The cyber kill chain and MITRE ATT&CK

In this section, we’ll explore two frameworks that are regularly referenced in cybersecurity and Microsoft 365 Defender literature: the cyber kill chain and MITRE ATT&CK. Each of these is useful in its own way for understanding how modern threat actors operate in enterprise-scale attacks and how you can defend against them. You’ll get real-world examples of the malware and threat actors. The components, lessons, and language of each framework will become recurring themes of this book and any defender’s daily toolkit.

Cyber kill chain

A cyber kill chain is a general approach toward breaking a cybersecurity attack down into stages. The term appears to have been first used by Jeffrey Carr in Russia/Georgia Cyber War: Findings and Analysis (2008). However, since then, it has been a registered trademark of Lockheed Martin, which developed it into a seven-stage framework as part of its Intelligence Driven Defense methodology.

In this section, we’ll explore the cyber kill chain model at each stage and gain an understanding of why the approach can be useful in defending against – and further our understanding of – the kind of threats described earlier in this chapter. You’ll find practical examples of how each stage translates to real-world threats and incidents.

Stage 1 – reconnaissance

Would this really be a cybersecurity book without the obligatory Sun Tzu-derived quote of know your enemy?

Indeed, this is what reconnaissance is all about for attackers: knowing you. Attackers might begin with general scans of potential targets using internet-opened ports, or they might begin their observations about you, the victim, in a targeted fashion; particularly if you are a high-risk organization and/or in a high-risk industry.

In this phase of the cyber kill chain, attackers gather public data passively or actively (by touching your environment). To do so, they will employ open source intelligence (OSINT) tools such as Shodan, which is a search engine used to find internet-connected resources. The types of data an attacker looks for during reconnaissance include the following:

• Potential phishing victims, particularly using data from business-based platforms such as LinkedIn. There are scrapers available, such as the Harvester, that will return all the data they can gather from LinkedIn, Twitter, Bing, Google, and other services. In 2021, LinkedIn was alleged to have been subjected to a massive data scraping incident. The records of, approximately, 700 million users with publicly listed but sensitive data, including email addresses and locations, became available for sale on dark markets.
• Lists of known accounts within the environment, using scripts and tools such as UhOh365 (to see whether an Office 365 email address is valid) or onedrive_user_enum (to see whether an account has a OneDrive for Business license/repository associated with it). In the age of the cloud, these can often be run by attackers without the target having any idea, as only the public cloud provider maintains such logs and may or may not act upon them.
• Target applications and services, such as public-facing websites or internet-exposed lines of business applications, that might be susceptible to compromise via weaknesses such as the Log4j vulnerability called Log4Shell. Vulnerabilities are as old as IT itself, but the Log4j vulnerability that was published in 2021 is infamous. Microsoft and others have confirmed widespread scanning for at-risk systems by attackers. What makes Log4Shell so notorious is its mass and cross-platform usage, across thousands of different application vendors. A Cybersecurity and Infrastructure Security Agency (CISA) managed list, at the time of writing, reached almost 400 vendors.
• Enterprise infrastructure that is open to vulnerabilities or attacks, such as open Windows Servers via RDP. Though useful for those maintaining an infrastructure to gain endpoint access, RDP has a prolific history of vulnerabilities. Many scanners exist to find open ports accepting RDP connections, and they won’t take long to find something. Rapid7’s Remote Desktop Protocol Exposure (2017) report found over 4 million endpoints accepting such connections. For Windows devices, many RDP sessions can be established with only a single factor of authentication, which itself may have been leaked online or otherwise compromised.

Stage 2 – weaponization

Through reconnaissance, the attacker hopes to find a weakness. Once it has been identified, they procure, develop, or weaponize resources to take advantage of that weakness. At this stage, the weapons have not yet been used, but the attacker generally knows what they’ll use to, at the very least, try and start their campaign. Here, the bad actor is creating the foundations of the attack.

