How can SOC analysts use the cyber kill chain?

Read Time:6 Minute, 47 Second

This blog was written by an independent guest blogger.

Security Operation Centers (SOCs) offer a robust method of ensuring cybersecurity and safety within an organization. Their demand has continued to grow, specifically with a significant rise in cyber-attacks amidst a looming cybersecurity skills gap. However, despite a typical SOC analyst’s immense training and knowledge, mitigating the increase in cyber-attacks is no easy job. Compared to 2020, cybercrime has risen by 50% in 2021, which ultimately demands the use of robust security models such as the Cyber Kill Chain Model, which can help attain strong cybersecurity for organizations.

Developed in 2011, the Cyber Kill Model is a widely accepted security model that helps SOC analysts and security practitioners attain security from several cyber-attacks. However, despite its usefulness, the model is yet to achieve the proper recognition it deserves.

What is a cyber kill chain?

The cyber kill chain model is a cyber security attack framework that helps explain how a specific cyber-attack is executed. In theory, the framework helps break down the steps taken by threat actors while conducting a successful cyber-attack. According to the model, there are seven stages of a cyber-attack that are:

Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and control (C2)
Actions on objectives

The cyber kill chain model essentially debunks the traditional castle and moat method of attaining cyber security for organizations. Instead, the model helps identify, analyze and prevent cyber-attacks altogether.

Developed as part of the Intelligence Driven Defense model for identifying and preventing cyber-attacks and data exfiltration, the model is widely accepted and used by various security practitioners. It is recognized as one of the most informative methods for understanding cyber-attacks and places emphasis on both the technology-driven and the social engineering-driven aspects of an attack. A proper understanding of the model can help prevent various attacks such as data breaches, privilege escalation, phishing, malware, ransomware, social engineering, and many more.

How do SOC analysts use the cyber kill chain?

SOC systems are built within organizations to monitor, detect, investigate, and respond to various cyber-attacks. The teams are charged with protecting sensitive data and the organization’s assets, such as personal data, business systems, brand integrity, and intellectual property. Amidst this, the cyber kill chain model can effectively help them identify and mitigate a myriad of cyber-attacks.

The seven stages of the cyber kill model demonstrate a specific goal along with a threat actor’s path. SOC teams can therefore use the Cyber Kill Chain model to understand these attacks and implement security controls to prevent and detect the cyber-attacks before it thoroughly infiltrates the organization’s network in the following method:

1. Reconnaissance

This is the first stage of the cyber kill chain and involves the threat actor researching the potential target before the actual attack. Since the threat actor is on the hunt for vulnerabilities within the organization’s cybersecurity posture, SOC analysts can ensure security through various means.

They can use threat intelligence and network Intrusion Detection System (IDS) to mitigate the attack. Moreover, to minimize the chances of an attack, SOC analysts can also maintain an information-sharing policy and access control and implement security tools such as VPNs or Firewalls.

2. Weaponization

The second stage of the cyber kill chain explains a cyber attack’s preparation and staging phase. The threat actor has not yet interacted with the target. Instead, the attack is under preparation, typically featuring coupling a malicious file or software with an automated exploit called a weaponizer, such as a phishing email.

At this stage, SOC analysts can detect an attack using endpoint malware protection, including proxy filtering, application whitelisting, installing an app-aware firewall, and much more. SOC analysts also deny the attack using a Network Intrusion Prevention System (IPS).

3. Delivery

This is one of the most crucial steps of the cyber kill chain model. This step refers to a threat actor’s tools and techniques to infiltrate a target’s network. Delivery often contains phishing emails with malicious files and prompts that entice the users to open them and install the malware accidentally. The delivery also refers to a hack attack on the software or hardware within an organization.

SOC analysts can use the cyber kill chain model to protect from attacks in various ways. For starters, they can ensure endpoint security by having robust antimalware software within the system. Apart from that, they can also use anti-phishing software that can help users recognize and mitigate these prompts. Another method to ensure security and safety is by deploying the zero-trust security module and using secure firewalls to mitigate hack attacks.

4. Exploitation

This stage of the cyber kill chain model refers to the actual occurrence of the attack. It usually targets an application or operation system vulnerability. At this point, analysts assume that the malicious payload has been successfully delivered to the victim, and the exploitation will trigger the intruder’s code.

With the attack at this stage, SOC analysts can still ensure security by using endpoint malware protection and a host-based Intrusion Detection System (IDS). Moreover, it is also possible to completely mitigate the attack by using patch management and enabling safe password practices. Suppose the SOC team has encountered the attack when it has already compromised a particular area within the network. In that case, analysts can work to contain it through app-aware firewalls and inter-zone Network Intrusion Detection System.

5. Installation

The installation phase refers to an actual exploit occurring within the target system. In such a situation, the explicit often look for more vulnerabilities to exploit. It may also use privilege escalation to gain additional access to the system and install a backdoor or remote access trojan, which can be used to gain persistence within the system.

To detect the attack at this stage, SOC analysts deploy the use of Security Information and Event Management (SIEM) and a Host-Based Intrusion Detection System (HIDS) to detect attacks. If the attack exploits critical IT infrastructures, SOC teams can contain it by employing Inter-Zone Network Detection System, trust zones, and an App-aware firewall. Additionally, to protect organizations from attack, Cyber Kill Model recommends using strong passwords, multi-factor authentication for endpoints, and privilege separation practices.

6. Command and Control (C2)

This stage of the Cyber Kill Chain Model referred to a server controlled by threat actors and used to send commands to the exploited system or receive stolen data. So far, the activities of these C2 servers have been evident in cloud-based services often used for file-sharing or in webmail. These C2 servers avoid detection by blending in with regular traffic.

When at this stage, SOC analysts can detect and disrupt the attack by utilizing the Host-based Intrusion Detection System (HIDS). SOC analysts can also rely on Network Intrusion Detection System (NIDS) for detection. The Cyber Kill Chain also helps deny the C2 server attack by using network segmentation, Access control lists (ACLs), and firewalls. Additionally, the attack can be degraded through the Trapit scheme and further contained using trust zones and domain name system sinkholes. 

7. Actions on objectives

The final stage of the cyber kill chain model refers to the part of the attack where the threat actor works on its main objectives. It could be distributing malware conducting a Denial of Service (DDoS) Attack, or deploying ransomware as a cyber extortion tool.

At this stage, SOC analysts can utilize endpoint malware protection and data-at-rest encryption to mitigate the attack. SOC analysts can also use the cyber kill chain model to develop a robust incidence response plan and save the organization from significant damages.

Final words

The cyber threat landscape is continuously evolving, and every day new attack vectors are coming up that threat actors use to wreak significant damage. Amidst this, security models such as the cyber kill chain can significantly reduce the load on SOC teams and ensure an organization’s robust cybersecurity infrastructure. As cyber-attacks continue to prevail, the cyber kill chain model offers a powerful method of providing security for many cyber-attacks.

Read More

5 things security pros want from XDR platforms

Read Time:19 Second

According to new research from ESG and the Information Systems Security Association (ISSA) 58% of organizations are consolidating or considering consolidating the number of security vendors they do business with. It’s simply too hard to manage an army of disconnected security point tools, each requiring its own training, implementation, administration, and ongoing support.

To read this article in full, please click here

Read More

xen-4.15.3-2.fc35

Read Time:30 Second

FEDORA-2022-2c9f8224f8

Packages in this update:

xen-4.15.3-2.fc35

Update description:

Linux disk/nic frontends data leaks [XSA-403, CVE-2022-26365,
CVE-2022-33740, CVE-2022-33741, CVE-2022-33742] (#2104747)

update to xen-4.15.3
x86: MMIO Stale Data vulnerabilities (not applied in 4.15.2-5)

x86: MMIO Stale Data vulnerabilities [XSA-404, CVE-2022-21123,
CVE-2022-21125, CVE-2022-21166]

x86 pv: Race condition in typeref acquisition [XSA-401, CVE-2022-26362]
x86 pv: Insufficient care with non-coherent mappings [ XSA-402,
CVE-2022-26363, CVE-2022-26364]

Read More

USN-5505-1: Linux kernel vulnerabilities

Read Time:3 Minute, 55 Second

Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)

Likang Luo discovered that a race condition existed in the Bluetooth
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2021-3752)

It was discovered that the NFC subsystem in the Linux kernel contained a
use-after-free vulnerability in its NFC Controller Interface (NCI)
implementation. A local attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code. (CVE-2021-3760)

Szymon Heidrich discovered that the USB Gadget subsystem in the Linux
kernel did not properly restrict the size of control requests for certain
gadget types, leading to possible out of bounds reads or writes. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2021-39685)

It was discovered that the Ion Memory Manager subsystem in the Linux kernel
contained a use-after-free vulnerability. A local attacker could possibly
use this to cause a denial of service (system crash) or execute arbitrary
code. (CVE-2021-39714)

