Chapter 2 - 02 - Describe Hacking Methodologies and Frameworks - 03_ocred.pdf
Document Details
Uploaded by barrejamesteacher
Certified Cybersecurity Technician, Information Security Attacks, Exam 212-82

Cyber Kill Chain Methodology

o The cyber kill chain methodology is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities
o It helps security professionals to understand the adversary's tactics, techniques, and procedures beforehand

[Slide diagram: the seven phases of the kill chain, reconstructed as a list]
o Reconnaissance: gather data on the target to probe for weak points
o Weaponization: create a deliverable malicious payload using an exploit and a backdoor
o Delivery: send the weaponized bundle to the victim using email, USB, etc.
o Exploitation: exploit a vulnerability by executing code on the victim's system
o Installation: install malware on the target system
o Command and Control: create a command and control channel to communicate and pass data back and forth
o Actions on Objectives: perform actions to achieve the intended objectives/goals

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Cyber Kill Chain Methodology

The cyber kill chain methodology is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities. It helps security professionals identify the steps that adversaries follow in order to accomplish their goals. The cyber kill chain is a framework for securing cyberspace based on the concept of military kill chains, and its aim is to improve intrusion detection and response. Lockheed Martin's model breaks an intrusion into seven phases, from reconnaissance to the final accomplishment of the objective, and each phase is an opportunity for the defender to detect or block the adversary. Understanding the cyber kill chain methodology helps security professionals apply security controls at the different stages of an attack and stop the attack before it succeeds.
It also provides greater insight into the attack phases, which helps in understanding the adversary's TTPs beforehand.

Module 02 Page 161

Discussed below are the phases included in the cyber kill chain methodology.

[Figure 2.2: Cyber kill chain methodology. The diagram shows the same seven phases as the slide: Reconnaissance (gather data on the target to probe for weak points), Weaponization (create a deliverable malicious payload using an exploit and a backdoor), Delivery (send the weaponized bundle to the victim using email, USB, etc.), Exploitation (exploit a vulnerability by executing code on the victim's system), Installation (install malware on the target system), Command and Control (create a command and control channel to communicate and pass data back and forth), and Actions on Objectives (perform actions to achieve the intended objectives/goals).]

Reconnaissance

An adversary performs reconnaissance to collect as much information about the target as possible to probe for weak points before actually attacking. They look for publicly available information on the Internet, network information, system information, and organizational information about the target. By conducting reconnaissance across different network levels, the adversary can learn network blocks, specific IP addresses, and employee details. The adversary may also use automated tools to discover open ports and services, vulnerabilities in applications, and login credentials. Such information can help the adversary gain backdoor access to the target network.
Activities of the adversary include the following:
o Gathering information about the target organization by searching the Internet or through social engineering
o Performing analysis of various online activities and publicly available information
o Gathering information from social networking sites and web services
o Obtaining information about websites visited
o Monitoring and analyzing the target organization's website
o Performing Whois, DNS, and network footprinting
o Performing scanning to identify open ports and services

Weaponization

The adversary analyzes the data collected in the previous stage to identify the vulnerabilities and techniques that can be exploited to gain unauthorized access to the target organization. Based on the vulnerabilities identified during analysis, the adversary selects or creates a tailored deliverable malicious payload (a remote-access malware weapon) using an exploit and a backdoor, to be sent to the victim. An adversary may target specific network devices, operating systems, endpoint devices, or even individuals within the organization to carry out their attack. For example, the adversary may send a phishing email to an employee of the target organization with a malicious attachment such as a virus or worm that, when opened, installs a backdoor that gives the adversary remote access to the system.

The following are the activities of the adversary:
o Identifying an appropriate malware payload based on the analysis
o Creating a new malware payload, or selecting, reusing, or modifying available malware payloads based on the identified vulnerability
o Creating a phishing email campaign
o Leveraging exploit kits and botnets

Delivery

The previous stage included creating a weapon.
Its payload is transmitted to the intended victim(s) as an email attachment, via a malicious link on a website, or through a vulnerable web application or a USB drive. Delivery is a key stage that measures the effectiveness of the defense strategies implemented by the target organization, based on whether the adversary's intrusion attempt is blocked or not.

The following are the activities of the adversary:
o Sending phishing emails to employees of the target organization
o Distributing USB drives containing the malicious payload to employees of the target organization
o Performing watering-hole attacks from a compromised website
o Running various hacking tools against the operating systems, applications, and servers of the target organization

Exploitation

After the adversary's weapon is transmitted to the intended victim, exploitation triggers the malicious code to exploit a vulnerability in the operating system, application, or server on a target system. At this stage, the organization may face threats such as authentication and authorization attacks, arbitrary code execution, physical security threats, and security misconfiguration.

Activities of the adversary include the following:
o Exploiting software or hardware vulnerabilities to gain remote access to the target system

Installation

The adversary downloads and installs more malicious software on the target system to maintain access to the target network for an extended period. They may use the weapon to install a backdoor that provides remote access. After the malicious code is injected on one target system, the adversary gains the capability to spread the infection to other end systems in the network.
Also, the adversary tries to hide the presence of malicious activities from security controls like firewalls using various techniques such as encryption.

The following are the activities of the adversary:
o Downloading and installing malicious software such as backdoors
o Gaining remote access to the target system
o Leveraging various methods to keep the backdoor hidden and running
o Maintaining access to the target system

Command and Control

The adversary creates a command and control channel, which establishes two-way communication between the victim's system and an adversary-controlled server to communicate and pass data back and forth. Adversaries implement techniques such as encryption to hide the presence of such channels. Using this channel, the adversary performs remote exploitation on the target system or network.

The following are the activities of the adversary:
o Establishing a two-way communication channel between the victim's system and the adversary-controlled server
o Leveraging channels such as web traffic, email communication, and DNS messages
o Applying privilege escalation techniques
o Hiding any evidence of compromise using techniques such as encryption

Actions on Objectives

The adversary controls the victim's system from a remote location and finally accomplishes their intended goals. The adversary gains access to confidential data, disrupts the services or network, or destroys the operational capability of the target by gaining access to its network and compromising more systems. The adversary may also use the compromised environment as a launching point for other attacks.
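The phases above are also the vocabulary defenders use to label what a detection has actually caught. The following is an added example, not EC-Council courseware, that runs two phase-specific rules over constructed log samples (a connection log and a DNS query log, both made up for this illustration): a port-scan rule that tags reconnaissance, and a DNS-beaconing rule that tags command and control over DNS, one of the channels the text lists. The log formats, the threshold constants, and the function names are assumptions made for the example.

```python
"""Tag constructed log events with the kill-chain phase they indicate.

Added example (not EC-Council courseware). Log formats, sample data and
threshold values are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime
import math
import statistics

# Assumed tuning thresholds; a real deployment would set these per environment.
PORT_SCAN_MIN_PORTS = 5      # distinct destination ports from one source to one host
PORT_SCAN_WINDOW_S = 60      # ... all first seen within this many seconds
BEACON_MIN_QUERIES = 4       # DNS queries from one host to one parent domain
BEACON_MAX_JITTER = 0.10     # pstdev/mean of inter-query gaps (0 = perfectly periodic)
BEACON_MIN_ENTROPY = 3.0     # mean Shannon entropy (bits/char) of the leftmost label

# Constructed sample logs (not real captures).
# Connection log fields: timestamp src dst dport proto state
CONN_LOG = """\
2024-03-01T09:00:01 10.0.0.5 10.0.0.20 22 tcp S0
2024-03-01T09:00:01 10.0.0.5 10.0.0.20 23 tcp S0
2024-03-01T09:00:02 10.0.0.5 10.0.0.20 80 tcp SF
2024-03-01T09:00:02 10.0.0.5 10.0.0.20 443 tcp SF
2024-03-01T09:00:02 10.0.0.5 10.0.0.20 445 tcp S0
2024-03-01T09:00:03 10.0.0.5 10.0.0.20 3389 tcp S0
2024-03-01T09:00:03 10.0.0.5 10.0.0.20 8080 tcp S0
2024-03-01T09:05:00 10.0.0.7 10.0.0.20 443 tcp SF
"""
# DNS log fields: timestamp src qname qtype
DNS_LOG = """\
2024-03-01T10:00:00 10.0.0.20 q3k9v2x7m1p8.update.example.net TXT
2024-03-01T10:01:00 10.0.0.20 b7n4c1z8w5r2.update.example.net TXT
2024-03-01T10:02:01 10.0.0.20 h2t6y9f3k7d4.update.example.net TXT
2024-03-01T10:03:00 10.0.0.20 m8s1g5l2q6e9.update.example.net TXT
2024-03-01T10:03:30 10.0.0.20 www.example.com A
"""


def shannon_entropy(text):
    """Bits per character of text; encoded data scores high, real hostnames low."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_port_scans(conn_lines):
    """Reconnaissance: one source probing many ports on one host in a short window."""
    first_seen = defaultdict(dict)          # (src, dst) -> {dport: first timestamp}
    for line in conn_lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _proto, _state = line.split()
        first_seen[(src, dst)].setdefault(int(dport), datetime.fromisoformat(ts))
    findings = []
    for (src, dst), ports in first_seen.items():
        if len(ports) < PORT_SCAN_MIN_PORTS:
            continue
        times = sorted(ports.values())
        span = (times[-1] - times[0]).total_seconds()
        if span <= PORT_SCAN_WINDOW_S:
            findings.append({"phase": "Reconnaissance", "src": src, "dst": dst,
                             "evidence": f"{len(ports)} ports in {span:.0f}s"})
    return findings


def detect_dns_beacons(dns_lines):
    """Command and Control over DNS: periodic queries whose leftmost label looks like
    encoded data, all under one parent domain the adversary controls."""
    by_parent = defaultdict(list)           # (src, parent) -> [(timestamp, leftmost label)]
    for line in dns_lines:
        if not line.strip():
            continue
        ts, src, qname, _qtype = line.split()
        label, _, parent = qname.partition(".")
        by_parent[(src, parent)].append((datetime.fromisoformat(ts), label))
    findings = []
    for (src, parent), queries in by_parent.items():
        if len(queries) < BEACON_MIN_QUERIES:
            continue
        queries.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(queries, queries[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:                   # a burst, not a beacon
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        entropy = statistics.mean(shannon_entropy(lbl) for _, lbl in queries)
        if jitter <= BEACON_MAX_JITTER and entropy >= BEACON_MIN_ENTROPY:
            findings.append({"phase": "Command and Control", "src": src, "parent": parent,
                             "evidence": f"{len(queries)} queries every ~{mean_gap:.0f}s, "
                                         f"label entropy {entropy:.2f} bits/char"})
    return findings


def tag_events(conn_log, dns_log):
    """Run every phase rule and return findings ordered by kill-chain phase."""
    order = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
             "Installation", "Command and Control", "Actions on Objectives"]
    findings = detect_port_scans(conn_log.splitlines()) + detect_dns_beacons(dns_log.splitlines())
    return sorted(findings, key=lambda f: order.index(f["phase"]))


if __name__ == "__main__":
    for f in tag_events(CONN_LOG, DNS_LOG):
        print(f"[{f['phase']}] {f['src']}: {f['evidence']}")
```

Run as written, the sample data yields one Reconnaissance finding (10.0.0.5 touching seven ports on 10.0.0.20 within two seconds) and one Command and Control finding (four near-periodic TXT queries with random-looking labels under update.example.net); the single www.example.com lookup is ignored because it falls below BEACON_MIN_QUERIES. The phase label matters for response: a reconnaissance hit warrants tightening exposure, whereas a C2 hit means a host is already compromised and should be contained.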
Tactics, Techniques, and Procedures (TTPs)

o The term Tactics, Techniques, and Procedures (TTPs) refers to the patterns of activities and methods associated with specific threat actors or groups of threat actors
o Tactics: "tactics" are the guidelines that describe the way an attacker performs the attack from beginning to end
o Techniques: "techniques" are the technical methods used by an attacker to achieve intermediate results during the attack
o Procedures: "procedures" are the organizational approaches that threat actors follow to launch an attack

Tactics, Techniques, and Procedures (TTPs)

The terms "tactics, techniques, and procedures" refer to the patterns of activities and methods associated with specific threat actors or groups of threat actors. TTPs are helpful in analyzing threats and profiling threat actors, and can further be used to strengthen the security infrastructure of an organization. The word "tactics" is defined as a guideline that describes the way an attacker performs their attack from beginning to end. The word "techniques" is defined as the technical methods used by an attacker to achieve intermediate results during their attack. Finally, the word "procedures" is defined as the organizational approach followed by the threat actors to launch their attack.

In order to understand and defend against threat actors, it is important to understand the TTPs used by adversaries. Understanding the tactics of an attacker helps to predict and detect evolving threats in their early stages. Understanding the techniques used by attackers helps to identify vulnerabilities and implement defensive measures in advance. Lastly, analyzing the procedures used by the attackers helps to identify what the attacker is looking for within the target organization's infrastructure. Organizations should understand TTPs to protect their network against threat actors and upcoming attacks.
TTPs enable organizations to stop attacks at the initial stage, thereby protecting the network against massive damage.

Tactics

Tactics describe the way the threat actor operates during the different phases of an attack. They cover how the actor gathers information for the initial exploitation, performs privilege escalation and lateral movement, and deploys measures for persistent access to the system. Generally, APT groups depend on a certain set of unchanging tactics, but in some cases they adapt to different circumstances and alter the way they perform their attacks. Therefore, the difficulty of detecting and attributing an attack campaign depends on the tactics used to perform the attack. For example, to obtain information, some threat actors depend solely on information available on the Internet, whereas others might perform social engineering or use connections in intermediate organizations. Once information such as the email addresses of employees of the target organization is gathered, the threat actors either choose to approach the targets one by one or as a group. Furthermore, the attackers' designed payload can stay constant from the beginning to the end of the attack or may be changed based on the targeted individual. Therefore, to understand threat actors better, the tactics used in the early stages of an attack must be analyzed properly.

Techniques

To launch an attack successfully, threat actors use several techniques during its execution. These techniques include initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, and covering the tracks of data exfiltration.
The techniques followed by a threat actor to conduct an attack might vary, but they are mostly similar across campaigns and can be used for profiling. Therefore, understanding the techniques used in the different phases of an attack is essential to analyzing threat groups effectively.

Procedures

"Procedures" involve a sequence of actions performed by the threat actors to execute the different steps of an attack life cycle. The number of actions usually differs depending upon the objectives of the procedure and the APT group. An advanced threat actor uses advanced procedures that consist of more actions than a normal procedure to achieve the same intermediate result. This is done mainly to increase the success rate of an attack and decrease the probability of detection by security mechanisms.

An understanding and proper analysis of the procedures followed by certain threat actors during an attack helps organizations profile threat actors. In the initial stage of an attack, such as during information gathering, observing the procedure of an APT group is difficult. However, the later stages of an attack can leave trails that may be used to understand the procedures the attacker followed.