CYBER DEFENSE GUIDE: GUIDELINES FOR THE DESIGN, PLANNING, IMPLEMENTATION AND DEVELOPMENT OF A MILITARY CYBER DEFENSE
In the exploitation phase, the payload is activated by exploiting a vulnerability in the target environment (an application, the operating system, or the users themselves) and running malware on the system. Installing the malware in the target environment requires the involvement of an end user who inadvertently enables the payload.
141. In the installation phase, the malware is consolidated in the target system and a connection to the outside is established by installing a remote access Trojan or a back door, thus maintaining persistence within the environment.
142. In the command and control phase, the attacker, taking advantage of the external communication channel and the malware consolidated in the target environment, takes surreptitious control of part of the system to perpetrate new attacks commanded from an operations coordination center established for this purpose.
143. At this point, traditional cyber defense based on firewalls, intrusion detection systems (IDS), sandboxes and security information and event management (SIEM) is not effective. Only cyber defense based on cyber threat hunting (para. 478) would be effective, together with a well-organized group of experts with the necessary authority to carry out mitigation and reaction measures.
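As an added illustration of what hunting for the external command and control channel described above can look like (example code, not from the guide): a small beacon detector over constructed proxy log lines that flags host/destination pairs whose connection intervals are suspiciously regular. The log format, host names and domains are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (hypothetical format: timestamp, source host, destination).
# Host ws-017 contacts the same external domain about every 60 s: a beaconing pattern.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-017 updates.example-cdn.test
2024-03-01T09:00:03 ws-042 intranet.corp.test
2024-03-01T09:01:01 ws-017 updates.example-cdn.test
2024-03-01T09:01:40 ws-042 news.example.test
2024-03-01T09:02:00 ws-017 updates.example-cdn.test
2024-03-01T09:02:59 ws-017 updates.example-cdn.test
2024-03-01T09:03:15 ws-042 intranet.corp.test
2024-03-01T09:04:01 ws-017 updates.example-cdn.test
2024-03-01T09:05:00 ws-017 updates.example-cdn.test
2024-03-01T09:07:30 ws-042 news.example.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, host, dest = m.groups()
        series[(host, dest)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(series, min_hits=5, max_cv=0.2):
    """Return (host, dest, mean period s, coefficient of variation) for pairs
    with at least min_hits connections whose inter-connection gaps are
    regular (CV <= max_cv). Rare or irregular traffic is left alone."""
    findings = []
    for (host, dest), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((host, dest, round(avg, 1), round(cv, 3)))
    return findings

if __name__ == "__main__":
    for host, dest, period, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {host} -> {dest} every ~{period}s (cv={cv})")
```

Real hunts would add whitelisting of known update and telemetry endpoints and look at longer windows, since the thresholds here are tuned only to the constructed sample.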
144. In the actions on objectives phase, the attacker, having taken control of the target's system, performs actions to achieve the desired effects (cyber effects, para. 145) and takes advantage of that control to spread to other systems and objectives, which would imply performing the cyber kill chain again.
Cyber effects
145. Cyber effects are the damage or impacts produced by cyber attacks. They can be grouped into two main groups, noisy and silent. Each has advantages and disadvantages for both the attacker and the victims. It is necessary to consider all types of effects in any cyber operation (defensive, exploitative and offensive).
146. Noisy cyber effects are impacts that are clearly perceptible by the victim, such as denial or degradation of service, unavailability of information to authorized users, perceptible modification of web content, ransomware encryption that prevents access, and even physical destruction of equipment or facilities.
147. Usually, noisy cyber effects cause significant operational, economic or reputational losses, although short-lived, since in most cases the effects are reversible if there is an effective operations continuity plan (para.
148. Noisy impacts are often quite noticeable, raising alarm and consequently triggering a reaction in the victim that can lead to investment of additional cyber defense resources to reverse the situation and prevent recurrence.
149. The cyber kill chain of noisy cyber attacks is usually short-lived. The reconnaissance and weaponization phases are usually short because these attacks tend not to be very sophisticated. The delivery, exploitation and installation phases are usually short because they do not need to avoid early detection, given that the effects themselves raise the alarm. The command and control phase is usually short because it does not need an external communication channel. The actions on objectives phase is short because detection follows the first attack immediately.