Risk Management And The Attack Kill Chain

Risk Management And The Attack Kill ChainThe attempt to keep yourself secure online or offline can be confusing and tedious, but it is necessary. Keeping a secure platform is a process of patience, thoughtful planning, and auditing. But doing so can allow you can create a full risk report. When it comes down to the bare bones of security, most find it is not about the tools you use. It begins with understanding of the systems you use and the unique threats you face and how you can counter those threats. The process of threat modeling and risk management in computer security, is a finding a potential event that could undermine your efforts to defend your system. You can counter the threats you face by determining what you need to protect and from whom you need to protect it. I recommend taking a method used by Red-Team and Blue-Team players.There are certain advantages of following a methodology:

A methodology identifies parts of the process that can be automated. This allows the attackers to focus on creative techniques to find and exploit vulnerabilities.

The results are repeatable, allowing them to be compared over time or to cross validate one attackers results against another, or to determine how the security of the target has reacted over time.

A methodology is predictable in terms of time and requirements, allowing assets to be controlled.

Here is a breakdown of a threat model or how to take audit and assess your risks. To start let us look at a basic What/Who/How flow.

What do I have that is worth protecting?

Who do I want to protect it from?

How likely is it that I will need to protect it?

How bad are the consequences if I fail?

How much trouble am I willing to go through to prevent these consequences?

Once completed you can gauge what kind of security you are going to need. The purpose of this is to create a necessary amount of security based on the amount of risk. High Risk, High Security. Then mark your calendar for a date in the future. This will prompt you to review your threat model and check back in to assess whether it is still relevant to your situation.A similar line of thinking is performed by the attackers perspective using the Attack/Kill Chain. These methodologies all encompass and are integrated in a framework that views the network from the perspective of an attacker, the "Kill Chain" or the "Attack Chain". The Kill Chain approach to an attack that includes the steps taken by a attacker when they are attacking a system. It does not always proceed in a linear flow as some steps may occur in parallel. Multiple attacks may be launched over time at the same target, and overlapping stages may occur at the same time. How attackers apply these steps when exploiting systems, the following shows a typical kill chain of a attacker:

Reconnaissance: Passive or Indirect (and) Active or Direct

Delivery of Exploit

Post Exploit: Action on the objective (and) Persistence

A typical kill chain of a attacker can be described as follows:Reconnaissance: Passive or Indirect (and) Active or Direct

Reconnaissance phase

Reconnaissance time is never wasted time, adopted by most military organizations acknowledges that it is better to learn as much as possible about an enemy before engaging them. In military operations, reconnaissance or scouting is the exploration outside an area occupied by friendly forces to gain information about natural features and other activities in the area. Attackers will conduct extensive reconnaissance of a target before attacking. This phase should be 2/3 of an attack.

There are two types of reconnaissance:

Passive reconnaissance

This does not directly interact with the target in a hostile manner. The attacker will review the publicly available website(s), assess online media, and attempt to determine the "attack surface" or scope of the target. One particular task will be to generate a list of past and current target names and aliases, going as far as likes, hobbies, and individual traits of a target. All details need to be aggregated to allow a proper systematic approach. This information can be later used to form the basis of a brute force attack, or in other words, a systematic guessing of passwords. They will also be used in social engineering attacks. This type of reconnaissance is difficult, if not impossible, to distinguish from the behavior of regular users.

Active reconnaissance

This can be detected by the target but, it can be difficult to distinguish most online organizations faces from the regular backgrounds and nigh impossible for a singular target to discover, unless particularly vigilant. Activities occurring during active reconnaissance include physical visits to target premises, port scanning, and remote vulnerability scanning.

Delivery of Exploit

The delivery phase

Delivery is the selection and development of the weapon that will be used to complete the exploit during the attack. The exact weapon chosen will depend on the attackers intent as well as the route of delivery.

The exploit phase

This is the point when a particular exploit is successfully applied, allowing attackers to reach their objective. The compromise may have occurred in a single phase, or it may have been a multi-phase compromise. Multi-phase attacks are the norm when a attacker targets an organization though can be used on a individual target.

During the Post Exploit phase we can also look the following steps to create a repeatable Kill Chain during this phase by the following.

Collect: Enumeration, more enumeration, and some more enumeration.

Process: Sort through data, analyze, and prioritize.

Search: Know what to search for and where to find the exploit code.

Adapt: Customize the exploit so it fits. Not every exploit works for every system out of the box.

Try: Get ready for trial and error.

Post Exploit: Action on the objective (and) PersistenceDuring the Post Exploit phase we can also look the following steps to create a repeatable Kill Chain during this phase by the following.

Post exploit

This is frequently, and incorrectly, referred to as the "ex filtration phase" because there is a focus on perceiving attacks solely as a route to steal sensitive data; it is common for a attacker to have a different objective. This phase must focus on the many possible actions of a attacker. One of the most common exploit activity occurs when, the attackers attempt to improve their access privileges to the highest possible level (vertical escalation), and to compromise as many accounts as possible (horizontal escalation). If there is value in compromising a network or system, then that value can likely be increased if there is persistent access. This allows attackers to maintain communications with a compromised system. From a targets point of view, this is the part of the kill chain that is usually the easiest to detect due to increased activity within the system.

Kill chains are models of a attackers behavior when they attempt to compromise a system. As a model, it can incorporate any and all attack vectors until their objective is complete. Unlike the methodologies, however, it ensures a strategic level focus on how a attacker approaches the system. This focus on the attackers activities will serve as guide on how one must think when attacking a system.