Cyber defense


FIGURE 14. TYPES OF ATTACKS



Date: 09.12.2022
Cyber Defense Handbook


CYBER DEFENSE GUIDE
GUIDELINES FOR THE DESIGN, PLANNING, IMPLEMENTATION AND DEVELOPMENT OF A MILITARY CYBER DEFENSE
To detect and repel a cyber attack, it is necessary to know how it works and its development process.
131. The Cyber Kill Chain [22] framework is a model based on seven phases (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives) aimed at systematizing the identification and prevention of cyber intrusion activities, and thus at facilitating the detection of an attack and the understanding of its TTPs (tactics, techniques, and procedures). Obviously, it can also be used to coordinate and organize cyber attacks.
132. In the reconnaissance phase, the target is chosen and the information necessary to plan and implement the cyber attack is analyzed, that is, the existing public information on the target (on websites, social networks, etc.) and the information that has been made available by its own cyber intelligence services, using open source tools (OSINT [23]) or commercial tools.
133. Reconnaissance includes passive activities (public network monitoring, obtaining information from open sources, etc.) and active activities (i.e., social engineering) aimed at obtaining information about the target (cyber defense capability, vulnerabilities, network topology, credentials, emails associated with the target, etc.).
134. In this initial phase, the attacker fingerprints the target to obtain its networks and systems topology, organizational structure, relationships, communications, and affiliations and to identify its vulnerabilities, both technical and human, to later be able to infiltrate and exploit the network.
135. This phase can take a long time, but the time spent in this phase is worth it, since the more you know, and the better the knowledge about your opponent, the higher the probability of conducting a successful cyber attack.
136. In the weaponization phase, the information obtained in the reconnaissance phase, the detailed knowledge of their own resources, and the types of effects desired serve to plan the cyber attack, select the most effective tools, and assemble the payload (appropriate malware and exploits for exploiting known or unknown vulnerabilities) in the attack vectors (PDF or Word documents, compromised web domains, spoofed emails, USB memory devices, etc.).
137. It is necessary to use new, modified or redesigned malware to reduce the probability of detection by traditional security solutions that identify known signatures.
138. In the delivery phase, the payload is transferred to the target environment. It is a critical moment since it is the moment in which the target is contacted and some of the attempts can be detected and rejected, so it is very important to design the attack to leave as little trace (fingerprint) as possible.
139. In addition, it is necessary to monitor the effectiveness of the intrusion attempts to focus on the most profitable ones.
