Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/21/2016
10:00 AM
Marc Laliberte
Marc Laliberte
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

A Twist On The Cyber Kill Chain: Defending Against A JavaScript Malware Attack

This slightly modified model is a practical way to keep attackers out of your systems.

Understanding how malware attacks work is vital to defend against them. To ease this process, threat analysts have developed models that map the stages of cybersecurity attacks, allowing defenders to identify areas where they can break the chain and stop the attack. The Cyber Kill Chain is one of these models, developed by Lockheed Martin.

The steps are:

  1. Reconnaissance: Attackers gather information on their target.
  2. Weaponization: Attackers develop their attack payload.
  3. Delivery: Attackers launch their intrusion.
  4. Exploitation: Attackers compromise their target.
  5. Installation: Attackers gain persistence on their target.
  6. Command and control: Attackers issue commands to their payload.
  7. Actions on objectives: Attackers complete their end goal. 

I prefer a slightly modified version of the Cyber Kill Chain model, removing weaponization and adding a lateral movement step between the command and control and actions on objectives steps. Attackers usually compromise the most vulnerable system first instead of going directly to their end objective. After compromising an easy target behind the network perimeter, attackers will move laterally though the network to their actual objective. Weaponization is a step for the attacker, but not something you can defend against, so I don't include it in the model. Lateral movement, however, can be detected and prevented by internal network segregation firewalls.

Here's a practical example. A popular attack method involves renting ad space on websites and posting tainted ads. These ads include JavaScript code that forces Web browsers to make requests to a malicious server without the victim's knowledge. The malicious server hosts an exploit kit that probes the client for known vulnerabilities and then infects the victim's computer. This type of attack is called a "drive-by attack" or a "drive-by download."

Using my version of the modified Cyber Kill Chain, you can map out the stages of a JavaScript drive-by download attack and identify how to protect yourself.

1. Reconnaissance: Drive-by download are meant to infect as many systems as possible. During this step, attackers will attempt to identify frequently visited websites that don't validate ads or are vulnerable to cross-site scripting attacks. If the attackers' goal is to go after you specifically, they'll review your online posts to identify which websites you visit, looking for one that's vulnerable. They also may use a Web exploit kit that automatically probes you to see what browser you use, what plug-ins you're running, and other possible attack vectors. Your best defense is to keep a small digital footprint. The less attackers can find out about you online, the less likely they are to find an attack vector.

2. Delivery: This is where the attacker delivers the malicious payload. In a drive-by download attack, your browser loads the attacker's infected ad. Network-based antivirus protection on your perimeter can often block malicious JavaScript before it reaches the client. To be extra safe, browser plug-ins like NoScript can block JavaScript in its entirely, although this may break some website functionality.

3. Exploitation: Once attackers have identified a vulnerability in your system, they exploit the weakness and carry out their attack. In our example, your browser has loaded the attackers' exploit kit, which has found a vulnerability in your browser and is about to launch their exploit. Perimeter-based intrusion-prevention systems can help by blocking suspicious traffic that matches known attacks. Keeping your browser and plug-ins up to date also goes a long way by reducing exploitable vulnerabilities.

4. Installation: Exploiting a known browser vulnerability usually allows attackers to download and execute malware on your system. Ransomware is the most popular malware now, but attackers can also install remote-access Trojans or other unwanted applications. Good network and endpoint antivirus software can identify these unwanted downloads and quarantine them before the attackers' exploit can install them. Look for solutions that sandbox test downloads. Sandboxing allows antivirus software to identify malicious behaviors by running applications in a controlled environment and can often identify unwanted programs when signature-based detection fails.

5. Command and control: Once installed, malware still needs to call back home to the attackers for further instructions. For example, remote-access Trojans open a command and control connection to allow remote access to your system. Ransomware uses command and control connections to download encryption keys before hijacking your files. If you can stop this connection, you can often stop the attack even after your system has been infected. To do this, lock down your outbound network policy to allow only ports and protocols that are absolutely required by your organization. For the ports and protocols that you allow out, use an application gateway firewall to inspect the connections. URL and reputation filtering can prevent connections to known command and control servers, and that's usually just enough to keep the system under your control.

6. Lateral movement: Once attackers have compromised a system, they will try to move on to a bigger target on your internal network. You never want to be in a position where an attacker has a clear shot at your sensitive databases after compromising an unsuspecting employee's workstation. Segregating your more critical resources from systems with direct internet access makes it harder for attackers to pivot behind your primary defenses. Be sure to use access control systems to restrict critical system access to only those that require it.

7. Action on objectives: The attacker's final goal could be anything from extracting a ransom from you in exchange for decrypting your files to exfiltrating customer information out of your network. In the latter example, data-loss prevention solutions can stop exfiltration before the data leaves your network. In other attacks, endpoint agent software can identify activity that deviates from established baselines and notify IT that something is amiss. Your goal is to detect and stop the unwanted behavior and recover from the attack.

Not every attack will translate seamlessly into the Cyber Kill Chain model. But by understanding it, you can identify areas of improvement for your network perimeter and harden your defenses against an external attacker.

Related Content:

 



Marc Laliberte is a senior security analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc's day-to-day responsibilities include researching and reporting on the latest information security threats and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.