Installation phase in cyber kill chain
The fifth chain of the cyber kill chain is Installation that is introduced by Lockheed Martin. During the installation step, attackers attempt to achieve persistence on the target machine and try to make a C&C channel for the exfiltration and controlling of the data from the target. Persistence is critical for adversaries because if users log off or restart computers in an operating system like windows, running programs are terminated. To restart the malicious programs, we need to exploit again.
In making persistence we have two main categories of persistence strategies which include:
- User Space
User Space is the memory area where the application software is executed and kernel space is strictly reserved for running a privileged operating system kernel, kernel extensions, in addition to other device drivers.
Advanced persistent threats (APT) use some typical persistent strategies such as web shells, registry manipulation, DLL hijacking, Bootkit, task schedulers, etc. These can be used for making persistent access to the target.
For detection of these methods, we have some general ways which include:
- Process monitoring
- Authentication attempt login
- Traffic analysis
- File system monitoring
You should also use other methods for special persistent strategies. For example, for the detection of bootkit, we must perform integrity on master boot record (MBR) and volume boot record (VBR) or report on changes to MBR and VBR as they occur for further analysis.
For detecting persistence in the environment, we have two main strategies. The first is using host-based agents such as ID/PS, Antivirus, EDR tools … to detect typical attacks that occur in persistence with some signatures and indicators. But you can not use this strategy for zero day attacks and complex tactics used in APTs. The other strategy for detecting persistence is finding an anomaly in your environment. For this purpose, you must collect and analyze autorun information from all the hosts in your environment.
Two main problems with this strategy are bigdata and false positive. To solve these problems, we can use SIEMs such as Splunk or ELK to analyze big data and identify our networks and normal traffic to make a powerful baseline for reducing our false positive.
You can also use tools such as Sysinternals Autoruns to detect system changes that could be attempts at persistence, including currently scheduled tasks. Look for changes in a task that do not correlate with known software, patch cycle, etc.
Persistence is not the final phase. After that, adversaries try to create commands and control channels. If you cannot detect and prevent the persistence phase, you must expect to lose some data and information from your environment.
Secure Your Organization’s Mind with Securemind.se