Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/21/2016
10:00 AM
Marc Laliberte
Marc Laliberte
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

A Twist On The Cyber Kill Chain: Defending Against A JavaScript Malware Attack

This slightly modified model is a practical way to keep attackers out of your systems.

Understanding how malware attacks work is vital to defend against them. To ease this process, threat analysts have developed models that map the stages of cybersecurity attacks, allowing defenders to identify areas where they can break the chain and stop the attack. The Cyber Kill Chain is one of these models, developed by Lockheed Martin.

The steps are:

  1. Reconnaissance: Attackers gather information on their target.
  2. Weaponization: Attackers develop their attack payload.
  3. Delivery: Attackers launch their intrusion.
  4. Exploitation: Attackers compromise their target.
  5. Installation: Attackers gain persistence on their target.
  6. Command and control: Attackers issue commands to their payload.
  7. Actions on objectives: Attackers complete their end goal. 

I prefer a slightly modified version of the Cyber Kill Chain model, removing weaponization and adding a lateral movement step between the command and control and actions on objectives steps. Attackers usually compromise the most vulnerable system first instead of going directly to their end objective. After compromising an easy target behind the network perimeter, attackers will move laterally though the network to their actual objective. Weaponization is a step for the attacker, but not something you can defend against, so I don't include it in the model. Lateral movement, however, can be detected and prevented by internal network segregation firewalls.

Here's a practical example. A popular attack method involves renting ad space on websites and posting tainted ads. These ads include JavaScript code that forces Web browsers to make requests to a malicious server without the victim's knowledge. The malicious server hosts an exploit kit that probes the client for known vulnerabilities and then infects the victim's computer. This type of attack is called a "drive-by attack" or a "drive-by download."

Using my version of the modified Cyber Kill Chain, you can map out the stages of a JavaScript drive-by download attack and identify how to protect yourself.

1. Reconnaissance: Drive-by download are meant to infect as many systems as possible. During this step, attackers will attempt to identify frequently visited websites that don't validate ads or are vulnerable to cross-site scripting attacks. If the attackers' goal is to go after you specifically, they'll review your online posts to identify which websites you visit, looking for one that's vulnerable. They also may use a Web exploit kit that automatically probes you to see what browser you use, what plug-ins you're running, and other possible attack vectors. Your best defense is to keep a small digital footprint. The less attackers can find out about you online, the less likely they are to find an attack vector.

2. Delivery: This is where the attacker delivers the malicious payload. In a drive-by download attack, your browser loads the attacker's infected ad. Network-based antivirus protection on your perimeter can often block malicious JavaScript before it reaches the client. To be extra safe, browser plug-ins like NoScript can block JavaScript in its entirely, although this may break some website functionality.

3. Exploitation: Once attackers have identified a vulnerability in your system, they exploit the weakness and carry out their attack. In our example, your browser has loaded the attackers' exploit kit, which has found a vulnerability in your browser and is about to launch their exploit. Perimeter-based intrusion-prevention systems can help by blocking suspicious traffic that matches known attacks. Keeping your browser and plug-ins up to date also goes a long way by reducing exploitable vulnerabilities.

4. Installation: Exploiting a known browser vulnerability usually allows attackers to download and execute malware on your system. Ransomware is the most popular malware now, but attackers can also install remote-access Trojans or other unwanted applications. Good network and endpoint antivirus software can identify these unwanted downloads and quarantine them before the attackers' exploit can install them. Look for solutions that sandbox test downloads. Sandboxing allows antivirus software to identify malicious behaviors by running applications in a controlled environment and can often identify unwanted programs when signature-based detection fails.

5. Command and control: Once installed, malware still needs to call back home to the attackers for further instructions. For example, remote-access Trojans open a command and control connection to allow remote access to your system. Ransomware uses command and control connections to download encryption keys before hijacking your files. If you can stop this connection, you can often stop the attack even after your system has been infected. To do this, lock down your outbound network policy to allow only ports and protocols that are absolutely required by your organization. For the ports and protocols that you allow out, use an application gateway firewall to inspect the connections. URL and reputation filtering can prevent connections to known command and control servers, and that's usually just enough to keep the system under your control.

6. Lateral movement: Once attackers have compromised a system, they will try to move on to a bigger target on your internal network. You never want to be in a position where an attacker has a clear shot at your sensitive databases after compromising an unsuspecting employee's workstation. Segregating your more critical resources from systems with direct internet access makes it harder for attackers to pivot behind your primary defenses. Be sure to use access control systems to restrict critical system access to only those that require it.

7. Action on objectives: The attacker's final goal could be anything from extracting a ransom from you in exchange for decrypting your files to exfiltrating customer information out of your network. In the latter example, data-loss prevention solutions can stop exfiltration before the data leaves your network. In other attacks, endpoint agent software can identify activity that deviates from established baselines and notify IT that something is amiss. Your goal is to detect and stop the unwanted behavior and recover from the attack.

Not every attack will translate seamlessly into the Cyber Kill Chain model. But by understanding it, you can identify areas of improvement for your network perimeter and harden your defenses against an external attacker.

Related Content:

 



Marc Laliberte is a senior security analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc's day-to-day responsibilities include researching and reporting on the latest information security threats and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13961
PUBLISHED: 2019-07-18
A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php.
CVE-2019-13962
PUBLISHED: 2019-07-18
lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player through 3.0.7 has a heap-based buffer over-read because it does not properly validate the width and height.
CVE-2019-10101
PUBLISHED: 2019-07-18
OECMS v4.3.R60321 and v4.3 later is affected by: Cross Site Request Forgery (CSRF). The impact is: The victim clicks on adding an administrator account. The component is: admincp.php. The attack vector is: network connectivity. The fixed version is: v4.3.
CVE-2019-10102
PUBLISHED: 2019-07-18
MailCleaner before c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9 is affected by: Unauthenticated MySQL database password information disclosure. The impact is: MySQL database content disclosure (e.g. username, password). The component is: The API call in the function allowAction() in NewslettersControlle...
CVE-2019-10102
PUBLISHED: 2019-07-18
Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed sequence of network packets. The component is: detect.c (https://github.com/OISF/suric...