Today, we'll talk about breaking the user 'Kill Chain.'

You've probably heard about the eBay, Sony and Target breaches. The attackers took advantage of untrained employees' credentials, or used similar routes to break in. Sadly, 75% of attacks occur through user credentials, which are the main road in for attackers.

The User 'Kill Chain' Process
I decided to make a detailed study of the user 'Kill Chain' process.
Using this method of attack, it's very common for attackers to get inside the network. After an attacker has compromised a specific user or group of users, he/she gets into the network. Once inside, they'll start looking around, deploying scanners, discovering what's out there and leveraging different accounts.

In many cases, they'll start with lateral movement, then leverage escalated account privileges. They'll use different accounts to access critical assets, including accounts that hold financial reports and those that hold a company's IP, network topology, employee information and personal information; all of these will be compromised.

After gaining access, the attacker can remain on the network using 'remote executions.' He/she can then enter your network at will and extract relevant information from databases and other sources.

Tools
Companies can build capabilities into their security systems in order to detect these types of attacks. To detect and disrupt the chain, you need to examine 'abnormal user behavior.' In these cases, users are the most important/relevant aspect of the environment. You'd need to look for all kinds of abnormal user behavior in your firewall, IDS and IPS systems... look everywhere you can.

I recommend trustworthy tools like the User-Insight project from RAPID7 and other vendors to analyze the abnormal behavior on your network. Attackers often use phishing methods against the targeted corporation. Hence, we should examine the whole network and check any way a user could be involved in one of these attacks!!

The Basic Steps in a Typical Attack:
- Targeting Corporations
- Phishing Emails
- Stealing User Credentials
- Remote Network Access
- Anonymization using Proxies or TOR
- Compromised Account Access
- Using Escalated Privileges
- Deploying Scanning again
- Pass the Hash
- Finally, Access the Assets + EXFILTRATE!!!

A big thanks to RAPID7 and my Cybrary.
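As an added example (not from the original post or from RAPID7's tooling), here is a small detector for two of the 'abnormal user behavior' signals in the steps above: a logon from a source address outside the user's baseline (tagged when it matches a list of known anonymizing proxies), and one account fanning out to many hosts in a short window, the pattern left by scanning and lateral movement. The logon events, the baseline and the anonymizer list are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: hosts and source addresses each user touched last month.
BASELINE = {"alice": {"hosts": {"FS01", "MAIL01"}, "sources": {"10.1.1.20"}}}
# Constructed stand-in for a list of known proxy / TOR exit addresses.
ANONYMIZERS = {"203.0.113.9"}

# Constructed logon events: (timestamp, user, source IP, target host).
EVENTS = [
    ("2015-03-02T09:00:00", "alice", "10.1.1.20", "FS01"),
    ("2015-03-02T09:05:00", "alice", "10.1.1.20", "MAIL01"),
    ("2015-03-02T22:10:00", "alice", "203.0.113.9", "VPN01"),
    ("2015-03-02T22:12:00", "alice", "10.1.1.77", "FS01"),
    ("2015-03-02T22:12:30", "alice", "10.1.1.77", "DC01"),
    ("2015-03-02T22:13:00", "alice", "10.1.1.77", "SQL01"),
    ("2015-03-02T22:13:30", "alice", "10.1.1.77", "HR01"),
    ("2015-03-02T22:14:00", "alice", "10.1.1.77", "FIN01"),
]


def detect_abnormal(events, baseline, anonymizers, window_min=10, fan_out=4):
    """Return (user, kind, detail) alerts: 'new-source' / 'anonymizer-source'
    for logons outside the user's baseline sources, and 'host-fan-out' when a
    user reaches >= fan_out distinct hosts (some new) within window_min minutes."""
    alerts, seen_sources = [], set()
    per_user = defaultdict(list)
    for ts, user, src, host in sorted(events):      # ISO timestamps sort correctly
        known = baseline.get(user, {"hosts": set(), "sources": set()})
        if src not in known["sources"] and (user, src) not in seen_sources:
            seen_sources.add((user, src))
            kind = "anonymizer-source" if src in anonymizers else "new-source"
            alerts.append((user, kind, src))
        per_user[user].append((datetime.fromisoformat(ts), host))
    for user, seq in per_user.items():
        known_hosts = baseline.get(user, {"hosts": set()})["hosts"]
        for t0, _ in seq:                            # sliding window from each logon
            in_window = {h for t, h in seq if t0 <= t <= t0 + timedelta(minutes=window_min)}
            new_hosts = in_window - known_hosts
            if len(in_window) >= fan_out and new_hosts:
                alerts.append((user, "host-fan-out", tuple(sorted(new_hosts))))
                break                                # one fan-out alert per user
    return alerts


if __name__ == "__main__":
    for alert in detect_abnormal(EVENTS, BASELINE, ANONYMIZERS):
        print(alert)
```

In production the baseline would be learned from weeks of authentication logs rather than hard-coded, and the thresholds tuned per environment so that backup and monitoring accounts do not trip the fan-out rule.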