Here at Axiom, we take cybersecurity seriously. As an MSP we feel a strong commitment to work with our clients to educate them on cybersecurity concepts, help them make informed decisions, and implement reasonable measures to safeguard their business.  

But we wanted to do more.  

So, we started discussing some ideas on how we could continue to raise awareness around these topics and to educate folks about the world we live in daily. That’s where this series comes in. We’re here to pull back the veil on the cybersecurity topics we work with to help educate folks about the complexities of the cyber world.  

So, grab a coffee (or beverage of choice) and pull up a chair, because our resident security guy is here to ramble about information security.  

What do hackers actually do?  

For our first article in this series, we want to talk about what exactly hackers do when they compromise an environment. After all, you see in the news how a major company was hacked, or something was offline due to a cyber incident, but what REALLY happened? Fortunately, some smart folks at Lockheed Martin came up with a framework (and yes, it’s the same Lockheed Martin that makes fancy fighter jets.) 

Enter the Lockheed Martin Cyber Kill Chain  

The Lockheed Martin Kill Chain is a standardized approach that all cyber attacks fall under. It’s broken down into several phases.  

Phase 1 – Reconnaissance 

This phase is where the attacker selects their target and researches how to attack them. They may use open source intelligence or social media intelligence (OSINT and SOCMINT respectively) or other methods to better understand their target.  

Phase 2 – Weaponization 

Based on the information discovered in Phase 1, the attacker now selects their method of attack. This is where they craft their phishing emails, prepare their malware, or attempt to exploit a public facing weakness in a target’s information system.  

Phase 3 – Delivery 

Okay this is where things start to get serious. The attacker has selected a target and identified their method of attack. Phase 3 is where the attack begins. This can be a phishing email, malware delivery, a malicious flashdrive, and more. The goal here is for the attacker to get their weapon of choice to their target.  

Phase 4 – Exploitation 

This phase is when the bad stuff really kicks off. The objective here is for the malicious exploit to be triggered to exploit vulnerabilities identified in Phase 1. This opens the door for them to access the environment and to begin further malicious actions.  

Phase 5 – Installation 

In this phase, the attacker is looking to maintain access to the target’s environment. This is where they will attempt to install some form of backdoor in a system. This could be a misused legitimate remote support tool or something more nefarious like a webshell.  

Think of it like this – if a building you’re in has a door that is always locked, but it’s a gorgeous day outside you may want to step outside the building for some fresh air. BUT you don’t want to have to request access each time. You may want to do something to prop the door open.  

Note from the security guy here – please don’t prop those doors open. There’s likely a very good reason why they always lock.  

This is what the threat actor is trying to do in a system they’ve accessed. They want to be able to come and go as they please as they work through the next phases.  

Phase 6 – Command And Control (C2) 

The next phase is called “Command And Control” or C2 for short. In this phase the weapon from Phase 2 communicates with infrastructure the threat actor maintains in order to deliver additional tools, recon the internal network, validate persistence methods, and more.  

Phase 7 – Actions on Objectives 

The final and most serious phase of the kill chain is “Actions on Objective.” In all cyber incidents there’s always a goal of the attacker. It’s at this phase that the attacker is able to take actions depending on what exactly they want to do. This may be theft of sensitive data, destruction of data, extortion, or a further attack. 

It’s at this point that preventions have been bypassed and the damage begins to take full effect.  

So let’s review. 

Almost every cyber incident aligns to this framework. This framework is critical for defenders to identify mitigations and measures to disrupt an attack at each stage.  

At Axiom, we leverage this to help protect our client environments in a way that’s reasonable for each business.  

MITRE ATT&CK 

While the Lockheed Martin Kill Chain is an excellent resource to understand the lifecycle of an incident, cyber incidents are significantly more complicated. 

That’s where the MITRE Organization developed a standard framework of tactics, techniques, and procedures (cyber folks call these TTPs) seen in attacks. This is called the MITRE ATT&CK Framework.  

We’re simply going to touch on this at a VERY high level, because frankly, Adam can ramble about these all year and we kind of need him to get back to work.  

Fortunately for us, and unfortunately for Adam because he really wanted to nerd out on this, the fine folks over at SentinelOne created this handy comparison between the ATT&CK and the Lockheed Kill Chain.  

Source: What is the MITRE ATT&CK Framework? – An Easy Guide (sentinelone.com) 

The key differences between the kill chain and ATT&CK is that in the cyber kill chain, attackers will employ a variety of tactics, techniques, and procedures. These TTPs are outlined in each section of ATT&CK.  

Some procedures here are commonly seen, such as phishing emails being used in initial access, or the disabling of antivirus under Defense Evasion.  

Defenders use ATT&CK to create mitigations against common TTPs that impact an organization. On the other hand, incident responders use this framework when performing their duties to understand how systems were impacted.  

Conclusion 

So what did we learn? 

Well, we went over the common framework that malicious entities follow when attacking a company with the Lockheed Martin Kill Chain. From there, we touched on more of the specifics with the MITRE ATT&CK Framework.  

But if you’re not a security professional like us, this can seem irrelevant. After all, it’s our job as defenders to understand these offensive capabilities to craft a robust defense.  

This leads us to our final point – why all this matters to you.  

In short – to defeat an enemy you must know them, their methods, tactics, and motivations.  

It’s important to contextualize these items when discussing cybersecurity for any organization. As an MSP, there’s a ton of shared responsibility between us and our clients. It’s our job to help those we serve to make informed decisions.  

And that’s why we’re here. We want to present this information that’s at the core of our security practices to you so you can have an informed foundation to your own security posture.