Introduction to the Cyber Kill Chain

00:01

Hey, everyone, welcome back to this course in this video. We're gonna talk briefly about the cyber kill chain from Lockheed Martin. So we're just gonna talk about some of the steps in the Lockheed Martin Cyber kill chain.

00:11

So the steps we have our reconnaissance weaponization delivery, and we're gonna talk about each of these individually, we've got exploitation, installation,

00:20

the command and control. And then finally, the actions on objectives. So once the Attackers actually get in, maintain a foothold, then it's OK. Now, let's go ahead and complete our actual objective. It might be stealing data. It might be destroying data, corrupting data, lots of different things that might be

00:37

so. Let's talk about reconnaissance. Our reconnaissance is as we

00:41

no. From a previous lesson when we talked about re Kon as a step in pen testing methodology, Reconnaissance is just gathering that information, right? So what kind of information can the adversary potentially gather? Well, things like I p addresses, email, information, host or network information could be also identifying different vulnerabilities.

01:00

The attacker may also be identifying employees over on social media that might be good targets for social engineering attacks.

01:08

Also, there might be looking for information around any contracts awarded. So

01:14

the adversary might be looking at press releases because a lot of companies, when they get a contract like a major contract,

01:19

they'll put out a press release basically just saying Hey, look at us. We landed a contract with Company X, so that might be a way that the attacker could either get in through the third party, that that the other person on that contract, or the order that they may be able to use that as a conversation piece

01:38

for social engineering. They might be able to contact someone that works with the company on social media

01:42

and say, Hey, congrats on the contract, Great job. And then they could build a report from there and then exploit that relationship

01:49

weaponization. So the attacker is basically gonna use a weapon, Isar. And so all that does is that it's a tool that couples malware with on an exploit into basically a delivery herbal payload.

02:01

It could be they get it from a public or private channel, right? So buying it on a marketplace or they may just write their own,

02:09

and then once they've got that, the Attackers going to select the delivery method. It could be, um, in the sense of like a phishing email. It could be that they create a document that this malware lives in. And then that's gonna be what the employee or the victim opens up and it installs, um, our on the device.

02:28

Next we have delivery. So this is where the adversary has actually launched the malware to the target. So it could be

02:32

through things like phishing attacks, where they embedded in a document. It could also be three USB drop attacks where they take a USB, put them our on it, maybe put an image file or something, and drop that in a parking lot with some keys on it. So it looks like it's somebody dropped their keys and then do gooders as I call them. We'll go and pick it up in the parking lot, go inside.

02:51

You know, ask around. Usually, like who's is this? Everyone says, No, it's not mine.

02:54

They'll plug it in. Maybe there's a file on there that could help them identify who it is and poof. Now there's Mauer on theknot phonies. Device could also be through social media, right? Could I could send you a document and say, Hey, are you having trouble? Uh, maybe I target your sales team member, right? And I say, Hey, if you're having trouble with sales, this step by step guide, always help me, right?

03:15

So they

03:15

Oh, thanks so much for sharing right. They click it, they opened it

03:19

unsuspecting. It's a step by, you know, a little step by step guide or some tips on sales or whatever. I just create something. But in there I've embedded malware, right and they don't even know. And it's now downloaded on the company machine

03:30

and things like watering hold attacks. So if I know that

03:32

people that a certain company always

03:36

order their food from a Chinese restaurant at lunchtime, then I can actually just go ahead and create a watering hole attacks. So instead of them going to the actual Chinese website and create a mirror site, I can create a site that looks like it, or I can also just embed malware on that website and

03:52

every time they go there to order their food, I'm downloading malware in the background on their machine

03:55

exploitation. So to get access, the attacker has to exploit, right, they have to exploit the vulnerability. Um, it could be a zero day exploit. They may use something that's previously unknown. They might also a lot of times just use, uh, they might just exploiting vulnerability, right? A common one that's out there because a lot of organizations still

04:15

are not patching their vulnerabilities effectively

04:17

installation. So the attacker wants to maintain the access, right? So once you've done all this work to

04:23

exploit that vulnerability, all that someone really has to do is put a patch in place and fix their vulnerability, right? And then, poof, you lose access. However, if you install something like a back door, you can potentially maintain persistent access. And that's what the attacker wants to do, right? They want to install that backdoor backdoor. That may also do things like

04:43

doing time storm

04:44

where they change the time on the file. So it makes it look like the Mauer is actually part of like the operating system installed. So they basically put it at a previous time commanding controls. This is where the Mauer opens the channel communication back to the control. Essentially right. So

05:00

think of it. And if you ever watch Star Trek the next generation? Think of it like the Borg ship.

05:04

Ah, Borg ship or the border themselves were tied into what was called the collective, and so they would send information back to the collective and the collective would send information to them That's in in that. In that example, that's what the command and control is, right. There's the attacker system and it's sending

05:24

information or instructions back to the victims system. And the victim system is sending potentially information or whatever

05:30

back to the command control server, then the actions on objectives. So again, this could vary. It could be things like harvesting log in credentials to be used for a privileged escalation attacks. It could be performing internal reconnaissance. It could be a lateral movement throughout the target

05:47

environment. Right, So maybe I compromise one system, and then I wanna move laterally through

05:51

to compromise as many systems I can could be extra illustrating data, so data theft could be destroying data. Right? Or destroying systems. Maybe I do end up doing a DDOS attack and break your system. Right brick brick. Your Web server could be corrupting the data, right? Overriding the data

06:08

or otherwise modifying the data. So a lot of different things they might do once they're in and they've established a foothold.

06:14

So just a quick quiz question here in what stages the kill chain would attacker provide a U. S. B to the victim

06:19

with the exploitation of weaponization or delivery?

06:24

All right, so if he gets delivery, you are correct, right? So, again, thinking through, especially in that example, I deliver the U. S. B. So I go drop into the parking lot. I'm delivering it. Kind of like a FedEx or U S ups, right? I deliver it to the parking lot and then some unsuspecting person takes that plugs it in and poof. Now the organization has malware just like magic.