Eric Biederman discovered that the cgroup process migration implementation
in the Linux kernel did not perform permission checks correctly in some
situations. A local attacker could possibly use this to gain administrative
privileges. (CVE-2021-4197)

Lin Ma discovered that the NFC Controller Interface (NCI) implementation in
the Linux kernel contained a race condition, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2021-4202)

Sushma Venkatesh Reddy discovered that the Intel i915 graphics driver in
the Linux kernel did not perform a GPU TLB flush in some situations. A
local attacker could use this to cause a denial of service or possibly
execute arbitrary code. (CVE-2022-0330)

It was discovered that the PF_KEYv2 implementation in the Linux kernel did
not properly initialize kernel memory in some situations. A local attacker
could use this to expose sensitive information (kernel memory).
(CVE-2022-1353)

It was discovered that the virtual graphics memory manager implementation
in the Linux kernel was subject to a race condition, potentially leading to
an information leak. (CVE-2022-1419)

Minh Yuan discovered that the floppy disk driver in the Linux kernel
contained a race condition, leading to a use-after-free vulnerability. A
local attacker could possibly use this to cause a denial of service (system
crash) or execute arbitrary code. (CVE-2022-1652)

It was discovered that the Atheros ath9k wireless device driver in the
Linux kernel did not properly handle some error conditions, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-1679)

It was discovered that the Marvell NFC device driver implementation in the
Linux kernel did not properly perform memory cleanup operations in some
situations, leading to a use-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system) or execute
arbitrary code. (CVE-2022-1734)

It was discovered that some Intel processors did not completely perform
cleanup actions on multi-core shared buffers. A local attacker could
possibly use this to expose sensitive information. (CVE-2022-21123)

It was discovered that some Intel processors did not completely perform
cleanup actions on microarchitectural fill buffers. A local attacker could
possibly use this to expose sensitive information. (CVE-2022-21125)

It was discovered that some Intel processors did not properly perform
cleanup during specific special register write operations. A local attacker
could possibly use this to expose sensitive information. (CVE-2022-21166)

It was discovered that the USB Gadget file system interface in the Linux
kernel contained a use-after-free vulnerability. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2022-24958)

赵子轩 discovered that the 802.2 LLC type 2 driver in the Linux kernel did not
properly perform reference counting in some error conditions. A local
attacker could use this to cause a denial of service. (CVE-2022-28356)

It was discovered that the 8 Devices USB2CAN interface implementation in
the Linux kernel did not properly handle certain error conditions, leading
to a double-free. A local attacker could possibly use this to cause a
denial of service (system crash). (CVE-2022-28388)

Read More

Ransom Lockbit 3.0 / Code Execution

Read Time:18 Second

Posted by malvuln on Jul 06

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/38745539b71cf201bb502437f891d799_B.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Ransom Lockbit 3.0
Vulnerability: Code Execution
Description: The ransomware apparently now requires a password to execute
as noted by “@vxunderground” E.g. “-pass db66023ab2abcb9957fb01ed50cdfa6a”.
Lockbit looks…

Read More

Ransom Lockbit 3.0 / Local Unicode Buffer Overflow (SEH)

Read Time:18 Second

Posted by malvuln on Jul 06

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/38745539b71cf201bb502437f891d799.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Ransom Lockbit 3.0
Vulnerability: Local Unicode Buffer Overflow (SEH)
Description: The ransomware apparently now requires a password to execute
as noted by “@vxunderground” E.g. “-pass…

Read More

EQS Integrity Line: Multiple Vulnerabilities

Read Time:24 Second

Posted by Giovanni Pellerano on Jul 06

EQS Integrity Line: Multiple Vulnerabilities

Name Multiple Vulnerabilities in EQS Integrity Line
Systems Affected EQS Integrity Line through 2022-07-01
Severity High
Impact (CVSSv2) High 8.8/10, score: (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vendor EQS Group AG (https://www.eqs.com/)
Advisory
http://www.ush.it/team/ush/advisory-eqs-integrity-line/eqs_integrity_line.txt
Authors Giovanni…

Read More

CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used

Read Time:25 Second

Posted by Aki Tuomi via Fulldisclosure on Jul 06

Affected product: Dovecot IMAP Server
Internal reference: DOV-5320
Vulnerability type: Improper Access Control (CWE-284)
Vulnerable version: 2.2
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed in main
Researcher credits: Julian Brook (julezman)
Vendor notification: 2022-05-06
CVE reference: CVE-2022-30550
CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

Vulnerability Details:
When two passdb…

Read More