Robert Fitzsimons, Sales Engineer at Searchlight Security
The Cyber Kill Chain is one of the more commonly referenced frameworks in cybersecurity. Originally developed by the aerospace and defense company Lockheed Martin, the framework is designed to aid organizations in the identification and prevention of cyber intrusion activity by understanding the different stages of an attack a threat actor takes to achieve their objectives.
According to the framework, there are seven stages in the Cyber Kill Chain:
1. Reconnaissance - Harvesting employee email addresses and credentials, probing the network in search of vulnerabilities.
2. Weaponization - Coupling the exploit with a backdoor to create a deliverable payload.
3. Delivery - Delivering the weaponized bundle to the victim, for example through email, web, USB or cloud application.
4. Exploitation - Exploiting a vulnerability to execute code on the victim’s system.
5. Installation - Installing malware on the asset.
6. Command and control (C2) - Establishing a command channel to an external server for remote manipulation of the victim.
7. Actions on objectives - With ‘Hands on Keyboard’ access, intruders accomplish their goals - for example, data exfiltration, ransomware deployment or corporate espionage.
If the actions of cyber threat actors can be identified while they are still early in the Cyber Kill Chain, organizations have a chance to prevent a full-blown attack from being executed. For example, if an employee correctly identifies a phishing email and the malicious link is not opened, then the chain is broken at the “Delivery” phase. Most of the security team’s resources and tools are currently focused at this stage or afterwards. For instance, email security tools sit at the Delivery phase, whilst endpoint, network and antivirus security solutions focus on identifying the subsequent activity, such as script exploitation, malware installation, privilege escalation and so on.
Unfortunately, as cybercriminals continue to evolve their capabilities and skill sets to bypass existing security solutions, preventing an attack is not always as simple as not clicking the phishing link. Therefore, to give the best chance of disrupting a cybercriminal's operations, enterprises need to “shift left” and take action as early in the Cyber Kill Chain as they can.
Shifting Left in the Cyber Kill Chain
Let’s look to the “left” of the Delivery phase to see how (and if) an attack could be prevented in Weaponization and Reconnaissance.
It is very difficult for an organization and their security providers to disrupt cybercriminals at the Weaponization phase as this activity will almost certainly be done in their own environment. With no reason for them to connect to the network before the Delivery phase, identifying and disrupting threat actors at this stage is pretty much impossible.
However, looking even further left to Reconnaissance, cybercriminals do create a footprint during this phase on deep web and dark web marketplaces and forums, where they often perform their due diligence, discuss their plan of action, and even buy the tools that they may need to infiltrate a company’s defenses. This exposure creates an opportunity for organizations to take preventative action right at the start of the Cyber Kill Chain.
Intervention at the Reconnaissance Phase
Armed with deep and dark web intelligence - which can provide visibility into the marketplaces, forums and sites where cybercriminals congregate - there are several key opportunities for organizations to identify the early warning signs of attack in the Reconnaissance phase:
Identification of Leaked Credentials
Companies are often completely unaware that their staff’s credentials - including usernames, corporate emails, and passwords - have been published on leak sites or pastebins in the deep and dark web. In some cases, this is the result of third-party organizations being breached, where individuals have used their business emails and passwords to create accounts.
Identification of this data can enable security teams to enforce password changes on the compromised accounts to prevent access through exploiting these credentials. It can also inform actions to implement additional layers of authentication if they are not already in place.
Sale of Credentials
Batches of company credentials for sale are commonplace in dark web markets, enabling lower-tier criminals to monetize the data they have gathered, whilst the criminals buying the data will often seek to exploit the organization further. Not only can this activity be observed through market listings, but breached credential trading also takes place on dark and clear web forums and via channels such as Telegram and Discord.
This intelligence is valuable in two ways. Firstly, identification of batch credential data can indicate a previous breach, and prompt security teams to conduct a thorough investigation into their networks to identify and patch any vulnerabilities. Secondly, it may also be possible to associate the forum, market, or chat usernames with threat actors, providing an indication of which adversary is targeting the business. In turn, this can enable the security team to alter their risk position and prompt a review of the mitigation approach or incident response playbooks.
Dark Web Traffic
Communication between the corporate network and a Tor node is a red flag for criminal activity. Cybercriminals, advanced persistent threat groups, and hacktivists have all utilized Tor in the past to anonymize their activity. From Tor, they are able to scan corporate networks for vulnerabilities, open ports and unsecured systems, helping to identify the most efficient avenue of attack through which they can conduct their operations.
Incoming network activity from Tor nodes to a company's network can indicate possible Reconnaissance activity such as port or vulnerability scanning. The ability to see which ports are being actively targeted at any given time can have a dramatic impact for businesses in helping to prioritize defenses on the most likely paths of attack.
Outgoing traffic from an organization's network towards a Tor server is a potential indicator of an insider threat, or even a compromised device communicating back to Command and Control (C2) servers. Again, this visibility can help security teams to take swift action in disconnecting systems calling out to the dark web and begin their investigations to find the cause.
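The two detections described above (inbound Tor traffic as a scanning indicator, outbound Tor traffic as an insider or C2 indicator) can be run over flow logs. The following is an added example, not code from the original article or from Searchlight Security; it assumes a hypothetical Tor relay address list (constructed placeholders here), an assumed corporate range of 10.20.0.0/16, and constructed flow records in a simple space-separated layout.

```python
import ipaddress
from collections import Counter

# Assumed inputs: a Tor relay address list (constructed placeholders from the
# TEST-NET documentation ranges, not a real relay list) and the corporate range.
TOR_RELAYS = {"203.0.113.10", "203.0.113.25", "198.51.100.7"}
CORP_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed flow records in the form: timestamp src dst dst_port proto
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 203.0.113.10 10.20.4.15 22 tcp
2024-05-01T10:00:02Z 203.0.113.10 10.20.4.16 22 tcp
2024-05-01T10:00:03Z 203.0.113.25 10.20.4.15 3389 tcp
2024-05-01T10:00:04Z 203.0.113.10 10.20.4.17 445 tcp
2024-05-01T10:00:05Z 192.0.2.44 10.20.4.15 443 tcp
2024-05-01T10:05:00Z 10.20.9.101 198.51.100.7 9001 tcp
2024-05-01T10:06:00Z 10.20.9.101 198.51.100.7 9001 tcp
2024-05-01T10:07:00Z 10.20.9.50 192.0.2.80 443 tcp
"""

def classify_flow(line):
    """Label one flow record as inbound-from-Tor, outbound-to-Tor, or neither."""
    _ts, src, dst, _port, _proto = line.split()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in TOR_RELAYS and dst_ip in CORP_NET:
        return "inbound_tor"   # possible port/vulnerability scanning from Tor
    if src_ip in CORP_NET and dst in TOR_RELAYS:
        return "outbound_tor"  # possible insider use or a compromised host calling out
    return None

def analyse_flows(text):
    """Summarise Tor-related flows so defenders see probed ports and calling hosts."""
    report = {
        "probed_ports": Counter(),     # dst ports hit from Tor -> prioritise hardening
        "inbound_sources": Counter(),  # Tor addresses doing the probing
        "outbound_hosts": Counter(),   # internal hosts talking to Tor -> isolate, investigate
    }
    for line in text.strip().splitlines():
        kind = classify_flow(line)
        if kind is None:
            continue
        _ts, src, dst, port, _proto = line.split()
        if kind == "inbound_tor":
            report["probed_ports"][int(port)] += 1
            report["inbound_sources"][src] += 1
        else:
            report["outbound_hosts"][src] += 1
    return report
```

On the constructed sample, the report shows port 22 as the most-probed service from Tor and a single internal host (10.20.9.101) repeatedly calling out to a Tor relay, the two situations the text says should drive prioritisation and isolation respectively.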
Combatting Criminal Reconnaissance Through Dark Web Intelligence
Identifying the early warning signs of attack through dark web intelligence aligns not just with the Cyber Kill Chain framework, but also with the Reconnaissance phase of the MITRE ATT&CK framework, including techniques such as Gather Victim Identity Information (T1589) and Gather Victim Network Information (T1590). With this intelligence in hand, businesses can be notified at the earliest opportunity of a potential attack, take the corrective actions required, and put themselves in the best position possible to mitigate malicious activity before adversaries gain initial access to the network. Without it, organizations are literally already two steps behind criminals in the Cyber Kill Chain.