This slightly modified model is a practical way to keep attackers out of your systems.

Marc Laliberte, Senior Security Analyst, WatchGuard Technologies

September 21, 2016


Understanding how malware attacks work is vital to defend against them. To ease this process, threat analysts have developed models that map the stages of cybersecurity attacks, allowing defenders to identify areas where they can break the chain and stop the attack. The Cyber Kill Chain is one of these models, developed by Lockheed Martin.

The steps are:

  1. Reconnaissance: Attackers gather information on their target.

  2. Weaponization: Attackers develop their attack payload.

  3. Delivery: Attackers launch their intrusion.

  4. Exploitation: Attackers compromise their target.

  5. Installation: Attackers gain persistence on their target.

  6. Command and control: Attackers issue commands to their payload.

  7. Actions on objectives: Attackers complete their end goal.

I prefer a slightly modified version of the Cyber Kill Chain model, removing weaponization and adding a lateral movement step between the command and control and actions on objectives steps. Attackers usually compromise the most vulnerable system first instead of going directly to their end objective. After compromising an easy target behind the network perimeter, attackers will move laterally through the network to their actual objective. Weaponization is a step for the attacker, but not something you can defend against, so I don't include it in the model. Lateral movement, however, can be detected and prevented by internal network segregation firewalls.

Here's a practical example. A popular attack method involves renting ad space on websites and posting tainted ads. These ads include JavaScript code that forces Web browsers to make requests to a malicious server without the victim's knowledge. The malicious server hosts an exploit kit that probes the client for known vulnerabilities and then infects the victim's computer. This type of attack is called a "drive-by attack" or a "drive-by download."

Using my version of the modified Cyber Kill Chain, you can map out the stages of a JavaScript drive-by download attack and identify how to protect yourself.

1. Reconnaissance: Drive-by downloads are meant to infect as many systems as possible. During this step, attackers will attempt to identify frequently visited websites that don't validate ads or are vulnerable to cross-site scripting attacks. If the attackers' goal is to go after you specifically, they'll review your online posts to identify which websites you visit, looking for one that's vulnerable. They also may use a Web exploit kit that automatically probes you to see what browser you use, what plug-ins you're running, and other possible attack vectors. Your best defense is to keep a small digital footprint. The less attackers can find out about you online, the less likely they are to find an attack vector.

2. Delivery: This is where the attacker delivers the malicious payload. In a drive-by download attack, your browser loads the attacker's infected ad. Network-based antivirus protection on your perimeter can often block malicious JavaScript before it reaches the client. To be extra safe, browser plug-ins like NoScript can block JavaScript in its entirety, although this may break some website functionality.

3. Exploitation: Once attackers have identified a vulnerability in your system, they exploit the weakness and carry out their attack. In our example, your browser has loaded the attackers' exploit kit, which has found a vulnerability in your browser and is about to launch their exploit. Perimeter-based intrusion-prevention systems can help by blocking suspicious traffic that matches known attacks. Keeping your browser and plug-ins up to date also goes a long way by reducing exploitable vulnerabilities.

4. Installation: Exploiting a known browser vulnerability usually allows attackers to download and execute malware on your system. Ransomware is the most popular malware now, but attackers can also install remote-access Trojans or other unwanted applications. Good network and endpoint antivirus software can identify these unwanted downloads and quarantine them before the attackers' exploit can install them. Look for solutions that sandbox test downloads. Sandboxing allows antivirus software to identify malicious behaviors by running applications in a controlled environment and can often identify unwanted programs when signature-based detection fails.

5. Command and control: Once installed, malware still needs to call back home to the attackers for further instructions. For example, remote-access Trojans open a command and control connection to allow remote access to your system. Ransomware uses command and control connections to download encryption keys before hijacking your files. If you can stop this connection, you can often stop the attack even after your system has been infected. To do this, lock down your outbound network policy to allow only ports and protocols that are absolutely required by your organization. For the ports and protocols that you allow out, use an application gateway firewall to inspect the connections. URL and reputation filtering can prevent connections to known command and control servers, and that's usually just enough to keep the system under your control.

6. Lateral movement: Once attackers have compromised a system, they will try to move on to a bigger target on your internal network. You never want to be in a position where an attacker has a clear shot at your sensitive databases after compromising an unsuspecting employee's workstation. Segregating your more critical resources from systems with direct internet access makes it harder for attackers to pivot behind your primary defenses. Be sure to use access control systems to restrict critical system access to only those that require it.

7. Actions on objectives: The attacker's final goal could be anything from extracting a ransom from you in exchange for decrypting your files to exfiltrating customer information out of your network. In the latter example, data-loss prevention solutions can stop exfiltration before the data leaves your network. In other attacks, endpoint agent software can identify activity that deviates from established baselines and notify IT that something is amiss. Your goal is to detect and stop the unwanted behavior and recover from the attack.
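The command and control and lateral movement steps above both come down to the same control: a default-deny policy that only allows the flows your organization actually needs, backed by reputation filtering for known command and control servers. The following is an added example (not code from the original article or from WatchGuard) that evaluates constructed connection records against such a policy. The zone names, address ranges, allow rules and blocklist entries are all hypothetical; a real deployment would take them from your firewall configuration and threat-intelligence feed.

```python
"""Zone-based egress and segmentation policy evaluator (added example).

Models two of the controls described in the article: a default-deny
outbound policy that allows only required ports and protocols, reputation
filtering for known command and control servers, and internal segmentation
so a compromised workstation cannot reach critical systems directly.
All zones, addresses and blocklist entries below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed internal zones (hypothetical address ranges).
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "app_servers": ip_network("10.20.0.0/24"),
    "databases": ip_network("10.30.0.0/24"),
}

# Constructed reputation blocklist of known C2 infrastructure.
# 203.0.113.0/24 is a documentation range used here as a placeholder.
C2_BLOCKLIST = {ip_network("203.0.113.0/24")}

# Explicit allow rules as (src_zone, dst_zone, protocol, port).
# Anything not listed is denied: workstations get web access only,
# and only the application tier may talk to the database tier.
ALLOW_RULES = {
    ("workstations", "internet", "tcp", 443),
    ("workstations", "internet", "tcp", 80),
    ("workstations", "app_servers", "tcp", 443),
    ("app_servers", "databases", "tcp", 5432),
}


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    proto: str
    port: int


def zone_of(addr: str) -> str:
    """Map an address to a named zone; anything outside the defined zones
    is treated as the internet for this example."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def evaluate(conn: Connection) -> str:
    """Return 'allow', 'deny:reputation' or 'deny:policy' for a connection."""
    dst_ip = ip_address(conn.dst)
    # Reputation filtering first: a known C2 destination is denied on any port.
    if any(dst_ip in net for net in C2_BLOCKLIST):
        return "deny:reputation"
    key = (zone_of(conn.src), zone_of(conn.dst), conn.proto, conn.port)
    # Default deny: only an explicit rule allows the flow.
    return "allow" if key in ALLOW_RULES else "deny:policy"


# Constructed sample flows, e.g. as exported from a firewall log.
SAMPLE_CONNECTIONS = [
    Connection("10.10.4.21", "198.51.100.7", "tcp", 443),   # normal browsing
    Connection("10.10.4.21", "198.51.100.7", "tcp", 4444),  # unusual outbound port
    Connection("10.10.4.21", "203.0.113.45", "tcp", 443),   # known C2 server
    Connection("10.10.4.21", "10.30.0.5", "tcp", 5432),     # workstation -> database
    Connection("10.20.0.8", "10.30.0.5", "tcp", 5432),      # app server -> database
]


def audit(conns):
    """Evaluate a batch of connections and pair each with its verdict."""
    return [(c, evaluate(c)) for c in conns]


if __name__ == "__main__":
    for c, verdict in audit(SAMPLE_CONNECTIONS):
        print(f"{c.src:>14} -> {c.dst:>14} {c.proto}/{c.port:<5} {verdict}")
```

Running the script prints one verdict per sample flow: the workstation's web traffic is allowed, its connection on port 4444 and its direct database access are denied by the default-deny policy, and the connection to the blocklisted address is denied on reputation even though it uses port 443. Applied to exported firewall logs, the same evaluation shows which existing flows a tightened policy would break before you enforce it.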

Not every attack will translate seamlessly into the Cyber Kill Chain model. But by understanding it, you can identify areas of improvement for your network perimeter and harden your defenses against an external attacker.
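The actions on objectives step mentions endpoint agents that flag activity deviating from an established baseline. As an added example (not code from the original article or from WatchGuard), the script below applies that idea to one signal, daily outbound data volume per host: it builds a per-host baseline from a history of daily byte counts and flags a host whose current total is both statistically and materially above its own norm. The host names and byte counts are constructed sample data, and the thresholds are assumptions to tune against your own telemetry.

```python
"""Baseline-deviation check for outbound data volume (added example).

A simple form of the "deviates from established baselines" detection the
article describes. History and today's totals are constructed sample data.
"""
from statistics import fmean, pstdev

# Constructed: outbound bytes per day for the previous 14 days, by host.
HISTORY = {
    "ws-finance-03": [41_000_000, 38_500_000, 45_200_000, 40_100_000, 39_800_000,
                      42_300_000, 37_900_000, 44_000_000, 41_600_000, 40_700_000,
                      43_100_000, 39_200_000, 42_800_000, 40_400_000],
    "ws-eng-17":     [120_000_000, 135_000_000, 98_000_000, 150_000_000, 110_000_000,
                      142_000_000, 125_000_000, 131_000_000, 105_000_000, 148_000_000,
                      118_000_000, 137_000_000, 122_000_000, 129_000_000],
}

# Constructed: today's totals. ws-finance-03 has sent far more than usual,
# ws-eng-17 is within its normal (noisier) range.
TODAY = {"ws-finance-03": 2_600_000_000, "ws-eng-17": 140_000_000}


def deviation_score(history, value):
    """How many standard deviations `value` sits above the history mean.

    A perfectly flat history has no spread, so any increase is reported as
    infinite and any non-increase as zero.
    """
    mean = fmean(history)
    sd = pstdev(history)
    if sd == 0:
        return float("inf") if value > mean else 0.0
    return (value - mean) / sd


def find_outliers(history_by_host, today_by_host,
                  z_threshold=3.0, min_excess_bytes=500_000_000):
    """Flag hosts whose outbound volume is well above their own baseline.

    The z-score catches deviation from the host's usual pattern; the absolute
    floor (assumed value) keeps very stable hosts from being flagged for
    small, harmless bumps. Returns (host, z-score, excess bytes) tuples.
    """
    alerts = []
    for host, value in today_by_host.items():
        hist = history_by_host.get(host)
        if not hist:
            continue  # no baseline yet, nothing to compare against
        z = deviation_score(hist, value)
        excess = value - fmean(hist)
        if z >= z_threshold and excess >= min_excess_bytes:
            alerts.append((host, round(z, 1), int(excess)))
    return alerts


if __name__ == "__main__":
    for host, z, excess in find_outliers(HISTORY, TODAY):
        print(f"ALERT {host}: {excess / 1e6:.0f} MB above baseline (z={z})")
```

Only ws-finance-03 is reported: its roughly 2.5 GB excess over a baseline near 41 MB per day is many standard deviations out, while ws-eng-17's 140 MB sits inside the spread of its own history. In practice the same shape of check is run per destination or per protocol as well as per host, since exfiltration to a single new destination can hide inside a host's ordinary total.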

About the Author(s)

Marc Laliberte

Senior Security Analyst, WatchGuard Technologies

Marc Laliberte is a senior security analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc's day-to-day responsibilities include researching and reporting on the latest information security threats and trends. He has discovered, analyzed, responsibly disclosed and reported on numerous security vulnerabilities in a variety of IoT devices since joining the WatchGuard team in 2012. With speaking appearances at industry events including RSA and regular contributions to online IT, technology and security publications, Marc is a thought leader who provides insightful security guidance to all levels of IT personnel.
