In today’s wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the cyber kill chain framework to help organizations identify and prevent cyber intrusions.
The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT).
Organizations can use the cyber kill chain to defend themselves against many complex attacks, such as last year’s Uber hack. If you recall, back in September of 2022, a threat actor successfully infiltrated the company’s Slack application by convincing an employee to grant them access. The attacker spammed the employees with multi-factor authentication (MFA) push notifications until they could gain access to internal systems and browse the source code.
This article will walk you through the kill chain of this specific attack twice. First, we’ll take the perspective of the attacker, and then we’ll outline the prevention strategies organizations can take at each step of the chain.
Each step of the cyberattack kill chain
Recon
This first step is about information gathering. Like in many attacks, threat actors use social engineering tactics to gain access to employee information. Attackers typically gather intelligence from scraping data readily available from public sources, called open source intelligence (OSINT). Thanks to social media and publicly documented online activities, attackers can easily profile an organization or employee.
Weaponize
The next step is essentially the preparation stage. The bad actor is now armed and ready to deploy these compromised credentials and any other relevant information they need to log in to the target employee’s account.
Delivery
Delivery is all about set-up: like a boxer’s jabs before landing the knockout punch. In this step during the Uber hack, the attacker spammed the employee with push notifications (this can be called MFA fatigue or prompt bombing). Then, he contacted the employee through social media channels, posing as IT, asking them to accept the notifications so they would stop.
Exploit
Staying with the boxer analogy, exploit is like a right hook. In the Uber attack, the attacker gained access to the employee’s VPN once the MFA fatigue attack was successful.
Install
Install is where the bad actor officially launches the malicious and dangerous part of the attack. In the Uber hack, the attacker was able to scan the network and discover a power shell script on a shared drive. The script contained an admin user credential for the company’s PAM solution that provided the attacker with further access to multiple services.
Callback
For attackers, callback is all about taking control of the target’s systems so they can launch more attacks. For victims, this is the step in which prevention is much more difficult. In the Uber attack, the bad actor proceeded to wrangle access to other internal systems and steal confidential data.
Persist
When attackers reach this stage, they’ve essentially gained enough rights to continuously execute attacks. This may come in the form of ransomware, data exfiltration for monetary gain or launching DOS attacks.
How the enterprise can prevent attacks at each stage
Recon and weaponize
The strategies for Recon and Weaponize prevention are the same at both stages.
One of the most crucial prevention strategies is eliminating the use of passwords whenever possible. While the password will probably never die, going passwordless is typically a positive step in the right direction. That said, it shouldn’t be the only authentication method. Passwordless should be the first factor to be combined with another form of authentication.
Adding or changing contact info for key employees is another way to keep attackers guessing.
Delivery
Deploying high-assurance MFA options like a FIDO2 key, mobile smart credential or other passkeys is one of the best ways to prevent MFA-based attacks. After all, MFA is not foolproof.
Another great way to ensure an attack like the Uber hack doesn’t happen in your organization is to send a notification to the user whenever the account logs in from a new location for the first time.
Adopting zero trust principles is always recommended here (and at any stage).
Exploit
Using a physical token is one of many secure authentication methods. By deploying risk-based adaptive authentication, authentication requests can trigger a defined action or set of actions based on predetermined risk factors. Potentially malicious requests may trigger an email or SMS notification or be blocked outright. This could (and should) include VPN authentication requests.
Much like for the delivery stage, it’s wise to consider location-based notifications for first-time access.
Install
For the install stage, all the same prevention strategies relevant to the exploit stage also apply. But here, organizations can bolster security for desktops, servers, hidden folders and other resources by applying adaptive MFA.
Privileged Access Management (PAM) solutions should also be secured with high assurance MFA.
Callback/Persist
Here is where real-time monitoring of any suspicious data movement and detecting suspicious behavior is critical. At this stage, bad actors are motivated to move and act quickly, and timing for the security team is crucial. The key is the ability to be proactive instead of reactive.
How IBM X-Force addresses cyberattacks with preparation and execution frameworks
IBM Security X-Force cyberattack preparation and execution frameworks build upon the industry-standard conceptual approaches to analyzing a cyberattack, including the Cyber Kill Chain, MITRE ATT&CK and Mandiant’s Attack Lifecycle.
The X-Force cyberattack preparation and execution frameworks provide a logical flow representative of attacks today and also incorporate increasingly relevant phases not typically included in other frameworks.
These frameworks characterize threat data and communicate threat intelligence, explaining the full range of activities that occur prior to and during an actual compromise.
The process provides incident responders and threat intelligence analysts with a model they can use to track data, conduct peer review research and communicate analysis with greater clarity and consistency. The X-Force cyberattack preparation and execution frameworks also provide organizations with an easy and efficient way to compare different cyberattack threat vectors relevant to their industries.
Read more about the X-force cyberattack preparation framework here.
To schedule a no-cost consult with X-Force, click here.
If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.