Attack Lifecycle

The first published "attack lifecycle" was Lockheed Martin's Cyber Kill Chain. It describes each phase an attacker must go through to compromise a target:

  1. Reconnaissance - scout a target and find potential attack vectors.

  2. Weaponisation - develop a malicious payload.

  3. Delivery - develop a means of delivering the payload.

  4. Exploitation - the initial attack of delivering the weaponised payload.

  5. Installation - installing persistent malware on the target.

  6. Command & Control - establish a means of controlling compromised targets.

  7. Actions on Objectives - achieve the operational goal (defacement, data theft, etc).


Its purpose was to provide a framework for informing defensive measures, but by itself it has a few shortcomings. The first is that phases 1, 2 and 3 occur on the attacker's machine, so there is very little a defender can do to mitigate them. The second is that there is no detail in phase 7 - i.e. once an attacker has compromised one or more targets, how do they actually go about achieving their objective?

Other companies have since come up with their own versions to better address these shortcomings. One example is Mandiant's Targeted Attack Lifecycle, which details the following 8 phases:

  1. Initial Reconnaissance - research the target systems and employees to develop a methodology for the intrusion.

  2. Initial Compromise - execute malicious code on one or more targets via the attack vector planned during phase 1.

  3. Establish Foothold - maintain continued control over a compromised system by installing persistent backdoors.

  4. Escalate Privileges - exploit system vulnerabilities or misconfigurations to obtain local admin access to compromised systems.

  5. Internal Reconnaissance - explore the target's internal infrastructure and environment.

  6. Move Laterally - use credentials obtained from phase 4 to compromise additional systems.

  7. Maintain Presence - maintain highly privileged access to domains and systems.

  8. Complete Mission - accomplish the operational objective.


Microsoft have also published their take on the attack lifecycle, which includes a flow chart.


This is a nice visual representation, as it shows the cyclical nature of some of the phases. For example, an attacker may have to compromise and move laterally between multiple machines before obtaining domain admin credentials.
