The “Kill Chain” approach to penetration testing
In 2009, Mike Cloppert introduced the concept that is now known as the “attacker kill chain.” It includes a workflow that hackers use when attacking a system. It does not always proceed in a linear flow as some steps may occur in parallel. Multiple attacks may be launched over time at the same target and overlapping stages may occur at the same time.
The following diagram shows a typical kill chain of an attacker:
A typical kill chain of an attacker can be described as follows:
- Reconnaissance phase – “reconnaissance time is never wasted time”, it is better to learn as much as possible about an enemy before engaging them. For the same reason, attackers will conduct extensive reconnaissance of a target before attacking. In fact, it is estimated that at least 70 percent of the “work effort” of a penetration test or an attack is spent conducting reconnaissance!
Generally, they will employ two types of reconnaissance:
- Passive reconnaissance – This does not directly interact with the target in a hostile manner. For example, the attacker will review the publicly available website(s), assess online media (especially social media sites), and attempt to determine the “attack surface” of the target.One particular task will be to generate a list of past and current employee names. These names will form the basis of attempts to brute force, or guessing passwords. They will also be used in social engineering attacks.
- Active reconnaissance – This can be detected by the target but, it can be difficult to distinguish most online organizations’ faces from the regular backgrounds. Activities occurring during active reconnaissance include physical visits to target premises, port scanning, and remote vulnerability scanning.
- The delivery phase – Delivery is the selection and development of the weapon that will be used to complete the exploit during the attack. The exact weapon chosen will depend on the attacker’s intent as well as the route of delivery (for example, across the network, via wireless, or through a web-based service).
- The exploit or compromise phase – This is the point when a particular exploit is successfully applied, allowing attackers to reach their objective.The compromise may have occurred in a single phase (for example, a known operating system vulnerability was exploited using a buffer overflow), or it may have been a multiphase compromise (for example, an attacker physically accessed premises to steal a corporate phone book. The names were used to create lists for brute force attacks against a portal logon. In addition, e-mails were sent to all employees to click on an embedded link to download a crafted PDF file that compromised their computers.).
- Post exploit: action on the objective – This is frequently, and incorrectly, referred to as the “exfiltration phase” because there is a focus on perceiving attacks solely as a route to steal sensitive data (such as login information, personal information, and financial information); it is common for an attacker to have a different objective. For example, a business may wish to cause a denial of service in their competitor’s network to drive customers to their own website. Therefore, this phase must focus on the many possible actions of an attacker. One of the most common exploit activity occurs when, the attackers attempt to improve their access privileges to the highest possible level (vertical escalation), and to compromise as many accounts as possible (horizontal escalation).
- Post exploit: persistence – If there is value in compromising a network or system, then that value can likely be increased if there is persistent access. This allows attackers to maintain communications with a compromised system. From a defender’s point of view, this is the part of the kill chain that is usually the easiest to detect.