Some of the authors of the Creator1 blog are cybersecurity experts and cyber threat intelligence experts by day, and based on our subscriber numbers, they should stick to their day jobs. Precisely because of that day job, we will be doing a series about cybersecurity, cyber attacks, and the APTs/threat actors our team actually encounters in their daily work.
To understand the basics of a cyber attack, we must look at the frameworks available. The two that come to mind for me are the Cyber Kill Chain and the MITRE ATT&CK framework, created by Lockheed Martin and the MITRE Corporation, respectively. The two complement each other: the Kill Chain describes an intrusion as a sequence of phases, from the attacker's preparation before the attack through to their end goal, and its key defensive idea is that breaking any single link stops the whole chain. There are 7 steps to the kill chain and they are:
Reconnaissance – Attackers research potential targets: vulnerabilities, third parties and suppliers, possible entry points, and scans of the target's externally exposed systems.
Weaponization – After vulnerabilities or entry points have been found, attackers prepare for their attack by creating malware, setting up personas, gathering existing tools, etc. This happens entirely on the attacker's side, so defenders rarely see it directly.
Delivery – Attackers transmit the weapon to the target. This can be done in many ways: physically slipping into a building, hands-on-keyboard exploitation of an exposed system (this is what people picture when they imagine hacking), sending an email with malware attached, or logging into a corporate server with compromised credentials (sometimes purchased from departing or disgruntled employees).
Exploitation – This is where the delivered weapon actually triggers: a vulnerability identified in the Recon phase is exploited, or a user opens the malicious document and its code runs. Lateral movement, where the attacker compromises further devices and moves to other areas of the network, is best thought of as the kill chain starting over against each new internal target, so the recon-to-exploitation loop repeats inside the network. An example is compromising a single user via email, using that access to compromise someone in accounting, and then using their credentials to see accounting data that was previously unavailable to the attacker.
Installation – After the attacker is confident in their access and has conducted some internal recon and lateral movement, they begin installing malware and their tools. This is where persistence (an important term) is established: the attacker sets up the infrastructure changes, backdoor, malware, or fake user accounts needed to keep control of the compromised systems across reboots and password changes. Attackers must be careful here, as dropping malware onto a host is one of the easiest ways for an attacker to get caught. The goal of this stage is to prepare for exfiltration of valuable data to the attacker (think credit cards, but it could be anything: call logs, nuclear secrets, design changes for the F-35, etc.)
Command and Control (C2) – From their own infrastructure (usually outside the target's network) attackers communicate with the malware they installed. The C2 channel carries tasking in one direction and results in the other: sometimes that means the implant encrypting stolen data and sending it out in small chunks of, say, 100 KB; sometimes it is just controlling a huge number of computers to do the attacker's bidding. This is how DDoS (Distributed Denial of Service) attacks happen: the attacker instructs 100,000 infected machines to all visit my blog at the same time in order to crash it. This, like every other step in the attack, has varying levels of complexity.
Actions on Objectives – This is when the attacker fulfills their objectives, which depend entirely on who the attacker is and what they want. Some want to deny, degrade, or destroy, in which case they focus on DDoS, data destruction, etc. If the attacker is an espionage group, their aim is to gain access and remain silent for as long as possible while expanding access and exfiltrating as much data as possible; this is a common goal for state-sponsored APTs. Financially motivated ("FIN") actors, by contrast, focus on financial gain: credit card data, crypto wallet information, bank information, social security numbers, etc.
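To make the phases concrete, here is an added example (not code from the original post) that tags a handful of constructed telemetry events with the kill chain phase they evidence, flags the regular check-ins typical of a C2 beacon, and reports the earliest phase at which a control could have broken the chain. The sensor names, message formats, the hostname cdn-update.example and the address 203.0.113.7 are invented for the illustration.

```python
"""Tag constructed telemetry with Cyber Kill Chain phases and spot a C2 beacon.

Added illustration for this post; sensor names, message formats, the hostname
cdn-update.example and the address 203.0.113.7 are invented, not real data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Lockheed Martin's seven phases, in order.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # sensor that produced the event: mailgw, edr, proxy
    detail: str   # one-line normalised summary, as a SIEM would store it


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry for one workstation on one afternoon (not real logs).
SAMPLE = [
    Event(_t("2024-03-04T13:02:10"), "mailgw", "inbound mail to j.doe with attachment invoice.docm"),
    Event(_t("2024-03-04T13:05:42"), "edr", "WINWORD.EXE spawned powershell.exe -enc ..."),
    Event(_t("2024-03-04T13:06:01"), "edr", "scheduled task created: \\Windows\\Update\\Sync"),
]
# Six small POSTs roughly one minute apart: the implant checking in for tasking.
SAMPLE += [
    Event(_t("2024-03-04T13:07:00") + timedelta(seconds=60 * i + jitter), "proxy",
          "POST cdn-update.example 203.0.113.7 bytes=512")
    for i, jitter in enumerate([0, 2, -1, 1, 0, 3])
]
# One large upload to the same destination: data leaving over the C2 channel.
SAMPLE.append(Event(_t("2024-03-04T15:40:00"), "proxy",
                    "POST cdn-update.example 203.0.113.7 bytes=48000000"))

BEACON_MAX_BYTES = 1_000_000   # check-ins are small; anything bigger is treated as a transfer


def _dest(ev: Event) -> str:
    return ev.detail.split()[2]          # destination IP is the third token in the constructed format


def _bytes(ev: Event) -> int:
    return int(ev.detail.rsplit("bytes=", 1)[1])


def is_beacon(timestamps, min_hits: int = 5, max_jitter: float = 0.10) -> bool:
    """Heuristic beacon test: at least min_hits connections whose inter-arrival
    times vary by no more than max_jitter (relative standard deviation)."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def tag_events(events):
    """Return [(phase, event)] in time order. Reconnaissance and Weaponization
    happen on the attacker's side, so internal telemetry never evidences them."""
    by_dest = {}
    for ev in events:
        if ev.source == "proxy":
            by_dest.setdefault(_dest(ev), []).append(ev)
    c2_events, c2_dests = set(), set()
    for dest, evs in by_dest.items():
        small = [e for e in evs if _bytes(e) < BEACON_MAX_BYTES]
        if is_beacon([e.ts for e in small]):
            c2_events.update(small)
            c2_dests.add(dest)

    tagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        d = ev.detail.lower()
        if ev.source == "mailgw" and "attachment" in d:
            tagged.append(("Delivery", ev))
        elif ev.source == "edr" and "winword" in d and "spawned" in d:
            tagged.append(("Exploitation", ev))        # the document's payload ran
        elif ev.source == "edr" and "scheduled task created" in d:
            tagged.append(("Installation", ev))        # persistence established
        elif ev in c2_events:
            tagged.append(("Command and Control", ev))
        elif ev.source == "proxy" and _dest(ev) in c2_dests:
            tagged.append(("Actions on Objectives", ev))   # bulk transfer over the beacon channel
    return tagged


def first_seen(events):
    """Earliest timestamp at which each phase was observed, in kill chain order."""
    seen = {}
    for phase, ev in tag_events(events):
        seen.setdefault(phase, ev.ts)
    return {p: seen[p] for p in PHASES if p in seen}


def earliest_break_point(events):
    """The first observed phase is the earliest link a control could have broken."""
    return next(iter(first_seen(events)), None)


if __name__ == "__main__":
    for phase, ts in first_seen(SAMPLE).items():
        print(f"{ts.time()}  {phase}")
    print("chain could have been broken at:", earliest_break_point(SAMPLE))
```

The beacon test is deliberately naive (a fixed interval with little jitter); real implants randomise their sleep, so production detections also look at destination rarity, byte-size uniformity and time-of-day patterns. The point of the phase tagging is the defensive reading of the kill chain: the mail gateway saw the attachment two and a half hours before data left, so the chain could have been broken at Delivery.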
It's important to note that cyber attacks are committed by human beings, and these human beings act very differently depending on their beliefs, goals, means, and much more. So, while the Cyber Kill Chain does a great job of breaking a generic cyber attack down into stages and steps, a real attack doesn't always fit the mold. There is another framework, MITRE ATT&CK, that takes a more detailed look at these attacks. ATT&CK is a knowledge base of adversary tactics and techniques built from real-world observations, so rather than describing one generic attack, it records the behaviors of specific groups and maps them onto those techniques.
For instance, APT28 (Fancy Bear, a Russian state-sponsored group associated with the GRU) has a very different mandate from FIN7 (a financially motivated group that ran a front company called Combi Security to disguise its operations and often used point-of-sale malware). These groups, fascinatingly enough, will actually CHANGE their behaviors in order to avoid detection and to pursue changing goals. FIN7, for instance, was focused heavily on carding (stealing card data) from roughly 2013 to 2020, but in 2020 shifted towards deploying REvil ransomware and operating in the Ransomware as a Service (RaaS) model. While this may sound trivial to most, it's not. The group had to shift its skill set, infrastructure, personas, method of attack, and method of entry; even its business model had to change.
The MITRE ATT&CK framework can be overwhelming at first and overlaps with parts of the Cyber Kill Chain; I personally find ATT&CK much more useful once you understand the basics. If you venture into ATT&CK, you will see the term TTPs (Tactics, Techniques, and Procedures). TTPs describe how an attacker carries out the attack, not just what they do, which is what the kill chain explains. I explain TTPs by comparing them to changing a part on your car, so come with me while we change our proverbial tire.
The tactic is the high-level goal you're working towards; in ATT&CK, an example is the Lateral Movement tactic. It tells you what section of the attack, or where in the kill chain, the bad guy is. For our car analogy, it tells you WHERE to work, so think of lateral movement as the wheel/tire. Okay, so we are focusing on this area, the tire (lateral movement). The technique is what specifically is being done within that tactic; for lateral movement, one technique is Internal Spearphishing. The technique tells you WHAT is being done to the WHERE (internal spearphishing is being done to achieve lateral movement), or, in the car, you are going to remove and replace the tire. The technique is what you will do; the tactic is where and why you will do it.
Lastly we have procedures: exactly how a specific attacker accomplished the technique. For lateral movement by internal spearphishing, that can be sending an internal email from a compromised user to other people in the org. The threat actor HEXANE did this by sending malware-infected documents to executives and HR personnel that all followed a 'Security Best Practices' theme. You'll find these attackers are cheeky and charming bastards. This is the equivalent of the step-by-step instructions for removing a tire (take off the lug nuts, etc.). Procedures are the detailed record of HOW specifically a group accomplished its goal, and because they are the most specific level, they are also the level most likely to change between campaigns, which is why a detection written for the technique tends to age better than one written for a single procedure.
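As an added example (not from the original post), here is the tactic/technique/procedure hierarchy from the last two paragraphs written down as data, using the post's HEXANE procedure plus a second, constructed group that reaches the same technique by a different route, and a small classifier showing how the same phishing payload lands under a different tactic depending on where it comes from. The technique IDs are taken from the public MITRE ATT&CK knowledge base; the group "ExampleCrew", its procedures and the domain names are invented for the illustration.

```python
"""Tactic -> Technique -> Procedure as data, and where a detection should sit.

Added illustration for this post. Technique IDs are from the public MITRE ATT&CK
knowledge base; HEXANE's procedure is the one described in the post, while the
group "ExampleCrew", its procedures and the domain names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    id: str        # ATT&CK technique ID
    name: str      # WHAT is done
    tactic: str    # WHERE/WHY in the attack it is done


@dataclass(frozen=True)
class Procedure:
    group: str
    technique: Technique
    how: str       # HOW this particular group did it


INTERNAL_SPEARPHISHING = Technique("T1534", "Internal Spearphishing", "Lateral Movement")
SPEARPHISHING_ATTACHMENT = Technique("T1566.001", "Spearphishing Attachment", "Initial Access")
REMOTE_DESKTOP = Technique("T1021.001", "Remote Desktop Protocol", "Lateral Movement")

PROCEDURES = [
    Procedure("HEXANE", INTERNAL_SPEARPHISHING,
              "malware-laced documents with a 'Security Best Practices' theme sent from "
              "compromised accounts to executives and HR staff"),
    # Constructed group: same technique, different procedure (a link instead of a document).
    Procedure("ExampleCrew", INTERNAL_SPEARPHISHING,
              "link to a fake SSO login page sent from a compromised mailbox to the finance team"),
    Procedure("ExampleCrew", REMOTE_DESKTOP,
              "RDP to file servers with credentials harvested from the phished finance users"),
]


def techniques_of(group: str) -> set:
    return {p.technique.id for p in PROCEDURES if p.group == group}


def tactics_of(group: str) -> set:
    return {p.technique.tactic for p in PROCEDURES if p.group == group}


def shared_techniques(group_a: str, group_b: str) -> set:
    """Overlap at the technique level even when the procedures look nothing alike."""
    return techniques_of(group_a) & techniques_of(group_b)


def procedures_for(technique_id: str):
    """Every recorded HOW for one WHAT."""
    return [(p.group, p.how) for p in PROCEDURES if p.technique.id == technique_id]


def phish_technique(sender_domain: str, org_domain: str) -> Technique:
    """For a mail carrying a malicious attachment, the technique (and so the tactic)
    depends on the sender: an external sender is Initial Access, an internal,
    already-compromised sender is Lateral Movement. A rule keyed on the technique
    fires for every procedure recorded under it, not just the one seen last time."""
    return INTERNAL_SPEARPHISHING if sender_domain == org_domain else SPEARPHISHING_ATTACHMENT


if __name__ == "__main__":
    t = phish_technique("corp.example", "corp.example")
    print(f"{t.tactic} / {t.id} {t.name}")
    for group, how in procedures_for(t.id):
        print(f"  {group}: {how}")
    print("techniques shared by HEXANE and ExampleCrew:", shared_techniques("HEXANE", "ExampleCrew"))
```

The comparison function is the CTI use of the hierarchy: two groups whose procedures read completely differently can still be compared, and defended against, at the technique level, and a group's list of tactics tells you which kill chain phases your telemetry needs to cover for it.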
Now you know the basics of a cyber attack, and hopefully this will inform the rest of this series as we begin discussing APTs across the globe!
If you enjoyed this, read the other parts or check out other series here.
We always appreciate likes, comments, and subscribers!