FIGURE 15. CYBER KILL CHAIN

GUÍA DE
CIBERDEFENSA
ORIENTACIONES PARA EL DISEÑO, PLANEAMIENTO, IMPLANTACIÓN Y DESARROLLO DE UNA CIBERDEFENSA MILITAR
31 In the exploitation phase, the payload is activated by exploiting a vulnerability in the target environment (an application, the operating system, or the users themselves) and running malware on the system. Installing malware in the target environment requires end-user involvement by inadvertently enabling it (payload).
141.
In the installation phase, malware is consolidated in the target system and a connection to the outside is established with the installation of a remote access Trojan or aback door and thus maintain persistence within the environment.
142.
In the command and control phase, the attacker, taking advantage of the external communication channel and consolidated malware in the target environment, takes surreptitious control of part of the system to perpetrate new attacks commanded from an operations coordination center established for this purpose.
143.
At this point, traditional cyber defense based on firewalls, intrusion detection systems (IDS, sandbox, and security information and event management (SIEM
24
) are not effective. Only cyber defense based on cyber threat hunting (para. 478) would be effective together with a well-organized group of experts with the necessary authority to carryout mitigation and reaction measures.
144.
In the actions on objectives phase, the attacker, once having taken control of the target’s system, performs actions to achieve the desired effects (cyber effects, para. 145) and takes advantage of the system’s control to spread to other systems and objectives, which would imply performing the cyber kill chain again.
Cyber effects
145.
Cyber effects are the damage or impacts produced by cyber attacks. They can be grouped into two main groups, noisy and silent. Each of them has advantages and disadvantages for both the attacker and the victims. It is necessary to consider all type of effects in any cyber operation (defensive, exploitative and offensive).
146.
Noisy cyber effects are the impacts that are clearly perceptible by the victim, such as denial or degradation of service, unavailability of information to authorized users, perceptible modification of web content, encryption ransomware in order to prevent access and even physical destruction of equipment or facility.
147.
Usually, noisy cyber effects cause significant operational, economic or reputational losses, although short lived, since inmost cases the effects are reversible if there is an effective operations continuity plan (para. Noisy impacts are often quite noticeable, raising alarm and consequently triggering a reaction in the victim that can lead to an investment of additional cyber defense resources to reverse the situation and prevent recurrence.
149.
The cyber kill chain of noisy cyber attacks is usually short lasting. The reconnaissance and weaponization phases are usually short because these attacks tend to not be very sophisticated. The delivery, exploitation and installation phases are usually short because they do not need to avoid early detection given that the effects themselves raise the alarm. The command and control phase is usually short because it does not need an external communication channel. The actions on objectives phase is short because the time between the first attack and detection is immediate.

GUÍA DE

Download 2.54 Mb.

Share with your friends: