Stage 1 - Reconnaissance - Gathering information about targets
Description:- The intruder selects the target, researches it, and attempts to identify vulnerabilities in the target network.
Key Methods:-
- Passive: Website analysis, WHOIS lookup, job listings
- Active: Port scanning, vulnerability scanning, banner grabbing
Defense Strategies:-
- Limit public information
- Disable unused ports/services
- Use honeypots and firewalls
- Modify server error messages
- Implement web analytics
- Utilize threat intelligence
- Deploy Network Intrusion Detection Systems (NIDS)
- Enforce strict information sharing policies
Stage 2 - Weaponization - Selecting tools to exploit weaknesses
Description:- The intruder creates remote access malware weapons, such as a virus or worm, tailored to one or more vulnerabilities.
Key Methods:-
- Cain and Abel
- SQLMap
- Aircrack
- Metasploit
- Veil Framework
- Social Engineering Toolkit
- Burp Suite
- FatRat
Defense Strategies:-
- Patch management
- Disable risky features (macros, plugins)
- Implement basic security measures (AV, IPS, email security, audit logging)
- Use Network Intrusion Prevention Systems (NIPS)
- Employ threat intelligence for early detection
- Implement application whitelisting
Stage 3 - Delivery
Key Methods:-
- Websites
- Phishing emails
- Social media campaigns
- USB devices
Defense Strategies:-
- Web and DNS filtering
- Phishing awareness training
- Email security measures (SPF, DKIM, DMARC)
- Disable/block USB ports
- Implement content filtering
- Use sandboxing for email attachments
- Deploy anti-malware solutions
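A small checker for the SPF and DMARC records named above under email security measures, added here as an example and not taken from the original page. It flags the weak settings a defender would look for (an open "+all" SPF, a monitor-only "p=none" DMARC policy, partial "pct" enforcement, too many DNS lookups) and is run over constructed record strings rather than live DNS answers.

```python
# Added example: flags weak SPF and DMARC settings, the "Email security
# measures (SPF, DKIM, DMARC)" defense for Stage 3. Record strings are
# constructed samples, not live DNS answers.
import re

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")

def check_spf(record: str) -> dict:
    """Return {'valid': bool, 'findings': [...]} for an SPF TXT record."""
    if not record.startswith("v=spf1"):
        return {"valid": False, "findings": ["missing v=spf1 prefix"]}
    terms, findings = record.split()[1:], []
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("+all", "all"):
        findings.append("'+all' authorizes every host to send as this domain")
    elif all_term == "?all":
        findings.append("'?all' is neutral: receivers will not reject spoofed mail")
    elif all_term == "~all":
        findings.append("'~all' softfails only: enforcement depends on DMARC")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return {"valid": True, "findings": findings}

def check_dmarc(record: str) -> dict:
    """Return {'valid': bool, 'policy': str|None, 'findings': [...]} for a DMARC record."""
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"valid": False, "policy": None, "findings": ["v=DMARC1 and p= are required"]}
    policy, findings = tags["p"], []
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports look clean")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return {"valid": True, "policy": policy, "findings": findings}

if __name__ == "__main__":  # constructed weak records beside hardened ones
    for rec in ("v=spf1 include:_spf.example.net +all", "v=spf1 include:_spf.example.net -all"):
        print(rec, "->", check_spf(rec)["findings"])
    for rec in ("v=DMARC1; p=none; pct=50", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(rec, "->", check_dmarc(rec)["findings"])
```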
Stage 4 - Exploitation - Executing the attack
Description:- The malware weapon's program code triggers and takes action on the target network to exploit a vulnerability.
Key Methods:-
- SQL injection
- Buffer overflow
- Malware deployment
- Dropper installation
- Downloader installation
Defense Strategies:-
- Data Execution Prevention
- Anti-exploit tools
- Sandbox environments
- Implement input validation
- Use Web Application Firewalls (WAF)
- Employ runtime application self-protection (RASP)
- Regularly conduct vulnerability assessments
Stage 5 - Installation - Injecting payload for better access
Description:- The malware weapon installs an access point (e.g., a "backdoor") usable by the intruder.
Key Methods:-
- DLL hijacking
- Meterpreter
- Registry changes
- PowerShell commands
- Web shell installation
- Backdoor implants
Defense Strategies:-
- Restrict system access (chroot jail, disable PowerShell)
- Use endpoint detection and response (EDR)
- Follow incident response procedures
- Restore or reimage affected systems
- Implement application control
- Use file integrity monitoring
- Deploy privileged access management (PAM) solutions
Stage 6 - Command and Control - Establishing remote control
Description:- The malware enables the intruder to have "hands on the keyboard" persistent access to the target network.
Key Methods:-
- Creating persistent access to target network
- Setting up command and control channels
Defense Strategies:-
- Monitor for indicators of compromise
- Use application control
- Implement network segmentation
- Deploy Next-Generation Firewalls (NGFW) for C&C blocking
- Utilize DNS sinkholes
- Implement traffic analysis tools
- Use deception technology (honeypots, honeynets)
Stage 7 - Actions on Objectives
Description:- The intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.
Key Methods:-
- Data exfiltration
- Lateral movement
- Data manipulation
- System/service disruption
Defense Strategies:-
- Data Leakage Prevention
- User Behavior Analysis
- Network segmentation
- Implement data encryption
- Use multi-factor authentication (MFA)
- Deploy Security Information and Event Management (SIEM) systems
- Conduct regular security audits and penetration testing