Attacks/Breaches

9/21/2016 10:00 AM
Marc Laliberte
Commentary

A Twist On The Cyber Kill Chain: Defending Against A JavaScript Malware Attack

This slightly modified model is a practical way to keep attackers out of your systems.

Understanding how malware attacks work is vital to defend against them. To ease this process, threat analysts have developed models that map the stages of cybersecurity attacks, allowing defenders to identify areas where they can break the chain and stop the attack. The Cyber Kill Chain is one of these models, developed by Lockheed Martin.

The steps are:

  1. Reconnaissance: Attackers gather information on their target.
  2. Weaponization: Attackers develop their attack payload.
  3. Delivery: Attackers launch their intrusion.
  4. Exploitation: Attackers compromise their target.
  5. Installation: Attackers gain persistence on their target.
  6. Command and control: Attackers issue commands to their payload.
  7. Actions on objectives: Attackers complete their end goal. 

I prefer a slightly modified version of the Cyber Kill Chain model, removing weaponization and adding a lateral movement step between the command and control and actions on objectives steps. Attackers usually compromise the most vulnerable system first instead of going directly to their end objective. After compromising an easy target behind the network perimeter, attackers will move laterally through the network to their actual objective. Weaponization is a step for the attacker, but not something you can defend against, so I don't include it in the model. Lateral movement, however, can be detected and prevented by internal network segregation firewalls.

Here's a practical example. A popular attack method involves renting ad space on websites and posting tainted ads. These ads include JavaScript code that forces Web browsers to make requests to a malicious server without the victim's knowledge. The malicious server hosts an exploit kit that probes the client for known vulnerabilities and then infects the victim's computer. This type of attack is called a "drive-by attack" or a "drive-by download."

Using my version of the modified Cyber Kill Chain, you can map out the stages of a JavaScript drive-by download attack and identify how to protect yourself.

1. Reconnaissance: Drive-by downloads are meant to infect as many systems as possible. During this step, attackers will attempt to identify frequently visited websites that don't validate ads or are vulnerable to cross-site scripting attacks. If the attackers' goal is to go after you specifically, they'll review your online posts to identify which websites you visit, looking for one that's vulnerable. They also may use a Web exploit kit that automatically probes you to see what browser you use, what plug-ins you're running, and other possible attack vectors. Your best defense is to keep a small digital footprint. The less attackers can find out about you online, the less likely they are to find an attack vector.

2. Delivery: This is where the attacker delivers the malicious payload. In a drive-by download attack, your browser loads the attacker's infected ad. Network-based antivirus protection on your perimeter can often block malicious JavaScript before it reaches the client. To be extra safe, browser plug-ins like NoScript can block JavaScript entirely, although this may break some website functionality.

3. Exploitation: Once attackers have identified a vulnerability in your system, they exploit the weakness and carry out their attack. In our example, your browser has loaded the attackers' exploit kit, which has found a vulnerability in your browser and is about to launch its exploit. Perimeter-based intrusion-prevention systems can help by blocking suspicious traffic that matches known attacks. Keeping your browser and plug-ins up to date also goes a long way by reducing exploitable vulnerabilities.

4. Installation: Exploiting a known browser vulnerability usually allows attackers to download and execute malware on your system. Ransomware is the most popular malware now, but attackers can also install remote-access Trojans or other unwanted applications. Good network and endpoint antivirus software can identify these unwanted downloads and quarantine them before the attackers' exploit can install them. Look for solutions that sandbox-test downloads. Sandboxing allows antivirus software to identify malicious behaviors by running applications in a controlled environment and can often identify unwanted programs when signature-based detection fails.

5. Command and control: Once installed, malware still needs to call back home to the attackers for further instructions. For example, remote-access Trojans open a command and control connection to allow remote access to your system. Ransomware uses command and control connections to download encryption keys before hijacking your files. If you can stop this connection, you can often stop the attack even after your system has been infected. To do this, lock down your outbound network policy to allow only ports and protocols that are absolutely required by your organization. For the ports and protocols that you allow out, use an application gateway firewall to inspect the connections. URL and reputation filtering can prevent connections to known command and control servers, and that's usually just enough to keep the system under your control.

6. Lateral movement: Once attackers have compromised a system, they will try to move on to a bigger target on your internal network. You never want to be in a position where an attacker has a clear shot at your sensitive databases after compromising an unsuspecting employee's workstation. Segregating your more critical resources from systems with direct internet access makes it harder for attackers to pivot behind your primary defenses. Be sure to use access control systems to restrict critical system access to only those that require it.
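The command and control and lateral movement steps above both come down to the same control: a default-deny policy on the firewall, applied to outbound traffic and to traffic between internal segments, plus reputation filtering on the destinations you do allow out. The following is an added example, not code from the article or from any vendor product, that models that policy and runs it over a few constructed firewall log lines. The zone ranges, the allow rules, the blocked-destination list and the log lines are all made up for illustration.

```python
"""
Added example: a toy egress and segmentation policy engine.

Each flow is placed in a source zone and a destination zone; anything not
explicitly allowed is denied (default deny). Flows to the internet that are
allowed by port are then checked against a reputation list of known
command-and-control destinations. Zones, rules, reputation entries and log
lines are constructed placeholders, not real infrastructure.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed internal zones: network -> zone name. Anything else is "internet".
ZONES = {
    ipaddress.ip_network("10.10.0.0/16"): "workstations",
    ipaddress.ip_network("10.20.0.0/24"): "app-servers",
    ipaddress.ip_network("10.30.0.0/24"): "databases",
}

# Constructed allow rules: (src_zone, dst_zone, dst_port). Unlisted = denied.
# Workstations get only web egress and HTTPS to the app tier; only the app
# tier may reach the database segment.
ALLOW_RULES = {
    ("workstations", "internet", 80),
    ("workstations", "internet", 443),
    ("workstations", "app-servers", 443),
    ("app-servers", "databases", 5432),
    ("app-servers", "internet", 443),
}

# Constructed reputation list (placeholder names/addresses, not real IoCs).
BLOCKED_DESTINATIONS = {"c2.example.invalid", "198.51.100.7"}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    host: Optional[str] = None  # hostname from a proxy log, if present


def zone_of(ip: str) -> str:
    """Map an address to its internal zone, or 'internet' if it matches none."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow under the policy above."""
    src_zone = zone_of(flow.src)
    dst_zone = zone_of(flow.dst)
    if (src_zone, dst_zone, flow.dst_port) not in ALLOW_RULES:
        kind = "egress" if dst_zone == "internet" else "lateral-movement"
        return "deny", f"{kind}: {src_zone}->{dst_zone}:{flow.dst_port} not in policy"
    if dst_zone == "internet" and (
        flow.dst in BLOCKED_DESTINATIONS or flow.host in BLOCKED_DESTINATIONS
    ):
        return "deny", "reputation: destination on known C2 list"
    return "allow", f"{src_zone}->{dst_zone}:{flow.dst_port} permitted"


# Constructed log lines: "<src> <dst> <dst_port> [<hostname>]".
SAMPLE_LOG = """\
10.10.4.22 93.184.216.34 443 www.example.com
10.10.4.22 198.51.100.7 443 c2.example.invalid
10.10.4.22 203.0.113.9 4444
10.10.4.22 10.30.0.5 5432
10.20.0.8 10.30.0.5 5432
"""


def parse_log(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        host = parts[3] if len(parts) > 3 else None
        flows.append(Flow(parts[0], parts[1], int(parts[2]), host))
    return flows


def review(text: str) -> list[tuple[Flow, str, str]]:
    """Evaluate every flow in a log and return (flow, verdict, reason) triples."""
    return [(f, *evaluate(f)) for f in parse_log(text)]


if __name__ == "__main__":
    for flow, verdict, reason in review(SAMPLE_LOG):
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dst_port}  {reason}")
```

Run against the sample log, the workstation's ordinary HTTPS request is allowed, its HTTPS callback to the listed C2 host is denied by reputation, its connection to an odd high port is denied as egress outside policy, and its direct attempt at the database segment is denied as lateral movement, while the app server's database connection passes. The order of checks matters: the port policy is cheap and catches the unexpected protocol, and the reputation list only has to cover the destinations you already let out.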

7. Actions on objectives: The attacker's final goal could be anything from extracting a ransom from you in exchange for decrypting your files to exfiltrating customer information out of your network. In the latter example, data-loss prevention solutions can stop exfiltration before the data leaves your network. In other attacks, endpoint agent software can identify activity that deviates from established baselines and notify IT that something is amiss. Your goal is to detect and stop the unwanted behavior and recover from the attack.
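To make the data-loss prevention point concrete, here is an added example, not from the article or any DLP product, of the kind of content check such a solution applies to outbound traffic: it looks for payment card numbers in message bodies and uses the Luhn checksum to discard digit runs that merely look like card numbers. The destinations, the messages and the card numbers (standard test numbers) are all constructed.

```python
"""
Added example: a minimal DLP content check for outbound messages.

A regex finds 13-19 digit runs (optionally separated by spaces or dashes),
and the Luhn checksum filters out runs that are not valid card numbers, which
keeps order references and timestamps from producing false positives.
Messages and destinations are constructed placeholders.
"""
from __future__ import annotations

import re

# 13-19 digits with optional single space/dash separators, not embedded in a
# longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalized (separator-free) card numbers found in text."""
    hits = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first 6 and last 4 digits so an alert never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed outbound messages: (destination, body).
SAMPLE_MESSAGES = [
    ("mail.example.net", "Invoice 20160921 attached, order ref 1234567812345678"),
    ("upload.example.invalid",
     "customer export: 4111-1111-1111-1111, 5500 0000 0000 0004"),
    ("intranet.example.internal", "phone 555-0100 ext 12345"),
]


def scan_outbound(messages: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (destination, masked_pan) for every card number leaving the network."""
    findings = []
    for destination, body in messages:
        for pan in find_card_numbers(body):
            findings.append((destination, mask(pan)))
    return findings


if __name__ == "__main__":
    for destination, masked in scan_outbound(SAMPLE_MESSAGES):
        print(f"BLOCK {destination}: card number {masked} in outbound message")
```

The order reference in the first message is sixteen digits long but fails the Luhn check, so it is not reported; the two test card numbers in the export are reported in masked form, which is what an analyst should see in an alert. Real DLP products add many more detectors (document fingerprints, regulated-data patterns) and act on the flow rather than just reporting, but the check-then-validate structure is the same.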

Not every attack will translate seamlessly into the Cyber Kill Chain model. But by understanding it, you can identify areas of improvement for your network perimeter and harden your defenses against an external attacker.

Marc Laliberte is an information security threat analyst at WatchGuard Technologies. Specializing in network security technologies, Marc's industry experience allows him to conduct meaningful information security research and educate audiences on the latest cybersecurity ...