This can take on many forms, including the following:

• Sending phishing messages to discovered users. Once the attacker knows the contact details of privileged users – or even low-hanging fruit – they might pursue email as a weapon to obtain credentials or convince a user to do something that furthers the campaign. In the context of Microsoft 365, tools such as evilginx2 can, in less protected environments, be used for adversary-in-the-middle (AiTM) attacks, where an attacker-owned domain passes traffic to the real Azure AD sign-in page but captures authentication tokens and cookies that can then be used by them.
• Thinking of both physical and network security, if during reconnaissance a Wi-Fi network is within reach of an attacker, tools such as Aircrack-ng might be viable options for network access if the wireless system has been insufficiently secured.
• Malware is an obvious example. What might be less obvious are the methods attackers can take to obfuscate or package these prior to delivery and execution. An interesting case study is Sevagas’s MacroPack tool. MacroPack takes advantage of the fact that Microsoft Office is ubiquitous in the enterprise but is weighed down and exploitable due to a legacy of allowing child processes to spawn through macros. Using the tool, an attacker could generate an Office document that enables execution with an anti-virus bypass. It would then make sense to include this attachment in a phishing email.

Stage 3 – delivery

The weapon has been prepared, and during this stage, the victim receives it – or, hopefully, the defenses intercept it! Like weaponization, at this stage, the attacker has not necessarily detonated their attack, which comes next. Consider the following examples to help you understand exactly what is meant by delivery:

• Thinking once again of physical security, one example is the delivery of a USB device that, if used, initiates the attack. “Surely that’s just too simple,” I hear you cry. Hear me out. In January 2022, the FBI issued a warning to US organizations that the Fin7 APT group was distributing malicious USB devices via courier services. The devices were enclosed with documentation alleging they contained COVID-19 reference materials or retailer gift cards. Instead, they executed the BadUSB attack that would go on to install malware via PowerShell downloads.
• Again, we must discuss phishing emails. During this stage, the email is distributed. Attackers continue to evade email protection capabilities, with email security vendors continually fighting back. The Microsoft 365 Defender Threat Intelligence team published findings in 2021 of a campaign that used encryption techniques to bypass their protection mechanisms. From July 2020 to July 2021, the findings revealed the attackers employed 10 different encoding techniques, making each change as protection systems identified and prevented them. Incredibly, the techniques included the repeated use of morse code, combined with other obfuscation methods.
• One popular way of distributing malware is via the web. The attacker might control the website and has managed to get users there, or might use something such as a watering hole attack to hit targeted industries and groups. This term originates from poisoning the water source: anyone who drinks the water (uses the website) is potentially poisoned (compromised). In one 2014 example reported by Invicea (since acquired by Sophos), Forbes.com was compromised by APT19, which is also known as Codoso. The actor used a combination of zero-day vulnerabilities in Flash and Internet Explorer.

Stage 4 – exploitation

If the previous steps did not see any active exploitation of the victim’s environment, this stage does. Vulnerabilities, be they in software, hardware, or people, are now leveraged by the attacker to gain access as execution begins. Examples to help describe what this stage might include are listed as follows:

• Users, who have had phishing emails delivered, proceed to click on links in them or open the weaponized attachment. Cofense’s Annual State of Phishing Report (2021) revealed that links might be slightly more common than attachments.
• The most media-hyped form of exploitation is the zero-day, with famous examples including Stuxnet (2010) and Sony Pictures (2014). Unlike other vulnerabilities, zero-days do not yet have a patch available. Google’s zero-day In the Wild tracker lists 57 examples of zero-days being detected as the result of an attack in 2021.

Stage 5 – installation

An attacker will want to maintain access to compromised assets; this is also called gaining persistence. To do so, they’ll likely have to install malware and might utilize features of the OS to leverage it, keep it running, and enable a back door.

Examples of the installation stage of an attack are listed as follows:

• The AppleJeus malware, which steals cryptocurrency from victims, creates a scheduled task that runs as SYSTEM whenever a user logs into the OS. As one of the highest privileged account on a Windows device, SYSTEM access is highly desirable for attackers.
• To evade detection, common enterprise tools might be installed. For example, LogMeIn, the remote desktop access tool frequently used by IT support teams, has been used by the espionage group Thrip. The group, and many others, also make use of living off the land (lolbin) approaches. Built-in OS tools such as PowerShell, BITSAdmin, and certutil might raise fewer eyebrows if they show up in telemetry than third-party binaries that are installed later. These tools might also benefit from being signed by a trusted publisher.

