Understanding Cyber Kill Chain Model to Stop Advanced Persistent Threats
26 June 2019

Author : Altuğ AŞIK, Expert Software Engineer – Cyber Security

The term “Advanced Persistent Threat” (APT) was originally used to describe state-sponsored cyberattacks designed to steal data and exploit infrastructures. Today, it is used to describe attacks targeted at organizations for monetary gain or espionage.

Advanced Persistent Threat is a sophisticated attack with the following characteristics:

Advanced: The techniques used to conduct the stealthy attack require advanced skills and knowledge in order to exploit vulnerabilities in the victim organization’s systems. Social engineering techniques are frequently used to attack and infiltrate the organization.

Persistent: The attack lasts a long time (up to months), and it involves an external command and control server that monitors the victim organization and extracts data from it.

Threat: The process is managed by people rather than by automated code. Organized and well-funded attackers have specific objectives and motives.

Cyber Kill-Chain

The attackers execute the following steps to carry out their vicious plans:

  1. Reconnaissance: Information is gathered by studying targets through their public websites, following their employees on social media and using other OSINT (Open Source Intelligence) techniques.
  2. Weaponization: Attackers analyze the information they have gathered and determine their attack methods.
  3. Delivery: The payload is delivered through a drive-by download from a website, a targeted phishing attack, or infection through an employee-owned device connected over a secure VPN.
  4. Exploitation: Once delivered, the malicious code is triggered and starts exploiting the organization’s systems.
  5. Installation: Once a single system is infected, the malicious activity has the potential to spread rapidly and to hide its existence from security devices through a variety of methods, including tampering with security processes.
  6. Command and Control (C&C): To communicate and pass data back and forth, attackers set up command and control channels between the infected devices and themselves.
  7. Exfiltration: Captured information is sent to the attacker’s home base for analysis, further exploitation or fraud.


The Problem

The attack should be detected and prevented before it spreads over the whole organization. Starting with the initial infection, attackers tend to leave tracks at every single step: malicious documents and executable files that can be found in the filesystem, or, in the case of fileless malware attacks, traces in memory and in the registry. Anomalies in network traffic can also be detected while the attackers are communicating with their C&C servers. By following these tracks during the attack and employing effective protection, various attack methods can be blocked. The key is to use fast, machine learning based security platforms that are trained on parameters such as these tracks, as early as possible in the cyber kill chain.
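The kill chain steps listed above and the tracks described in this paragraph (malicious attachments, a document spawning a script host, a Run-key persistence entry, periodic connections to a C&C server, a large upload) can be tied together in a small detection pass. The script below is an added example, not code from the original article or from any product: it reads constructed telemetry lines, maps each one to the kill chain phase it evidences, flags beaconing as evidence of Command and Control, and reports the earliest phase at which a defender could have intervened. The line format, field names, phase rules and thresholds are assumptions made for the demo.

```python
"""Map host and network telemetry onto Cyber Kill Chain phases and flag
periodic outbound connections (C&C beaconing).  Added example: the line
format, field names, phase rules and thresholds are assumptions for this
demo, not the schema of any real sensor or product."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Exfiltration"]

# Constructed sample telemetry (not from a real incident).
# Assumed line format: "<ISO timestamp> <event_type> key=value ..."
SAMPLE_EVENTS = """\
2019-06-20T09:01:02 email_attachment user=alice file=invoice.docm
2019-06-20T09:03:10 process_start parent=WINWORD.EXE child=powershell.exe
2019-06-20T09:03:15 registry_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=updater
2019-06-20T09:05:00 net_conn dst=203.0.113.7 bytes_out=512
2019-06-20T09:07:30 net_conn dst=198.51.100.20 bytes_out=40000000
2019-06-20T09:10:00 net_conn dst=203.0.113.7 bytes_out=530
2019-06-20T09:15:01 net_conn dst=203.0.113.7 bytes_out=498
2019-06-20T09:20:00 net_conn dst=203.0.113.7 bytes_out=511
2019-06-20T09:25:00 net_conn dst=203.0.113.7 bytes_out=520
2019-06-20T09:40:00 net_conn dst=192.0.2.10 bytes_out=2048
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXFIL_BYTES = 10_000_000   # assumed threshold for one unusually large upload


def parse_event(line):
    """Turn one telemetry line into {'ts': datetime, 'type': str, 'fields': dict}."""
    ts, etype, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts), "type": etype, "fields": fields}


def classify_event(ev):
    """Return the kill-chain phase a single host/network event evidences, or None."""
    f = ev["fields"]
    if ev["type"] == "email_attachment":
        return "Delivery"                      # malicious document arrives
    if (ev["type"] == "process_start"
            and f.get("parent", "").lower() in OFFICE_APPS
            and f.get("child", "").lower() in SCRIPT_HOSTS):
        return "Exploitation"                  # document spawns a script host
    if ev["type"] == "registry_set" and f.get("key", "").lower().endswith("\\currentversion\\run"):
        return "Installation"                  # persistence via a Run key
    if ev["type"] == "net_conn" and int(f.get("bytes_out", 0)) >= EXFIL_BYTES:
        return "Exfiltration"                  # one very large outbound transfer
    return None


def find_beacons(events, min_count=4, max_jitter=0.2):
    """Return {dst: mean_interval_seconds} for destinations contacted at
    regular intervals: at least min_count connections whose inter-arrival
    times vary by no more than max_jitter (coefficient of variation)."""
    by_dst = defaultdict(list)
    for ev in events:
        if ev["type"] == "net_conn":
            by_dst[ev["fields"]["dst"]].append(ev["ts"])
    beacons = {}
    for dst, times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[dst] = avg
    return beacons


def analyze(text):
    """Run every rule over the telemetry and summarise which phases were seen."""
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    seen = {p for p in map(classify_event, events) if p}
    beacons = find_beacons(events)
    if beacons:
        seen.add("Command and Control")   # regular check-ins to one host
    phases = sorted(seen, key=KILL_CHAIN.index)
    return {"phases": phases,
            "earliest_phase": phases[0] if phases else None,
            "beacons": beacons}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print("phases observed:", " -> ".join(result["phases"]))
    print("earliest phase to act on:", result["earliest_phase"])
    for dst, interval in result["beacons"].items():
        print(f"beacon candidate: {dst} every ~{interval:.0f}s")
```

On the constructed sample the earliest evidenced phase is Delivery, which is the point the paragraph makes: every later phase (the script host spawned by the document, the Run-key entry, the five-minute beacon to 203.0.113.7, the 40 MB upload) leaves its own track, but acting on the first one costs the least. The beacon rule deliberately tolerates small timing jitter, since real implants rarely check in at exact intervals.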

The problem here is integrating the detection, prevention and removal phases of the attack. Detection can be achieved by machine learning based platforms. However, these platforms are not yet smart enough to accomplish prevention and full removal of the damage. Experienced human security professionals are still needed for incident response and recovery.

Automation and speed are required to cope with APT attacks. Therefore, security systems are required that are not only capable of detecting attack information in an automated fashion but are also capable of using this intelligence to generate the right response, stopping malicious actions before they cause substantial damage. Fully integrated automation for detection and handling is essential to enhance defense against advanced persistent threats.


Published in the online digital magazine: http://www.btc.co.uk/Articles/index.php?mag=Security&page=compDetails&link=9464
