The cyberkill chain and how to break it

BitDepth #1382

MARK LYNDERSAY

IN A CONVERSATION with IT professionals on November 2, Marcelo Ardiles, cybersecurity consultant at Hitatchi Systems, explained what he described as the cyberkill chain of a ransomware attack.

Between 2021 and 2022, ransomware attacks rose from 22 per cent of all companies to 35 per cent and are now the greatest threat to companies and organisations.

The term comes from Lockheed-Martin's adaptation of the military breakdown of a successful attack.

Lockheed-Martin breaks out the cybersecurity equivalent of a killchain into seven distinct phases, reconnaissance, weaponisation, delivery, exploitation, installation and action on objective.

During reconnaissance, hackers are looking for information that can be used to break into computer systems.

Techniques include harvesting e-mail addresses and personal information from press releases, contracts, conference attendee lists, reviewing breached and leaked data and through discovery of the company's servers on the internet.

Once an entry point is identified, it is weaponised, usually with an attempt to deliver a decoy document with software embedded in it that will instal a malware payload in the intended target.

Cleverly written and designed phishing e-mail are favoured, an attack vector that represents 70 per cent of the risk associated with compromised systems (unpatched software is second at 56 per cent).

Malware can be hidden on a USB flash drive, and supply-chain attacks bring infected software components from external services and suppliers during a scheduled software update. Websites can also deliver malicious code during browsing, which downloads files to a computer.

While antivirus software will scan downloads, modern malware is often encrypted, and these tools cannot inspect it.

Social-engineering techniques, such as embedding malware in an official-looking document with an accompanying password, increase the confidence of the unwary while bypassing antivirus tools entirely.

Once the code is in the system, it establishes a connection to the infiltrator's computer and transmits information gathered from its initial beachhead.

The initial malware is normally a small package of code that instals a webshell on the computer to establish a back door for communication, which it uses to download a command-and-control tool that will take full control of the compromised computer. To establish persistence on the compromised system, the malware will instal code that launches it on startup and will masquerade as part of a standard operating system installation.

With the command-and-control tool in place, the infiltration will attempt to increase access to more of the computer network.

As it gains greater access, it moves laterally through the network, collecting and exfiltrating data, destroying systems and corrupting or overwriting data.

The end goal of most ransomware attacks is double extortion: first downloading company data, corrupting or deleting available backups, and then locking access for a fee.

How do companies respond to these threats, which are often mobilised with an agility that few IT departments can match?

The most effective intervention happens at the very start of the cyberkill chain, by training employees to understand the nature of cybersecurity threats. This awareness training must be conducted continuously, updating users on new phishing exploits and coaching them in the identification of often persuasive fake e-mails.

Implement multifactor authentication (something you know, something you have) for all users, even managers who complain that it's a hassle that doesn't apply to them.

Network administrators should scan their systems for vulnerabilities and penetration points and fastidiously apply updates and patches to server infrastructure. These preventive efforts should also analyse events and alerts on the network.

Users should have the lowest level of privilege required to do their jobs, and all software installations should be approved and monitored.

Assume that systems are already compromised. Monitor internet traffic, particularly data that is going to unknown URLS or domain name servers and unusual downloads. Continuously update monitoring tools that analyse networks for malware.

Plan for the worst possible scenario and operate on the assumption that you will be hit by a ransomware attack.

Develop an incident-response plan that details the steps to be taken once a compromise is revealed, and then test it, running the exercise regularly. Test backups and the recovery process.

For small and medium businesses, consider, at the very least, a hardware firewall to monitor outgoing and incoming data flows. Firewalla (firewalla.com) offers a range of devices that are designed to simplify this measure of protection, but setting up most firewalls may require a networking professional.

TT businesses could generally benefit from more collaboration on cyberthreat intelligence and private-sector organisations should encourage networking and information-sharing on this aspect of institutional cybersecurity response.

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there.