In immediately’s wildly unpredictable risk panorama, the trendy enterprise ought to be aware of the cyber kill chain idea. A cyber kill chain describes the varied phases of a cyberattack pertaining to community security. Lockheed Martin developed the cyber kill chain framework to assist organizations establish and stop cyber intrusions.
The steps in a kill chain hint the everyday phases of an assault from early reconnaissance to completion. Analysts use the framework to detect and stop superior persistent threats (APT).
Organizations can use the cyber kill chain to defend themselves in opposition to many complicated assaults, comparable to final yr’s Uber hack. In the event you recall, again in September of 2022, a risk actor efficiently infiltrated the corporate’s Slack software by convincing an worker to grant them entry. The attacker spammed the workers with multi-factor authentication (MFA) push notifications till they may acquire entry to inner methods and browse the supply code.
This text will stroll you thru the kill chain of this particular assault twice. First, we’ll take the attitude of the attacker, after which we’ll define the prevention methods organizations can take at every step of the chain.
Every step of the cyberattack kill chain
Recon
This primary step is about info gathering. Like in lots of assaults, risk actors use social engineering ways to achieve entry to worker info. Attackers usually collect intelligence from scraping knowledge available from public sources, referred to as open supply intelligence (OSINT). Due to social media and publicly documented on-line actions, attackers can simply profile a corporation or worker.
Weaponize
The following step is actually the preparation stage. The dangerous actor is now armed and able to deploy these compromised credentials and some other related info they should log in to the goal worker’s account.
Supply
Supply is all about set-up: like a boxer’s jabs earlier than touchdown the knockout punch. On this step through the Uber hack, the attacker spammed the worker with push notifications (this may be referred to as MFA fatigue or immediate bombing). Then, he contacted the worker by social media channels, posing as IT, asking them to just accept the notifications so they’d cease.
Exploit
Staying with the boxer analogy, exploit is sort of a proper hook. Within the Uber assault, the attacker gained entry to the worker’s VPN as soon as the MFA fatigue assault was profitable.
Set up
Set up is the place the dangerous actor formally launches the malicious and harmful a part of the assault. Within the Uber hack, the attacker was in a position to scan the community and uncover an influence shell script on a shared drive. The script contained an admin person credential for the corporate’s PAM resolution that supplied the attacker with additional entry to a number of companies.
Callback
For attackers, callback is all about taking management of the goal’s methods to allow them to launch extra assaults. For victims, that is the step during which prevention is far more troublesome. Within the Uber assault, the dangerous actor proceeded to wrangle entry to different inner methods and steal confidential knowledge.
Persist
When attackers attain this stage, they’ve basically gained sufficient rights to repeatedly execute assaults. This will likely come within the type of ransomware, knowledge exfiltration for financial acquire or launching DOS assaults.
How the enterprise can stop assaults at every stage
Recon and weaponize
The methods for Recon and Weaponize prevention are the identical at each phases.
One of the essential prevention methods is eliminating using passwords each time doable. Whereas the password will most likely by no means die, going passwordless is usually a optimistic step in the fitting path. That stated, it shouldn’t be the one authentication methodology. Passwordless ought to be the first issue to be mixed with one other type of authentication.
Including or altering contact data for key staff is one other method to maintain attackers guessing.
Supply
Deploying high-assurance MFA choices like a FIDO2 key, cellular sensible credential or different passkeys is likely one of the finest methods to stop MFA-based assaults. In any case, MFA isn’t foolproof.
One other smart way to make sure an assault just like the Uber hack doesn’t occur in your group is to ship a notification to the person each time the account logs in from a brand new location for the primary time.
Adopting zero belief rules is at all times really useful right here (and at any stage).
Exploit
Utilizing a bodily token is certainly one of many safe authentication strategies. By deploying risk-based adaptive authentication, authentication requests can set off an outlined motion or set of actions primarily based on predetermined threat elements. Doubtlessly malicious requests could set off an electronic mail or SMS notification or be blocked outright. This might (and will) embrace VPN authentication requests.
Very similar to for the supply stage, it’s smart to think about location-based notifications for first-time entry.
Set up
For the set up stage, all the identical prevention methods related to the exploit stage additionally apply. However right here, organizations can bolster security for desktops, servers, hidden folders and different sources by making use of adaptive MFA.
Privileged Entry Administration (PAM) options must also be secured with excessive assurance MFA.
Callback/Persist
Right here is the place real-time monitoring of any suspicious knowledge motion and detecting suspicious habits is crucial. At this stage, dangerous actors are motivated to maneuver and act shortly, and timing for the security workforce is essential. The bottom line is the power to be proactive as a substitute of reactive.
How IBM X-Drive addresses cyberattacks with preparation and execution frameworks
IBM Safety X-Drive cyberattack preparation and execution frameworks construct upon the industry-standard conceptual approaches to analyzing a cyberattack, together with the Cyber Kill Chain, MITRE ATT&CK and Mandiant’s Attack Lifecycle.
The X-Drive cyberattack preparation and execution frameworks present a logical move consultant of assaults immediately and in addition incorporate more and more related phases not usually included in different frameworks.
These frameworks characterize risk knowledge and talk risk intelligence, explaining the complete vary of actions that happen previous to and through an precise compromise.
The method supplies incident responders and risk intelligence analysts with a mannequin they will use to trace knowledge, conduct peer evaluate analysis and talk evaluation with higher readability and consistency. The X-Drive cyberattack preparation and execution frameworks additionally present organizations with a simple and environment friendly method to examine totally different cyberattack risk vectors related to their industries.
Learn extra concerning the X-force cyberattack preparation framework right here.
To schedule a no-cost seek the advice of with X-Drive, click on right here.
In case you are experiencing cybersecurity points or an incident, contact X-Drive to assist: U.S. hotline 1-888-241-9812 | World hotline (+001) 312-212-8034.