Remote-access Guide

A Cyber Kill Chain Based Analysis of Remote Access Trojans

by Jacky Hane Published 3 years ago Updated 2 years ago

What is the cyber kill chain and how does it work?

The Cyber Kill Chain is divided into seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. This article describes what each of these steps entails, including the preventive measures that network defenders can take in each stage.

What is the most critical stage in the cyber kill chain?

Essentially, exploitation is the most critical stage within the cyber kill chain: it is the point at which the attacker first gains code execution on the target, and every later stage (installation, C2, actions on objectives) depends on it succeeding. This is why patch management and keeping up with the latest software updates matter so much: they close the vulnerabilities that the exploit relies on.

What are today’s cyber threats?

Throughout the past couple of decades, cyber threats have grown drastically in size and complexity. The increasing popularity of the cloud, the development of advanced social engineering techniques, and the rise of Business Email Compromise (BEC) are some of today's cyber dangers that have rendered traditional security defenses insufficient.


What is a cyber attack kill chain?

The cyber kill chain is a cybersecurity model created by Lockheed Martin that traces the stages of a cyber-attack, maps each adversary action to the defensive courses of action available against it, and helps security teams stop an attack at any stage of the chain.

What are the 7 stages of the cyber kill chain?

The Cyber Kill Chain is divided into seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives.

What is kill chain analysis?

Kill chain analysis is a guide for analysts to understand what information is, and may be, available for defensive courses of action. It is a model for analyzing intrusions in a new way: most detected intrusions provide only a limited set of attributes about a single phase, and the kill chain lets analysts place those attributes in the context of the whole intrusion.

What is an example of a cyber kill chain?

One example is Lockheed Martin's Cyber Kill Chain framework which was developed as part of the Intelligence Driven Defense model for identification and prevention of cyberattacks and data exfiltration. The term 'kill chain' originates from the military and defines the steps an enemy uses to attack a target.

What is the main purpose of cyberwarfare?

According to the Cybersecurity and Infrastructure Security Agency, the goal of cyberwarfare is to "weaken, disrupt or destroy" another nation. To achieve that goal, cyberwarfare programs target a wide spectrum of objectives that might harm national interests.

What is the correct order of the kill chain?

The seven stages (phases), in order, are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives.

What does the term kill chain mean?

The term “kill chain” comes from a military concept that uses stages to outline the structure of an attack. “Breaking” the opponent's kill chain refers to the ability to block an attack at any stage.

What are the seven steps of the cyber kill chain?

The seven steps, briefly explained:
Reconnaissance: identify and research targets.
Weaponization: prepare the attack by pairing an exploit with a payload.
Delivery: transmit the weaponized payload to the target (e.g. by email attachment, website or removable media).
Exploitation: trigger the vulnerability to gain code execution.
Installation: install the payload to persist access.
Command and Control (CC or C2): establish a channel for remote control of the compromised host.
Actions on Objectives: carry out the attacker's goal, such as data exfiltration.

What is a cyber kill chain and its advantages?

The cyber kill chain is a series of steps that trace the stages of a cyberattack from the early reconnaissance stages to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent threats (APTs).

What is the last stage of the cyber kill chain framework?

The Cyber Kill Chain consists of 7 steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally, actions on objectives. The last stage is therefore actions on objectives, the point at which the attacker carries out the intended goal of the intrusion.

What is Phase 4 of the cyber kill chain?

Phase 4: Exploitation. At the Exploitation phase, the attacker triggers the vulnerability that has been discovered to carry out their attack. The targeted system is typically compromised at this point, and the attacker gains code execution on it.

What is cyber kill chain PDF?

Cyber kill chain is a model to describe cyber-attacks so as to develop incident response and analysis capabilities. Cyber kill chain in simple terms is an attack chain, the path that an intruder takes to penetrate information systems over time to execute an attack on the target.

At what stage of the cyber kill chain do you typically use the Nmap command?

Active reconnaissance uses tools such as Nmap, port scanners and even vulnerability scanners (turned down to the lowest-impact setting) to enumerate your external systems, ports and IP addresses. Because it sends traffic to the target, it is the part of reconnaissance a defender can actually observe in firewall and IDS logs.

Which of the following is the first phase in the attacker kill chain process?

There are several core stages in the cyber kill chain. They range from reconnaissance (often the first stage in a malware attack) to lateral movement (moving laterally throughout the network to get access to more data) to data exfiltration (getting the data out).

What can Trojans do with their C2s?

Using commonly used ports (for example the HTTP and HTTPS ports, which are rarely blocked for outbound traffic), Trojans can communicate with their C2s, download payloads, and upload exfiltrated data. Analysis of network traffic using tools such as Wireshark can assist in the identification of malicious connections and in reviewing the payloads associated with the traffic for potential data exfiltration; because the port itself looks legitimate, the timing and volume of the connections are usually the better indicators.
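The point above, that a Trojan hiding on a common port is better spotted by the regularity of its call-backs than by the port number, can be demonstrated on connection records. The following is an added example, not code from the original page or from any tool it names; the record format (timestamp, source, destination, destination port), the sample records and the thresholds are all constructed and assumed here.

```python
"""Beacon detection over constructed connection records (added example).

A remote access Trojan typically polls its C2 at a fixed interval with a
little jitter, so for each (src, dst, dport) flow we look at the spacing
between successive connections: many connections with a low coefficient of
variation (stdev / mean) of the inter-arrival time is a beacon candidate,
whatever the port. Thresholds are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (epoch seconds, src, dst, dport).
# 10.0.0.5 calls 203.0.113.10:443 roughly every 60 s (a beacon);
# 10.0.0.7 browses 198.51.100.20:443 at irregular, human-looking times.
SAMPLE_RECORDS = [
    (t, "10.0.0.5", "203.0.113.10", 443)
    for t in (0, 61, 119, 181, 240, 299, 361, 420)
] + [
    (t, "10.0.0.7", "198.51.100.20", 443)
    for t in (0, 5, 7, 30, 31, 200, 210, 900)
]


def group_flows(records):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        flows[(src, dst, dport)].append(ts)
    return flows


def beacon_score(timestamps):
    """Return (count, mean interval, coefficient of variation) for one flow,
    or None when there are too few connections to judge periodicity."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if len(intervals) < 2:
        return None
    m = mean(intervals)
    if m == 0:
        return None
    return len(ts), m, pstdev(intervals) / m


def find_beacons(records, min_connections=6, max_cv=0.2):
    """Return [(flow, count, mean_interval, cv)] for flows that look periodic."""
    hits = []
    for flow, ts in group_flows(records).items():
        score = beacon_score(ts)
        if score is None:
            continue
        count, interval, cv = score
        if count >= min_connections and cv <= max_cv:
            hits.append((flow, count, round(interval, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for flow, count, interval, cv in find_beacons(SAMPLE_RECORDS):
        print(f"beacon candidate {flow}: {count} connections, "
              f"mean interval {interval}s, cv {cv}")
```

Both hosts in the sample talk to port 443, so a port-based rule sees nothing; only the low-jitter flow from 10.0.0.5 is reported. On real data the thresholds need tuning against legitimate periodic traffic (update checks, mail polling), which is why the result is a candidate list for an analyst rather than a verdict.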

What are the three dimensions of banking Trojans?

In developing a banking Trojan defence taxonomy, we consider three dimensions, namely: detection, prevention and remedial actions [109] – see Fig. 4. The first level of our taxonomy comprises the different types of defences, and the second level is constructed based on how a specific defence type can be applied. Detection techniques can run at the host or at the network [110], while prevention techniques are classified as host-based, network-based and user training. Finally, remedial actions are divided into defensive and offensive activities, each linked to different techniques [36].

What is evolutionary computational intelligence?

While evolutionary computational intelligence approaches are a viable way of designing intelligent and effective malware detection and mitigation solutions, having a feature taxonomy can help inform the design of such approaches by reducing the impreciseness, subjectivity, and knowledge uncertainty in the decision-making process.

What is host based preventive?

Host-based preventive solutions generally include AV (e.g. anti-spyware) [48], [85], and cryptographic solutions such as access control schemes. For example, an attribute-based encryption (ABE) scheme allows users to define access to a specific piece of data depending on pre-defined attributes in the policy [128].

What is detection technique?

Detection techniques provide opportunities to identify a malicious attack in its early stages, namely: during reconnaissance, weaponization or delivery [20], [31]. Detection can be conducted at the host or network level.
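The active reconnaissance with Nmap and port scanners described earlier is the clearest example of an attack that can be detected in its earliest stage, as this paragraph proposes. The following is an added example, not code from the original page or from any scanner or firewall it names; the log line format, the sample lines (including one malformed line) and the scan threshold are constructed and assumed here.

```python
"""Port-scan detection over constructed firewall log lines (added example).

A scanner touches many distinct destination ports on a host within a short
window, while a legitimate client uses a handful of ports repeatedly. For
each source we slide a time window over its events and count distinct
destination ports; the verdict (ALLOW/DENY) is deliberately ignored, since
a scan of open ports is logged as ALLOW.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: "<ISO timestamp> <ALLOW|DENY> src=.. dst=.. dport=.. proto=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: 198.51.100.7 sweeps 13 ports in 12 seconds,
# 192.0.2.30 is a normal web client, and one line is garbage.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389]
SAMPLE_LOG = [
    f"2024-03-01T09:00:{i:02d} DENY src=198.51.100.7 dst=10.0.0.5 dport={p} proto=tcp"
    for i, p in enumerate(SCAN_PORTS)
] + [
    "2024-03-01T09:00:05 ALLOW src=192.0.2.30 dst=10.0.0.5 dport=443 proto=tcp",
    "2024-03-01T09:00:09 ALLOW src=192.0.2.30 dst=10.0.0.5 dport=443 proto=tcp",
    "2024-03-01T09:00:40 ALLOW src=192.0.2.30 dst=10.0.0.5 dport=80 proto=tcp",
    "2024-03-01T09:15:00 ALLOW src=198.51.100.7 dst=10.0.0.5 dport=443 proto=tcp",
    "garbage line that does not match the format",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(lines, window_seconds=60, min_ports=10):
    """Return {source_ip: max distinct ports seen in any window} for sources
    whose maximum reaches min_ports."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append((ev["ts"], ev["dport"]))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        window = deque()
        best = 0
        for ts, port in events:
            window.append((ts, port))
            # drop events that fell out of the trailing window
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            best = max(best, len({p for _, p in window}))
        if best >= min_ports:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {ports} distinct ports in 60 s")
```

Only the sweeping source is reported; the web client's repeated hits on 443 and 80 stay well under the threshold, and the malformed line is skipped rather than crashing the detector. In production the same logic would run on a stream rather than a list, and the threshold would be set from the distribution of distinct-port counts observed for known-good clients.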

What are MITB and MITM?

Trojans use MITB (Man-In-the-Browser) or MITM (Man-In-The-Middle) techniques to extract data [21], [105], [106], [107]. In MITB, the Trojan hooks the victim's browser itself, so it can alter the pages the user sees, capture form fields before they are encrypted, or redirect the victim to a phishing website controlled by the adversaries to harvest credentials such as username and password [105], [106]. An MITM adversary goes further by intercepting communications from victims and responses from the server, establishing an interactive process for collecting user data [107], [108].

What is keystroke logging?

In keystroke logging, an adversary covertly records user keystrokes as they are typed, either through a software program, a hardware device, or even by monitoring electromagnetic emissions. Malware designers can deploy software keyloggers either as a payload or as a client-side exploit [89], [90], and they can be implemented in the kernel, in a hypervisor, or in user space by hooking the input APIs.

What is cyber kill chain?

"Kill chain" is a concept that was first adopted by the military to describe the actions used by an adversary to attack and destroy a target. In essence, it describes what an assault looks like from a military perspective and lays out all the stages that attackers go through.

How does the Cyber Kill Chain Work?

Next, I will break down each of the kill chain stages, as per the analysis shown in the Technical Aspects of the Cyber Kill Chain research paper, authored by Tarun Yadav.

What are the threats to cyber security?

As these threats have grown, cybersecurity prevention and mitigation methods have been compelled to keep pace with them.

What is the next step after cyber weapons are shipped?

After the cyber weapon is delivered, the next step is exploitation: executing the exploit with the aim of silently installing the payload and running it.

How many stages are there in Cyber Kill Chain?

The cyber kill chain consists of seven stages.

What is cyberspace identification?

Cyberspace identification primarily means crawling the World Wide Web (e.g. websites, conference proceedings, blogs, social relationships, mailing lists, and network tracing tools) to obtain information about the target. In later phases of the cyber kill chain, the data collected during reconnaissance is used to plan and deliver the payload.
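What that crawling actually harvests from a target's public web pages is shown by the following added example, which is not code from the original page or from the paper it cites. It parses a constructed HTML page for the target domain "example.com" (an assumed name) and pulls out the items an attacker carries into weaponization and delivery: in-scope hostnames (for later active scanning), e-mail addresses (phishing targets) and the site's generator tag (a hint about the software stack).

```python
"""Passive reconnaissance extraction from a web page (added example).

Given raw HTML and the target's domain, collect:
  * hostnames under the target domain that the page links to,
  * e-mail addresses at the target domain, from mailto: links and body text,
  * the <meta name="generator"> value, if any.
Only the standard library is used, so this runs offline on the sample page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample page for the assumed target domain example.com.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 6.4">
<title>Example Corp</title></head>
<body>
<a href="https://www.example.com/about">About us</a>
<a href="https://vpn.example.com/login">Staff VPN</a>
<a href="https://mail.example.com/owa">Webmail</a>
<a href="https://twitter.com/example">Follow us</a>
<a href="mailto:it-helpdesk@example.com">IT helpdesk</a>
<p>Press contact: jane.doe@example.com. Partner enquiries: press@partner.org.</p>
</body></html>
"""


class ReconExtractor(HTMLParser):
    """Collect in-scope hosts, e-mails and the generator tag from HTML."""

    def __init__(self, target_domain):
        super().__init__()
        self.target = target_domain.lower()
        self.hosts = set()
        self.emails = set()
        self.generator = None

    def in_scope(self, host):
        host = host.lower()
        return host == self.target or host.endswith("." + self.target)

    def add_emails(self, text):
        for addr in EMAIL_RE.findall(text):
            if self.in_scope(addr.rsplit("@", 1)[1]):
                self.emails.add(addr.lower())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            href = a["href"]
            if href.lower().startswith("mailto:"):
                self.add_emails(href)
            else:
                host = urlparse(href).hostname
                if host and self.in_scope(host):
                    self.hosts.add(host.lower())
        elif tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")

    def handle_data(self, data):
        self.add_emails(data)


def extract_recon(html, target_domain):
    """Return a dict of sorted hosts, sorted e-mails and the generator string."""
    parser = ReconExtractor(target_domain)
    parser.feed(html)
    parser.close()
    return {
        "hosts": sorted(parser.hosts),
        "emails": sorted(parser.emails),
        "generator": parser.generator,
    }


if __name__ == "__main__":
    for key, value in extract_recon(SAMPLE_HTML, "example.com").items():
        print(f"{key}: {value}")
```

From the defender's side the same script run against your own sites answers the question this stage raises: which hostnames, addresses and version strings are you handing to anyone who looks, and which of them (an exposed VPN portal, a helpdesk mailbox) would you rather not advertise.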

Abstract

Malware such as banking Trojans are popular with financially-motivated cybercriminals. Detection of banking Trojans remains a challenging task, due to the constant evolution of techniques used to obfuscate and circumvent existing detection and security solutions.

About the author

Dennis Kiwia is a Certified Information Systems Security Professional (CISSP) with more than five years' experience in the field of IT systems. He has gained extensive experience in cyber security through working in different sectors, including financial services and telecommunications.
