As mentioned in my recent LinkedIn update, this is the first blog article in the series. The mission of this series is to provide more insight into the Kill Chain phases from the target's perspective. The kill chain describes an attacker/adversary and its activities, but there is very little documentation or guidance on what targets should be doing. Yes, Lockheed Martin did provide a very good paper on intelligence-driven network defense, but we need to ask ourselves how practical it is to apply the model in our own organisation. Consider the following course of action matrix by Lockheed Martin: there will be a lot of organisations that are not able to perform most of the actions, and even if they can, there is not much documentation on how to implement these actions appropriately.
The mission of this blog is to understand what steps attackers/adversaries take and what we, as targets, are supposed to do. At the end of the series, the goal is to create a hybrid set of attacker/adversary phases that also maps onto the Kill Chain.
Every attacker/adversary has an INTENT and a MOTIVE to perform an attack. From highly sophisticated actors to script kiddies, they all have certain objectives. This means the attacker first needs to find their targets. So for me the first phase should be Target Determination, i.e. determining a target that fits the attacker's/adversary's objectives. We can divide attackers/adversaries into two groups:
- Insiders – disgruntled ex-employees/employees
- Outsiders – nation state attackers, cyber criminals, script kiddies, hacktivists etc.
A few motivations:
- Financial gain
- Fame or generating vouches – required to gain the trust of the underground or a group of hackers
- Damage or disrupt services
- Cyber espionage
- Personal grievances
- Political motivation
Intentions are sometimes hard to prove, but mostly our adversaries will have malicious intentions.
And thus, they will first decide on one or multiple targets that fit their motivations, or let's say objectives. Only after deciding on a target will they perform Reconnaissance or Target Profiling. Now, where the attackers/adversaries look depends on the target. A target can be a single entity, an organisation, or a nation/country.
Single entity as a target – for example a CEO. The intention is to get close and collect as much information as possible about that person.
- Social media and social mentions.
- The target's habits and lifestyle.
Organisation as a target
- Social media and social mentions.
- Technical information about the organisation, in particular externally facing applications.
- Known and publicly announced breaches.
- Information about the organisation in data dumps on the public/private web.
Nation/country as a target – this is politically motivated and the intentions are mostly malicious, aimed at harming the nation or country. A recent example is the NotPetya malware attack on Ukraine. Here, the attackers/adversaries understood their target, profiled it and launched the attack.
In all cases, the better an attacker/adversary profiles their target, the better the attack will be.
The question is how a target can use this. Compared to an organisation, adversaries actually have to gather a lot of information about a target before an attack, whereas the organisation already has all that information but is not using it for its own benefit.
“Charity begins at home and intelligence begins with your logs”
This means that while attackers/adversaries spend days, weeks or months collecting information about their target, as an organisation you already have this information but are not using it to gain a tactical advantage over your adversaries. So what should a target do?
- Should know what information is available publicly, and understand the risk, how an attacker can use it, and what types of attacks can leverage this information.
- Must know what information is available in underground/private forums or websites, and understand the risk, how an attacker can use it, and what types of attacks can leverage this information.
- Must act on any successful breaches and exfiltrated data. If email addresses were seen on pastebin, don't just change credentials; also understand that these email addresses can be used for phishing or spoofing. Ideally, change the email addresses and convert the breached ones into honeypot email addresses. This will help you understand the type of attackers targeting your organisation.
- It is ideal to know how your security controls respond to inbound reconnaissance attempts. The information they send back can also be used to map the network or to identify the type of device that is stopping the adversary, for example an inbound scan blocked by a firewall that responds with an ICMP network unreachable message.
- Websites such as Google and Shodan can be used to collect a lot of information about a target and should therefore be monitored, especially for accidental uploads by internal employees. E.g. an employee uploading an Excel sheet with organisation data to VT (VirusTotal) just to make sure there is no malware. Proactively monitoring this lets us contact the respective parties to take the data offline before entities with malicious intent get their hands on it.
A red team assessment is a very good place to start with the points mentioned above. Organisations can also engage their security operations team or security service providers to perform these actions. The frequency depends on the organisation's capability to invest in resources.
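As an added example (not code from the original post) of "intelligence begins with your logs": a small Python script that runs two of the checks above over constructed sample log lines, flagging sources in iptables-style firewall drop logs that probe many distinct ports (inbound reconnaissance) and flagging inbound mail to retired honeypot addresses. The log formats, IP addresses, email addresses and honeypot list are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables-style drop log lines (sample input, not from the post).
FIREWALL_LOG = """\
Jan 10 09:12:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22
Jan 10 09:12:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=23
Jan 10 09:12:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=80
Jan 10 09:12:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51003 DPT=443
Jan 10 09:12:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51004 DPT=3389
Jan 10 09:12:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51005 DPT=8080
Jan 10 09:15:44 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=443
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=\S+ PROTO=\S+ SPT=\d+ DPT=(?P<dpt>\d+)")

def recon_sources(log_text, min_ports=5):
    """Return {src: sorted distinct destination ports} for every source that
    probed at least `min_ports` distinct ports, i.e. the inbound reconnaissance
    a target can already see in its own firewall logs."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ports[m["src"]].add(int(m["dpt"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

# Constructed honeypot list: addresses seen in a public dump and retired, so any
# inbound mail to them is an indicator of a phishing or spoofing attempt.
HONEYPOT_ADDRESSES = {"j.doe@example.com", "finance@example.com"}

# Simplified, constructed mail-log lines (not real Postfix output).
MAIL_LOG = """\
Jan 10 10:01:12 mx smtpd[123]: from=<invoice@attacker.example>, to=<j.doe@example.com>
Jan 10 10:02:30 mx smtpd[124]: from=<partner@example.net>, to=<alice@example.com>
Jan 10 10:03:05 mx smtpd[125]: from=<ceo@example.com>, to=<finance@example.com>
"""

MAIL_RE = re.compile(r"from=<(?P<from>[^>]*)>, to=<(?P<to>[^>]*)>")

def honeypot_hits(log_text, honeypots=HONEYPOT_ADDRESSES):
    """Return (sender, recipient) pairs for mail delivered to a honeypot address."""
    hits = []
    for line in log_text.splitlines():
        m = MAIL_RE.search(line)
        if m and m["to"].lower() in honeypots:
            hits.append((m["from"], m["to"]))
    return hits
```

The second hit shows why the honeypot list matters: a message claiming to come from your own CEO to a retired address is a spoofing indicator that plain credential rotation would never surface.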
With this I will end part 1.
Have a good weekend!