Let’s Break the Cyber Kill Chain : First, Know the chain! | EN

Alican Kiraz
9 min read · Apr 7, 2022

The “Cyber Kill Chain” defined by Lockheed Martin helps us identify the evidence an attacker leaves by categorizing the steps of an attack into 7 stages. In this article series, I will examine the Cyber Kill Chain stages; then, we will try to break this chain and prevent an attack methodology with Blue Team principles and tools.

Let’s skip the first three steps (Pre-Exploitation), examine the steps where we can respond actively, and focus on intrusion detection.

Pre-Exploitation: Kill-chain steps 1–4
Post-Exploitation: Kill-chain steps 5–7

https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Fourth Chain: Exploitation

When we examine exploitation, let’s start by dividing it into two:

  • Client-Side Exploitation
  • Service-Side Exploitation

Client-Side Exploitation

On the user side, almost any point that comes to mind can be the entry point of exploitation. These can be an e-mail, web activity, running a file, opening a PDF or Word document, joining an unknown network, or outdated software and services.

Service-Side Exploitation

Server-side exploitation targets a service that is listening on the server and is reachable by the attacker. Since servers communicate with more devices and services than clients, they have many more open ports. Too many open ports or Web-based services on a server will whet the appetite of attackers.

https://www.sciencedirect.com/topics/computer-science/server-side-attack#:~:text=Server%2Dside%20attacks%20(also%20called,weakness%20in%20the%20RPC%20service.

How to break the Fourth Chain

  • On the Server-side and Client-side, determine user access and authorizations according to “least privilege” and “separation of duties.”
  • Apply hardening to various standards (CIS, SOX, PCI-DSS) on the server-side.
  • Configure the ports that are open on the server side.
  • Limit the applications and services used on the client-side. Whitelists are always better than blacklists!
  • Be aware of the listening ports/sockets opened by applications and services on the server-side.
  • Monitor the process and parent process that uses an encrypted connection. C:\Public\svchost.exe using encrypted communication is not a real svchost.exe!
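The last bullet is a check you can automate: a process that carries the name of a Windows system binary but runs from the wrong directory, has the wrong parent, or opens an encrypted connection from that unexpected path. The script below is an added example, not code from the article; the expected-path and expected-parent tables are constructed for the example and should be built from a golden image of your own environment.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed reference table for this example: where the genuine copy of each
# Windows system binary lives and which process is expected to start it.
# Build the real table from a golden image of your own environment.
EXPECTED_PATHS = {
    "svchost.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
    "explorer.exe": {"userinit.exe"},
}
ENCRYPTED_PORTS = {443, 8443}  # ports we treat as "encrypted communication"


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    parent_name: str
    remote_port: Optional[int]  # None when the process has no outbound connection


def findings(p: Proc) -> list:
    """Return the reasons this process looks like a masquerading system binary."""
    name = p.name.lower()
    if name not in EXPECTED_PATHS:
        return []  # not a system binary we keep a reference for
    reasons = []
    directory = p.path.rsplit("\\", 1)[0]
    expected_dir = EXPECTED_PATHS[name]
    wrong_path = directory.lower() != expected_dir.lower()
    if wrong_path:
        reasons.append(f"runs from {directory}, expected {expected_dir}")
    expected_parents = EXPECTED_PARENTS.get(name)
    if expected_parents and p.parent_name.lower() not in expected_parents:
        reasons.append(f"parent {p.parent_name} is not one of {sorted(expected_parents)}")
    if wrong_path and p.remote_port in ENCRYPTED_PORTS:
        reasons.append(f"encrypted outbound connection (port {p.remote_port}) from an unexpected path")
    return reasons


def audit(procs) -> dict:
    """Map PID -> findings for every process that produced at least one."""
    return {p.pid: findings(p) for p in procs if findings(p)}


# Constructed process snapshot (not real telemetry).
SAMPLE = [
    Proc(1234, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", 443),
    Proc(4321, "svchost.exe", r"C:\Public\svchost.exe", "explorer.exe", 443),
    Proc(555, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe", None),
]

if __name__ == "__main__":
    for pid, reasons in audit(SAMPLE).items():
        print(pid, reasons)
```

Only PID 4321 is reported, with all three findings; the genuine svchost.exe on port 443 is silent because its path and parent match the reference, which is what keeps this check from drowning the SIEM in noise.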

Post-Exploitation : Step 5–7

After the Pre-Exploitation phase, our machine is no longer just our machine. The attacker will begin to show their skills at this stage. At this stage, we must understand the steps to be taken and then learn how to prevent them.

Post-exploitation tactics;

Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration

Persistence

Suppose the techniques used by the attacker during the attack (exploit payloads, Web exploit techniques, the port that opens as a listener on the machine, or even the temporary shell they obtain) are repeated multiple times. In this case, it will attract the attention of the institution and increase the likelihood that security devices will capture these techniques. Therefore, as soon as the attacker receives the first temporary shell, one of their targets will be persistence. If the first attempt does not achieve its purpose, they will apply other techniques (Lateral Movement, Privilege Escalation, etc.) to achieve persistence. It may take months and much effort for the attacker to complete the first five steps in particular; therefore, they will not risk losing that foothold. The attacker can achieve persistence on the machine by adding registry entries, scheduling a cronjob, creating a backdoor, imitating a legit process, bypassing security agents, etc.

Persistence Techniques: there are more than 50 techniques that you can review in detail on MITRE ATT&CK. E.g.:

Account Manipulation (T1098) : “Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.” — MITRE ATT&CK

Sub-techniques of this technique:

Additional Cloud Credentials
Exchange Email Delegate Permissions
Add Office 365 Global Administrator Role
SSH Authorized Keys

You can check it at https://attack.mitre.org/tactics/TA0003/.

How to break the Persistence

  • It will be of great benefit to us to get the machine’s logs. It is very important to have a SIEM Agent, especially on servers. If your SIEM is not Agent-based, you can collect logs with HIDS (Wazuh). With WEF, you can collect the logs of the event IDs you selected from the clients.
  • You can control parent and child processes and design alarms for abnormal processes.
  • You must regulate the rights of applications and services on the machines. You should also check the rights of the directories.
  • You should monitor socket and port listenings created by processes.
  • To analyze C&C heartbeats, you should baseline your network traffic. In this way, you can see the peaks in your network and catch abnormal accesses.
  • It would be best to make sure that the versions of your EDR, EPP, and XDR products are up to date and in prevention mode.
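The C&C heartbeat bullet is the one that benefits most from a concrete detection. A timer-driven implant connects to its server at nearly constant intervals, so the inter-connection gaps for a (source, destination, port) tuple have a very small spread relative to their mean, while human-driven traffic does not. The script below is an added example, not from the article; the flow records, hosts and thresholds (six connections minimum, coefficient of variation at most 0.1) are constructed for the example and would need tuning against your own baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (timestamp in seconds, source host, destination, port).
# 10.0.0.5 contacts 203.0.113.10:443 roughly once a minute; 10.0.0.7 browses irregularly.
FLOWS = (
    [(t, "10.0.0.5", "203.0.113.10", 443) for t in (0, 60, 121, 180, 241, 300, 360, 419)]
    + [(t, "10.0.0.7", "198.51.100.3", 443) for t in (10, 400, 450, 1300, 1320, 2500, 2510)]
)


def beacon_candidates(flows, min_conns=6, max_cv=0.1):
    """Flag (src, dst, port) tuples whose connection gaps are almost constant.

    The coefficient of variation (stdev / mean of the inter-connection gaps) is
    close to 0 for a timer-driven beacon and large for human-driven traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    candidates = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap == 0:
            continue  # burst of simultaneous connections, not a heartbeat
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            candidates[pair] = {
                "connections": len(times),
                "mean_gap_s": round(avg_gap, 1),
                "cv": round(cv, 3),
            }
    return candidates


if __name__ == "__main__":
    for pair, stats in beacon_candidates(FLOWS).items():
        print(pair, stats)
```

Implants that add jitter to their sleep interval raise the coefficient of variation, so in practice you pair this with the volume baseline and the process/port checks rather than relying on regularity alone.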

Discovery

When they gain access to the system, attackers will want to examine information about the machine they are on and the other machines on the network (Which ports are open? Which users can access these machines? etc.).

They will enumerate the other systems in the network, the users and groups in the environment, and their privileges and permissions. Of course, there will be a lot of communication noise in the network during this process. But sometimes, attackers can fly under the radar and not get caught in your detection systems!

How to break the Discovery

  • It would be best to write an alarm using FW logs to detect scans such as inter-machine port enumeration and port sweep in your network.
  • You should log authentication attempts to services and applications. When several false attempts occur, you should lock out the user.
  • You should monitor the Jump Server logs.
  • You should monitor the logs of transitions between VLANs.
  • You should monitor the audit logs of Network, Security, and Service applications. In addition, you must confirm any changes made to these applications.

Execution

While maintaining persistence in the system, the attacker will execute the malware they prepared to exploit a vulnerability in the system or to create a backdoor. This software or application creates a process in the background, and that process in turn spawns many child processes to carry out its operations.

https://www.elastic.co/blog/discovering-anomalous-patterns-based-on-parent-child-process-relationships

How to break the Execution

  • The PIDs of running processes and the information about their parent processes should be constantly checked. Many IOCs can also be used for this. We have to compare the hashes from malicious IOCs with the hashes of newly created processes and detect the malicious ones.
  • By creating Whitelists, we should only allow the execution of applications that we allow on the Servers.
  • By updating the policy on all endpoints, we should only allow the execution of applications with certificates signed by certification bodies we approve.
  • You should make sure your EDR and EPP are always up to date and in prevention mode.
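The first three bullets describe one decision taken on every process-creation event: compare the image hash against the IOC repository, enforce a server allowlist, and check the parent/child relationship. The script below is an added example, not from the article; the "binaries", hash sets and parent/child rules are constructed for the example, and the signed-certificate policy from the third bullet is left to the endpoint platform since it needs a PE signature check rather than a hash.

```python
import hashlib

# Constructed stand-ins for binaries on disk; real code would read the image file.
MALICIOUS_IMAGE = b"constructed malicious payload"
APPROVED_IMAGE = b"constructed approved server binary"
UNKNOWN_IMAGE = b"constructed unknown tool"

# IOC repository and server allowlist keyed by SHA-256 (constructed values).
IOC_HASHES = {hashlib.sha256(MALICIOUS_IMAGE).hexdigest()}
SERVER_ALLOWLIST = {hashlib.sha256(APPROVED_IMAGE).hexdigest()}

# Parent/child pairs that should not occur: office documents spawning shells.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def sha256_of(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def evaluate(name: str, parent: str, image: bytes, is_server: bool) -> list:
    """Return verdicts for a newly created process; an empty list means 'allow'."""
    verdicts = []
    digest = sha256_of(image)
    if digest in IOC_HASHES:
        verdicts.append("block: image hash matches an IOC")
    if is_server and digest not in SERVER_ALLOWLIST:
        verdicts.append("block: image is not on the server allowlist")
    if parent.lower() in OFFICE_APPS and name.lower() in SHELLS:
        verdicts.append(f"alert: {name} spawned by office application {parent}")
    return verdicts


# Constructed process-creation events: (name, parent, image bytes, on a server?).
EVENTS = [
    ("app.exe", "services.exe", APPROVED_IMAGE, True),
    ("update.exe", "explorer.exe", MALICIOUS_IMAGE, True),
    ("powershell.exe", "WINWORD.EXE", UNKNOWN_IMAGE, False),
    ("tool.exe", "explorer.exe", UNKNOWN_IMAGE, True),
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event[0], evaluate(*event) or ["allow"])
```

On the workstation the unknown tool spawned by Word is only alerted, not blocked, because clients run far more software than servers and a hard allowlist there usually breaks the business; on servers the allowlist is the control.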

Privilege Escalation ( All hail the King!)

As attackers move to different machines and VLANs on the network, they must elevate their privileges. Here, an attacker attempts to obtain root rights through a process with high privileges or exploits a vulnerability.

netsparker.com

The target is services or processes with admin/root rights, or the directories beneath them, on which the attacker has write and execute permission. There are ready-made tools for finding these (LinEnum, pspy, etc.). Attackers can use services with root/admin rights to open a root/admin shell.

For example, in a Linux shell with only user authority, if the following programs can be run with root authority, the commands used to obtain a root shell look like this:

Tar:

tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

apt-get:

apt-get changelog apt
!/bin/sh

gcc:

gcc -wrapper /bin/sh,-s .

https://azeria-labs.com

How to break the Privilege Escalation

  • We should review the rights that apps and services have.
  • If there is no need, we should not run applications and services with Administrator and root privileges.
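Both bullets can be turned into a periodic audit: anything executed as root should be owned by root and not writable by other users, and sudo rules should not hand root authority to programs such as tar, apt-get and gcc that can drop into a shell. The script below is an added example, not from the article; the file inventory and sudoers lines are constructed for the example, and the shell-escape list contains only the three binaries the article names.

```python
import re
import stat

# The three programs named in the article as able to hand out a root shell when
# run with root authority (constructed list; extend it from a GTFOBins-style source).
SHELL_ESCAPE_BINARIES = {"tar", "apt-get", "gcc"}

# Constructed inventory of files that root-level services and cron jobs execute.
INVENTORY = [
    {"path": "/usr/local/bin/backup.sh", "mode": 0o777, "owner": "root", "runs_as": "root"},
    {"path": "/usr/sbin/nginx", "mode": 0o755, "owner": "root", "runs_as": "root"},
    {"path": "/opt/app/worker", "mode": 0o775, "owner": "deploy", "runs_as": "root"},
    {"path": "/opt/app/web", "mode": 0o755, "owner": "deploy", "runs_as": "deploy"},
]

# Constructed sudoers lines.
SUDOERS = [
    "deploy ALL=(root) NOPASSWD: /bin/tar",
    "ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart app",
    "root ALL=(ALL:ALL) ALL",
]

# user host=(runas) [NOPASSWD:] command...
SUDO_RULE = re.compile(r"^\S+\s+\S+=\(\S+\)\s+(?:NOPASSWD:\s*)?(?P<cmd>.+)$")


def audit_files(inventory):
    """Flag files executed as root that a lower-privileged user could modify."""
    findings = []
    for entry in inventory:
        if entry["runs_as"] != "root":
            continue  # only root-level execution is interesting here
        if entry["mode"] & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f'{entry["path"]}: executed as root but writable by group/other')
        if entry["owner"] != "root":
            findings.append(f'{entry["path"]}: executed as root but owned by {entry["owner"]}')
    return findings


def audit_sudoers(lines):
    """Flag sudo rules that grant root authority to a shell-escape capable program."""
    findings = []
    for line in lines:
        rule = SUDO_RULE.match(line.strip())
        if not rule:
            continue  # comments, Defaults lines, aliases
        binary = rule["cmd"].split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append(f"{line.strip()}: {binary} can spawn a shell as root")
    return findings


if __name__ == "__main__":
    for finding in audit_files(INVENTORY) + audit_sudoers(SUDOERS):
        print(finding)
```

In a real deployment the inventory comes from `systemctl` unit files, cron tables and `os.stat()` on the referenced paths; the permission logic stays the same.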

Credential Access via Dumping

Attackers use credential dumping to collect the credentials found on a compromised machine. Using this information, they then access users and services when switching between VLANs and machines or when accessing services.

How to break the Credential Dumping

  • Attackers run applications like mimikatz while collecting Credentials on Endpoints. Therefore, we must add the hashes of these applications to our IOC repository and generate an alarm when run.
  • With the help of NIDS (Snort, Suricata, Zeek), we should catch the traces of credential dumping tools such as Cain & Abel.
  • We can capture Pass the Hash, Pass the Ticket, and Golden/Silver Ticket attempts using the servers’ Windows event logs.
  • We need to ensure that Kerberos tickets are monitored with the help of alarms.
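The last two bullets translate into rules over Security-log events. Two commonly used indicators are a 4624 logon of type 9 (NewCredentials) through the seclogo logon process, which is the pattern left by pass-the-hash style "runas /netonly" tooling, and a 4769 service-ticket request with RC4 encryption (type 0x17) in a domain that otherwise uses AES, which is the pattern associated with Kerberoasting and forged tickets. The script below is an added example, not from the article; the events are constructed with the field names the Windows event XML uses, and the rules are starting points that need tuning for legacy hosts that legitimately still use RC4 or NTLM.

```python
# Constructed Security-log events using the Windows event XML field names.
EVENTS = [
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "alice", "IpAddress": "::1"},
    {"EventID": 4624, "LogonType": 2, "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "bob", "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TicketEncryptionType": "0x17", "ServiceName": "MSSQLSvc/db01",
     "TargetUserName": "svc_sql@CORP.LOCAL", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TicketEncryptionType": "0x12", "ServiceName": "cifs/fs01",
     "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "10.0.0.9"},
]

RC4_HMAC = "0x17"  # Kerberos etype 23; AES128/AES256 are 0x11/0x12
BUILTIN_ADMIN_NAMES = {"administrator"}  # extend with renamed RID-500 accounts


def detect(events):
    """Return (rule, subject, source) tuples for events matching a credential-abuse rule."""
    alerts = []
    for e in events:
        if e["EventID"] == 4624:
            if e["LogonType"] == 9 and e["LogonProcessName"].lower() == "seclogo":
                alerts.append(("pass-the-hash style NewCredentials logon",
                               e["TargetUserName"], e["IpAddress"]))
            elif (e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"
                  and e["TargetUserName"].lower() in BUILTIN_ADMIN_NAMES):
                alerts.append(("NTLM network logon as built-in administrator",
                               e["TargetUserName"], e["IpAddress"]))
        elif e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4_HMAC:
            alerts.append(("RC4-encrypted service ticket request",
                           e["ServiceName"], e["IpAddress"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The interactive logon from bob and the AES ticket for the file server produce nothing, which is the point: the rules key on the protocol details that normal logons do not exhibit rather than on the account names alone.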

Lateral Movement

Attackers use Lateral Movement to enrich and use their credential information, elevate their rights, or reach a VLAN they cannot otherwise access on the network. Attackers can make lateral movements until they get the data they want or reach the targeted user/machine. Once the correct credentials are obtained, RDP, WMI, PowerShell, VNC, and SSH are among the directly targeted services.

https://seniordba.wordpress.com/2020/02/17/10-steps-to-stopping-lateral-movement-attacks/

E.g., a recent attack by the PARINACOTA group, known for the Wadhrama ransomware, also uses multiple methods for lateral movement. One of these methods is first to gain access to an internet-facing server via RDP brute force, then to proceed by scanning ports 3389 (RDP), 445 (SMB), and 22 (SSH), looking for additional vulnerable machines on the network.

https://www.microsoft.com/security/blog/2020/06/10/the-science-behind-microsoft-threat-protection-attack-modeling-for-finding-and-stopping-evasive-ransomware/

How to break the Lateral Movement

  • Our Network should never be flat. There should always be separate VLANs (VLAN Segmentation should be used).
  • Jump Server must be used when switching from one Network to another.
  • Users should be prevented from using service accounts.
  • The use of interactive shell connection ports such as RDP, SSH and Telnet should be limited.

Collection and Exfiltration

When attackers access a VLAN or connect to a machine, they will constantly try to gather information. This information can be screenshots, customer data, financial data, mail dumps, database query outputs, DB records, and personal data.

Attackers will plan the exfiltration based on the targeted data’s size, structure, and source. In particular, the attacker will choose a port that does not cause large, conspicuous transfers. Then, they will attempt to extract the data over this port in fragments, at unexpected times, in a way that is hard to explain from the traffic alone.

https://www.mindpointgroup.com/blog/conducting-and-detecting-data-exfiltration

How to break Collection and Exfiltration

  • The download and upload values of your network should be monitored. An alarm should be generated if users and endpoints download and upload large amounts of data.
  • Users’ access to data should be limited. The principle of Least Privileges must be applied.
  • Access to PII and PHI data should be highly restricted. In addition, this data should be encrypted as much as possible.
  • The storage conditions of PII and PHI data should be kept as determined by the regulators.
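The first bullet, and the traffic-baselining bullet in the Persistence section, both come down to comparing today's upload volume per host with that host's own history instead of a single global limit. The script below is an added example, not from the article; the per-host daily volumes are constructed, the threshold is mean plus three standard deviations of the 7-day history, and an absolute floor keeps an idle host with a zero-variance baseline from alerting on a trivial upload.

```python
from statistics import mean, pstdev

# Constructed per-host daily upload volumes in MB: 7-day history, then today.
HISTORY_MB = {
    "ws-042": [48, 52, 50, 49, 51, 50, 53],                  # typical workstation
    "build-01": [2000, 2100, 1900, 2050, 1950, 2000, 2100],  # artifact server, always busy
    "ws-099": [0, 0, 0, 0, 0, 0, 0],                         # idle host
    "ws-100": [0, 0, 0, 0, 0, 0, 0],                         # idle host
}
TODAY_MB = {"ws-042": 4000, "build-01": 2150, "ws-099": 600, "ws-100": 20}


def upload_alerts(history, today, sigmas=3.0, floor_mb=100):
    """Flag hosts whose upload volume today is far above their own baseline.

    A host is alerted only when today's volume exceeds mean + sigmas * stdev of
    its history AND is at least floor_mb, so an idle host (stdev 0) does not
    alert on a few megabytes.
    """
    alerts = {}
    for host, days in history.items():
        if host not in today:
            continue  # no telemetry for this host today
        baseline = mean(days)
        threshold = baseline + sigmas * pstdev(days)
        value = today[host]
        if value >= floor_mb and value > threshold:
            alerts[host] = {
                "today_mb": value,
                "baseline_mb": round(baseline, 1),
                "threshold_mb": round(threshold, 1),
            }
    return alerts


if __name__ == "__main__":
    for host, detail in upload_alerts(HISTORY_MB, TODAY_MB).items():
        print(host, detail)
```

The build server moves two gigabytes a day and stays quiet because that is its normal; the workstation that suddenly pushes out four gigabytes and the idle host that starts uploading both alert. Splitting the volumes per destination (or per port, given the article's note that attackers pick an unobtrusive port) sharpens the same rule further.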

We have come to the end of this article. Thank you for reading. I hope you like it. In my next article, we will do in-depth analysis. And this time, we will destroy the chain!


Alican Kiraz

Blue Team Lead | CSIE | CSAE | CASP+ | eCIR | CPENT | eWPTXv2 | eCDFP | eCTHPv2 | OSWP | CEH Master | Pentest+ | CySA+ | Security+ | CEHv10 | ISO27001 IA