1
00:00:11,870 --> 00:00:17,060
Welcome everyone to another video of the expert malware analysis and reverse engineering course.

2
00:00:17,300 --> 00:00:25,670
And in this video we are going to give a detailed introduction to the cyber kill chain model.

3
00:00:25,670 --> 00:00:32,020
The term kill chain was originally used as a military concept related to the structure of an attack, consisting of target

4
00:00:32,030 --> 00:00:39,710
identification, force dispatched to the target, decision and order to attack the target, and finally destruction

5
00:00:39,710 --> 00:00:41,550
of the target.

6
00:00:41,620 --> 00:00:48,640
Also, the same idea is used in terms of breaking the opponent's kill chain in order to build a defensive

7
00:00:48,640 --> 00:00:50,550
strategy against it.

8
00:00:50,600 --> 00:00:57,530
Lockheed Martin adopted the same kill chain model in cybersecurity, and we call it the cyber kill chain

9
00:00:57,530 --> 00:00:59,340
model.

10
00:00:59,560 --> 00:01:01,990
So what exactly does this model consist of?

11
00:01:02,400 --> 00:01:08,560
It consists of seven different stages of intrusion, which is called the intrusion kill chain.

12
00:01:08,830 --> 00:01:16,720
It consists of reconnaissance, weaponization, delivery, exploitation, installation, command and control, and

13
00:01:16,780 --> 00:01:18,120
actions on objectives.

14
00:01:18,310 --> 00:01:24,100
We have briefly seen some details about the cyber kill chain in our previous introductory videos as well;

15
00:01:24,610 --> 00:01:30,250
here we will go into slightly more detail on these steps, and we'll try to understand how this is critical

16
00:01:30,310 --> 00:01:38,670
to any cybersecurity professional, as it is very useful in the day-to-day analysis of threats and attacks.

17
00:01:38,690 --> 00:01:41,300
That was the intrusion part of the kill chain.

18
00:01:41,480 --> 00:01:50,280
If you look at the lower part of this diagram, you'll see that there are defeating steps as well, which

19
00:01:50,280 --> 00:01:55,210
are to detect, deny, disrupt, degrade, deceive and destroy.

20
00:01:55,410 --> 00:02:00,470
So if you are an attacker, you are basically following the intrusion chain, the top seven steps.

21
00:02:00,480 --> 00:02:05,610
And if you are a defender, you are basically following the lower seven steps, or you are basically using

22
00:02:05,610 --> 00:02:17,490
the 7 D's to kind of detect or disrupt any ongoing attack or campaign. So let's go into a much more detailed explanation

23
00:02:17,520 --> 00:02:25,500
of all the steps one by one. So we start with the reconnaissance and weaponization stages. So in reconnaissance

24
00:02:25,980 --> 00:02:32,850
the attacker basically does extensive research on the target to try and identify the servers, the

25
00:02:32,850 --> 00:02:39,480
machines, the versions of software, the employees, their email IDs, their contacts and things like that.

26
00:02:39,510 --> 00:02:44,700
This is basically the information gathering stage, where the attackers collect as much information as

27
00:02:44,700 --> 00:02:52,460
possible. In the weaponization stage, the attacker uses the collected information from reconnaissance as the

28
00:02:52,680 --> 00:02:55,040
next step towards building the attack.

29
00:02:55,790 --> 00:03:01,560
The attacker basically starts thinking about the right mode for victimizing the target.

30
00:03:02,030 --> 00:03:03,580
Then comes the delivery phase.

31
00:03:03,770 --> 00:03:11,310
So once the attacker has finished his weaponization stage, the next attack vector would be to deliver the

32
00:03:11,330 --> 00:03:13,580
weaponized item to the target.

33
00:03:14,030 --> 00:03:16,150
For example, spam emails.

34
00:03:16,310 --> 00:03:22,220
Let's say the attacker in the weaponization phase was able to figure out the email IDs of a few HRs

35
00:03:22,280 --> 00:03:24,370
working in an organization.

36
00:03:24,380 --> 00:03:30,420
The attacker then decides to create a weaponized malicious email and deliver it to all those HR

37
00:03:30,420 --> 00:03:31,880
departments.

38
00:03:32,120 --> 00:03:37,500
That particular email would contain an attachment that would have an exploit inside it.

39
00:03:37,640 --> 00:03:41,340
That's where the exploitation phase comes into action.

40
00:03:41,900 --> 00:03:48,020
So the exploitation phase is compromising the target in order to get unauthorized access and elevated

41
00:03:48,020 --> 00:03:53,780
privileges on the system that is compromised. Once the exploitation is done,

42
00:03:53,780 --> 00:03:56,590
the next phase is the installation of the malware.

