques might include using the speakers and microphone on a device to communicate via sound waves, or even radio frequencies to another infected device that does have network connectivity, thereby bridging the air gap. The C2 servers you’re using are a big consideration as well. If you’re using hard-coded IP addresses with a cloud VPS instance, they can easily get blacklisted, DDoS’d, or hacked back into. If you’re using domain names along with a reverse-proxy service like Cloudflare, you can mitigate some of the previous concerns. But when the domains get reported as malicious, they can get also sinkholed and taken down. An alternative to centralized servers are peer-to-peer botnets, which make great forms of C2 infrastructure since they’re distributed with fewer single points-of-failure to account for, but are much more complicated to develop and manage. However you build the command-and-control systems, as long as there’s a way to phone home over the Internet, it’s easy to carry on a hacking operation with all sorts of different covert channels. The last and arguably most important step of the cyber kill chain is actions on the objective, sometimes also referred to as the post-exploitation stage. Once you’ve gained initial access, follow-on actions might include harvesting credentials from the system, exfiltrating data, or using the victim device as a jump point for more reconnaissance on the internal network and for launching subsequent attacks, and the entire kill-chain process repeats itself. Personally, I think defining your actions-on-objective step is the most important of the entire cyber kill chain because it directly contributes to an end-state. It doesn’t matter how much recon or tooling you do, if there’s no clear purpose with a set of actions to achieve, all the work you’ve put in the previous steps are a bit of a waste. This is where the strategic-level considerations for cyber security start to matter because it’s the foundation for all the tactics and operations in the entire kill chain. Examples of strategic objectives might include intelligence gathering or industrial espionage for governments, or theft, fraud, and extortion for criminals. As a cyber professional, a personal strategy can be to become a red teamer or a more capable blue teamer. Whoever you are, hacking is really just a means to an end, with the cyber kill chain as a path to guide you there. Always define the end-state first, and learn responsibly. Highly recommend you go out and read the original Lockheed Martin paper, and if you’re really motivated, check out a more comprehensive version called, The Unified Kill Chain, which has some more steps broken down in detail. Links are in the description below. So that’s it for this video on the cyber kill chain. If you like what we’re doing here with Cyberspatial, remember to subscribe, like, and comment on the video if you enjoyed it, and be sure to share the goodness with friends. Thanks so much for watching, and I’ll see you soon!