Breaking the User ‘Kill Chain’

March 29, 2016 | Views: 3925


Today, we’ll talk about breaking the user ‘Kill Chain.’

You’ve probably heard about the eBay, Sony and Target breaches. The attackers took advantage of untrained employees’ credentials, or used similar means, to break in. It is sobering that 75% of attacks involve the use of user credentials, which are the attackers’ main road in.


The User ‘Kill Chain’ Process

I decided to make a detailed study of the user ‘Kill Chain’ process.

Using this method of attack, it is very common for attackers to get inside the network. Once an attacker has compromised a specific user or group of users, he or she is inside the network. From there they start looking around: deploying scanners, discovering what is out there and leveraging other accounts.

In many cases they move laterally first, then escalate privileges. They use different accounts to reach critical assets: accounts that hold financial reports, and accounts that hold the company’s intellectual property, network topology, employee information and personal information, all of which will be compromised.

After gaining access, the attacker can remain on the network using remote execution. He or she can then enter your network at will and extract relevant information from databases and other sources.



Companies can build capabilities into their security systems to detect these types of attacks.

To detect and disrupt the chain, you need to examine abnormal user behavior. In these cases, users are the most important and relevant aspect of the environment. Look for every kind of abnormal behavior in your users’ activity: in firewall, IDS and IPS logs, and anywhere else you can.

I recommend trustworthy tools like the User-Insight Project from RAPID7 and other vendors to analyze abnormal behavior on your network.

Attackers often use phishing against the targeted corporation. Hence, we should examine the whole network and check every way a user could be drawn into one of these attacks.


The Basic Steps in a Typical Attack:

  1. Targeting the corporation
  2. Phishing emails
  3. Stealing user credentials
  4. Scanning, enumeration and discovery
  5. Remote network access
  6. Anonymization using proxies or Tor
  7. Compromised account access
  8. Using escalated privileges
  9. Further scanning from the new foothold
  10. Pass the hash
  11. Finally, access the assets and exfiltrate
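The detection paragraph above says to look for abnormal user behavior, and the step list shows what that behavior looks like in practice (a stolen account fanning out across hosts with pass-the-hash). The following is an added example, not code from the article or from Rapid7: it builds a per-account baseline from historical logon events and then flags three deviations in a later window. The event records are constructed for illustration; the field names loosely follow Windows Security event 4624 (logon type 3 = network, 10 = RDP), but none of the hosts, users or timestamps come from a real system.

```python
"""Baseline-and-deviation detection over logon events (added example).

Rules implemented:
  new_source_host          - account logs on from a workstation it never used before
  ntlm_for_kerberos_account - a Kerberos-only account suddenly does NTLM network
                              logons (a common pass-the-hash footprint)
  lateral_fanout           - one account reaches many distinct hosts in a short window
  no_baseline_for_account  - account has no history at all (new or dormant account)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, user, source_host, target_host, logon_type, auth_package)
BASELINE = [
    ("2016-03-01T09:02:00", "jsmith", "WS-101", "FS-01", 3, "Kerberos"),
    ("2016-03-01T09:15:00", "jsmith", "WS-101", "MAIL-01", 3, "Kerberos"),
    ("2016-03-02T08:58:00", "jsmith", "WS-101", "FS-01", 3, "Kerberos"),
    ("2016-03-03T09:05:00", "jsmith", "WS-101", "FS-01", 3, "Kerberos"),
    ("2016-03-01T10:00:00", "adm-ops", "JUMP-01", "DC-01", 10, "Kerberos"),
    ("2016-03-02T10:00:00", "adm-ops", "JUMP-01", "SRV-07", 10, "Kerberos"),
]

# Constructed attack window: jsmith's stolen hash used from a new host, NTLM, many targets.
SUSPECT = [
    ("2016-03-28T02:10:00", "jsmith", "WS-233", "FS-01", 3, "NTLM"),
    ("2016-03-28T02:11:00", "jsmith", "WS-233", "SRV-07", 3, "NTLM"),
    ("2016-03-28T02:11:30", "jsmith", "WS-233", "SRV-08", 3, "NTLM"),
    ("2016-03-28T02:12:00", "jsmith", "WS-233", "SRV-09", 3, "NTLM"),
    ("2016-03-28T02:12:30", "jsmith", "WS-233", "DC-01", 3, "NTLM"),
    ("2016-03-28T10:00:00", "adm-ops", "JUMP-01", "DC-01", 10, "Kerberos"),
]


def build_baseline(events):
    """Per-user profile of source hosts, target hosts and auth packages seen."""
    profile = defaultdict(lambda: {"sources": set(), "targets": set(), "packages": set()})
    for _ts, user, src, dst, _ltype, pkg in events:
        profile[user]["sources"].add(src)
        profile[user]["targets"].add(dst)
        profile[user]["packages"].add(pkg)
    return profile


def detect(events, profile, fanout_threshold=4, window=timedelta(minutes=10)):
    """Return a sorted list of (user, rule, detail) alerts for deviations from profile."""
    alerts = set()  # a set so one campaign produces one alert per rule/detail, not one per event
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_user[ev[1]].append(ev)

    for user, evs in by_user.items():
        p = profile.get(user)  # .get() does not create a profile for unknown accounts
        if p is None:
            alerts.add((user, "no_baseline_for_account", evs[0][2]))
            continue
        for _ts, _u, src, dst, ltype, pkg in evs:
            if src not in p["sources"]:
                alerts.add((user, "new_source_host", src))
            if ltype == 3 and pkg == "NTLM" and "NTLM" not in p["packages"]:
                alerts.add((user, "ntlm_for_kerberos_account", dst))

        # Sliding window: max number of distinct targets reached within `window`.
        times = [datetime.fromisoformat(e[0]) for e in evs]
        best = 0
        for i in range(len(evs)):
            targets = {evs[j][3] for j in range(i, len(evs)) if times[j] - times[i] <= window}
            best = max(best, len(targets))
        if best >= fanout_threshold:
            alerts.add((user, "lateral_fanout", best))

    return sorted(alerts, key=str)


if __name__ == "__main__":
    for alert in detect(SUSPECT, build_baseline(BASELINE)):
        print(alert)
```

The thresholds are assumptions to tune per environment; the point is that each rule is anchored to the account's own history rather than a global signature, which is what lets a stolen but otherwise valid credential stand out.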


– A big thanks to RAPID7 and my Cybrary –

  1. I have a few questions. When they use the stolen credentials, if there were limited permissions granted to the user, would this serve as a block, stopping the hacker from accessing the server? Is security for accessing a site stronger than or equal to the limits a program can place on the user’s rights?

  2. Good job! Despite the spelling & grammar issues.

  3. You need to do a spell and grammar check, before submitting your essay.