43
00:03:56,930 --> 00:04:02,510
So the malware will now sit on the system in order to start performing the command and control, and

44
00:04:02,510 --> 00:04:08,660
the command and control is basically the exfiltration of data, stealing of critical information from

45
00:04:08,660 --> 00:04:13,910
the infected machine, from the infected network, all the way out to its own control

46
00:04:13,910 --> 00:04:16,320
server.

47
00:04:16,490 --> 00:04:19,480
So this is how the attack is layered

48
00:04:19,520 --> 00:04:22,670
across all the seven steps of the cyber kill chain.

49
00:04:22,790 --> 00:04:29,150
Similarly, we have the proactive defense and mitigation steps as well.

50
00:04:29,150 --> 00:04:35,120
So in the kill chain, if you look at the first three, three and a half steps, if we just divide the

51
00:04:35,120 --> 00:04:40,790
exploitation into, let's say, two halves, then the first three and a half steps basically tell you how you

52
00:04:40,790 --> 00:04:44,190
can proactively detect and mitigate any threat.

53
00:04:44,210 --> 00:04:47,150
That's where most of the security tools work.

54
00:04:47,180 --> 00:04:49,340
For example, you can have spam filters,

55
00:04:49,340 --> 00:04:54,470
you can have antiviruses, to basically proactively detect and mitigate the threats that happen

56
00:04:54,470 --> 00:04:55,710
in the environment.

57
00:04:55,940 --> 00:05:00,930
For the latter three and a half steps, you basically do containment and incident response.

58
00:05:00,950 --> 00:05:03,390
This means that the attack has already happened.

59
00:05:03,470 --> 00:05:05,570
The network is already infected.

60
00:05:05,570 --> 00:05:11,150
Now you try and contain it, and you try to understand how that incident happened.

61
00:05:11,150 --> 00:05:13,380
What was the reason for that infection?

62
00:05:13,400 --> 00:05:17,650
Where else did that infection flow from the particular machine where it happened?

63
00:05:20,060 --> 00:05:29,070
So here is a brief diagram of the example of a spam attack mapped onto the cyber kill chain.

64
00:05:29,150 --> 00:05:35,630
If you see, a spam email arrives on the victim machine that contains a zip file. The zip file inside

65
00:05:35,630 --> 00:05:43,190
contains a document file. The doc file can contain multiple different exploits, based on which of them work

66
00:05:43,250 --> 00:05:44,160
on the compromised machine.

67
00:05:44,180 --> 00:05:50,870
So once the exploitation happens, the malware gets installed onto the system, and after that installation

68
00:05:51,020 --> 00:05:54,500
the malware begins communicating with its command and control.

69
00:05:54,730 --> 00:06:00,420
So this is how the entire attack is mapped onto the cyber kill chain model.

70
00:06:00,440 --> 00:06:06,770
This is going to be very helpful for us throughout this course, because our analysis is also going to start in the

71
00:06:06,770 --> 00:06:13,160
same way. We will first look at a spam email, then we'll go ahead and look into its attached document. Once

72
00:06:13,160 --> 00:06:14,330
we analyze the document,

73
00:06:14,330 --> 00:06:20,150
we are going to extract its features. It might contain an exploit, or it may directly try to install malware.

74
00:06:20,500 --> 00:06:25,730
Then we are going to understand those exploits, we are going to understand that malware, and then we

75
00:06:25,730 --> 00:06:28,540
are going to see how the malware sits in the system,

76
00:06:28,540 --> 00:06:33,100
how it elevates its privileges, and later on how it performs the command and control.

77
00:06:33,140 --> 00:06:39,410
So this is the overall structure, the overall course design, and this is how the cyber kill chain basically

78
00:06:39,410 --> 00:06:42,770
maps the entire attack onto a single model.

79
00:06:43,220 --> 00:06:46,690
So that was an introduction to the cyber kill chain.

80
00:06:46,730 --> 00:06:50,470
There is a lot of information available on Google as well.

81
00:06:50,480 --> 00:06:55,040
I would highly encourage you all to just go ahead and read more about the cyber kill chain and how different

82
00:06:55,040 --> 00:07:01,160
organizations are using it to build up their defense, to build up their proactive detection strategies

83
00:07:01,190 --> 00:07:02,500
around this model.

84
00:07:02,930 --> 00:07:04,190
That's all for this video.

85
00:07:04,190 --> 00:07:04,970
Thanks everyone.