
COVID-19 CYBER AND FRAUD PROTECT - Kill Chain


This advice has been collated by EMSOU and is intended for wider distribution within the East Midlands Region to raise awareness among businesses and the public. Advice and information are changing daily as we navigate our way through the COVID-19 pandemic, so please ensure you only take information from reputable sources. If you require any further information, assistance or guidance, please contact the EMSOU Protect Team or your local Force Protect team.

Today’s topic is the “Kill Chain”. The term kill chain was originally used by the military to describe the structure of an attack, which begins with identifying a target and ends with its destruction. The term was later adopted by Lockheed Martin to describe how an organisation’s network might be attacked. The stages are:

• Reconnaissance: Assess the organisation from the outside in, to identify targets and tactics. Tactics used may include scanning networks for known vulnerabilities and using open source intelligence (corporate websites, news reports and social media profiles).
• Intrusion & Exploitation: Attackers can exploit identified vulnerabilities to penetrate the network and/or use what has been discovered to socially engineer an attack, manipulating staff to click a link, download malware, visit an infected website, or plug in a malicious USB.
• Expansion & Entrenchment: Once access has been gained, the attackers move laterally to other systems and accounts (privilege escalation) to obtain access to high value data or better control of the network. Purpose-built penetration tools are ‘noisy’, so many attackers will ‘live off the land’ and use inbuilt functions, such as PowerShell, and tap into file systems (NFS and SMB) which pass information over the network unencrypted.
• Exfiltration & Damage: Attackers will steal data piecemeal or en masse, or deploy a payload such as ransomware or a logic bomb, biding their time for maximum effect.
• Covering your tracks: Attackers will purge log files, delete temporary files and software, plant ‘false flags’ and encrypt drives to confuse and delay any form of forensic investigation.

Why it matters?

The Kill Chain emphasises the need for defence in depth, employing a multi-layered approach involving technical, procedural and physical controls:

• Logical controls (vulnerability scanning, host hardening, segmentation, anti-malware)
• Administrative controls (policies, procedures, standards, training)
• Physical controls (gates, doors, badges, signage, equipment disposal etc.)

The kill chain illustrates how large the attack surface is for an organisation and the time and commitment a cybercriminal will invest in attacking your organisation. Crucially, the average amount of time an adversary will spend in the network before launching an attack - known as the dwell time - is 6 months.
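One way to make the kill chain operational on the defensive side is to map the alerts a detective control produces onto the stages above and then measure dwell time from the first intrusion indicator to the first exfiltration or damage indicator. The script below is an added example written for this page; it is not EMSOU material or any product's ruleset. The log format, hostnames, user names, addresses and the five signature rules are all constructed for the example and would be replaced by an organisation's real SIEM rules.

```python
import re
from datetime import datetime

# Kill-chain stages in the order the bulletin describes them.
STAGES = [
    "Reconnaissance",
    "Intrusion & Exploitation",
    "Expansion & Entrenchment",
    "Exfiltration & Damage",
    "Covering tracks",
]

# Hypothetical detection rules (stage, pattern). These are illustrative
# signatures written for this example, not a production ruleset.
RULES = [
    ("Reconnaissance", re.compile(r"\bportscan\b")),
    ("Intrusion & Exploitation", re.compile(r"\bphish-click\b|\busb-insert\b")),
    # Living off the land: encoded PowerShell is a common thing to flag.
    ("Expansion & Entrenchment",
     re.compile(r"powershell\.exe .*-EncodedCommand", re.IGNORECASE)),
    # Bulk SMB transfer (10+ digit byte count) to an external host.
    ("Exfiltration & Damage", re.compile(r"\bsmb_transfer\b.*\bbytes=\d{10,}\b")),
    # Windows Security event 1102 is logged when the audit log is cleared.
    ("Covering tracks", re.compile(r"\bEventID=1102\b")),
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log lines: "<timestamp> <host> <message>".
# Hostnames, users and addresses are made up for this example.
SAMPLE_LOGS = """\
2024-03-01T02:14:05Z fw01 portscan src=198.51.100.7 dst=203.0.113.10 ports=1024
2024-03-02T12:00:00Z ws-042 process outlook.exe user=jsmith
2024-03-03T09:20:11Z mailgw phish-click user=jsmith url=hxxp://example.invalid/login
2024-03-03T09:21:40Z ws-042 process powershell.exe -EncodedCommand [omitted] user=jsmith
2024-03-05T22:10:03Z srv-fs1 smb_transfer user=jsmith bytes=48000000000 dst=198.51.100.7
2024-03-05T23:02:00Z srv-fs1 EventID=1102 audit log cleared user=jsmith
"""


def tag_events(log_text):
    """Return (timestamp, host, stage, line) for every line that matches a
    rule, sorted by time. Lines matching no rule (benign activity) are dropped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, host, _message = line.split(" ", 2)
        ts = datetime.strptime(ts_text, TS_FORMAT)
        for stage, pattern in RULES:
            if pattern.search(line):
                events.append((ts, host, stage, line))
                break  # first matching rule wins
    events.sort(key=lambda event: event[0])
    return events


def first_seen(events):
    """Earliest timestamp per stage, keyed in kill-chain order (None if unseen)."""
    seen = {}
    for ts, _host, stage, _line in events:
        if stage not in seen or ts < seen[stage]:
            seen[stage] = ts
    return {stage: seen.get(stage) for stage in STAGES}


def dwell_time(events):
    """Time from the first intrusion indicator to the first exfiltration or
    damage indicator, or None if either stage was never observed."""
    stages = first_seen(events)
    start = stages["Intrusion & Exploitation"]
    end = stages["Exfiltration & Damage"]
    if start is None or end is None:
        return None
    return end - start


if __name__ == "__main__":
    tagged = tag_events(SAMPLE_LOGS)
    for ts, host, stage, _line in tagged:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {host:8}  {stage}")
    print("dwell time:", dwell_time(tagged))
```

Running the script prints the five tagged events in stage order and a dwell time of roughly two and a half days for the constructed data. The benign `outlook.exe` line is deliberately included so that the untagged case is exercised; in practice the value of such a timeline is that it shows which stage an intrusion had reached when it was caught, which is what a detective control must tell an incident responder.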


When preventative controls fail, an organisation’s survival will depend on:

• Detective controls: to identify, flag and trace intrusions.