Cyberspace is a battlefield without smoke. In it, any organization or institution is a small and fragile target. The source of a cyber attack cannot be determined in advance, and the time it will be launched cannot be foreseen. Fortunately, the methods attackers use are similar and follow recognizable patterns.
Lockheed Martin’s Cyber Kill Chain model, also known as the “network attack chain” model, describes the seven stages of a complete cyber attack, as shown in the figure below:
Figure 1: “Network attack chain” model
Reconnaissance: Reconnoitre the target, making full use of social engineering to understand the target network.
Weaponization: Build targeted attack tools, such as PDF or Office files carrying malicious code.
Delivery: Deliver the attack tools to the target system. Common methods include email attachments, compromised (trojaned) websites, and USB drives.
Exploitation: Exploit vulnerabilities in the target’s applications or operating system to trigger the attack tools.
Installation: Install remote-control programs (Trojans), allowing the attacker to lurk in the target system for a long time.
Command and Control: Establish a C2 channel to a controller server on the Internet.
Actions on Objectives: Perform the intended actions, such as stealing or tampering with information.
Any network attack can be mapped onto these seven steps. Analysing the attack methods that may be used at each step gives security personnel a protection concept for each link of the chain, helps build a precise and complete network security protection system, and reduces the losses that network attacks cause organizations and institutions.
1. Reconnaissance
In military confrontation, information is the basis of strategic planning and the premise of a successful move. As the saying goes, “Know yourself and know your enemy, and you can win a hundred battles with no danger of defeat”. In the Battle of Guandu, Cao Cao used his information advantage to control the battle, accurately located the weak point of Yuan’s army, launched a surprise attack on the Wuchao granary, and defeated a larger force with a small number of troops. On the network battlefield, the first step of an intrusion is likewise to reconnoitre the target. The attacker collects information about the target from various channels, draws up a profile and information topology of the target, finds its weaknesses and formulates an intrusion strategy.
Examples of common target detection methods are as follows:
Collecting sensitive information exposed on the Internet, such as enterprise structure, employee emails, procurement information and leaked files, through Google hacking or crawler tools;
Collecting target Internet asset information, such as online devices, websites, application systems and the services and components they use, through Rayspace, Shodan, Fofa, ZoomEye and other cyberspace asset search engines;
Querying the target’s WHOIS information, including related domain names, IP addresses and owner information, through webmaster tools such as Aizhan, ThreatBook and similar services;
Collecting status, attribute and relationship information about the target’s cyberspace assets with tools such as Nmap, ping, dnsmap and nslookup;
Collecting source code of the target and its associated systems from GitHub, GitLab, Bitbucket and other source-code hosting platforms;
Using social engineering methods to obtain target information through customer-service calls, staff infiltration, social-engineering database queries, etc.
The methods attackers use to collect target information go far beyond those listed above. Faced with multi-angle, multi-channel information gathering, organizations and institutions can reduce their risk through the following defensive measures:
Do not expose the organization’s sensitive information on public websites; use Internet sensitive-information detection tools to regularly find and deal with organizational information exposed on the Internet, shrinking the information exposure surface;
Configure and harden servers: disable unnecessary ports and services, avoid leaking server details in website error pages, and use baseline-check or vulnerability-scanning tools to periodically evaluate and harden server security;
Deploy security devices such as WAFs, intrusion prevention systems and firewalls at the network border to effectively resist scanners, crawlers and similar probing;
Deploy a honeypot network to confuse attackers’ reconnaissance, actively identify the intruders and trace the source of the attack.
Effective protection at the reconnaissance stage can delay the intrusion, limit the attacker’s means of attack, raise the cost of intrusion and make attackers give up in the face of difficulty.
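As an added example (not from the original article), the kind of check a WAF or log-monitoring rule performs against the scanning described in this stage: it reads web server access logs and flags sources whose request pattern looks like automated probing. The log lines, IP addresses and User-Agent markers are constructed sample data.

```python
# Added example (not from the original article): flag hosts whose requests look
# like automated reconnaissance (path guessing / known scanner tools) in web
# server access logs. SAMPLE_LOG and SCANNER_UA_MARKERS are constructed data.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

SAMPLE_LOG = """\
198.51.100.4 - - [10/Mar/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:00:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:01:00 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
203.0.113.7 - - [10/Mar/2021:10:01:00 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
203.0.113.7 - - [10/Mar/2021:10:01:01 +0000] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
203.0.113.7 - - [10/Mar/2021:10:01:01 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
203.0.113.7 - - [10/Mar/2021:10:01:02 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
203.0.113.7 - - [10/Mar/2021:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
"""

# substrings of User-Agent strings that common scanning tools send by default
SCANNER_UA_MARKERS = ("nmap", "sqlmap", "nikto", "masscan", "zgrab", "python-requests")

def parse(lines):
    """Yield one dict per Combined Log Format line; unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def detect_scanners(log_text, min_requests=5, max_404_ratio=0.5):
    """Return {ip: [reasons]} for sources that look like scanners.

    Two independent signals, either one is enough to flag a source:
      * a known scanner User-Agent substring;
      * at least min_requests requests with a high share of 404s (path guessing).
    """
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "uas": set()})
    for rec in parse(log_text.splitlines()):
        s = per_ip[rec["ip"]]
        s["total"] += 1
        s["not_found"] += int(rec["status"] == "404")
        s["uas"].add((rec["ua"] or "").lower())
    flagged = {}
    for ip, s in per_ip.items():
        reasons = []
        if any(mk in ua for ua in s["uas"] for mk in SCANNER_UA_MARKERS):
            reasons.append("scanner user-agent")
        if s["total"] >= min_requests and s["not_found"] / s["total"] > max_404_ratio:
            reasons.append(f"{s['not_found']}/{s['total']} responses were 404")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

In production the same two signals would be evaluated per time window rather than over the whole file, so that a slow scan spread over days is still caught.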
2. Making tools (Weaponization)
“To do a good job, one must first sharpen one’s tools.” After investigating the target, attackers combine “traditional weapons”, customize “special weapons” and build a targeted “arsenal” according to the characteristics of the target and the purpose of the intrusion. Common “weapons” are as follows:
Attack scripts written with the Metasploit framework;
Exploit tools from public exploit (EXP) libraries;
Bots, Trojans, network worms and other malicious programs;
Phishing websites and weak-password dictionaries built from social-engineering results;
SQLMap, Burp Suite, China Chopper, AntSword, AWVS, Wapiti and other common attack tools.
In a targeted attack, attackers may write intelligent attack scripts, chain toolsets together for automated attacks, produce malware variants using obfuscation, packing and encryption, use AI techniques to bypass dynamic detection, and poison intelligence databases with self-learning attack models. Faced with this variety of attack tools, you can take the following measures to enhance security:
Use vulnerability scanning tools to promptly discover vulnerabilities in systems and applications, and take remediation or protective measures;
Install anti-virus gateways and anti-virus software for targeted protection against virus propagation;
Use site monitoring tools to detect phishing sites that impersonate the organization;
Enable attack-defence policies on products such as the WAF and firewall to block intrusion behaviours such as scanning, injection, denial of service and brute-force cracking.
He who breaks the enemy’s sword takes away his will. Targeted defence against attack tools can effectively suppress intrusions, leaving attackers helpless.
3. Delivery
After creating the “arsenal”, the attacker has to deliver the “weapons”. The story of the Trojan War is classic: Greek spies lured the king of Troy into bringing a huge wooden horse into the city; the Greek soldiers hidden inside it launched a surprise attack and the kingdom of Troy fell in one stroke. This is the origin of the name “Trojan horse”. Similarly, in cyberspace, the most effective way to break into a system is to deliver malicious code to the target system.
Generally, malicious code transmission can be divided into physical transmission and network transmission.

| Transmission mode | Description |
|---|---|
| Physical transmission | Malicious code is transmitted to target hosts through physical media such as USB flash drives, peripherals and hard disks |
| Network transmission | Victims are induced to download malicious files through phishing emails, trojaned websites (drive-by downloads) and instant messaging software |

Table 1 Transmission modes of malicious code
You can take the following measures to prevent the transmission of malicious code:
Install host protection software to detect malicious code arriving from physical media;
Deploy network border protection products to detect and block the transmission of viruses and malicious programs;
Deploy mail security gateway products to identify malicious files and dangerous links in mailboxes and effectively prevent attacks arriving by e-mail;
Raise network security awareness so that users have the basic ability to recognize online fraud.
According to relevant reports, 19.8% of computers around the world encountered at least one malware attack in 2019. In 2020, spam accounted for 50.37 percent of email traffic, 18,445,643 malicious attachments were detected, and anti-phishing software blocked 434,898,635 attempts to visit fraudulent websites. These huge figures show that malicious code is particularly rampant on the network, and that computer users’ security awareness still needs to improve.
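As an added example (not from the original article), a minimal version of the attachment triage a mail security gateway performs on the Office and executable lures mentioned in the Weaponization and Delivery stages. The attachments are constructed in memory; the file names, extension lists and the `vbaProject.bin` check are the only real elements, no malware is involved.

```python
# Added example (not from the original article): mail-gateway style attachment
# triage. SAMPLE_ATTACHMENTS are constructed in memory; the checks themselves are
# the real ones (risky extension, double extension, container/extension mismatch,
# VBA macro part inside an OOXML document, PE header under a harmless-looking name).
import io
import zipfile

RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".ps1", ".jar", ".iso"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm"}
OOXML_EXT = {".docx", ".xlsx", ".pptx"} | MACRO_EXT
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}

def build_ooxml(with_macro: bool) -> bytes:
    """Construct a tiny OOXML-shaped ZIP; real Office files carry vbaProject.bin only when macros exist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()

def triage_attachment(name: str, data: bytes) -> list:
    """Return the findings for one attachment (empty list means nothing suspicious)."""
    findings = []
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXT:
        findings.append(f"executable or script extension {ext}")
    # a double extension such as invoice.pdf.exe hides the real type from users
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXT:
        findings.append("double extension")
    if ext in OOXML_EXT:
        if data[:2] != b"PK":
            findings.append("Office extension but not a ZIP container")
        else:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                # Office honours the macro part even when the file is renamed to .docx
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    findings.append("document contains VBA macros")
    if data[:2] == b"MZ" and ext not in RISKY_EXT:
        findings.append("PE executable header under a non-executable name")
    return findings

# constructed sample mailbox: a clean report, a macro-carrying "invoice" and two disguised executables
SAMPLE_ATTACHMENTS = {
    "quarterly_report.docx": build_ooxml(with_macro=False),
    "invoice_2021.docx": build_ooxml(with_macro=True),
    "scan_0042.pdf.exe": b"MZ" + b"\x00" * 62,
    "photo.jpg.scr": b"MZ" + b"\x00" * 62,
}

def triage_mailbox(attachments=SAMPLE_ATTACHMENTS) -> dict:
    """Map attachment name to its findings, keeping only attachments with at least one finding."""
    return {n: f for n, d in attachments.items() if (f := triage_attachment(n, d))}
```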
4. Exploitation
After the malicious program has been delivered to the target system, the attacker takes advantage of vulnerabilities in the target system or its applications to execute the malicious code it contains. Commonly exploited vulnerabilities include SQL injection, XSS, weak passwords, arbitrary file upload, arbitrary code execution, buffer overflows, etc. In addition, most malicious programs are themselves deceptive and induce users to run them voluntarily, executing the malicious code.
Once malicious programs have reached the host, the following defensive measures apply:
Install anti-virus software to intercept and remove malicious software;
Use sandbox tools to check the safety of unknown files, dynamically analyse file behaviour and identify harmful files in depth;
Deploy security protection products that defend against common vulnerabilities and intercept remote commands that execute malicious code.
If the attack has progressed to the stage of triggering the tools, the attacker has nearly succeeded in intruding into the target system; the system is in jeopardy and may be accessed by the attacker at any time.
5. Installation of Trojan
After obtaining control of the target system, the attacker installs Trojans and implants a backdoor. Backdoor programs are usually well concealed and hard for normal users to discover. Their purpose is to let the attacker retain control of the target system for a long time: even after the vulnerability is fixed, the attacker still has a way to connect to the target system.
A simple backdoor may give access to one or more accounts; a complex backdoor may provide a dedicated covert way to connect to the system. You can take the following measures to detect and guard against backdoor programs:
Monitor system logs, and manage and audit sensitive operations such as registry modification, security configuration changes, account creation, permission table modification and remote-tool installation;
Use vulnerability scanning tools to regularly check whether a backdoor has been implanted in the system, remove any backdoor program promptly and fix the vulnerability it used;
Periodically back up the system state so that it can be restored to normal after an intrusion.
6. Establish Command and Control
Once the backdoor has been implanted, the attacker begins to establish a connection channel between the target system and the control server. Reaching this step means the target system has completely fallen: the attacker has full control, the compromised host has become the attacker’s bot, and the attacker can use it at any time as a stronghold for lateral movement, to expand the attack, or to launch an immediate attack.
Once the attacker has “hands on the keyboard”, the defender has few options left. You can take the following measures to detect and prevent the attack:
Deploy dedicated botnet, Trojan and worm detection products to find zombie hosts and controlled assets in the network, and cut off communication between compromised hosts and the botnet;
Deploy unauthorized outbound-connection detection products at the network boundary to identify abnormal communication and block unauthorized connections in time;
For critical systems, adopt a whitelist mechanism for access control.
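As an added example (not from the original article), two of the outbound-traffic checks from the list above run over constructed connection records: a beaconing test, which looks for a host contacting one destination at nearly fixed intervals the way a C2 implant checks in, and a whitelist test for critical hosts. The host names, addresses and the `CRITICAL_ALLOW` list are constructed sample data.

```python
# Added example (not from the original article): C2 detection over outbound flow
# records. FLOWS and CRITICAL_ALLOW are constructed sample data.
import statistics
from collections import defaultdict

# constructed flow records: (epoch seconds, source host, destination, destination port)
FLOWS = [
    (1000, "workstation-12", "203.0.113.50", 443), (1060, "workstation-12", "203.0.113.50", 443),
    (1121, "workstation-12", "203.0.113.50", 443), (1180, "workstation-12", "203.0.113.50", 443),
    (1239, "workstation-12", "203.0.113.50", 443), (1300, "workstation-12", "203.0.113.50", 443),
    (1005, "workstation-12", "198.51.100.20", 443), (1320, "workstation-12", "198.51.100.20", 443),
    (1700, "workstation-12", "198.51.100.20", 443),
    (1010, "db-server-01", "10.0.0.5", 1433), (1400, "db-server-01", "10.0.0.5", 1433),
    (1450, "db-server-01", "192.0.2.99", 8080),
]

# constructed whitelist: critical hosts and the only destinations they are allowed to reach
CRITICAL_ALLOW = {"db-server-01": {"10.0.0.5"}}

def beacon_candidates(flows, min_conns=5, max_cv=0.1):
    """Return {(src, dst): mean_gap_seconds} for pairs whose connection gaps are very regular.

    cv = population stdev / mean of the gaps. Human-driven traffic is bursty (high cv);
    implant check-ins tend to be periodic (low cv even with a little jitter).
    """
    times = defaultdict(list)
    for ts, src, dst, _port in flows:
        times[(src, dst)].append(ts)
    found = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_conns:          # too few connections to judge periodicity
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            found[pair] = mean
    return found

def allowlist_violations(flows, allow=CRITICAL_ALLOW):
    """Return sorted (src, dst, port) triples where a critical host reached an unlisted destination."""
    bad = {(src, dst, port) for _ts, src, dst, port in flows
           if src in allow and dst not in allow[src]}
    return sorted(bad)
```

A real deployment would feed firewall or NetFlow exports into these functions and tune `max_cv` per network, since some legitimate software (update checks, monitoring agents) also polls on a fixed schedule and belongs on the whitelist rather than in the alerts.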
7. Execute Actions on Objectives
After the first six stages, attackers can, according to their commercial or political intentions, begin to interfere with the confidentiality, integrity and availability of the target system, stealing, destroying or encrypting information, or use the compromised host as a springboard to invade other systems on the network.
At this point the victim’s loss is inevitable, but organizations and institutions can still take preventive measures in advance, launch emergency response promptly when the attack comes, effectively limit the affected area, weaken the attack’s intensity and reduce the loss:
Apply hierarchical, domain-based security management to information systems, with proper security isolation between network domains and access control between levels, to prevent attacks from spreading;
Establish a sound data security management system, deploy data leakage prevention products, strictly control data access rights and prevent data theft;
Establish a sound network security emergency response mechanism so that, for sudden security incidents, threats can be quickly located, attacks mitigated and eradicated, and services promptly restored;
Have a disaster recovery plan for critical services so that they can recover from irreversible damage.
Conclusion
With the rapid development of information technology, innovative technologies and emerging industries are rapidly integrating into the information age, but this also increases the vulnerability of cyberspace and gives hackers more means of attack, leaving traditional security protection thinking somewhat at a loss.
Automated attack and defence based on artificial intelligence (AI) and machine learning (ML) will become the mainstream form of network security confrontation, and the gradual adoption of extended detection and response (XDR) and threat intelligence (TI) technologies provides powerful help for accurate detection and rapid response. The practical application of Cyber Asset Attack Surface Management (CAASM) and Breach and Attack Simulation (BAS) also provides more ideas for enterprise security operations. In-depth study of industry application scenarios and exploration of innovative network security technologies are effective ways to improve the security capability of cyberspace.