You're reading from The Ultimate Kali Linux Book - Second Edition

Product typeBook

Published inFeb 2022

PublisherPackt

ISBN-139781801818933

Edition2nd Edition

Concepts

Cybersecurity

Author (1)

Glen D. Singh

Understanding the Cyber Kill Chain framework

As an aspiring penetration tester who is breaking into the cybersecurity industry, it's vital to understand the mindset of threat actors. To be better at penetration testing, you need to have a very creative and strategic mindset. To put it simply, you need to think like a real hacker if you are to compromise systems and networks as a cybersecurity professional.

The Cyber Kill Chain is a seven-stage framework developed by Lockheed Martin, an American aerospace corporation. This framework outlines each critical step a threat actor will need to perform before they are successful in meeting the objectives and goals of the cyber-attack against their targets. Cybersecurity professionals will be able to reduce the likelihood of the threat actor meeting their goals and reduce the amount of damage if they are able to stop the attacker during the earlier phases of the Cyber Kill Chain.

The following diagram shows the seven stages of the Cyber Kill Chain that are used by threat actors:

Figure 1.4 – Cyber Kill Chain

As shown in Figure 1.4, you can see each stage flows into the other until the threat actor reaches the last phase where the attacker is successful in their cyber-attack and the cybersecurity professionals were unable to stop the attack. On the blue team side of cybersecurity operations, the security engineers need to ensure the systems and networks are very well protected and monitored for any potential threats. If a threat is detected, the blue team needs to mitigate the threat as quickly as possible, hence the need to understand the Cyber Kill Chain. However, as a penetration tester, we can apply the techniques and strategies used by threat actors corresponding to each stage of the Cyber Kill Chain to achieve our objectives during a penetration test for an organization.

In the next few sections, you will learn about the fundamentals of each stage of the Cyber Kill Chain, how each is used by threat actors, and how penetration testers apply these strategies within their engagements.

Reconnaissance

As with every battle plan, it's important to know a lot about your opponent before starting a war. The reconnaissance stage is focused on gathering a lot of information and intelligence about the target, whether it's a person or an organization. Threat actors and penetration testers use this stage to create a profile of their target, which contains IP addresses, systems' operating systems, and open service ports, running applications, vulnerabilities, and any sensitive resources that may be unintentionally exposed that can increase the attack surface.

Important note

The reconnaissance stage involves both passive and active information gathering techniques, which will be covered in later sections of this book. You will also discover tools and techniques to improve your information skills when performing a penetration testing engagement.

Threat actors will spend a lot of time researching their target to determine the geolocation of any physical offices, online services, domain names, network infrastructure, online servers and web applications, employees, telephone numbers and email addresses, and so on. The main objective is to know as much information about the target. Sometimes this phase can take a long time. As compared to a penetration tester who has a specific time period to perform the entire penetration test, it can take between 1 to 2 days of intensive research before moving onto the next phase.

Weaponization

Using the information gathered from the reconnaissance phase, the threat actor and penetration tester can use it to better craft a weapon, better referred to as an exploit, that can take advantage of a security vulnerability on the target. The weapon (exploit) has to be specially crafted and tested to ensure its success when launched by the threat actor or the penetration tester. The objective of the exploit is to affect the confidentiality, integrity, and/or availability of the target's systems or networks.

An exploit takes advantage of a vulnerability. After that happens, what's next? To be a bit more strategic, threat actors and penetration testers will couple their exploit with a payload. The payload is unleashed after the exploit has compromised the system. As a simple example, a payload can be used to create a persistent backdoor on the target system to allow the threat actor or the penetration tester remote access to the system at any time when the compromised system is online.

Delivery

After creating the weapon, the threat actor or the penetration tester has to deliver the weapon onto the target system. Delivery can be done using the creative mindset of the attacker, whether using email messaging, instant messaging services, or even by creating drive-by downloads on compromised web services. Another technique can be copying the exploit onto multiple USB drives and dropping them within the compound of the target organization, with the hope an employee will find it and connect it to an internal system due to human curiosity.

