Seven Stages of a Cyber Attack
Advanced cyber threats unfold in kill chains of up to seven stages. The term "kill chain" refers to the fact that an attack can be stopped at any of its stages if the right defensive measures are deployed. It's important to remember that not all threats need to use every stage, which gives threat actors potentially thousands of ways to create, deploy, and execute an attack.
Let's look at the seven stages and how cyber criminals use them.
Stage 1: Reconnaissance
In this stage, criminals research potential targets and victims by using social media accounts and personal and professional websites. Typically they look for information that can be used to create lures and bait that have links to compromised websites they control. These lures take advantage of social drama and events, deaths, disasters, or just general things of interest.
Stage 2: The Lure
With research in hand from their reconnaissance, criminals create cleverly crafted lures that try to trick users into clicking links that redirect to compromised websites. Lures are often presented via social media posts, e-mails, or fake content that appears to be genuine.
Stage 3: The Redirect
Cyber criminals may use links in their lures that point the victim to genuine, "safe"-looking (and sometimes hidden) web pages, which then attempt to redirect the victim to sites that host malicious content such as exploit kits, scripts, and payloads.
Stage 4: The Exploit
Once a victim has fallen for the lure and clicked on a link to a compromised website, malicious software known as an exploit kit begins to scan the victim's computer for vulnerabilities, including zero-day flaws. Weaknesses like these create an opening for criminals to deliver malware, encryption software, key loggers, or other advanced tools that then allow them to "explore" and infiltrate networks.
Stage 5: The Dropper
Once the exploit kit has done its work and discovered one or more ways of delivering malware, threat actors deliver a "dropper" from another compromised server that infects the victim's computer(s). Droppers may carry software that executes on a system to find and extract valuable data. Some types of droppers lie dormant for a while and execute at a later date as a way to circumvent detection, and may even contain additional payloads to deliver more malware later.
Stage 6: The Call Home
After a dropper has done its job and infected a victim's system, it will call home to one or more Command-and-Control (C2) servers to receive further instructions and to download additional malware and tools. This is the stage during which an infected system is in direct contact with the attacker. In crypto-ransomware attacks, this is typically the stage at which the malware receives encryption keys from the C2 server as a precursor to encrypting the victim's files.
Stage 7: The Breach
This stage is the end-game for most cyber attacks, as it completes the data theft, encryption, or compromise. Criminals steal personally identifiable information (PII), intellectual property (IP), or other valuable data, usually for financial gain. In the case of an encryption event (ransomware), the victim's files are encrypted and the victim sees instructions explaining what has happened and how to recover their files.
Each of these stages is a link in the kill chain at which the attack can be stopped. To defend against cyber threats, an organization needs three important security requirements:
1. Real-time, in-line defense that doesn't rely on signatures alone and can identify zero-day and advanced persistent threats.
2. Synchronized and integrated web, e-mail and data security powered by deep-learning artificial intelligence.
3. Outbound traffic containment defense to protect against data loss/theft and C2 communications.
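The "call home" in Stage 6 and the outbound-traffic containment in requirement 3 both hinge on noticing infected hosts talking to a C2 server. A common defender's check is to look for beaconing: the same client contacting the same host at nearly regular intervals, which ordinary browsing rarely does. The script below is an added example, not code from the original article or from Firestorm Cyber; it parses a few constructed proxy-log lines (the hosts, addresses and timestamps are invented, using reserved `.test`/`.invalid` names) and flags client/host pairs whose inter-request gaps have a low coefficient of variation.

```python
"""Detect periodic "call home" traffic in web-proxy logs (added example).

The log format, hosts and addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client IP> <method> <host> <bytes sent>".
# 10.0.0.5 browses a news site irregularly, but also POSTs to
# update-check.invalid roughly once a minute, the way a dropper calling
# home to its C2 server would.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 GET www.example-news.test 412
2024-05-01T09:00:07 10.0.0.5 GET cdn.example-news.test 220
2024-05-01T09:00:14 10.0.0.5 POST update-check.invalid 318
2024-05-01T09:01:14 10.0.0.5 POST update-check.invalid 321
2024-05-01T09:02:15 10.0.0.5 POST update-check.invalid 318
2024-05-01T09:02:40 10.0.0.5 GET www.example-news.test 1950
2024-05-01T09:03:02 10.0.0.5 GET www.example-news.test 380
2024-05-01T09:03:14 10.0.0.5 POST update-check.invalid 320
2024-05-01T09:04:14 10.0.0.5 POST update-check.invalid 319
2024-05-01T09:10:30 10.0.0.5 GET www.example-news.test 402
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "method": method,
            "host": host,
            "bytes": int(nbytes),
        })
    return events


def find_beacons(events, min_hits=4, max_cv=0.2):
    """Return client/host pairs whose request timing looks like a beacon.

    A pair is reported when it has at least `min_hits` requests and the
    coefficient of variation (std dev / mean) of the gaps between
    consecutive requests is at most `max_cv`. Small jitter in the gaps is
    tolerated; genuinely irregular browsing has a CV well above 0.2.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e["ts"])

    findings = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "host": host,
                "hits": len(stamps),
                "interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['host']}: {f['hits']} hits, "
              f"every ~{f['interval_s']}s (cv={f['cv']})")
```

On the sample log only the `update-check.invalid` traffic is reported: four gaps of 59-61 seconds give a CV of about 0.012, while the four visits to the news site are spread over gaps of 22 to 448 seconds and fall well outside the threshold. In practice the thresholds are tuned against a baseline of normal traffic, and hits are enriched with destination reputation and the age of the domain before anyone is paged.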
Firestorm Cyber offers uncompromising security with all these features and more to help your business defend and protect against advanced cyber threats.
Contact us to learn more!