Stage 6 – command and control (C2)

By this stage, tools and malware have been deployed, and the attacker will proceed to use those as a command channel for continuing their attack over the network. They will be “phoning home” between your environment and theirs.

Let’s look at some examples to understand precisely what is meant by the command and control (C2) stage:

• Arguably, Cobalt Strike is the most well-known C2 framework. The service is intended for legitimate use by red teams but is often used by attackers who have unauthorized versions of it, including one instance of using a legitimate business to disguise their purchase. This list includes APTs such as Codoso, SeaLotus, Nobelium, and Wicked Panda. Beacons are deployed to victim endpoints, establishing connectivity to a team server, which the attacker then operates with the Cobalt Strike client.
• Mature environments will likely monitor inbound and outbound network traffic, with abnormalities being identified or prevented. Therefore, the use of web protocols is common, as HTTP(S) is less likely to be subjected to proactive controls or be flagged in comparison to rarer protocols. The Octopus trojan has been used to spy on users and steal their data. Its communication with the C2 server was achieved using GET and POST requests over HTTP.
• Common ports aren’t always used. Described by Europol as the world’s most dangerous malware, Emotet has gone through several iterations. Although it has connected to C2s using standard HTTP(S) ports, it has also been known to use ports such as 20, 7080, 8443, and 50000.

Stage 7 – actions on objectives

The final stage sees our adversary use all the advantages and access they have hitherto accumulated for the execution of their objectives. They are in a position to accomplish their goals, whatever they are, that is, espionage, data exfiltration, ransomware execution, supply chain infiltration, and more:

• HIDDEN COBRA, also known as Lazarus Group and Guardians of Peace, has been linked to the infamous attack on Sony Pictures in 2014. The group, politically associated and motivated, exfiltrated sensitive data such as email and feature films and employed destructive techniques in the compromised environment.
• The Colonial Pipeline system, which supplies the Eastern United States, faced a crippling ransomware attack in 2021, with the group DarkSide identified as the attackers. Claiming to be apolitical and purely financially motivated, the group received 75 bitcoins in ransom, though most of these were recovered within one month.

Application of the cyber kill chain

Don’t consider the cyber kill chain linear. That is, attacks don’t always start at the first stage and then cleanly and obviously move sequentially through stages until they reach the last. For example, the installation stage is common when faced with ransomware gangs or APTs. However, many sensitive data theft attacks do not need to deploy persistence software; with credential compromise against exposed databases, often no malware deployment is necessary. Similarly, the stages are not particularly easy to differentiate: lines blur.

Approach each stage with the following list of thoughts and questions in mind, and you'll be able to use what you learn throughout this book to help protect your environment:

• What is my organization currently doing to proactively defend against this?
• What capabilities do I currently have to respond to this?
• What defenses are being managed to stop escalation from this stage to the next?
• What are the assets, services, and inventory I need to prioritize against this?

MITRE ATT&CK

MITRE ATT&CK dives far deeper into technical techniques than the cyber kill chain. If we consider the cyber kill chain a decentralized, high-level approach to tackling cybersecurity, we can consider ATT&CK a centralized, low-level knowledge base (KB) of attacker methodology. Starting in 2013, MITRE made this KB universally available, at no cost, at attack.mitre.org. This online resource provides hundreds of referenced examples of techniques and groups using them.

To give you a sense of its scale, ATT&CK’s Matrix for Enterprise, which encompasses common enterprise platforms such as Windows, macOS, Office 365, and Google Workspaces, has 14 top-level tactics and over 200 techniques, not to mention the sub-techniques!

Microsoft 365 Defender heavily leverages the MITRE ATT&CK framework in its incident response capabilities that operators can report on or quickly become aware of any potential threats. Therefore, it’s an important topic to familiarize yourself with as you try to master Microsoft 365 Defender.

