The Stages of a Cyber Attack (Cyber Kill Chain)

6 Min Read

February 29, 2024

By: Senesh Wijayarathne

The Stages of a Cyber Attack (Cyber Kill Chain)

Know your enemy by comprehending the strategy used by Hackers

Preventing a hacker from breaching your system is more complex than it sounds; there are multiple ways a hacker could breach a system. For us to prevent this, we need to understand how the hacker thinks, plans, and executes. Understanding the tactics and the information the hackers find intriguing should be a prioritized cybersecurity investment and effort. An overview of the stages of a cyberattack (which is also referred to as cyber kill chain) will provide you with an insight into the areas that should be assessed and prioritized in the organization’s strategy regarding cybersecurity.

Five Stages of a Cyber Attack

Phase One: Research and Reconnaissance

The 1st stage of a cyber-attack is where the hacker starts to research their target to collect as much information as possible. This phase can be known as ‘Footprinting’. Understanding the target, its location, types of information that the target holds, how the target is protected, and how the hacker can conduct the attack.

Hackers get Internet Protocol (IP) address details from publicly accessible sources and conduct scans to find out what hardware and software the target firm is utilizing. They verify the domain names using the online registration database maintained by the Internet Corporation for Assigned Names and Numbers (ICANN).

Hacking attempts will be more successful if hackers spend more time learning about the company’s personnel and IT infrastructure. Reconnaissance has been categorized into two types, and they would be Passive Reconnaissance and Active Reconnaissance.

Passive Reconnaissance

Using an open-source platform to gather information about the target without any direct engagement with the target can be known as Passive Reconnaissance. By doing a Passive Reconnaissance for a target, the user will try to collect useful information such as system data, used applications of the organization, employee names and emails, social media details, public records, and most importantly, domain details.

Types of useful information that are gathered by Hackers via Open Sources

Public Records: Hackers will be using publicly available records to gain information about the organization. Public records, such as tax records, are used by attackers to learn more about the inner workings of the organization. Press releases, company stakeholders, and annual reports are also useful for gathering information about the target.
Email Harvesting: Using a combination of collection methods, the attacker will collect email addresses of the organization to be used later in phishing campaigns and to crack login credentials. A combination of collection methods, web crawlers, directory attacks, illegal dark web purchases, or even taking advantage of the commonly used organizational email template ([First_Name]. [Last_Name] @[Oraganization_Name]).
Social Media: LinkedIn, Facebook, Instagram, and X (formerly Twitter) are resources to gather details on your employees, their roles, and clues about their daily routines.
Job Postings: The company’s technologies and applications are briefly described in job advertising, and the attacker can get a good understanding of the criticality of the position. With criticality, the attacker can get an understanding of the weaknesses and vulnerabilities that may exist.
Domain Name Searches: Used to collect domain registration information and details about IP addresses. Online tools such as ‘WHOIS’ could be used in such tasks. Domain structure and weaknesses could be analyzed and used as a target to be exploited.

Active Reconnaissance

When the attacker directly engages with the target organization and its employees or systems to gather information, it is known as Active Reconnaissance. Compared to Passive Reconnaissance, Active Reconnaissance is harder to execute, and the information that will be gathered from it could be directly used to exploit weaknesses in any system of the organization. Typically, Active Reconnaissance will take the form of port or network scanners, and these scans will reveal and expose firewalls, network architecture, intrusion detection programs, or other security mechanisms that are being used to block entry and their weaknesses.

Network Scan: By mapping the topology of the different hosts, servers, routers, and firewalls, the goal is to show how data travels through the network. The attacker makes an effort to locate and associate IP addresses with active hosts or computers that have replied to their queries. They may more precisely target the machines they want to check for ports using this approach.
Port Scan: identifies the services that are accessible on the host ports of the target. There are several ways to do this, but the scan’s primary goal is to ascertain if the port is open, closed, or unresponsive. If a port is open, its answer will provide details allowing an attacker to locate certain services hosted on the port, such as the name and version of an application or the operating system. Versioning of the system name and configuration will provide an attacker with the knowledge they need to look for particular flaws or create new ones.

Phase Two: Weaponization

The completion of the Reconnaissance effort will start the weaponization phase. With the information gathered in the Reconnaissance phase, the attacker will develop techniques to exploit the defenses of the target, taking access to the attacker’s desired information. The kind of weaponization is determined by the hacker’s skills and information gathered in the reconnaissance phase. The next step for the attacker is to ready the stage for the attack by drafting phishing emails, creating, and posting fake websites (Watering Holes), and developing or acquiring malware. The attacker usually starts the attack after sufficient research and preparation have been completed for software and/or hardware vulnerabilities.

Phase Three: Gaining Access

Various points can connect to a network. Employees who click on an attachment in a phishing email and download malware are examples of potential weak points. Other vulnerabilities might arise when staff members are persuaded to divulge sensitive information, such as login passwords, or when one of your systems is improperly set up or patched, allowing an attacker to get past the defenses of your organization. It is possible that the attacker used a sophisticated search engine query to locate a login page on the public web and then used data gleaned from social media and password-cracking tools to guess the username and password. They are currently a part of your network.

Phase Four: Exploitation

The two goals of an attacker who has gained access to a system are to increase their privileges and maintain access. By escalating privileges for themself, a hacker can make modifications to the system that are typically banned for regular users or applications. Once they have gained access to a system, hackers will use a variety of techniques to increase their privileges, including:

Use Valid Accounts: If an attacker managed to obtain the login information for one of your workers during the reconnaissance phase, they might use that knowledge to gain access to administrative accounts. People frequently use the same passwords or use usernames and passwords that are predictable and easy to guess.
Manipulate Access Tokens: A Windows computer controls and enacts access control over individual processes by manipulating access tokens. A malicious actor can generate, copy, or utilize existing tokens in various ways to unlock restricted behaviors like software downloads.
Leverage Windows UAC System: Through a set of default rights, the Windows User Account Control (UAC) mechanism controls access to certain software systems. An approved administrator account must seek and approve any further access. This system contains security flaws, and there are times when apps can execute commands with elevated rights or elevate their own privileges without using the UAC control mechanism. Even in secured folders, hackers use this flaw to launch attacks and carry out file actions.

The hacker will try to continue having access to the systems once they have gained access to the environment. Hackers can continue their presence using a variety of techniques, such as creating new user accounts, changing firewall settings, enabling remote desktop access, or adding a backdoor using rootkits or other malicious files, thanks to the ability to perform privileged commands.

Phase Five: Exfiltration

Once the objective of the hacker is achieved, they will leave the system or network, but a skilled hacker will make sure to cover their tracks. From an attacker’s perspective, this step is very important because they will have covered all their tracks by uninstalling the programs that were used during the attack, deleting any created folders, modify/edit/corrupt/delete audit logs so the attack cannot be traced back to the hacker. When an organization or individual detects an attack on their system or network, they will make future efforts to identify the root of the attack by involving law enforcement.

How can eBuilder Security help you?

A highly qualified team at eBuilder Security will be handling the Penetration Testing to identify vulnerabilities and how they could be exploited by hackers before they identify and do so. Various automated tools and manual testing will be conducted to complete a Penetration Test. Each application and environment are unique, and here at eBuilder Security, we use a unified methodology that addresses the requirements of Penetration Testing. By taking a dual approach of White-Box Testing and Black/Gray-Box Testing, we are determined to find the vulnerabilities and help you mitigate them.