Many of todays attacks can be explained from understanding privilege escalation and the cyber kill chain.
Derived from a military model, the Cyber Kill Chain was first developed by Lockheed Martin to respond to various cyber threats. Made of eight phases, the cyber kill chain is triggered by any common attack vector, such as phishing or malware. Since it was first introduced to the cybersecurity community, the cyber kill chain has evolved to better anticipate and recognize threats.
With each step in the cyber kill chain, the goal is to understand the steps a hacker may take to execute a cyber attack.
As a threat passes down the cyber kill chain, each phase poses an opportunity to stop the threat in its tracks. The cyber kill chain begins with reconnaissance, intrusion, exploitation, privilege escalation, lateral movement, anti-forensics, denial of service, and lastly, exfiltration. The goal is to identify and eliminate threats as early as possible in the chain, preventing disastrous effects.
In this initial phase of a cyber attack, hackers are in search of information they can use to execute their plans. To prevent this, reconnaissance tools scan for vulnerabilities that hackers may use as a point of entry. However, hackers may also search for information in places such as LinkedIn or even be bold enough to call their target asking for more information. Employees should be aware and be cautious when sharing information.
Once the hacker has identified their route of entry, they can begin to launch their attack. Commonly, malware is used and distributed to targets via phishing campaigns, compromised websites, or unsecured wireless networks. In this step, employees can be trained to avoid downloading attachments from unknown sources, following questionable links, and using only secured internet sources.
If the threat can successfully breach the network, hackers can launch the next phase of an attack. Once in, hackers can install additional tools or modify certificates needed to continue with their attack.
Typically through either brute force attacks or using password vulnerabilities, hackers can work their way into accounts with greater access privileges than when they initially got into the system. Through privilege escalation, hackers may be able to access secure data or administrative rights and inflict maximum damage. Image #2: YouAttest detects privilege creep by alerting on security events, including security group privilege changes – allowing reviewers to certify, delegate or revoke. Youattest helps with identifying privilege creeps and provides an insight into who should be alerted of privilege escalation to mitigate risks.
Hackers will also move laterally between systems, another form of privilege escalation. This gives the hacker greater access and range to move throughout the organization, again to access sensitive data and greater access rights.
To hide their actions and avoid detection, hackers employ anti-forensic practices. This may include wiping files modifying information so it appears to have never been touched.
Denial of Service
To prevent authorized users from accessing the resources they need, hackers will launch a denial of service attack. This type of attack may crash systems and suspend access.
Once the hacker is in, their goal will be to get the sensitive information back out. They may ransom it or sell it to the highest bidder. No matter what they do, once they can get it out the data will be out of the control of the organization. Preventing this is one of the prime goals of cybersecurity.
Through understanding the Cyber Kill Chain, organizations can understand how hackers carry out a cyber attack. Vulnerabilities at these points should be eliminated to stop hackers in their tracks before they can cause serious damage.
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. YouAttest demonstrated how YouAttest can address privilege escalation via escalation triggers and workflow request and approvals as detail in the YouAttest next webinar: “YouAttest and Access Approval”. Or register at Oktane21 and see us there.