Firstly, malware itself isn’t bound or limited by any legislation: criminals can use any tool and any technique. Ali-Mirza says: ‘They can pick up any open source tool, further enhance it and use it as an attack.
‘Hackers are getting more innovative too,’ he continues. ‘But, more importantly, criminals only have to get it right once. Security, by contrast, is a consistent exercise which needs to evolve.’
Echoing this point, Professor Ali Al-Sherbaz explains that, in his opinion, criminals have another huge advantage: they have, to a degree, the luxury of time. When it comes to designing and deploying their software, they can plan, test, iterate and, finally, attack their chosen flaw. Defenders, however, might only have moments to react when they notice a vulnerability being exploited.
Of all the types and families of malware which do daily damage online, ransomware is the kind which steals most headlines. From WannaCry to the Colonial Pipeline attack, to JBS Foods and CNA Financial, ransomware attacks have caused havoc.
It’s against this backdrop that Dr Ali-Mirza and four others from the School of Computing and Engineering at the University of Gloucester published the paper ‘Ransomware Analysis using Cyber Kill Chain’.
A kill chain is a military concept which describes an attack’s key phases. In armed forces terms, these might be: identify the target; dispatch forces to the target; initiate the attack and destroy the target. Critically, a kill chain can be used for defence too: it lets you see where you might be able to pre-emptively interrupt or stop an enemy’s attack before it completes.
The cyber kill chain framework is a model proposed by Lockheed Martin. It is used in attack modelling and can help organisations identify the different types of threats they may face. Like its military counterpart, the cyber kill chain describes different phases in an attack’s execution:
- Reconnaissance. The attacker gathers details about the target, hoping to discover weaknesses in systems or infrastructure.
- Weaponisation. Malware is developed to specifically exploit the vulnerabilities that have been found.
- Delivery. A decision is made about how the malware will be delivered – email, drive-by, USB stick?
- Installation. The malware arrives on the victim’s system and begins to capitalise on the vulnerabilities. The primary goal is persistence: a stealthy route back into the victim machine or network, typically a backdoor or other ingress, which the attacker can use to access the network again later.
- Command and control. The backdoor is utilised to gain control over the network, which can be used for several malicious operations.
- Actions and objectives. The control over the victim network, achieved in the previous phase, is used to fulfil the malicious objectives of the attacker.
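The defensive use of the model is easiest to see with events laid against the phases. The following is an added example, not code from the paper or from Lockheed Martin: it tags a constructed incident timeline with the phases listed above, measures how long the defender had at each step, and reports the first observed phase that an existing control covers, which is where the chain could have been cut. The detection-rule names, the timeline and the control coverage are all assumptions made for the example.

```python
"""Tag constructed security events with cyber kill chain phases and find
where the chain could have been cut.  Added example: the rule names, the
timeline and the control coverage are assumptions, not from the page."""
from datetime import datetime

# The phases as the page lists them, in attack order.
PHASES = [
    "Reconnaissance",
    "Weaponisation",
    "Delivery",
    "Installation",
    "Command and control",
    "Actions and objectives",
]

# Hypothetical detection-rule names mapped to the phase they evidence.
# A real SOC would derive this table from its own rule set.
EVENT_PHASE = {
    "external_port_sweep": "Reconnaissance",
    "phishing_attachment_delivered": "Delivery",
    "new_run_key_persistence": "Installation",
    "beacon_to_unknown_host": "Command and control",
    "mass_file_rename_to_locked_ext": "Actions and objectives",
}

# Constructed incident timeline: (timestamp, host, rule_name).
SAMPLE_EVENTS = [
    ("2024-01-05T08:02:11", "fw-edge", "external_port_sweep"),
    ("2024-01-05T09:14:00", "mail-gw", "phishing_attachment_delivered"),
    ("2024-01-05T09:20:31", "ws-17", "new_run_key_persistence"),
    ("2024-01-05T09:21:02", "ws-17", "beacon_to_unknown_host"),
    ("2024-01-05T09:30:00", "ws-03", "routine_user_login"),  # maps to no phase
    ("2024-01-05T11:40:55", "file-srv", "mass_file_rename_to_locked_ext"),
]


def tag_events(events):
    """Return (timestamp, host, phase) for every event whose rule maps to a phase."""
    tagged = []
    for ts, host, rule in events:
        phase = EVENT_PHASE.get(rule)
        if phase is not None:
            tagged.append((ts, host, phase))
    return tagged


def phases_reached(events):
    """Distinct phases observed, in kill chain order."""
    seen = {phase for _, _, phase in tag_events(events)}
    return [p for p in PHASES if p in seen]


def phase_gaps(events):
    """Seconds between the first sighting of each consecutive observed phase:
    the window a defender actually had to act at each step."""
    first = {}
    for ts, _, phase in tag_events(events):
        t = datetime.fromisoformat(ts)
        if phase not in first or t < first[phase]:
            first[phase] = t
    ordered = [p for p in PHASES if p in first]
    return [(a, b, int((first[b] - first[a]).total_seconds()))
            for a, b in zip(ordered, ordered[1:])]


def first_break_point(events, controls):
    """Earliest observed phase that a control in `controls` (phase -> control
    name) covers.  Assumes a control that fires at phase N stops every later
    phase.  Returns (phase, control) or None if nothing would have fired."""
    for phase in phases_reached(events):
        if phase in controls:
            return phase, controls[phase]
    return None


if __name__ == "__main__":
    controls = {"Delivery": "attachment sandboxing",
                "Command and control": "egress allow-list"}
    print(phases_reached(SAMPLE_EVENTS))
    print(phase_gaps(SAMPLE_EVENTS))
    print(first_break_point(SAMPLE_EVENTS, controls))
```

The gap figures make the point from earlier in the article concrete: in this constructed timeline there were six and a half minutes between delivery and installation and half a minute between installation and the first beacon, so a control that only fires at command and control leaves the defender almost no time at all.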
‘The cyber kill chain is very effective,’ says Dr Ali-Mirza. ‘It’s not just a one-way thing though – it can be used for both defence and attack. It encourages you to look at the attack from the offensive perspective and then create a defence against it.’
Step one – the most important
From the black-hat hacker’s perspective, the most potent step in a kill chain is reconnaissance. If they get this step wrong, the rest of the attack is unlikely to work.
There are two types of reconnaissance: active and passive. Active sees hackers interact directly with their intended victim. They might map a company’s network, examine a firewall for open ports and deploy research tools like Nmap.
The passive sort of research might see adversaries use tools as seemingly prosaic as Google and LinkedIn. You could see, for example, a company advertising for a new network admin with expertise in a particular tool, technology or system. That technology might have known and exploitable flaws.
Alternatively, a press release might announce the victim has entered into a partnership with a solution supplier and is now, proudly, using some new systems. From there, it’s an easy research job to find the online manual, details about the system’s inner workings and even the default login and password, should there be one.
The key is to sift and search through the information a company and its staff make freely available and look for clues.
The other key part of reconnaissance is being sure about what you’re looking to steal or, in the case of ransomware, what you’re looking to hold hostage. If you lock down the wrong database, the victim won’t pay.
‘Even if you’re going to build a really sophisticated piece of malware and go after a very specific company, you need to identify their assets,’ Ali-Mirza says. ‘If you lock out the wrong thing, the organisation won’t care and, worse still, they’ll know you’re in the system. And now, you’re the target.’ Note how the kill chain is reversed.
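Active reconnaissance of the kind described above is one of the few phases where the attacker has to touch the defender’s infrastructure, so it leaves traces. The following added example (not code from the paper or from any firewall vendor) runs a sliding-window port-scan detector over constructed firewall log lines. The log format, the IP addresses and the thresholds are assumptions; the example also shows the trade-off a defender faces, in that a window tuned for a noisy sweep misses a low-and-slow probe unless it is widened.

```python
"""Flag active reconnaissance (port scanning) in constructed firewall logs.
Added example: the log format and thresholds are assumptions, not from the
page or from any particular product."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log lines.  198.51.100.7 sweeps 12 ports in three seconds
# (noisy scan), 198.51.100.9 probes five ports over eight minutes (low and
# slow), and 192.0.2.55 is an ordinary web client.  One line is malformed.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY src=198.51.100.7 dst=203.0.113.10 dport=21 proto=tcp
2024-03-01T10:00:01 DENY src=198.51.100.7 dst=203.0.113.10 dport=22 proto=tcp
2024-03-01T10:00:01 DENY src=198.51.100.7 dst=203.0.113.10 dport=23 proto=tcp
2024-03-01T10:00:02 DENY src=198.51.100.7 dst=203.0.113.10 dport=25 proto=tcp
2024-03-01T10:00:02 ALLOW src=198.51.100.7 dst=203.0.113.10 dport=80 proto=tcp
2024-03-01T10:00:02 DENY src=198.51.100.7 dst=203.0.113.10 dport=110 proto=tcp
2024-03-01T10:00:02 DENY src=198.51.100.7 dst=203.0.113.10 dport=135 proto=tcp
2024-03-01T10:00:02 DENY src=198.51.100.7 dst=203.0.113.10 dport=139 proto=tcp
2024-03-01T10:00:03 ALLOW src=198.51.100.7 dst=203.0.113.10 dport=443 proto=tcp
2024-03-01T10:00:03 DENY src=198.51.100.7 dst=203.0.113.10 dport=445 proto=tcp
2024-03-01T10:00:03 DENY src=198.51.100.7 dst=203.0.113.10 dport=3389 proto=tcp
2024-03-01T10:00:03 DENY src=198.51.100.7 dst=203.0.113.10 dport=8080 proto=tcp
2024-03-01T10:00:05 ALLOW src=192.0.2.55 dst=203.0.113.10 dport=443 proto=tcp
2024-03-01T10:00:06 ALLOW src=192.0.2.55 dst=203.0.113.10 dport=443 proto=tcp
2024-03-01T10:00:07 ALLOW src=192.0.2.55 dst=203.0.113.10 dport=80 proto=tcp
2024-03-01T10:01:00 DENY src=198.51.100.9 dst=203.0.113.10 dport=22 proto=tcp
2024-03-01T10:03:00 ALLOW src=198.51.100.9 dst=203.0.113.10 dport=80 proto=tcp
2024-03-01T10:05:00 ALLOW src=198.51.100.9 dst=203.0.113.10 dport=443 proto=tcp
2024-03-01T10:07:00 DENY src=198.51.100.9 dst=203.0.113.10 dport=3389 proto=tcp
2024-03-01T10:09:00 DENY src=198.51.100.9 dst=203.0.113.10 dport=8080 proto=tcp
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(log):
    """Yield parsed events; malformed lines are skipped rather than crashing."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]),
                   "src": m["src"], "dport": int(m["dport"])}


def detect_scanners(log, window=timedelta(seconds=60), min_ports=10):
    """Per source address, count distinct destination ports inside a sliding
    time window.  Returns {src: peak_distinct_ports} for sources whose peak
    reaches min_ports.  Allowed and denied hits both count: a sweep that finds
    an open port is still a sweep."""
    by_src = defaultdict(list)
    for ev in parse(log):
        by_src[ev["src"]].append((ev["ts"], ev["dport"]))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window = Counter()   # port -> hits currently inside the window
        left = 0
        peak = 0
        for ts, port in hits:
            in_window[port] += 1
            # Slide the left edge forward until the window fits.
            while ts - hits[left][0] > window:
                old_port = hits[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print("noisy only :", detect_scanners(SAMPLE_LOG))
    print("widened    :", detect_scanners(SAMPLE_LOG, timedelta(minutes=15), 5))
```

With the default one-minute window only the noisy sweep is reported; widening the window to fifteen minutes and lowering the port threshold also catches the slow probe without flagging the ordinary client, which is the tuning a defender would check against their own traffic before deploying such a rule.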
Making your moves
‘With the reconnaissance done, the hardest job – the primary task – is to get your foot in the door,’ says Ali-Mirza. ‘You know what they’re running, what network they’re using and then you need to identify that vulnerability. And there will be vulnerabilities. There’s no network which doesn’t have any vulnerabilities. That’s a fact.’
Once the criminal knows which vulnerability they are targeting, it is time to choose the software weapon. This is the weaponisation phase of the kill chain.
Here, the attacker’s job can be made much easier thanks to a leaf stolen from the conventional market for software tools: the as-a-service model. ‘The point is, this is a business,’ explains Ali-Mirza. ‘And, as such, [the criminals] are using malware-as-a-service. You can hire the malware. You don’t need any technical understanding. You can hire the malware and attack, without needing to write any code.’
‘They’re using cryptocurrencies too,’ says Professor Ali Al-Sherbaz, explaining the financial underpinnings of the malware-as-a-service model. ‘And this is making the criminals harder to identify and harder to follow. It’s a big market. There are markets that look like eBay where you can buy tools. Ransomware-as-a-service exists. It’s no surprise that some cryptocurrencies are worth thousands with these sorts of [markets existing].’
With the weapon chosen and deployed against the victim, the kill chain offers insight into the next phases and the further successes the criminals need before they can achieve their final goal. The malware might need to install itself, open a backdoor and establish contact with its makers so it can update itself or receive instructions. And then, perhaps, it will encrypt a specific set of files or exfiltrate a targeted data set.
Return on criminal investment
From a cost perspective (and, by implication, a return on investment view), staying hidden on a network can be the most expensive challenge. Zeus, as we mentioned earlier, evaded contemporary antivirus software. Many of today’s advanced persistent threats (APTs) stay hidden for up to six months. This ability to avoid detection requires, Ali-Mirza explains, considerable technical investment. Criminals also invest in anti-forensics.
‘When you’ve acquired a piece of code from the infected network or PC, anti-forensics are techniques which stop the analyst from using different tools on it to identify what the next move might be. What the next iteration might look like.’
These defensive techniques could, for example, see a piece of code which can sense when it is inside a virtual environment. If it believes it is, it might refuse to run, behave differently or stay packed. This would limit analysts’ abilities to sandbox the code. Malware writers also deploy anti-debugging techniques to prevent researchers from examining their work.
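From the analyst’s side, the first question about a sample is whether it carries the tricks just described. The following added example (not from the paper or from any analysis tool) performs a first-pass static triage of a constructed binary blob: it looks for a few illustrative virtual-machine artefact strings and anti-debugging API names, and measures byte entropy, since a packed or encrypted payload looks close to random and its strings will not be visible until it is unpacked. The indicator lists, the entropy threshold and both sample blobs are assumptions made for the example.

```python
"""Static triage of a constructed binary blob for anti-analysis indicators:
VM checks, anti-debugging API use and packing (high entropy).  Added
example; the indicator lists are a small illustrative set and the
threshold is an assumption, not a published signature set."""
import hashlib
import math
from collections import Counter

# Illustrative indicators only; real rule sets (YARA and the like) are far larger.
VM_ARTIFACTS = [b"VBoxGuest", b"VMwareService", b"qemu-ga", b"SbieDll.dll"]
DEBUGGER_APIS = [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                 b"NtQueryInformationProcess"]


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0.  Packed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(blob, packed_threshold=7.2):
    """Return a small report: which indicators were found and whether the
    blob looks packed.  A packed verdict means the string results below are
    unreliable until the sample has been unpacked."""
    vm = [s.decode() for s in VM_ARTIFACTS if s in blob]
    dbg = [s.decode() for s in DEBUGGER_APIS if s in blob]
    ent = shannon_entropy(blob)
    packed = ent >= packed_threshold
    flags = []
    if vm:
        flags.append("vm-aware")
    if dbg:
        flags.append("anti-debug")
    if packed:
        flags.append("likely-packed")
    return {"entropy": round(ent, 2), "vm_checks": vm, "debugger_checks": dbg,
            "likely_packed": packed, "flags": flags}


# Constructed "unpacked" sample: a fake header followed by strings in the clear.
UNPACKED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"kernel32.dll\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
    + b"GetTickCount\x00CreateFileW\x00\\\\.\\VBoxGuest\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"Your files have been encrypted\x00"
)


def _pseudo_random(n, seed=b"constructed-packed-sample"):
    """Deterministic random-looking bytes (a SHA-256 chain) standing in for a
    packed payload, so the example runs the same way every time."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed "packed" sample: same fake header, then 4 KiB of random-looking bytes.
PACKED_SAMPLE = b"MZ\x90\x00" + _pseudo_random(4096)


if __name__ == "__main__":
    print("unpacked:", triage(UNPACKED_SAMPLE))
    print("packed  :", triage(PACKED_SAMPLE))
```

The entropy check is deliberately run before the string checks are trusted: the packed sample yields no indicator strings at all, which says nothing about what the sample does, whereas the unpacked sample shows both a VirtualBox device name and two debugger-detection imports and so warrants a bare-metal or instrumented run rather than a plain sandbox detonation.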
So, what can organisations learn from the kill chain? Where in the seven steps can we hope to disrupt hackers’ attacks most effectively and efficiently?
‘Firewalls and antivirus all have their place and their significance,’ Dr Qublai Ali-Mirza says. ‘But, to simplify things, humans are the weakest link. All they need is to make one mistake. Cyber awareness [training] should be a common thing in every organisation. It should be small, regular and maybe gamified.’
Thinking back to the kill chain, employees can provide valuable insights for criminals who are at the reconnaissance phase of their attack. ‘Employees are the entry point… Infection, propagation and covert operations [those are all important]. But, infection doesn’t mean how they got into the system. Infection means, what vulnerability did they exploit? Entering the system can vary. It can be through USB sticks, phishing emails… Entering is one thing. The functionality of the malware starts when it runs. Malware, as an executable, could sit on my computer, on my USB stick and do nothing.’
Emphasising the point, he explains that when a user clicks on a bad link in a phishing email or opens an infected PDF – that’s the entry point and that’s the point against which continuous cyber awareness training should be deployed.
Summing up the kill chain process neatly, Dr Qublai Ali-Mirza says: ‘Infection, propagation and covert operations. If you understand these three things, you actually understand the malware. And, more importantly, you can actually secure the system.’