Week6 KillChain

The document discusses the Cyber Kill Chain model, which describes the stages of a cyberattack from initial reconnaissance to data exfiltration. It provides an overview of the typical steps in the Cyber Kill Chain model, including reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. It also discusses how the model can help organizations understand and defend against cyber threats by analyzing attacks stage-by-stage. Finally, it analyzes the Stuxnet attack scenario using the Cyber Kill Chain model to illustrate how attackers progressed through each stage of the attack.

Uploaded by Frozone

The Cyber Kill Chain model

UFCF7P-15-M - Critical Systems Security


Session Learning Outcomes

1. Understanding APT phases
2. Understanding the Cyber Kill Chain model

Advanced Persistent Threats (APTs)

• Advanced Persistent Threats (APTs) are sophisticated and targeted cyberattacks carried out by highly skilled adversaries with specific objectives.
• Advanced: They are targeted. They may employ more than one attack method and multiple spreading mechanisms to increase the probability of a successful attack on the target.
• Persistent: They operate in stealth mode for a prolonged period of time, ranging from months to years, until they reach the final target. Often, they hide their actions from monitoring software.
Advanced Persistent Threats (APTs): Examples
• SolarWinds: The SolarWinds cyberattack was a significant supply chain attack attributed to APT29 (Cozy Bear), a Russian-state-sponsored APT group. The attackers compromised the SolarWinds Orion software platform, used by thousands of organizations for IT infrastructure management. This enabled the threat actors to infiltrate the networks of multiple high-profile targets, including U.S. government agencies and Fortune 500 companies.
• Hafnium: Microsoft discovered a Chinese-state-sponsored APT group called Hafnium, which targeted Microsoft Exchange Server vulnerabilities to gain access to email accounts and exfiltrate sensitive data. Hafnium is known to target organizations in various sectors, including defense, healthcare, and higher education.
• UNC2452 / Nobelium: An APT group also involved in the SolarWinds attack, which continued its cyber-espionage campaign targeting various organizations. In May 2021, Microsoft disclosed that Nobelium had launched a new wave of attacks using the USAID email system to distribute malicious phishing emails.
• APT41: A Chinese-state-sponsored APT group which targeted various industries worldwide, including healthcare, telecommunications, and higher education. In 2020, the U.S. Department of Justice (DOJ) charged five Chinese nationals for their involvement in APT41 activities, including unauthorized access to protected computers and stealing sensitive information.

Source: https://www.hackerone.com/knowledge-center/advanced-persistent-threats-attack-stages-examples-and-mitigation
Advanced Persistent Threats (APTs): Steps

1. Reconnaissance: APT attackers begin by gathering information about the target organization, its employees, infrastructure, and security defences. This may involve scanning publicly available information, social engineering tactics, and probing for vulnerabilities in the target's network.
2. Initial Compromise: Once attackers have identified potential vulnerabilities or entry points, they initiate the attack by exploiting weaknesses in the target's systems or networks. This may involve exploiting software vulnerabilities, phishing emails, or other tactics to gain an initial foothold in the target environment.
3. Establishment of Persistence: After gaining initial access, APT attackers take steps to establish persistence in the target environment. This involves installing backdoors, remote access tools, or other malware to maintain access to the compromised systems even after security measures are implemented.
4. Lateral Movement: With persistent access to the target network, APT attackers move laterally across the network to explore and compromise additional systems and resources. This may involve exploiting weak credentials, escalating privileges, or exploiting misconfigured systems to gain access to critical assets and data.
5. Data Exfiltration: Once APT attackers have compromised the target's systems and achieved their objectives, they begin to exfiltrate sensitive data from the target environment. This may involve stealing intellectual property, customer data, financial information, or other valuable assets.
6. Covering Tracks: To avoid detection and maintain access to the compromised systems, APT attackers cover their tracks by deleting logs, modifying timestamps, and obfuscating their activities. This makes it difficult for defenders to detect and respond to the attack.
7. Continued Monitoring and Persistence: Even after exfiltrating data or achieving their objectives, APT attackers may continue to monitor the target environment for future opportunities or maintain access for future attacks. This allows them to maintain a persistent presence in the target environment and carry out additional malicious activities over time.
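Step 6 above describes attackers deleting log entries and modifying timestamps. The defender's counterpart is to look for the traces that such tampering leaves behind. The script below is an added example, not part of the slides, that scans audit records in an assumed line format (`seq|ISO-time|host|message`, constructed sample data) for three signals: gaps in the per-host sequence counter (deleted records), timestamps that move backwards (altered timestamps), and explicit log-cleared messages. The phrases in `CLEAR_PHRASES` are assumptions for this illustration, not any product's real event text.

```python
"""Flag 'covering tracks' indicators in a constructed audit log.

Added example, not from the lecture slides. Assumed record format:
'seq|ISO-time|host|message'. The sample log below is constructed so that
records 1004-1006 are missing, 1008 carries a timestamp earlier than its
predecessor, and 1009 records the audit log being cleared.
"""
from __future__ import annotations

from datetime import datetime
from typing import NamedTuple

SAMPLE_LOG = """\
1001|2024-03-01T08:00:00|fieldpg-01|user logon: engineer
1002|2024-03-01T08:02:10|fieldpg-01|removable drive attached
1003|2024-03-01T08:02:45|fieldpg-01|process start: explorer.exe
1007|2024-03-01T08:05:00|fieldpg-01|Step 7 project opened
1008|2024-03-01T07:30:00|fieldpg-01|scheduled task created
1009|2024-03-01T08:06:30|fieldpg-01|audit log cleared by engineer
1010|2024-03-01T08:07:00|fieldpg-01|user logoff: engineer
"""

# Assumed message fragments that indicate an explicit log wipe.
CLEAR_PHRASES = ("audit log cleared", "log cleared", "event log was cleared")


class Record(NamedTuple):
    seq: int
    time: datetime
    host: str
    message: str


class Finding(NamedTuple):
    kind: str    # sequence_gap | sequence_out_of_order | timestamp_regression | log_cleared
    seq: int     # record at which the indicator was observed
    detail: str


def parse_log(text: str) -> list[Record]:
    """Parse the assumed 'seq|time|host|message' format; blank lines are ignored."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split("|", 3)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 '|'-separated fields")
        seq, ts, host, msg = parts
        records.append(Record(int(seq), datetime.fromisoformat(ts), host, msg))
    return records


def find_tampering(records: list[Record]) -> list[Finding]:
    """Return indicators of deleted records or altered timestamps, tracked per host."""
    findings: list[Finding] = []
    last: dict[str, Record] = {}   # most recent record seen for each host
    for r in records:
        prev = last.get(r.host)
        if prev is not None:
            if r.seq > prev.seq + 1:
                missing = r.seq - prev.seq - 1
                findings.append(Finding("sequence_gap", r.seq,
                                        f"{missing} record(s) missing between {prev.seq} and {r.seq}"))
            elif r.seq <= prev.seq:
                findings.append(Finding("sequence_out_of_order", r.seq,
                                        f"sequence {r.seq} follows {prev.seq}"))
            if r.time < prev.time:
                findings.append(Finding("timestamp_regression", r.seq,
                                        f"{r.time.isoformat()} is earlier than {prev.time.isoformat()}"))
        if any(p in r.message.lower() for p in CLEAR_PHRASES):
            findings.append(Finding("log_cleared", r.seq, r.message))
        last[r.host] = r
    return findings


if __name__ == "__main__":
    for f in find_tampering(parse_log(SAMPLE_LOG)):
        print(f"{f.kind:22} seq={f.seq}  {f.detail}")
```

A timestamp regression can also be caused by a legitimate clock adjustment, so in practice this signal is correlated with clock-change events before it is treated as tampering; a sequence gap on a host whose log forwarding was uninterrupted is the stronger indicator.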

Cyber Kill Chain model

• The Cyber Kill Chain model is a concept that describes the stages of a cyberattack, from initial reconnaissance to data exfiltration.
• The model provides a framework for understanding and analysing cyber threats, allowing organisations to better defend against and mitigate cyberattacks.
Cyber Kill Chain model steps

• Reconnaissance: Research, identification and collection of data about the target organization, encompassing its infrastructure, staff, and security protocols. This process may entail scanning for vulnerabilities, gathering publicly accessible data, and executing social engineering tactics.
• Weaponization: Once attackers have gathered information about the target, they develop or acquire tools and techniques to exploit vulnerabilities in the target's systems. This may involve creating malware, crafting phishing emails, or exploiting known software vulnerabilities.
• Delivery: Attackers deliver the weaponized payload to the target's systems. This can occur through various methods, such as email attachments, malicious websites, or compromised network connections.
• Exploitation: In this stage, attackers exploit vulnerabilities in the target's systems to gain unauthorized access. This may involve exploiting software vulnerabilities, misconfigurations, or weak authentication mechanisms to gain a foothold in the target's network.
• Installation: Once attackers have gained access to the target's systems, they install backdoors, remote access tools, or other malware to maintain persistence and establish control over the compromised systems.
• Command and Control (C2): Attackers establish communication channels with the compromised systems to remotely control them and exfiltrate data. This may involve using command-and-control servers, remote administration tools, or covert communication channels.
• Actions on Objectives: In this final stage, attackers achieve their objectives, which may include stealing sensitive data, disrupting operations, or causing financial damage. This may involve exfiltrating data, modifying or deleting files, or launching further attacks against other systems.
Cyber Kill Chain model steps/actions
Task 1

• Can you identify:
  • Examples of reconnaissance in ICS environments?
  • Weaponiser examples in ICS?
  • The prevalent transmission mechanisms in ICS?
  • Examples of attack against the user and/or attack against the system?
  • Examples of the Installation phase in ICS?
  • What is the difference in ICS for the last two phases?
Task 2 – What to do?

1. Study the Stuxnet scenario in the following slides.
2. What were the vulnerable points in the attack scenario?
3. Select another case study of your choice. Propose and discuss a scenario following the provided example.

STUXNET Attack scenario

• Primarily written to target an industrial control system or set of similar systems.
• Its final goal is to reprogram ICSs by modifying code on PLCs to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment [6].
Stuxnet Attack scenario

• First, the attackers needed to conduct reconnaissance.
• As each PLC is configured in a unique manner, the attackers would first need the ICS's schematics. These design documents may have been stolen by an insider or even retrieved by other malware (an early version of Stuxnet or another malicious binary).
• The attackers would have needed to obtain the digital certificates from someone who may have physically entered the premises of the two companies and stolen them.
• The final version of Stuxnet couldn't have been developed without this knowledge [6].
Stuxnet Attack scenario

• Attackers would need to set up a mirrored environment that would include the necessary ICS hardware, such as PLCs, modules, and peripherals, in order to test their code. The full cycle may have taken six months and five to ten core developers, not counting numerous other individuals, such as quality assurance and management [6].
• This corresponds to the Weaponisation phase in the cyber kill chain model (we'll talk about this in future lectures).
Stuxnet Attack scenario

• To infect their target, Stuxnet would need to be introduced into the target environment. This may have occurred by infecting a willing or unknowing third party, such as a contractor who perhaps had access to the facility, or an insider. The original infection may have been introduced by removable drive.
• Once Stuxnet had infected a computer within the organization, it began to spread in search of Field PGs, which are typical Windows computers used to program PLCs.
Stuxnet Attack scenario

• Since most of these computers (Field PGs) are non-networked, Stuxnet would first try to spread to other computers on the LAN through a zero-day vulnerability, a two-year-old vulnerability, infecting Step 7 projects, and through removable drives. Propagation through a LAN likely served as the first step and propagation through removable drives as a means to cover the last and final hop to a Field PG that is never connected to an untrusted network.
Stuxnet Attack scenario

• When Stuxnet finally found a suitable computer (Field PG), one that ran Step 7, it would then modify the code on the PLC. These modifications likely sabotaged the system.
• Victims attempting to verify the issue would not see any rogue PLC code as Stuxnet hides its modifications.
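The kill chain steps listed earlier and the Stuxnet slides above are the two halves of the same exercise: place each observed event in a stage, then ask at which stage a defender could have broken the chain. The script below is an added example, not code from the slides or from any Stuxnet analysis, that models the seven stages in order, groups a constructed event timeline by stage, reports stages with no observed event (either skipped by the attacker or a detection blind spot), and finds the earliest stage at which a chosen set of defensive controls would have applied. The timeline is a loose, constructed approximation of the slides' narrative, and the control names (`usb_device_control`, `patching`, and so on) are illustrative assumptions, not any product's configuration.

```python
"""Stage-by-stage kill chain analysis of a constructed attack timeline.

Added example, not from the lecture slides. Stages follow the Cyber Kill
Chain order; events and control names below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# The seven stages in chain order; the tuple index is the position in the chain.
KILL_CHAIN = (
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
)


@dataclass(frozen=True)
class Event:
    day: int                 # day relative to the first observed event
    stage: str               # one of KILL_CHAIN
    description: str
    blocked_by: frozenset = frozenset()   # assumed control names that would stop or expose it

    def __post_init__(self) -> None:
        if self.stage not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain stage: {self.stage!r}")


# Constructed timeline loosely following the slides' Stuxnet scenario. No
# command-and-control event is listed because the slides describe none; the
# analysis should surface that stage as unobserved rather than assume it.
STUXNET_LIKE_TIMELINE = [
    Event(0, "reconnaissance", "ICS schematics and signing certificates obtained",
          frozenset({"insider_threat_program"})),
    Event(30, "weaponization", "payload built and tested in a mirrored PLC lab"),
    Event(200, "delivery", "removable drive brought in by a contractor",
          frozenset({"usb_device_control"})),
    Event(200, "exploitation", "zero-day and two-year-old vulnerability used on LAN hosts",
          frozenset({"patching", "host_ips"})),
    Event(201, "installation", "Step 7 project files infected for onward spread",
          frozenset({"application_allowlisting"})),
    Event(220, "actions_on_objectives", "PLC code modified and hidden from the operator",
          frozenset({"plc_code_integrity_check"})),
]


def stage_index(stage: str) -> int:
    return KILL_CHAIN.index(stage)


def events_by_stage(events: list[Event]) -> dict[str, list[Event]]:
    """Group events by stage, in chain order, chronological within each stage."""
    grouped: dict[str, list[Event]] = {s: [] for s in KILL_CHAIN}
    for e in sorted(events, key=lambda e: (e.day, stage_index(e.stage))):
        grouped[e.stage].append(e)
    return grouped


def unobserved_stages(events: list[Event]) -> list[str]:
    """Stages with no observed event: skipped by the attacker or a visibility gap."""
    seen = {e.stage for e in events}
    return [s for s in KILL_CHAIN if s not in seen]


def deepest_stage(events: list[Event]) -> str | None:
    """The furthest stage the attacker was observed to reach."""
    if not events:
        return None
    return max(events, key=lambda e: stage_index(e.stage)).stage


def first_break_point(events: list[Event], deployed_controls) -> tuple[str, list[str]] | None:
    """Earliest stage at which a deployed control applies to an observed event.

    Returns (stage, sorted applicable controls), or None if no control applies.
    """
    deployed = frozenset(deployed_controls)
    grouped = events_by_stage(events)
    for stage in KILL_CHAIN:
        for e in grouped[stage]:
            hit = e.blocked_by & deployed
            if hit:
                return stage, sorted(hit)
    return None


def report(events: list[Event], deployed_controls) -> str:
    """Stage-by-stage summary; '?' marks a stage with no observed event."""
    lines = []
    for stage, evs in events_by_stage(events).items():
        lines.append(f"[{'-' if evs else '?'}] {stage}")
        for e in evs:
            lines.append(f"      day {e.day:>3}: {e.description}")
    bp = first_break_point(events, deployed_controls)
    lines.append("break point: " + (f"{bp[0]} via {', '.join(bp[1])}" if bp else "none with these controls"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(STUXNET_LIKE_TIMELINE, {"usb_device_control", "patching"}))
```

The point of the break-point search is that the earliest applicable stage is the cheapest place to stop the attack: a control that applies at delivery makes the exploitation and installation controls defence in depth rather than the last line. The unobserved command-and-control stage is deliberately left as a question the model raises rather than an answer it supplies.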