The following figure seems to show a regular data cable for a mobile phone, however, it's a special type of USB ninja cable, which can be pre-programmed with malicious scripts by a threat actor and execute when connected to a computer:

Figure 1.5 – USB ninja cable

The USB ninja cable can be used by both threat actors and penetration testers as a method of delivering a malicious payload onto their target's system.

The following figure shows a USB rubber ducky, which can be used to deliver payloads:

Figure 1.6 – USB rubber ducky

When both the USB ninja cable and USB rubber ducky are inserted into a computer, they function as a keyboard emulator and execute the payload. This technique allows both threat actors and penetration testers to simply bypass firewalls and antimalware software.

As an upcoming penetration tester, ensure you have multiple methods of delivering the weapon to the target, such that, in the event that one method does not work, you have another, and so on.

Exploitation

After the weapon (exploit) is delivered to the target, the attacker needs to ensure when the exploit is executed, it successfully takes advantage of the security vulnerability on the target system as intended. If the exploit does not work, the threat actor or penetration tester may be detected by the organization's blue team and there is a halt in the Cyber Kill Chain. The attacker needs to ensure the exploit is tested properly before executing it on the target system.

Installation

After the threat actor has exploited the target system, the attacker will attempt to create multiple persistent backdoor accesses to the compromised system. This allows the threat actor or the penetration tester to have multiple channels of entry back into the system and network. During this stage, additional applications may usually install while the threat actor takes a lot of precautions to avoid detection by any threat detection systems.

Command and Control (C2)

An important stage in a cyber-attack is creating Command and Control (C2) connections between the compromised systems and a C2 server on the internet. This allows the threat actor to centrally control a group of infected systems (botnet) using a C2 server that is managed by the attacker. This allows the threat actor to create an army of zombies, all controlled and managed by a single threat actor.

The following diagram shows an example of C2:

Figure 1.7 – C2 operations

The threat actor uses data encryption, encapsulation, and various tunneling techniques to evade threat detection systems within target organizations. Similarly, there is an advanced stage of penetration testing known as red teaming where there are no limitations (rules of engagement) on the methods and techniques used to compromise a target organization, with the objective of simulating the closest thing to a real advanced cyber-attack of a malicious cyber army. However, keep in mind that legal permission is still needed for any type of red teaming engagements.

Actions on objectives

If the threat actor or the penetration tester is able to reach this stage of the Cyber Kill Chain, the organization's blue team has failed to stop the attacker and prevent the cyber-attack. At this stage, the threat actor has completed their objectives and achieved the goals of the attack. In this phase, the attacker can complete the main objective of the attack, whether it's exfiltrating data from the organization and selling it on the dark web or even extending their botnet for a larger-scale cyber-attack on another target organization.

Stopping the threat actor or the penetration tester at this phase is considered to be extremely difficult as the attacker would have already established multiple persistent backdoor accesses with encrypted C2 connections on multiple compromised systems within the target organization. Furthermore, the threat actor will also be clearing traces of any evidence or artifacts that could help cybersecurity professionals to trace the attack to the threat actor.

Having completed this section, you have learned about the various stages of the Cyber Kill Chain and how it helps cybersecurity professionals understand the intentions of threat actors. Additionally, you have learned how penetration testers can implement these strategies within their penetration testing engagements.

You have been reading a chapter from

The Ultimate Kali Linux Book - Second Edition

Published in: Feb 2022Publisher: PacktISBN-13: 9781801818933

A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.

undefined

Unlock this book and the full library FREE for 7 days

Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of

Start free trial

Renews at AU $19.99/month. Cancel anytime

Author (1)

Glen D. Singh

Glen D. Singh is a cybersecurity author, educator and SecOps professional. His areas of expertise are cybersecurity operations, offensive security tactics and techniques, and enterprise networking. He holds a Master of Science (MSc) in cybersecurity and many industry certifications from top awarding bodies such as EC-Council, Cisco, and Check Point. Glen loves teaching and mentoring others while sharing his wealth of knowledge and experience as an author. He has written many books, which focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, network security, and enterprise networking. As an aspiring game changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.
Read more about Glen D. Singh

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages