Attacks/Breaches
9/21/2016 10:00 AM
Marc Laliberte
Commentary

A Twist On The Cyber Kill Chain: Defending Against A JavaScript Malware Attack

This slightly modified model is a practical way to keep attackers out of your systems.

Understanding how malware attacks work is vital to defend against them. To ease this process, threat analysts have developed models that map the stages of cybersecurity attacks, allowing defenders to identify areas where they can break the chain and stop the attack. The Cyber Kill Chain is one of these models, developed by Lockheed Martin.

The steps are:

  1. Reconnaissance: Attackers gather information on their target.
  2. Weaponization: Attackers develop their attack payload.
  3. Delivery: Attackers launch their intrusion.
  4. Exploitation: Attackers compromise their target.
  5. Installation: Attackers gain persistence on their target.
  6. Command and control: Attackers issue commands to their payload.
  7. Actions on objectives: Attackers complete their end goal. 

I prefer a slightly modified version of the Cyber Kill Chain model, removing weaponization and adding a lateral movement step between the command and control and actions on objectives steps. Attackers usually compromise the most vulnerable system first instead of going directly to their end objective. After compromising an easy target behind the network perimeter, attackers will move laterally through the network to their actual objective. Weaponization is a step for the attacker, but not something you can defend against, so I don't include it in the model. Lateral movement, however, can be detected and prevented by internal network segregation firewalls.

Here's a practical example. A popular attack method involves renting ad space on websites and posting tainted ads. These ads include JavaScript code that forces Web browsers to make requests to a malicious server without the victim's knowledge. The malicious server hosts an exploit kit that probes the client for known vulnerabilities and then infects the victim's computer. This type of attack is called a "drive-by attack" or a "drive-by download."

Using my version of the modified Cyber Kill Chain, you can map out the stages of a JavaScript drive-by download attack and identify how to protect yourself.

1. Reconnaissance: Drive-by downloads are meant to infect as many systems as possible. During this step, attackers will attempt to identify frequently visited websites that don't validate ads or are vulnerable to cross-site scripting attacks. If the attackers' goal is to go after you specifically, they'll review your online posts to identify which websites you visit, looking for one that's vulnerable. They also may use a Web exploit kit that automatically probes you to see what browser you use, what plug-ins you're running, and other possible attack vectors. Your best defense is to keep a small digital footprint. The less attackers can find out about you online, the less likely they are to find an attack vector.

2. Delivery: This is where the attacker delivers the malicious payload. In a drive-by download attack, your browser loads the attacker's infected ad. Network-based antivirus protection on your perimeter can often block malicious JavaScript before it reaches the client. To be extra safe, browser plug-ins like NoScript can block JavaScript in its entirety, although this may break some website functionality.

3. Exploitation: Once attackers have identified a vulnerability in your system, they exploit the weakness and carry out their attack. In our example, your browser has loaded the attackers' exploit kit, which has found a vulnerability in your browser and is about to launch their exploit. Perimeter-based intrusion-prevention systems can help by blocking suspicious traffic that matches known attacks. Keeping your browser and plug-ins up to date also goes a long way by reducing exploitable vulnerabilities.

4. Installation: Exploiting a known browser vulnerability usually allows attackers to download and execute malware on your system. Ransomware is the most popular malware now, but attackers can also install remote-access Trojans or other unwanted applications. Good network and endpoint antivirus software can identify these unwanted downloads and quarantine them before the attackers' exploit can install them. Look for solutions that sandbox-test downloads. Sandboxing allows antivirus software to identify malicious behaviors by running applications in a controlled environment and can often identify unwanted programs when signature-based detection fails.

5. Command and control: Once installed, malware still needs to call back home to the attackers for further instructions. For example, remote-access Trojans open a command and control connection to allow remote access to your system. Ransomware uses command and control connections to download encryption keys before hijacking your files. If you can stop this connection, you can often stop the attack even after your system has been infected. To do this, lock down your outbound network policy to allow only ports and protocols that are absolutely required by your organization. For the ports and protocols that you allow out, use an application gateway firewall to inspect the connections. URL and reputation filtering can prevent connections to known command and control servers, and that's usually just enough to keep the system under your control.

6. Lateral movement: Once attackers have compromised a system, they will try to move on to a bigger target on your internal network. You never want to be in a position where an attacker has a clear shot at your sensitive databases after compromising an unsuspecting employee's workstation. Segregating your more critical resources from systems with direct internet access makes it harder for attackers to pivot behind your primary defenses. Be sure to use access control systems to restrict critical system access to only those that require it.
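As an added example (not code from the article or from WatchGuard), the two network controls recommended for the command and control and lateral movement stages, an outbound port allowlist with reputation filtering and a zone-segregation rule, modelled as one policy check run over constructed connection records; the zone ranges, jump host, blocklisted domain and log format are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
ZONES = {"workstations": ipaddress.ip_network("10.10.0.0/16"),
         "databases": ipaddress.ip_network("10.50.0.0/24")}  # no direct internet access
ALLOWED_EGRESS_PORTS = {80, 443}            # only the ports the organisation requires
BLOCKED_DOMAINS = {"c2.example-bad.test"}   # constructed reputation blocklist entry
JUMP_HOSTS = {ipaddress.ip_address("10.10.0.5")}  # only sources allowed into databases

@dataclass
class Conn:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    host: str  # SNI/Host name seen by the application gateway, "" if none

def zone_of(ip):
    return next((name for name, net in ZONES.items() if ip in net), "internet")

def evaluate(conn):
    """Policy verdicts for one connection; an empty list means allowed."""
    findings = []
    if zone_of(conn.dst) == "internet":
        # Command-and-control stage: outbound port allowlist plus reputation filter.
        if conn.dport not in ALLOWED_EGRESS_PORTS:
            findings.append(f"egress-port-denied:{conn.dport}")
        if conn.host in BLOCKED_DOMAINS:
            findings.append(f"reputation-blocked:{conn.host}")
    elif zone_of(conn.dst) == "databases" and conn.src not in JUMP_HOSTS:
        # Lateral movement stage: segregation firewall between internal zones.
        findings.append(f"segmentation-denied:{zone_of(conn.src)}->databases")
    return findings

def parse_line(line):
    """Constructed log format: 'src=IP dst=IP dport=N host=NAME'."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Conn(ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                int(kv["dport"]), kv.get("host", ""))

SAMPLE_LOG = [  # constructed connection records
    "src=10.10.3.7 dst=203.0.113.9 dport=443 host=cdn.example.test",
    "src=10.10.3.7 dst=203.0.113.9 dport=4444 host=",
    "src=10.10.3.7 dst=198.51.100.2 dport=443 host=c2.example-bad.test",
    "src=10.10.3.7 dst=10.50.0.10 dport=1433 host=",
    "src=10.10.0.5 dst=10.50.0.10 dport=1433 host=",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(evaluate(parse_line(line)) or "ok", line)
```

Only the first and last records pass: a non-standard port, a reputation hit, and a workstation reaching directly into the database zone each produce a verdict that a segregation or gateway firewall would act on.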

7. Actions on objectives: The attacker's final goal could be anything from extracting a ransom from you in exchange for decrypting your files to exfiltrating customer information out of your network. In the latter example, data-loss prevention solutions can stop exfiltration before the data leaves your network. In other attacks, endpoint agent software can identify activity that deviates from established baselines and notify IT that something is amiss. Your goal is to detect and stop the unwanted behavior and recover from the attack.

Not every attack will translate seamlessly into the Cyber Kill Chain model. But by understanding it, you can identify areas of improvement for your network perimeter and harden your defenses against an external attacker.

Marc Laliberte is a senior security analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc's day-to-day responsibilities include researching and reporting on the latest information security threats and ...