CyberOps Course for IT Professionals

The document discusses the Cybersecurity Kill Chain framework developed by Lockheed Martin, which outlines the phases of a cyber attack and strategies for both offensive and defensive security. It highlights the CyberOps Associate course, emphasizing practical exercises and the implementation of a Security Operations Center (SOC) for students. Additionally, it introduces tools like Security Onion for intrusion detection and monitoring, advocating for a layered approach to cybersecurity.

Cybersecurity Kill Chain: Detection & Mitigation
In the mind of an attacker

Gunther Van Landeghem and Liesbeth Kenens
Lecturers Thomas More Geel - IT factory
Passionate about Cybersecurity

“Give Us this Day Our Daily Threads”
Our ‘CyberOps Associate’ course

● We’ve been teaching Cisco CyberOps (CCNA Cybersecurity Operations) before the first release.
● Reviewed the first version of the course.
● Teaching for students, but also for companies, sysadmins and adults.
● Working together with a lot of companies.
● Providing internships on cybersecurity for youngsters.

● CCNA Cybersecurity Operations and CyberOps Associate are cool courses.
● It’s an added value for our cybersecurity bachelor program.
● We’ve enhanced/enriched the course (actually tripled the content) with a lot of practical stuff, both on the offensive and defensive security side.
● Focus on practical implementation of a SOC, Threat hunting and blue and red teaming.

Goal for this afternoon

● Using the Cyber kill chain as a way to look at the content of the CyberOps Associate course.
● Using the Cyber kill chain as an example on how to create practical exercises.
● Give an overview of a SOC and accompanying tools from the CyberOps Associate in one architectural IT-scheme.
● Demo of a CyberOps lab which can be used as an achievable implementation of a SOC for students.

Cyber Kill Chain

● Developed by Lockheed Martin
● Reveals the phases of a cyber attack, identifies what the adversaries must complete in order to achieve their objective
● To identify and prevent cyber intrusions
● Useful in Offensive and Defensive Security

Cyber Kill Chain - Step 1: Reconnaissance

Offensive:
● Harvest email addresses
● Identify employees on social media
● Collect all public relations information
● Discover internet-facing servers
● Conduct scans of the network to identify IP addresses and open ports

Defensive:
● Web log alerts
● Build playbooks for detecting behavior that indicates recon activity
● Prioritize defense around technologies and people that reconnaissance activity is targeting

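One way to turn the "web log alerts" and "playbooks for detecting recon" points into something students can run is a small detector over web server access logs. The script below is an added example, not material from the slides or from the CyberOps course: it parses lines in the common Apache/nginx "combined" format and flags any client that, inside a short sliding window, requests many distinct paths or collects many HTTP 404s, which is what a directory or vulnerability scan looks like from the server side. The log lines, IP addresses and thresholds are constructed for the example.

```python
"""Recon detection over web server access logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 404 169 "-" "scanner/1.0"
198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "GET /phpmyadmin HTTP/1.1" 404 169 "-" "scanner/1.0"
198.51.100.9 - - [10/Mar/2024:10:00:04 +0000] "GET /.env HTTP/1.1" 404 169 "-" "scanner/1.0"
198.51.100.9 - - [10/Mar/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "scanner/1.0"
198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "GET /backup.zip HTTP/1.1" 404 169 "-" "scanner/1.0"
198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "GET /.git/config HTTP/1.1" 404 169 "-" "scanner/1.0"
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET /contact HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Yield dicts with ip, timestamp, path and status for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
        }


def detect_recon(text, window=timedelta(seconds=60), max_paths=5, max_404=4):
    """Return {ip: reason} for clients whose requests inside a sliding window
    look like scanning: too many distinct paths, or too many 404 responses."""
    events = defaultdict(list)
    for e in parse_log(text):
        events[e["ip"]].append(e)
    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start so it spans at most `window` seconds
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            paths = {e["path"] for e in win}
            not_found = sum(1 for e in win if e["status"] == 404)
            if len(paths) >= max_paths:
                findings[ip] = f"{len(paths)} distinct paths in {window.seconds}s"
                break
            if not_found >= max_404:
                findings[ip] = f"{not_found} HTTP 404s in {window.seconds}s"
                break
    return findings


if __name__ == "__main__":
    for ip, why in detect_recon(SAMPLE_LOG).items():
        print(f"ALERT recon suspected from {ip}: {why}")
```

In the sample, 198.51.100.9 is reported after its fourth 404 while 203.0.113.7, which browses three real pages, is left alone; the thresholds are the tunable part of the playbook and should be set from a site's own baseline.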
Cyber Kill Chain - Step 1
CyberOps Demo

● arp, icmp, ipv4, ipv6
● 14.2 Common Network Attacks - Reconnaissance, Access, and Social Engineering
● nmap, Angry IP Scanner

Cyber Kill Chain - Step 2: Weaponization

Offensive:
● Obtain an automated tool to deliver the malware payload (weaponizer).
● Select or create a document to present to the victim.
● Select or create a backdoor and command and control infrastructure

Defensive:
● Ensure that IDS rules and signatures are up to date.
● Conduct full malware analysis.
● Build detections for the behavior of known weaponizers.
● Collect files and metadata for future analysis.
● Determine which weaponizer artifacts are common to which campaigns

Cyber Kill Chain - Step 2
CyberOps Demo

● Logging
● Malware Analysis

Cyber Kill Chain - Step 3: Delivery

Offensive:
● Direct against web servers
● Indirect delivery through:
  ● Malicious email
  ● Malware on USB stick
  ● Social media interactions
  ● Compromised websites

Defensive:
● Analyze the infrastructure path used for delivery
● Understand targeted servers, people, and data available to attack
● Collect email and web logs for forensic reconstruction

Cyber Kill Chain - Step 3
CyberOps Demo

● Network Services
● Network Infrastructure
● Vulnerability Management

Cyber Kill Chain - Step 4: Exploitation

Offensive:
Exploit a vulnerability to gain access:
● Use software, hardware, or human vulnerability
● Acquire or develop the exploit
● Use an adversary-triggered exploit for server vulnerabilities
● Use a victim-triggered exploit such as opening an email attachment or malicious weblink

Defensive:
● Employee security awareness training and periodic email testing
● Web developer training for securing code
● Regular vulnerability scanning and penetration testing
● Endpoint hardening measures
● Endpoint auditing to forensically determine origin of exploit

Cyber Kill Chain - Step 4
CyberOps Demo

● Network security
● Chapter 12
● Firewall
● IDS/IPS
● Endpoint Vulnerability Assessment
● Endpoint Protection

Cyber Kill Chain - Step 5: Installation

Offensive:
Install persistent backdoor:
● Install webshell on web server for persistent access
● Create point of persistence by adding services, AutoRun keys, etc.
● Some adversaries modify the timestamp of the malware to make it appear as part of the operating system.

Defensive:
● HIPS to alert or block on common installation paths
● Determine if malware requires elevated privileges or user privileges
● Endpoint auditing to discover abnormal file creations
● Determine if malware is known threat or new variant

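The slide's last offensive point (backdating the malware's timestamp) and its "endpoint auditing to discover abnormal file creations" defence pair up neatly in an audit check. The script below is an added example, not from the slides or the course: on Linux and other Unix systems the kernel itself sets a file's ctime (inode change time) whenever metadata changes, and the ordinary utime() call used to backdate a file can set mtime but not ctime. A file whose mtime lies well before its ctime has therefore had its modification time rewritten after the fact. The demo builds its own two sample files in a temporary directory (one ordinary, one backdated with os.utime) rather than scanning a real system; the 60-second slack is an assumed tolerance for normal copy and extraction tools that preserve mtime.

```python
"""Timestamp-tampering (backdating) check for endpoint auditing (added example)."""
import os
import tempfile
import time
from datetime import datetime


def backdated_files(root, slack_seconds=60):
    """Walk `root` and return {path: (mtime, ctime)} for files whose mtime is
    more than `slack_seconds` older than their ctime, i.e. whose modification
    time was rewritten after the inode was last changed."""
    suspicious = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; an audit must not abort here
            if (st.st_ctime - st.st_mtime) > slack_seconds:
                suspicious[path] = (st.st_mtime, st.st_ctime)
    return suspicious


def build_demo_tree():
    """Create a temp dir with one ordinary file and one backdated file.
    Returns (root, normal_path, backdated_path). Constructed for the demo."""
    root = tempfile.mkdtemp(prefix="ts-audit-")
    normal = os.path.join(root, "notes.txt")
    backdated = os.path.join(root, "libhelper.so")  # hypothetical implant name
    with open(normal, "w") as f:
        f.write("ordinary file\n")
    with open(backdated, "w") as f:
        f.write("pretend implant\n")
    # Push atime/mtime ten years into the past; ctime stays "now" because the
    # kernel, not the caller, assigns it.
    ten_years_ago = time.time() - 10 * 365 * 24 * 3600
    os.utime(backdated, (ten_years_ago, ten_years_ago))
    return root, normal, backdated


if __name__ == "__main__":
    root, normal, backdated = build_demo_tree()
    for path, (m, c) in backdated_files(root).items():
        print(f"SUSPECT {path}: mtime {datetime.fromtimestamp(m):%Y-%m-%d} "
              f"but ctime {datetime.fromtimestamp(c):%Y-%m-%d}")
```

Only libhelper.so is reported. The same mtime/ctime comparison works as a triage filter over a whole system directory, which is where the "looks like part of the operating system" trick is meant to hide.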
Cyber Kill Chain - Step 5
CyberOps Demo

● IoC (also a separate course)
● OS hardening (also a separate course)
● Chapter 3 and 4
● Windows and Linux
● Monitoring Common Protocols
● HIDS

Cyber Kill Chain - Step 6: Command and Control

Offensive:
Open channel for target manipulation:
● Open two-way communications channel to CNC infrastructure
● Most common CNC channels over web, DNS, and email protocols
● CnC infrastructure may be adversary owned or another victim network itself

Defensive:
● Research possible new CnC infrastructures
● Discover CnC infrastructure through malware analysis
● Isolate DNS traffic to suspect DNS servers, especially Dynamic DNS
● Prevent impact by blocking or disabling CnC channel
● Customize rules for blocking CnC protocols on web proxies

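Two of the defensive points above, isolating DNS traffic to suspect (especially dynamic DNS) servers and spotting a CnC channel, can be exercised on a resolver log. The script below is an added example, not from the slides or the course. It first pulls out queries for names under dynamic-DNS providers, then flags any (client, name) pair that is resolved at near-constant intervals, which is the beaconing pattern of a backdoor polling its CnC server. The log lines, the client addresses and the provider suffix list are constructed for the example; a real deployment would use a curated provider list and its own resolver's log format.

```python
"""CnC detection over DNS query logs: dynamic DNS and beaconing (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed suffix list; real lists from threat-intel feeds are much longer.
DYNAMIC_DNS_SUFFIXES = ("ddns.example", "dyn-host.example", "no-ip.example")

# Constructed resolver log: "<iso timestamp> <client> <queried name>"
SAMPLE_DNS_LOG = """\
2024-03-10T10:00:00 10.0.0.5 www.vendor.example
2024-03-10T10:00:00 10.0.0.8 update.c2box.ddns.example
2024-03-10T10:00:30 10.0.0.8 update.c2box.ddns.example
2024-03-10T10:01:00 10.0.0.8 update.c2box.ddns.example
2024-03-10T10:01:30 10.0.0.8 update.c2box.ddns.example
2024-03-10T10:02:00 10.0.0.8 update.c2box.ddns.example
2024-03-10T10:00:07 10.0.0.5 mail.vendor.example
2024-03-10T10:00:45 10.0.0.5 www.vendor.example
2024-03-10T10:03:12 10.0.0.5 www.vendor.example
"""


def parse_dns_log(text):
    """Yield (timestamp, client, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2].lower().rstrip(".")


def is_dynamic_dns(qname):
    """True if the name is, or is under, one of the listed dynamic-DNS suffixes."""
    return any(qname == s or qname.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def find_dynamic_dns_queries(text):
    """Return the set of (client, qname) pairs that resolve dynamic-DNS names."""
    return {(client, q) for _, client, q in parse_dns_log(text) if is_dynamic_dns(q)}


def find_beacons(text, min_queries=5, max_jitter=0.2):
    """Return {(client, qname): mean_interval_seconds} for pairs queried at least
    `min_queries` times whose gaps are nearly constant (coefficient of variation
    at most `max_jitter`). Genuine browsing produces irregular gaps."""
    times = defaultdict(list)
    for ts, client, q in parse_dns_log(text):
        times[(client, q)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for client, q in sorted(find_dynamic_dns_queries(SAMPLE_DNS_LOG)):
        print(f"DYNAMIC-DNS {client} -> {q}")
    for (client, q), every in find_beacons(SAMPLE_DNS_LOG).items():
        print(f"BEACON {client} -> {q} every {every:.0f}s")
```

Host 10.0.0.8 is reported on both counts (a dynamic-DNS name, queried every 30 seconds), while 10.0.0.5's three irregular lookups of a vendor site pass. Real implants add jitter to their sleep, so the `max_jitter` tolerance and the minimum query count are the knobs to tune against a site's baseline.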
Cyber Kill Chain - Step 6
CyberOps Demo

● A lot of chapters on network protocol security.
● Tunneling CNC traffic over ICMP.

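For the "tunneling CNC traffic over ICMP" demo, the defensive counterpart is recognising the tunnel in captured traffic. The script below is an added example, not from the slides or the course. The idea it demonstrates is that a normal ping tool sends small, fixed payloads (Windows ping sends the 32-byte string "abcdefghijklmnopqrstuvwabcdefghi"; the Linux pattern used here is a simplified, constructed stand-in for a timestamp followed by a fixed byte sequence), whereas a tunnel has to carry data in the payload, so its echo requests are oversized and change from packet to packet. The packet records are constructed tuples rather than a parsed capture; in the lab they would come from a pcap or from Security Onion's full packet capture.

```python
"""ICMP tunnel detection over echo-request records (added example, constructed data)."""
import hashlib
from collections import defaultdict

# Reference payloads. The Windows one is the real ping.exe default; the Linux
# one is a simplified stand-in for this demo, not a byte-exact copy of iputils.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_PATTERN = bytes(range(0x08, 0x38))   # 48 bytes following an 8-byte timestamp


def is_standard_ping_payload(payload):
    """True for payloads that look like an unmodified ping tool's default data."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[8:] == LINUX_PING_PATTERN


def fake_tunnel_chunks(n, size):
    """Deterministic pseudo-random blobs standing in for tunnelled data (constructed)."""
    chunks, state = [], b"demo-seed"
    for _ in range(n):
        buf = b""
        while len(buf) < size:
            state = hashlib.sha256(state).digest()
            buf += state
        chunks.append(buf[:size])
    return chunks


# (src, dst, icmp_type, payload); type 8 = echo request. Constructed records:
# a Windows host pinging the gateway, a Linux host pinging it (timestamp varies
# per packet), and a host pushing 96-byte chunks to an external address.
SAMPLE_PACKETS = (
    [("10.0.0.5", "10.0.0.1", 8, WINDOWS_PING_PAYLOAD)] * 10
    + [("10.0.0.6", "10.0.0.1", 8, i.to_bytes(8, "big") + LINUX_PING_PATTERN) for i in range(10)]
    + [("10.0.0.9", "198.51.100.20", 8, c) for c in fake_tunnel_chunks(12, 96)]
)


def detect_icmp_tunnels(packets, min_packets=8, max_normal_len=64, max_distinct_ratio=0.5):
    """Group echo requests per (src, dst) flow and return {flow: [reasons]} for
    flows carrying oversized payloads or many distinct non-standard payloads."""
    flows = defaultdict(list)
    for src, dst, icmp_type, payload in packets:
        if icmp_type == 8:
            flows[(src, dst)].append(payload)
    findings = {}
    for flow, payloads in flows.items():
        reasons = []
        oversized = sum(1 for p in payloads if len(p) > max_normal_len)
        if oversized:
            reasons.append(f"{oversized} echo requests with payload over {max_normal_len} bytes")
        # Only non-standard payloads count towards variability, so a Linux ping
        # whose timestamp changes every packet is not mistaken for a tunnel.
        custom = [p for p in payloads if not is_standard_ping_payload(p)]
        if len(custom) >= min_packets and len(set(custom)) / len(custom) > max_distinct_ratio:
            reasons.append(f"{len(set(custom))} distinct non-standard payloads in {len(custom)} requests")
        if reasons:
            findings[flow] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst), reasons in detect_icmp_tunnels(SAMPLE_PACKETS).items():
        print(f"ALERT possible ICMP tunnel {src} -> {dst}: " + "; ".join(reasons))
```

Only the 10.0.0.9 flow is reported, on both grounds. A tunnel that deliberately uses small, padded chunks defeats the size test, which is why the payload-variability test and a per-flow packet count are kept alongside it.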
Cyber Kill Chain - Step 7: Actions on Objectives

Offensive:
Reap the rewards of successful attack
● Collect user credentials
● Privilege escalation
● Internal reconnaissance
● Lateral movement through environment
● Collect and exfiltrate data
● Destroy systems
● Overwrite, modify, or corrupt data

Defensive:
Detect by using forensic evidence:
● Establish incident response playbook
● Detect data exfiltration, lateral movement, and unauthorized credential usage
● Immediate analyst response for all alerts
● Forensic analysis of endpoints for rapid triage
● Network packet captures to recreate activity
● Conduct damage assessment

Cyber Kill Chain - Step 7
CyberOps Demo

● Chapter 1 - The danger
● SIEM and log collection
● Evaluating Alerts
● Working with network security data
● Digital Forensics and Incident Analysis and response

Security Operations Center

SOCs provide a broad range of services, from monitoring and management to comprehensive threat solutions and hosted security that can be customized to meet customer needs.

CyberOps example - Security Onion

Cybersecurity is like an Onion: there are many layers and you have to peel each one and make sure there is proper security at every layer.

Security Onion is a free and open source intrusion detection system (IDS), security monitoring, and log management solution. It offers full packet capture, both NIDS and HIDS, but also includes powerful indexing, search, visualization and analysis tools to make sense of those mountains of data.

CyberOps example - Security Onion

“As we’ve come to realize, the idea that security starts and ends with the purchase of a prepackaged firewall is simply misguided.”
