Cyber Kill Chain Process

The Cyber Kill Chain describes the 7 phases of a targeted cyber attack: 1) Reconnaissance, 2) Weaponization, 3) Delivery, 4) Exploitation, 5) Installation, 6) Command and Control, 7) Actions on Objectives. At each phase, defenders can detect and disrupt the attack by monitoring for behaviors typical of that phase and implementing controls to prevent movement to the next phase. The ultimate goal is to break the kill chain and prevent the attacker from achieving their objectives.

Uploaded by Hema Latha
Cyber Kill Chain:

The Cyber Kill Chain describes the phases or stages of a targeted attack. Each stage presents an opportunity to detect and
react to the attack.

There are seven stages in total which we can follow to detect and defend. Below are the seven stages:

1) Reconnaissance (Identifying Targets): Reconnaissance is a set of processes and techniques (Footprinting,
Scanning & Enumeration) used to covertly discover and collect information about a target system. During
reconnaissance, an ethical hacker attempts to gather as much information about a target system as possible.

Attacker:
- Harvest email addresses
- Identify employees on social media networks
- Collect press releases, contract awards, conference attendee lists
- Discover internet-facing servers

Defender:
- Collect website visitor logs for alerting and historical searching.
- Collaborate with web administrators to utilize their existing browser analytics.
- Build detections for browsing behaviors unique to reconnaissance.
- Prioritize defenses around particular technologies or people based on recon activity.

2) Weaponization (Prepare the Operation): The intruder creates a remote access malware weapon, such as
a virus or worm, tailored to one or more vulnerabilities.

Attacker:
- Obtain a weaponizer, either in-house or through public or private channels
- For file-based exploits, select a "decoy" document to present to the victim.
- Select backdoor implant and appropriate command and control infrastructure for the operation
- Designate a specific "mission id" and embed it in the malware
- Compile the backdoor and weaponize the payload

Defender:
- Conduct full malware analysis: not just what payload it drops, but how it was made.
- Build detections for weaponizers: find new campaigns and new payloads only because they reused a weaponizer toolkit.
- Analyze the timeline of when malware was created relative to when it was used. Old malware is "malware off the shelf", but new malware might mean active, tailored operations.
- Collect files and metadata for future analysis.
- Determine which weaponizer artifacts are common to which APT campaigns. Are they widely shared or closely held?

3) Delivery (Transfer malware): This is the stage where the attacker transfers the weapon to the target
system. It can be transferred in many ways.

Attacker:
- Adversary controlled delivery: direct against web servers
- Malicious email
- Malware on USB stick
- Social media interactions
- "Watering hole" compromised websites

Defender:
- Analyze the delivery medium: understand upstream infrastructure.
- Understand targeted servers and people, their roles and responsibilities, and what information is available.
- Infer the intent of the adversary based on targeting.
- Leverage weaponizer artifacts to detect new malicious payloads at the point of delivery.
- Analyze the time of day when the operation began.
- Collect email and web logs for forensic reconstruction. Even if an intrusion is detected late, defenders must be able to determine when and how delivery began.

4) Exploitation (Gain access to a victim): The malware weapon's program code triggers, taking
action on the target network to exploit a vulnerability. This is the point at which the victim experiences
the anomalous behavior.

Attacker:
- Software, hardware, or human vulnerability
- Acquire or develop a zero-day exploit
- Adversary-triggered exploits for server-based vulnerabilities
- Victim-triggered exploits: opening the attachment of a malicious email
- Victim-triggered exploits: clicking a malicious link

Defender:
- User awareness training and email testing for employees.
- Secure coding training for web developers.
- Regular vulnerability scanning and penetration testing.
- Endpoint hardening measures: restrict admin privileges.
- Endpoint hardening measures: use Microsoft EMET.
- Endpoint hardening: custom endpoint rules to block shellcode execution.
- Endpoint process auditing to forensically determine the origin of the exploit.

5) Installation (Establish Beachhead at the victim): The malware weapon installs an access point (e.g.,
a "backdoor") usable by the intruder. The attacker makes sure that their entry into the system stays
open for further use; this technique is called persistence.

Attacker:
- Install webshell on web server
- Install backdoor/implant on client victim
- Create a point of persistence by adding services, AutoRun keys, etc.
- Some adversaries "time stomp" the file to make the malware appear to be part of the standard operating system install.

Defender:
- HIPS to alert or block on common installation paths, e.g. RECYCLER.
- Understand if the malware requires administrator privileges or only user privileges.
- Endpoint process auditing to discover abnormal file creations.
- Extract certificates of any signed executables.
- Understand the compile time of the malware to determine if it is old or new.
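The weaponization and installation defender items both turn on the malware's compile time: is the build old or new, and has the file been time stomped? As an added example, not code from this document or from Lockheed Martin, here is a Python check that reads the linker timestamp from a PE header and compares it with the time the file was first seen and with its on-disk modification time; the constructed sample header, the 365-day "old" threshold and the function names are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def build_sample_pe(compile_ts):
    """Constructed minimal PE image (not a real binary): an MZ stub whose e_lfanew
    field (offset 0x3C) points at the PE signature, then the 20-byte COFF header."""
    pe_offset = 0x40
    mz = bytearray(b"MZ" + b"\x00" * (pe_offset - 2))
    struct.pack_into("<I", mz, 0x3C, pe_offset)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, compile_ts, 0, 0, 240, 0x22)
    return bytes(mz) + b"PE\x00\x00" + coff

def pe_compile_time(data):
    """Return the linker TimeDateStamp of a PE file as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_offset:pe_offset + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # TimeDateStamp follows the 4-byte signature, Machine (2) and NumberOfSections (2).
    (ts,) = struct.unpack_from("<I", data, pe_offset + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def assess(data, file_mtime, first_seen, old_after_days=365):
    """Triage a sample: how old is the build, and does the mtime hint at time stomping?
    The 365-day boundary is an assumed threshold, not one the document gives."""
    findings = []
    compiled = pe_compile_time(data)
    age = first_seen - compiled
    if age < timedelta(0):
        findings.append("compile time is after first sighting: forged timestamp")
    elif age > timedelta(days=old_after_days):
        findings.append("old build: likely malware off the shelf")
    else:
        findings.append("recent build: possible active, tailored operation")
    # Time stomping sets the on-disk mtime back so the file blends in with the OS
    # install; a file cannot legitimately be written to disk before it was linked.
    if file_mtime < compiled:
        findings.append("mtime precedes compile time: possible time stomping")
    return findings
```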

6) Command and Control (Remotely control the implants): The malware enables an intruder to have
"hands on the keyboard" persistent access to a target network. The connection runs from bot to C2
and vice versa; commands are sent by the C2 server and executed on the victim machine.

Attacker:
- Open a two-way communications channel to C2 infrastructure
- Most common C2 channels are over the web, DNS, and email protocols
- C2 infrastructure may be adversary owned or another victim network itself

Defender:
- Discover C2 infrastructure through malware analysis.
- Harden network: consolidate the number of internet points of presence.
- Harden network: require proxies for all types of traffic (HTTP, DNS).
- Customize blocks of C2 protocols on web proxies.
- Proxy category blocks, including "none" or "uncategorized" domains.
- DNS sinkholing and name server poisoning.
- Conduct open source research to discover new adversary C2 infrastructure.
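Two of the C2 defender items above, blocking "none"/uncategorized proxy categories and knowing that C2 most often rides web protocols, can be turned into a log check. The following Python is an added example, not code from this document, that scans constructed proxy log lines for uncategorized domains and for the fixed-interval check-in pattern of a beacon; the log format, the thresholds and the function names are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (not from any real device): epoch_seconds client domain category
SAMPLE_PROXY_LOG = """\
1700000000 10.0.0.5 update.example-vendor.test software-updates
1700000060 10.0.0.5 cdn7-static.test none
1700000120 10.0.0.5 cdn7-static.test none
1700000181 10.0.0.5 cdn7-static.test none
1700000240 10.0.0.5 cdn7-static.test none
1700000300 10.0.0.5 cdn7-static.test none
1700000015 10.0.0.9 news.example.test news
1700000900 10.0.0.9 news.example.test news
"""

# Categories a proxy assigns when it has no verdict for a domain (assumed labels).
UNCATEGORIZED = {"none", "uncategorized"}

def parse_proxy_log(text):
    """Group request times by (client, domain) and keep the category seen for each."""
    times = defaultdict(list)
    category = {}
    for line in text.splitlines():
        ts, client, domain, cat = line.split()
        times[(client, domain)].append(int(ts))
        category[(client, domain)] = cat
    return times, category

def find_c2_candidates(text, min_hits=4, max_jitter=0.2):
    """Return {(client, domain): [reasons]} for uncategorized domains and regular beacons."""
    times, category = parse_proxy_log(text)
    findings = {}
    for key, stamps in times.items():
        reasons = []
        if category[key] in UNCATEGORIZED:
            reasons.append("uncategorized domain")
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # A beacon checks in on a near-fixed timer: enough hits, and the gaps between
        # them vary by no more than max_jitter of the mean gap.
        if len(stamps) >= min_hits and pstdev(gaps) <= max_jitter * mean(gaps):
            reasons.append(f"beacon every ~{round(mean(gaps))}s")
        if reasons:
            findings[key] = reasons
    return findings
```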

7) Actions on Objectives (Achieve the mission's goal): With hands-on-keyboard access, intruders
accomplish the mission's goal. What happens next depends on who is on the keyboard.

Attacker:
- Collect user credentials
- Privilege escalation
- Internal reconnaissance
- Lateral movement through the environment
- Collect and exfiltrate data
- Destroy systems
- Overwrite or corrupt data
- Surreptitiously modify data

Defender:
- Establish an incident response playbook, including an executive engagement and communications plan.
- Detect data exfiltration, lateral movement, and unauthorized credential usage.
- Immediate analyst response to all CKC7 alerts.
- Forensic agents pre-deployed to endpoints for rapid triage.
- Network packet capture to recreate activity.
- Conduct damage assessment with subject matter experts.

Conclusion: Attacking a target is easy, but defending is the toughest job, especially if you are not strong
enough. On the defending side, analysis is very important: recognizing attacks by their known patterns and
new techniques, and matching your way of thinking to the attacker's intentions. If you are only well enough
prepared to defend, you have half of your security; the other half is how you have planned to prevent.
So the conclusion is: prepare to defend and learn to prevent.

Reference: https://www.lockheedmartin.com

38- What is the Three-way handshake? How can it be used to create a DoS attack?

The three-way handshake is a cornerstone of the TCP suite: SYN, SYN/ACK, ACK. SYN is the
outgoing connection request from client to server. ACK is the acknowledgement of the server back
to the client, saying "yes, I hear you, let's open a connection". SYN/ACK is the final connection,
and allows the two to speak. The problem is that this can be used as a very basic type of Denial of
Service attack. The client opens up the SYN connection, the server responds with the SYN/ACK,
but then the client sends another SYN. The server treats this as a new connection request and
keeps the previous connection open. As this is repeated over and over many times very quickly,
the server quickly becomes saturated with a huge number of connection requests, eventually
overloading its ability to connect to legitimate users.
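From the defender's side, the indicator of the attack described above is a pile-up of half-open connections: handshakes in which the server has answered but no final acknowledgement from the client ever arrives. This Python, an added example rather than part of the original answer, replays constructed packet summaries through a per-connection handshake state machine and counts half-open connections per source address; the line format, the addresses and the alert threshold are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture): "src:port dst:port flags".
# 198.51.100.7 completes its handshake; 192.0.2.33 opens several and never sends the final ACK.
SAMPLE_PACKETS = """\
198.51.100.7:40001 203.0.113.10:80 SYN
203.0.113.10:80 198.51.100.7:40001 SYN/ACK
198.51.100.7:40001 203.0.113.10:80 ACK
192.0.2.33:51001 203.0.113.10:80 SYN
203.0.113.10:80 192.0.2.33:51001 SYN/ACK
192.0.2.33:51002 203.0.113.10:80 SYN
203.0.113.10:80 192.0.2.33:51002 SYN/ACK
192.0.2.33:51003 203.0.113.10:80 SYN
203.0.113.10:80 192.0.2.33:51003 SYN/ACK
"""

def track_handshakes(text):
    """Replay packet summaries through a handshake state machine.
    Keys are (client_endpoint, server_endpoint) as seen from the client side."""
    state = {}
    for line in text.splitlines():
        src, dst, flags = line.split()
        if flags == "SYN":                      # client opens: SYN_SENT
            state[(src, dst)] = "SYN_SENT"
        elif flags == "SYN/ACK":                # server answers: half-open (SYN_RECEIVED)
            key = (dst, src)
            if state.get(key) == "SYN_SENT":
                state[key] = "SYN_RECEIVED"
        elif flags == "ACK":                    # client completes: ESTABLISHED
            key = (src, dst)
            if state.get(key) == "SYN_RECEIVED":
                state[key] = "ESTABLISHED"
    return state

def half_open_by_source(text, threshold=3):
    """Count half-open connections per client IP and flag sources at or above threshold.
    Counting on the server side works whether or not the source addresses are genuine."""
    counts = defaultdict(int)
    for (client, _server), st in track_handshakes(text).items():
        if st == "SYN_RECEIVED":
            counts[client.rsplit(":", 1)[0]] += 1
    flagged = {ip: n for ip, n in counts.items() if n >= threshold}
    return dict(counts), flagged
```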
