Understanding Cyber Attacks: Technical Aspects of Cyber Kill Chain


Slide 1: Understanding Cyber Attacks: Technical Aspects of Cyber Kill Chain
Tarun Yadav & Rao Arvind Mallari
DRDO, Ministry of Defense, INDIA
Third International Symposium on Security in Computing and Communications (SSCC-2015), 11th August 2015, SCMS Kochi, India

Slide 2: Introduction
- Why Cyber Kill Chain?
- What is the Cyber Kill Chain Model?
- Attacker's View and Actions
- APTs, Cyber Espionage
[Diagram: Attacker -> Attack -> Target System, with the phases Reconnaissance, Weaponize, Delivery, Exploitation, Installation, Command & Control Interaction, Act on Objective]

Slide 3: Reconnaissance
Methodologies:
- Target Identification and Selection
- Target Profiling
- Target Validation
- Network & System Configuration (Active / Passive)
Types:
- Passive Reconnaissance
- Active Reconnaissance

Slide 4: Weaponize
- Software Bugs -> Vulnerabilities -> Exploits
- Exploits for: PDF, DOC, PPT, MP3, Video Player
- Exploit + Payload (RAT)
- RAT: Server / Client; Standalone or Modular
- RAT capabilities: File Download/Upload, Keystroke Capture, Screen/Webcam Capture, Propagation in network
[Diagram: kill chain phases, Weaponize highlighted]

Slide 5: Delivery
- Information from Reconnaissance is used to increase affinity
Delivery Methods:
- Attachments
- Phishing Attacks
- Drive By Downloads
- USB/Removable Media
- DNS Cache Poisoning

Slide 6: Exploitation
Detection mechanisms at this stage:
- Static Detection
- AV Run Time Detection (Heuristic and Behavioral Detection)
- IDS, IPS, Firewall
Precondition to Exploit:
- Target must use Vulnerable Software
- Software should not be Updated
- Software should not be Upgraded
[Diagram: kill chain phases, Exploitation highlighted]

Slide 7: Installation
- Dropper
- Downloader
- Persistent, Stealthy and Non-Attributable Installation
- Anti-Debugger and Anti-Emulation
- Anti-AntiVirus
- Rootkits and Bootkits
- Targeted Delivery
- Host-Based Encrypted Data Exfiltration
Dropper: the payload is already present on the system in some obfuscated form. It is called an Injector if the dropped binary exists only in memory.
Downloader: a 2-stage process with a stub that initially runs at the target. On successful execution, the stub contacts the server, downloads a piece of malware and runs it.

Slide 8: Command & Control / Act on Objective
Command & Control:
- Centralized, Decentralized and Social Network based architectures
- Unobservable Communication Channel: IRC, TCP, HTTP, FTP, TOR etc.
- Avoiding C&C server Detection: DNS Fast Flux, DNS as Medium, Domain Generation Algorithms (DGA)
Act on Objective:
- Targeted Attack: Ex-filtrating secret information, Disruption of critical Infrastructure, State sponsored espionage
- Mass Attack: User Credentials, Financial Frauds, DDoS Attacks, BOTNets
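The slide names DNS fast flux and Domain Generation Algorithms as the two DNS-side tricks attackers use to keep a C&C server from being pinned down. The script below is an added defender-side example, not part of the original slides, showing how a resolver log can be screened for both: DGA-style names are scored on registrable-label length, Shannon entropy, digit ratio and vowel ratio (and a client that produces a burst of NXDOMAIN answers for such names is flagged, since DGA malware typically tries many unregistered candidates before it hits a live one); fast-flux candidates are names that resolve to many distinct addresses with a short TTL. The log format, the sample lines, the thresholds and the registrable-label heuristic (second label from the right, no public-suffix list) are all assumptions made for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of resolver log lines (not from the slides). Assumed format:
# "<time> <client_ip> <qname> <rcode> <ttl> <answer_ip or ->"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR 3600 93.184.216.34
10:00:02 10.0.0.5 mail.example.com NOERROR 3600 93.184.216.35
10:00:03 10.0.0.7 xk3j9qzlw2n8vb.net NXDOMAIN 0 -
10:00:04 10.0.0.7 q7m2zr8wplxc0v.com NXDOMAIN 0 -
10:00:05 10.0.0.7 b9d4kzq1xvl7nwm.org NXDOMAIN 0 -
10:00:06 10.0.0.7 rt5hq8lzxw2pn0kd.info NXDOMAIN 0 -
10:00:07 10.0.0.7 c2updates.example.net NOERROR 60 203.0.113.10
10:00:08 10.0.0.7 c2updates.example.net NOERROR 60 203.0.113.11
10:00:09 10.0.0.7 c2updates.example.net NOERROR 60 198.51.100.7
10:00:10 10.0.0.7 c2updates.example.net NOERROR 60 198.51.100.8
10:00:11 10.0.0.7 c2updates.example.net NOERROR 60 192.0.2.44
10:00:12 10.0.0.9 cdn.example.org NOERROR 300 93.184.216.40
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode, ttl, answer = m.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."),
                        "rcode": rcode, "ttl": int(ttl), "answer": answer})
    return records


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname):
    """Heuristic: the label just left of the TLD (assumption: no public-suffix list)."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(label):
    n = len(label)
    return {"length": n,
            "entropy": shannon_entropy(label),
            "digit_ratio": sum(ch.isdigit() for ch in label) / n,
            "vowel_ratio": sum(ch in "aeiou" for ch in label) / n}


def looks_dga(label):
    """Assumed thresholds: long, high-entropy labels with many digits or few vowels."""
    f = dga_features(label)
    return (f["length"] >= 10 and f["entropy"] >= 3.5
            and (f["digit_ratio"] >= 0.2 or f["vowel_ratio"] <= 0.2))


def analyze(text, nx_burst=3, flux_ips=4, flux_ttl=300):
    """Screen a log for DGA-like lookups, NXDOMAIN bursts and fast-flux candidates."""
    dga_like = []                      # (client, qname) pairs with DGA-like labels
    nx_per_client = defaultdict(int)   # NXDOMAIN answers for DGA-like names, per client
    answers = defaultdict(set)         # distinct A answers per qname
    ttls = defaultdict(list)           # observed TTLs per qname
    for r in parse_log(text):
        if looks_dga(registrable_label(r["qname"])):
            dga_like.append((r["client"], r["qname"]))
            if r["rcode"] == "NXDOMAIN":
                nx_per_client[r["client"]] += 1
        if r["rcode"] == "NOERROR" and r["answer"] != "-":
            answers[r["qname"]].add(r["answer"])
            ttls[r["qname"]].append(r["ttl"])
    bursts = sorted(c for c, n in nx_per_client.items() if n >= nx_burst)
    fast_flux = sorted(q for q, ips in answers.items()
                       if len(ips) >= flux_ips and max(ttls[q]) <= flux_ttl)
    return {"dga_like": dga_like, "nxdomain_burst": bursts, "fast_flux": fast_flux}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Both checks are heuristics and need a baseline before they are useful as alerts: CDNs and large mail providers also answer with many addresses and short TTLs, and some legitimate brands use digit-heavy labels, so in practice the fast-flux rule is combined with an allow-list of known CDN domains and the DGA rule with a check against the organisation's own traffic history.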

Slide 9: Conclusion
- Presented the Attacker's Perspective
- Trends of attackers at each level
- Looking to the future, a defense in depth strategy based on the cyber kill chain is to be envisioned.
[Diagram: kill chain phases: Reconnaissance, Weaponize, Delivery, Exploitation, Installation, Command & Control Interaction, Act on Objective]

Slide 10: Thank You
Doubts or Questions??
Contact: [email protected], [email protected]