Phishing Kill Chain Analysis

In the current landscape of cyberattacks, identity systems have emerged as the primary attack target. Cybercriminals compromise legitimate credentials, using them to evade detection and perform malicious actions.

To protect your identity system, it's important to understand how attacks are carried out. Applying the Lockheed Martin Cyber Kill Chain as a framework, we'll identify the stages of a typical phishing attack that lead to credential theft through session hijacking.

Lockheed Martin Cyber Kill Chain

Reconnaissance

In this initial stage, the adversary gathers information about a target organization, its internal systems, and potential security vulnerabilities.

Attackers will identify individuals with privileged access, such as system administrators and C-suite members.

Example scenario

An adversary identifies that an e-commerce company is utilizing a specific banking app, which is accessible through the company's SSO system. Authenticating into the SSO requires a password and push notification through the a mobile app. The adversary spots that the SSO authentication lacks phish-resistance.

With a plan to exploit this vulnerability for financial gain, the adversary begins collecting email addresses of key personnel - notably those in the finance department, the CFO, and IT members with administrative access to the SSO.

How do you break the kill chain at this step?

Collect website visitor logs to determine access from known malicious IPs and build detections for unique browsing behaviors designed to identity browsing behavior characteristics of reconnaissance. Prioritize defenses around particular technologies based on recon activity.

Check out how Beyond Identity can directly break the kill chain at the Reconnaissance step below.

Weaponization

At this stage, the adversary prepares the tools and payloads needed to exploit an identified vulnerability, typically using phishing tactics.

The adversary crafts convincing email and other messages designed to lure the victim into taking action, such as clicking on a malicious link or attachment.

Example scenario

Having identified the vulnerability in the SSO system, the adversary creates a fake SSO phishing page. This page will capture not only passwords, but also session cookies upon authentication.

The adversary also prepares a script that will alert and enable them to impersonate the victim as soon as the session cookie is captured, bypassing authentication.

How do you break the kill chain at this step?

While we are unable to detect weaponization as it occurs, we can make inferences by analyzing malware artifacts. Detecting weaponizer artifacts (phishing kits, malware kits) often leads to the establishment of the most robust and enduring defense mechanisms.

Delivery

At this stage, the adversary launches their phishing operation. They begin dispersing crafted phishing emails and messages to the targeted individuals within the organization.

The emails and messages may appear to come from a trustworthy sources and typically contain a prompt to click on a malicious link or attachment.

Example scenario

With the targets identified, the adversary crafts and delivers the following phishing messages:

1. An email masquerading as a security alert, urging the target to "reset their compromised account password".
2. A text message, seemingly from the CEO, directed at the finance team to check if a recent purchase went through
3. An email offering a gift card redemption as part of an employee benefits scheme.

How do you break the kill chain at this step?

Email Security: Implement advanced email security solutions to filter out malicious attachments and links. Use email authentication mechanisms like SPF, DKIM, and DMARC to prevent email spoofing.

Endpoint Protection: Use endpoint security software to detect and block malicious payloads that may be delivered through email attachments or links.

Employee Training: Educate employees on the nature of phishing attacks and run simulated phishing exercises.

Exploitation

In this step, the victim interacts with the phishing content, typically by clicking on a malicious link. This leads them to a fraudulent site where they are prompted for their credentials.

Unsuspectingly, the victim inputs their credentials and authenticates. Although the login experience may look and feel legitimate, the adversary has successfully hijacked their session in the background.

Example scenario

A member of the IT team is lured by a phishing email, and enters their credentials on the fake SSO page.

The adversary is alerted and steals the session cookie from the phished authentication.

How do you break the kill chain at this step?

Implement multi-factor authentication solutions that are phish-resistant. This way, even if a user falls for a phishing attempt, the authentication will be deemed as malicious and access will be denied. Your authentication process should recognize and stop any unsafe access from occurring.

Check out how Beyond Identity can directly break the kill chain at the Exploitaition step below.

Installation

After the successful exploitation of a victim for their session cookie, the adversary uses the session cookie to assume the identity of the phished victim.

Example scenario

Using the stolen session cookie from the phished authentication, the adversary injects the cookie into their browser, impersonating the IT admin was phished.

How do you break the kill chain at this step?

Intrusion Detection and Response (ITDR): ITDR systems can detect malicious activities and indicators of compromise by analyzing traffic, endpoints, and user behaviors. Once a threat is identified, ITDR systems can respond by isolating infected devices, blocking malicious traffic, or preventing the execution of unauthorized applications.

Security Information and Event Management (SIEM): SIEM solutions aggregate and analyze logs and data from various sources across your infrastructure. This centralized visibility helps in identifying suspicious patterns that may indicate a phishing attack in progress

Command and Control

At this stage, the attacker establishes a link to a system under their control, typically referred to as a Command and Control (C2) server.

This connection allows the attacker to maintain persistence within the compromised environment, enabling ongoing control and coordination of malicious activity.

Example scenario

Operating under the guise of the compromised IT admin's session, the adversary has a plethora of options at their disposal.

They could directly execute their primary objective to transfer corporate funds illicitly. But also with the privileges of an IT administrator, they can disrupt access for legitimate users and plant backdoors for future access.

How do you break the kill chain at this step?

Endpoint Detection and Response (EDR): Deploy advanced EDR tools that continuously monitor endpoints for signs of compromise, such as unauthorized session cookies or unusual account activities.

Network Monitoring:
Employ network monitoring and intrusion detection systems (IDS) to detect unusual or unauthorized network traffic patterns.

Firewalls:
Configure firewalls to block outgoing connections to known malicious IP addresses and domains.

Check out how Beyond Identity can directly break the kill chain at the Command and Control step below.

Actions on Objectives

With a session hijacked and an established Command and Control center, the adversary can perform actions on objectives. This can include additional unauthorized access to systems, data exfiltration, or further lateral movement within the network.

This adversary typically goes between this stage and the previous stage, establishing further Command and Control centers to perform additional actions on objectives.

Example scenario

The adversary, given access to the financial application, initiates a large transfer to an offshore account.

With the primary objective achieved, the adversary can go back to the previous step (Command and Control) and perform additional malicious activity on the target organization.

How do you break the kill chain at this step?

Incident Response Plan: Develop and rehearse an incident response plan to quickly and effectively address breaches.

Data Backup and Recovery Plans: Regularly back up data and have a robust recovery plan to minimize damage from malware attacks.

Beyond Identity can directly break the kill chain at the
Reconnaissance, Exploitation, and Command and Control steps

Prevent Reconnaissance
Our device trust capabilities ensure that your security controls are in place and functioning, including firewalls and intrusion detection and prevention systems to effectively block any unusual or unauthorized probing attempts from suspicious sources.
Prevent Exploitation
Our FIDO2 certified zero trust authentication is phish-resistant by design using device-bound cryptographic keys and meets the highest level of NIST assurance level for authentication. Our authentication protocol recognizes and denies unauthorized access, even if your users fall for phishing.
Prevent Command and Control
Our continuous device posture evaluation quickly detects and responds to abnormal activities and risk changes related to a compromised device. We also leverage data and actions from your existing security integrations (EDR, MDM, ZTNA, etc.) to actively respond to risks and threats directly on the device.

Default Header

Default Subheader