To get you started, let’s take a look at those top-level tactics. Each top-level tactic has an ID prefixed with TA, and each technique has an ID prefixed with T. Sub-techniques append a technique with another ID. For example, T1566.002 is the Spearphishing Link sub-technique of the Phishing technique:

• TA0043 Reconnaissance: You’ve already learned about this as part of the cyber kill chain. This is the tactic that represents techniques related to information gathering about the victim, including T1598 Phishing for Information and T1594 Search Victim-Owned Websites.
• TA0042 Resource Development: Attackers need resources to achieve their objectives. Botnets require masses of victim infrastructure, and general infiltration will need either exploits or credentials. This tactic covers the acquisition of such resources, using techniques such as T1583 Acquire Infrastructure and T1586 Compromise Accounts.
• TA0001 Initial Access: How do attackers get their foot in the door? Lots of ways! There are currently nine documented techniques for this tactic, including T1200 Hardware Additions and T1195 Supply Chain Compromise.
• TA0002 Execution: This refers to execution in the computing sense, that is, executing malware. But how does that malware get executed? This tactic lists techniques for that execution, be they automated or manual, such as T1053 Scheduled Task/Job and T1204 User Execution.
• TA0003 Persistence: How do attackers remain in the environment after compromise? Often, this is one of the first things a successful, long-term attack tries to achieve: persistence. There might be ways involving coding and programs, or it might be a case of simply adding another user, as covered in techniques such as T1037 Boot or Logon Initialization Scripts and T1136 Create Account.
• TA0004 Privilege Escalation: Defenders must put far greater controls around elevated privileges (that is, admin rights) than standard privileges. This is because elevated privileges allow far more control over the environment: deletion, access to control other rights, and more. This tactic includes techniques attackers use to “jump up” from lower privileged rights to higher privileged rights, in several ways, such as T1484 Domain Policy Modification and T1068 Exploitation for Privilege Escalation.
• TA0005 Defense Evasion: Attackers want to remain as quiet, hidden, and uninterrupted as possible. Defenders want the opposite: stop attackers from doing what they shouldn’t and create as much noise as possible. The tactic of defense evasion encompasses a massive 40 techniques to get past our defenses, including T1222 File and Directory Permissions Modification and T1562 Impair Defenses.
• TA0006 Credential Access: Why break down the door when you can just grab the keys? Credentials protect account access, and accounts control what a user can and can’t do. By compromising the credentials, attackers gain access in a way that is often less detectable, due to potentially less need for malware and actions that can fly under the radar. This could be achieved by techniques such as T1003 OS Credential Dumping and T1111 Two-Factor Authentication Interception.
• TA0007 Discovery: As we established in our review of reconnaissance, knowledge is power. Discovery is a tactic used by attackers to further their understanding of your environment. There are currently 29 documented techniques for this due to the sheer diversity and vastness of resources and services that exist in the modern enterprise. For example, techniques that could be used include T1069 Permission Groups Discovery and T1007 System Service Discovery.
• TA0008 Lateral Movement: Like Spider-Man swinging from one surface to the next, attackers use the lateral movement tactic to continue their journey across your environment: springing from one resource to the next. Insecure Windows domain-joined devices are particularly vulnerable to a plethora of lateral movement techniques, due to their trust relationships and credential management, with notable examples being T1563 Remote Service Session Hijacking and T1550 Use Alternate Authentication Material.
• TA0009 Collection: These tactic group techniques are used to gather information that helps the attacker achieve their objectives. This includes the steps taken, such as T1114 Email Collection and T1056 Input Capture.
• TA0011 Command and Control: You learned about C2 as part of the cyber kill chain, and MITRE ATT&CK also includes it as a tactic. C2 techniques are used by attackers to communicate with the resources they have compromised, and they might do so using examples such as T1071 Application Layer Protocol and T1573: Encrypted Channel.
• TA0010 Exfiltration: This is closely associated with TA0009 Collection. Here, we have techniques for the theft of data, be it over the network or physically, with automatic processes or manual intervention, as demonstrated in examples such as T1020 Automated Exfiltration and TA1567 Exfiltration Over Web Service.
• TA0040 Impact: The Impact tactic refers to interfering with or destroying services, such as in the Sony attack (2014), but also controlling and changing processes, including destructive tactics to clean up traces of their malicious activities. Notable techniques here are T1486 Data Encrypted for Impact and T1565 Data Manipulation.

Now you’re aware of what the MITRE ATT&CK framework is and the tactics and techniques that it encompasses. The MITRE ATT&CK framework is referenced consistently throughout Microsoft 365 Defender, so you’ll see it again in this book and in your use of the service.

Next, we’ll explore Microsoft’s role in the cybersecurity world.