Standard Framework

Reconnaissance

Sophisticated attackers don’t attack organizations at random; they spend a significant amount of time researching their target. An attacker uses the reconnaissance phase to determine whether a target is worth attacking, what the objectives of the attack will be, and what the characteristics of the target are.

For example, an attacker might spend time examining LinkedIn to determine which staff hold specific roles within an organization. Before they have taken any overt action against the target, a sophisticated attacker may already have a detailed understanding of the structure of the organization’s information systems and security teams. From LinkedIn alone, an attacker can not only identify the senior information systems staff, but also deduce the likely nature of the systems those staff run from their experience and certifications. An organization whose IT department is staffed by professionals holding an extensive variety of Microsoft certifications is likely to use Microsoft products. An organization whose database administrators all have extensive prior experience with a specific database product, such as MySQL, is likely to host its production databases on that product.

During the reconnaissance phase, attackers examine external services, such as web applications provided to customers, public websites, email and DNS, to determine the characteristics of those services. For example, does the organization host its email in Office 365, or is it using an on-premises solution? The organization’s public MX and SPF records usually answer that question without the attacker ever touching the target’s own systems. The answers to these questions shape the attacker’s strategy as they progress through the kill chain.

An internal red team is at an advantage because they already know which information systems are in use at the organization. An exercise that an internal red team might engage in is trying to ascertain, from external sources such as LinkedIn, as well as other public information, such as DNS registration records and passive monitoring, exactly how much information about the nature of the organization’s information systems could be determined by a diligent investigator who only had access to external sources of data.
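The mail-hosting question above is one a red team can answer from public DNS alone. The following is an added example, not code from the course: it parses the output of `dig +short MX example.com` and `dig +short TXT example.com` and matches the MX hosts and SPF includes against the hostnames each provider publishes for customer DNS. The `PROVIDERS` table, the sample records and the domain `example.com` are constructed for the demo.

```python
"""Fingerprint an organisation's mail hosting from public DNS records.

Added example, not part of the course page. Feed it `dig +short MX` and
`dig +short TXT` output; every sample record below is constructed.
"""
from __future__ import annotations

import re

# (label, MX host suffixes, SPF "include:" domains). The hostnames are the
# ones each provider documents for customer DNS; extend the table as needed.
PROVIDERS = [
    ("Office 365 / Exchange Online",
     (".mail.protection.outlook.com",),
     ("spf.protection.outlook.com",)),
    ("Google Workspace",
     ("aspmx.l.google.com", ".googlemail.com"),
     ("_spf.google.com",)),
    ("Proofpoint gateway", (".pphosted.com",), ()),
    ("Mimecast gateway", (".mimecast.com",), ("_netblocks.mimecast.com",)),
]


def parse_mx(dig_output: str) -> list[tuple[int, str]]:
    """Turn `dig +short MX` lines ("10 mx1.example.com.") into (preference, host)."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def parse_spf(dig_txt_output: str) -> str | None:
    """Return the SPF record from `dig +short TXT` output, joining split strings."""
    for line in dig_txt_output.splitlines():
        # dig prints TXT data as one or more quoted strings on a line
        record = "".join(re.findall(r'"([^"]*)"', line)) or line.strip()
        if record.lower().startswith("v=spf1"):
            return record
    return None


def classify_mail_hosting(domain: str, mx_records, spf_record) -> list[str]:
    """Return human-readable findings about where mail for `domain` is handled."""
    findings = []
    hosts = [host for _, host in mx_records]
    for label, mx_suffixes, spf_includes in PROVIDERS:
        if any(h.endswith(s) for h in hosts for s in mx_suffixes):
            findings.append(f"{label}: inbound mail delivered via provider MX")
        if spf_record and any(f"include:{inc}" in spf_record for inc in spf_includes):
            findings.append(f"{label}: SPF authorises provider to send as {domain}")
    own = domain.lower()
    if hosts and all(h == own or h.endswith("." + own) for h in hosts):
        findings.append("Self-hosted: every MX host sits inside the organisation's own domain")
    return findings


# Constructed dig output for a fictional tenant that puts a mail gateway in
# front of Exchange Online: MX points at the gateway, SPF still names Microsoft.
SAMPLE_MX = "10 mxa-0012abcd.gslb.pphosted.com.\n20 mxb-0012abcd.gslb.pphosted.com.\n"
SAMPLE_TXT = ('"v=spf1 include:spf.protection.outlook.com ip4:198.51.100.0/24 -all"\n'
              '"MS=ms12345678"\n')

if __name__ == "__main__":
    for finding in classify_mail_hosting("example.com", parse_mx(SAMPLE_MX), parse_spf(SAMPLE_TXT)):
        print(finding)
```

Run against the sample records it reports both the gateway (from MX) and Office 365 (from SPF), which is exactly the mail path an attacker wants to know before choosing a phishing route; swap in real `dig` output to run it against your own domain.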

Weaponization

Weaponization involves creating, or selecting from existing tools, the exploit and remote access malware that will be delivered to the target. This malware, when deployed, allows the attacker to gain a foothold or beachhead in the target organization. The choice is driven by the information gained during reconnaissance and targets vulnerabilities that are likely to exist within the target organization’s information systems infrastructure. For example, the exploit chosen for attacking a website will differ substantially depending on whether the site is hosted on IIS with a SQL Server backend or on Apache with a MySQL backend. The better tailored the exploit and malware are to the target organization, the more likely they are to succeed.

Delivery

The delivery phase involves getting the weaponized payload onto the target organization’s information systems infrastructure, whether by way of a user who will open it or a service that will process it. Some delivery methods require user interaction before the remote code executes; others can be performed entirely remotely against exposed services.

There are a variety of delivery methods that may be leveraged to meet the objectives of the delivery phase that include, but are not limited to:

  • Phishing attacks
  • Crafted file attacks
  • Remote code execution
  • Watering hole attacks
  • Found USB stick attack
  • Exposed VPN credentials

Phishing attacks

A phishing attack uses a specially crafted email sent to users in the hope that they will open it. Depending on the sophistication of the attack, the user may have to click a link to trigger the next stage. The varieties of phishing attack require differing levels of user interaction: where the mail client has an exploitable vulnerability, simply rendering the email may trigger remote code execution; more commonly, clicking a link in the email downloads code that executes directly on the target’s system, or takes the user to a website that exploits the browser.

Another common form of phishing is credential phishing. The target user is sent an email that looks legitimate, asking them to navigate to a site where they must sign in with their organizational credentials to perform a task: for example, an email reminding the user that their email account password must be changed, which directs them to a site configured to look identical to their normal webmail sign-in page. Unless the user is paying close attention to the address they are signing in to, they may enter their credentials, which are harvested for later use by the attacker.

Crafted file attacks

In this type of attack a specially crafted file is emailed to a target user. This file, when opened, executes malicious code that installs the attacker’s software on the recipient’s computer. If the file is crafted well enough, or the user’s computer is configured to allow untrusted code (such as document macros) to run, simply opening the document can trigger the execution of the attacker’s code.
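A practitioner triaging attachments wants to know whether a document carries code before anyone opens it. The following is an added example, not code from the course: Office Open XML files (.docx, .docm, .xlsx and so on) are ZIP packages, a VBA project is stored as a `vbaProject.bin` part, and a document that pulls a remote template reveals it through a relationship whose `TargetMode` is `External`. The `build_sample` helper fabricates minimal package-shaped archives for the demo; they are not real Word files, and the address `203.0.113.5` is a constructed placeholder.

```python
"""Triage an Office Open XML attachment before it is opened.

Added example, not from the course. Flags VBA parts, "no-macro" extensions
that nevertheless carry VBA, and relationships pointing outside the package.
"""
from __future__ import annotations

import io
import re
import zipfile

# Extensions that promise "no macros"; a VBA part inside one is a red flag.
MACRO_FREE_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}
EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*>', re.I)
TARGET_ATTR = re.compile(r'Target="([^"]*)"', re.I)


def inspect_ooxml(data: bytes, filename: str) -> dict:
    """Report macro parts and external relationships found in an OOXML blob."""
    report = {"is_ooxml": False, "has_vba": False, "macro_parts": [],
              "external_targets": [], "extension_mismatch": False}
    if not data.startswith(b"PK\x03\x04"):          # ZIP local-file-header magic
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:  # every OOXML package has this part
                return report
            report["is_ooxml"] = True
            report["macro_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            for name in names:
                if not name.lower().endswith(".rels"):
                    continue
                xml = zf.read(name).decode("utf-8", "replace")
                for rel in EXTERNAL_REL.findall(xml):
                    m = TARGET_ATTR.search(rel)
                    if m:
                        report["external_targets"].append((name, m.group(1)))
    except zipfile.BadZipFile:
        return report
    report["has_vba"] = bool(report["macro_parts"])
    ext = filename.rsplit(".", 1)[-1].lower()
    # The extension is attacker-controlled; a .docx carrying VBA is a lie worth flagging.
    report["extension_mismatch"] = report["has_vba"] and ext in MACRO_FREE_EXTENSIONS
    return report


def build_sample(with_macro: bool = False, remote_template: str | None = None) -> bytes:
    """Constructed minimal OOXML-shaped package for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic followed by filler stands in for a VBA project
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
        if remote_template:
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationships><Relationship Id="rId1" '
                        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                        f'Target="{remote_template}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_ooxml(build_sample(with_macro=True), "invoice.docx"))
    print(inspect_ooxml(build_sample(remote_template="http://203.0.113.5/t.dotm"), "memo.docx"))
```

The second sample is the quieter case: no macros at all, yet the document will fetch a template from an attacker-controlled host when opened, so a check that only looks for `vbaProject.bin` would pass it.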

Remote code execution

This type of attack involves sending specially crafted data to an information system, such as an application or service listening on a server. For example, sending specially crafted traffic to computers that still have the obsolete SMBv1 file-sharing protocol enabled can allow attackers to execute code on those computers; this was the vector the WannaCry worm used in 2017. Many remote code execution vulnerabilities of this kind are memory-corruption bugs: the crafted input overwrites the remote process’s memory in a way that makes the system execute code supplied by the attacker.
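Before an organisation can retire SMBv1 it needs to know which clients still speak it, and the first message of a session says so. The following is an added example, not code from the course: it parses the client’s negotiate request (TCP/445 payload with its NetBIOS session header) and separates an SMB1-only client from a multi-protocol client that offers `SMB 2.???` inside an SMB1 negotiate, and from a client that negotiates SMB2 directly because SMB1 is disabled. The `build_*` helpers fabricate sample packets with all non-essential header fields zeroed; the packets are constructed for the demo, not captured traffic.

```python
"""Classify SMB negotiate requests to find clients still speaking SMBv1.

Added example, not from the course. Sample packets are constructed.
"""
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72           # SMB1 negotiate command code
SMB2_NEGOTIATE = 0x0000            # SMB2 negotiate command code
SMB2_DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def parse_negotiate(payload: bytes) -> dict:
    """Return {'protocol': 'SMB1'|'SMB2'|None, 'dialects': [...]} for a negotiate request."""
    none = {"protocol": None, "dialects": []}
    if len(payload) < 8 or payload[0] != 0x00:        # NetBIOS session message type
        return none
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if body.startswith(SMB2_MAGIC):
        # 64-byte header (Command at offset 12), then a 36-byte NEGOTIATE request
        # whose DialectCount sits at request offset 2 and dialect codes at offset 36.
        if len(body) < 100 or int.from_bytes(body[12:14], "little") != SMB2_NEGOTIATE:
            return {"protocol": "SMB2", "dialects": []}
        count = int.from_bytes(body[66:68], "little")
        codes = [int.from_bytes(body[100 + 2 * i:102 + 2 * i], "little") for i in range(count)]
        return {"protocol": "SMB2", "dialects": [SMB2_DIALECT_NAMES.get(c, hex(c)) for c in codes]}
    if not body.startswith(SMB1_MAGIC) or len(body) < 35:
        return none
    if body[4] != SMB_COM_NEGOTIATE:
        return {"protocol": "SMB1", "dialects": []}
    word_count = body[32]                              # 32-byte SMB1 header, then WordCount
    offset = 33 + 2 * word_count
    byte_count = int.from_bytes(body[offset:offset + 2], "little")
    data = body[offset + 2:offset + 2 + byte_count]
    # Each dialect is a 0x02 buffer-format byte followed by a NUL-terminated string.
    dialects = [chunk[1:].decode("ascii", "replace")
                for chunk in data.split(b"\x00") if chunk.startswith(b"\x02")]
    return {"protocol": "SMB1", "dialects": dialects}


def assess_client(payload: bytes) -> str:
    """One-line verdict on what the client is willing to speak."""
    parsed = parse_negotiate(payload)
    if parsed["protocol"] == "SMB2":
        return "SMB2+ negotiate: client has SMB1 disabled"
    if parsed["protocol"] == "SMB1":
        if any(d.startswith("SMB 2.") for d in parsed["dialects"]):
            return "SMB1 negotiate offering SMB2: multi-protocol client, SMB1 still enabled"
        return "SMB1-only client: offers no SMB2 dialect"
    return "not an SMB negotiate request"


def build_smb1_negotiate(dialects) -> bytes:
    """Constructed SMB1 NEGOTIATE request (header fields zeroed except the command)."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27      # 32-byte header
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = header + b"\x00" + len(data).to_bytes(2, "little") + data     # WordCount=0, ByteCount
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_smb2_negotiate(codes) -> bytes:
    """Constructed SMB2 NEGOTIATE request: 64-byte header, 36-byte fixed part, dialect codes."""
    header = (SMB2_MAGIC + (64).to_bytes(2, "little") + b"\x00" * 6
              + SMB2_NEGOTIATE.to_bytes(2, "little") + b"\x00" * 50)
    request = (36).to_bytes(2, "little") + len(codes).to_bytes(2, "little") + b"\x00" * 32
    request += b"".join(c.to_bytes(2, "little") for c in codes)
    body = header + request
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    print(assess_client(build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])))
    print(assess_client(build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])))
    print(assess_client(build_smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311])))
```

Pointed at real captures (for instance, the first client payload of each TCP/445 flow), the middle verdict is the useful one: those clients would happily use SMB2 but still advertise SMB1 and will fall back to it against any server that only offers the old dialects.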

Watering Hole attack

A watering hole attack plants malware on a poorly secured site that people at the target organization are known to visit. For example, staff at a specific organization may be members of a particular golf club. By compromising the golf club’s website and planting malware on it, the attacker can arrange for that malware to be downloaded and installed on work computers when people within the organization visit the site during office hours.

Found USB stick attack

In this type of attack, USB sticks are dropped casually on the ground outside the front entrance of the building, or in areas outside the building that employees are known to frequent, such as the area used for cigarette breaks. Some employees will plug these USB sticks into their work computers, which installs the malware on that computer and gives the attacker access to the internal network.

Exposed VPN credentials

Credential breach notification services, such as Troy Hunt’s HaveIBeenPwned.com, notify users when a website where they created an account suffers a data breach that exposes the credentials of those accounts. Those who have studied these breaches have found that many users sign up to third-party websites with their work, rather than private, email address. Because users with poor information security practices are likely to reuse their work password on third-party websites, attackers who obtain breach data potentially hold the working credentials of the employees who signed up with a work address. Of the work credentials exposed when a site’s account database is breached, it is not unreasonable to assume that some will also work against the organization’s VPN. So an attacker can gain access to an organization through its VPN simply because a person within the organization signed up to an external website with their organizational email address and password, and those credentials were later exposed.
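The defensive counterpart is to check whether a password chosen for a work account already appears in breach data, without handing the password to anyone. The following is an added example, not code from the course: it uses the k-anonymity range lookup of Have I Been Pwned’s Pwned Passwords service, which takes only the first five hex characters of the password’s SHA-1 and returns every known hash suffix in that range with a breach count. The `OFFLINE_RANGES` response is constructed (the counts are invented) so the block runs without network access; `fetch_range_live` is a thin real client you can pass instead.

```python
"""Check a password against Pwned Passwords without sending the password.

Added example, not from the course. Offline range data below is constructed.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Breach count for `suffix` in a range response ("SUFFIX:COUNT" per line); 0 if absent."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)      # padded entries come back with a count of 0
    return 0


def check_password(password: str, fetch_range) -> int:
    """Return how many times `password` appears in breach data (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_live(prefix: str) -> str:
    """Real lookup. Add-Padding asks the service to pad the response so its size leaks nothing."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"Add-Padding": "true", "User-Agent": "kill-chain-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range of "password" (SHA-1 5BAA61E4...): the matching
# suffix, one unrelated suffix and one zero-count padding line. Counts are invented.
OFFLINE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68AAA:2\n"
             "00000000000000000000000000000000000:0\n",
}


def fetch_range_offline(prefix: str) -> str:
    return OFFLINE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print(check_password("password", fetch_range_offline))   # 3861493 with the constructed data
    print(check_password("abc", fetch_range_offline))        # 0: nothing in that range offline
```

A non-zero count is reason enough to reject the password at set time; the same check run over a VPN user population (hashes only, never the cleartext) tells you how much of the exposure described above you are actually carrying.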

Exploitation

In this phase, the attacker’s malware code successfully triggers, leveraging the targeted vulnerability. Depending on how well the attacker was able to ascertain the properties of the target information systems, this may occur quickly or may take several tries before the code successfully runs.

Installation

In the installation phase, the initial malware code is used to install a persistent access point, also known as a back door, on the compromised beachhead system. Typically the initial code is a small stager that downloads and runs further tooling, which eventually provides the attacker with a remote access point into the target organization’s network.

Command and Control

In the command and control phase, the compromised system establishes a channel back to attacker-controlled infrastructure, giving the attacker persistent, interactive access to the target organization’s information systems. Using that channel, the attacker will typically go on to perform the following:

  • Lateral movement
  • Privilege escalation
  • Domain dominance

Lateral movement

It is highly likely that the first system that an attacker compromises isn’t the one that allows the attacker to achieve their objective. Lateral movement is where an attacker begins to compromise other systems on the network, increasing the number of compromised systems as they move laterally towards accomplishing their goal.

An example of lateral movement might be where a member of the accounting team responds to a phishing email and has malware installed on their computer. The malware provides the attacker with remote access to the network, but the accountant’s own account has no privileges beyond their own workstation. If a member of the first level support team has previously signed in to that computer interactively, for example to provide remote assistance, their credentials may be cached on it, and the malware can extract them. The attacker then uses the support team member’s credentials to gain access to other systems. Repeating this process, the attacker eventually captures the credentials of a member of the domain administration team and leverages them to gain domain dominance.

Privilege escalation

Privilege escalation is the process by which an attacker turns a compromised unprivileged account, such as that of a standard user or service, into control over an account that can perform actions beyond those original privileges. In the previous example, the attacker started with access to the computer of a user with no administrative privileges. By running specially crafted credential-dumping software, they captured the credentials of a user with greater network privileges. With those privileges in hand, they were then able to escalate step by step until they held full administrative permissions.
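The lateral movement and privilege escalation scenario above only works because a privileged account logged on to an ordinary workstation in a way that left credential material behind, so the check a defender wants is a hunt for exactly those logons. The following is an added example, not code from the course: Windows logon types 2 (Interactive), 10 (RemoteInteractive, i.e. RDP) and 11 (CachedInteractive) place reusable credentials in LSASS on the destination host, while a type 3 (Network) logon normally does not. The 4624 event records, the account names, the `corp.example` hosts and the list of approved admin workstations are all constructed for the demo.

```python
"""Find privileged accounts leaving reusable credentials on ordinary workstations.

Added example, not from the course. Events, accounts and hosts are constructed.
"""
CREDENTIAL_EXPOSING_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed: accounts in privileged groups, and the hardened hosts (privileged
# access workstations, jump hosts) where their interactive logons are expected.
PRIVILEGED_ACCOUNTS = {"corp\\helpdesk-jsmith", "corp\\da-wong"}
APPROVED_ADMIN_HOSTS = {"paw01.corp.example", "jump01.corp.example"}

# Constructed Security log records, reduced to the 4624/4625 fields the check needs.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "acct-ws17.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "a.patel", "LogonType": 2, "TimeCreated": "2024-03-04T08:02:11Z"},
    # help-desk RDP session onto the accountant's PC: credentials now sit in LSASS there
    {"EventID": 4624, "Computer": "acct-ws17.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "helpdesk-jsmith", "LogonType": 10, "TimeCreated": "2024-03-04T09:40:52Z"},
    # domain admin touching the same PC over the network only (type 3): nothing cached
    {"EventID": 4624, "Computer": "acct-ws17.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "da-wong", "LogonType": 3, "TimeCreated": "2024-03-04T10:15:03Z"},
    # domain admin logging on interactively to an approved admin workstation
    {"EventID": 4624, "Computer": "paw01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "da-wong", "LogonType": 2, "TimeCreated": "2024-03-04T10:20:44Z"},
    # failed logon (4625): no session, no credentials left behind
    {"EventID": 4625, "Computer": "acct-ws17.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "da-wong", "LogonType": 10, "TimeCreated": "2024-03-04T11:01:09Z"},
]


def find_exposed_privileged_logons(events, privileged_accounts, approved_hosts):
    """Return (account, host, logon type name, time) for each successful, credential-exposing
    logon of a privileged account onto a host that is not an approved admin workstation."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue                                    # only successful logons matter here
        account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}".lower()
        host = ev["Computer"].lower()
        logon_name = CREDENTIAL_EXPOSING_LOGON_TYPES.get(ev.get("LogonType"))
        if account in privileged_accounts and logon_name and host not in approved_hosts:
            hits.append((account, host, logon_name, ev["TimeCreated"]))
    return hits


if __name__ == "__main__":
    for hit in find_exposed_privileged_logons(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS, APPROVED_ADMIN_HOSTS):
        print(hit)
```

Only the help-desk RDP session is reported: that is the logon that turns the accountant’s workstation into a credential source for the attacker. The domain admin’s type 3 access to the same PC does not cache credentials, but a domain admin account touching a workstation at all is worth its own, separate alert.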

Domain dominance/Administrative privilege

A common goal of the command and control phase is to gain administrative privileges (on Unix-like systems, root privileges) on the target organization’s information systems. For example, control of an organization’s domain controllers provides domain dominance. Once an attacker controls the domain controllers, they can extract the password hashes of every account in the domain and can most likely perform any action they desire on the network. There are exceptions to this rule, but they require separation of administrative privileges and the deployment of technologies such as Just in Time and Just Enough Administration.

Actions on Objective

In this phase, the attacker, or red team in the exercise, carries out its objective. As mentioned earlier, this could be to steal data, deploy ransomware, deploy coin mining software, extort the organization, or destroy systems. The Actions on Objective phase is the attacker’s endgame.

This article is from the free online

Microsoft Future Ready: Fundamentals of Enterprise Security

Created by
FutureLearn - Learning For Life