## Research done towards understanding the Kill-Chain

##### Model 1: The 8 stages model **


**1. Reconnaissance**

"At the reconnaissance stage, the attacker gathers information about the target organization. They can use automated scanners to find vulnerabilities and weak points that may allow penetration. Attackers will try to identify and investigate security systems that are in place, such as firewalls, intrusion prevention systems and authentication mechanisms."

**2. Intrusion**

"At the intrusion stage, attackers are attempting to get inside the security perimeter. Attackers commonly inject malware into a system to get a foothold. Malware could be delivered by social engineering emails, a compromised system or account, an “open door” representing a gap in security, such as an open port or unsecured endpoint, or an insider accomplice."

**3. Exploitation**

"At the exploitation stage, attackers seek additional vulnerabilities or weak points they can exploit inside the organization’s systems. For example, from the outside, the attacker may have no access to an organization’s databases, but after the intrusion, they can see a database uses an old version and is exposed to a well known vulnerability."

**4. Privilege Escalation**

"In the privilege escalation stage, the goal of the attacker is to gain privileges to additional systems or accounts. Attackers may attempt brute force attacks, look for unsecured repositories of credentials, monitor unencrypted network traffic to identify credentials, or change permissions on existing compromised accounts."

**5. Lateral Movement**

"In the lateral movement stage, attackers connect to additional systems and attempt to find the organization’s most valuable assets. Attackers move laterally from one system to another to gain access to privileged accounts, sensitive data, or access to critical assets. Lateral movement is a coordinated effort that may span multiple user accounts and IT systems."

**6. Obfuscation**

"At the obfuscation stage the attacker tries to cover their tracks. They may try to delete or modify logs, falsify timestamps, tamper with security systems, and take other actions to hide previous stages in the kill chain and make it appear that sensitive data or systems were not touched."

**7. Denial of Service**

"At the denial of service (DoS) stage, attackers attempt to disrupt an organization’s operations. Usually the aim is to draw the attention of security and operational staff and cause a distraction, enabling the attackers to achieve their real goal, which is data exfiltration. DoS can be waged against networks and production systems, including websites, email servers, or customer-facing applications."

**8. Exfiltration**

"At the exfiltration stage, an advanced attacker finally “hits home”, getting their hands on the organization’s most sensitive data. Attackers will find a mechanism, typically some sort of protocol tunneling, to copy the data outside the organization, in order to sell the sensitive data, use it for additional attacks (for example, in the case of customer personal data or payment details), or openly distribute it to damage the organization."


_Note:_


 ** All descriptions for the stages are quoted from [exabeam](https://www.exabeam.com/) and can be found [here](https://www.exabeam.com/information-security/cyber-kill-chain/). Descriptions match the literature standards for the 8-phases model Kill Chain, but all credit for the exact wording goes to the authors cited in the article. 

###### How does the model match our data?

- 1. The classical definition for the first stage of the Kill Chain (KC) is less technical, often referring to actions such as 'gathering information on the target such as employee work schedule, e-mail lists, sponsorships, term targets etc.' This type of information would not be relevant to our data, as the actors are red_team penetration testers, who need not deal with any of those initial exploratory steps. The proposed scheme correctly highlights " Attackers will try to identify and investigate security systems [...] and authentication mechanisms." A considerable amount of such work is being carried out in the Authentication data, for precisely the mentioned purposes. From this perspective, the definition is mostly suited to our project.


- 2. Although logon attempts (eg. NetworkLogon, InteractiveLogon, CachedInteractiveLogon etc.) are sometimes met with failure, which may or may not be indicative of malicious purposes, our red_team actors do not require an intrusion mechanism per se. They are granted a connection attempt at the very least in the Authentication part of the attack, which then transfers into full effect on the Process data. Moreover, "Malware could be delivered by social engineering emails, [...], or an insider accomplice." holds very little relevance to our data. All testers are, in some weaker sense, "insiders". For all our intents and purposes, the intrusion stage appears as an unnecessary extension of the initial reconnaissance stage. We are therefore inclined to merge them into a single stage.


- 3. The nature of the attacks the red_team actors could've deployed given their acquired rights, their method of infiltration and all other factors remain unknown to our team, provided the description and traffic flow. Thus, we may at no point confidently declare that an actor was seeking insight into a particular vulnerability given a single event or a set of events. Nonetheless, it is highly anticipated that this is how an usual attack would be carried out. In our case, however, the exploitation stage very likely consisted entirely of a search for further channels of access - by this we understand that an actor would, once they have trespassed, look into ways to communicate further as to maximizing the damage done. The penetration testers were mostly challenging the IDS's in place from LANL. For our purposes, this is to be understood as something close to a  privileges escalation phase.


- 4. This crucial stage exists, beyond reasonable doubt, within our data. It likely comes in both the form of Authentication as well as Processes and we suspect it will be among the hardest stages to positively identify, being easily confused with anything from reconnaisance to the actual lateral movement. The part of the description stating "[...] change permissions on existing compromised accounts." is perhaps not so relevant to our cause. We have little to no way of verifying such claims within Authentication, though some of the processes or parent processes within the Process dataset may prove more indicative of privilege escalations. On the other hand, the goal to "monitor unencrypted network traffic to identify credentials" is how this stage would otherwise be identified within the Authentication dataset.


- 5. Lateral movement is another of the stages that unequivocally feature in an attacker's method that leaves tracks to follow on. Similarly to stage 4, however, most events that could suggest lateral movement may also be part of trivial research instead. This makes lateral movement a difficult stage to set a verdict on, as the key to success lies in placing events into context rather than examining them individually. The sentence "Lateral movement is a coordinated effort that may span multiple user accounts and IT systems." is perhaps the perfect summary for the situation we're facing within the Authentication data, where certain suspicious users exhibit 'hopping' behaviour - where they attempt the same authentication type multiple times on different destination devices. Nevertheless, as we have already mentioned, we must proceed with caution in these cases as well. If those attempts are met with consecutive failures, it may be the case that the actor is merely trying to infiltrate and gets spotted by the IDS. In that case, a penetrator would often look for other points of entry. This is notably similar to a lateral movement scenario, except there the actor would not be met with failures. 


- 6. There are two main problems in considering this stage of the kill chain. We'll start with the one that explicitly adresses our data: there is little to no evidence sustaining the idea that attacker's were trying to cover their tracks. Indeed, this often happens (except when the attack is meant to be evident, eg. DDoS) in real hacking scenarios. However, the team was more involved in the infiltration itself rather than covering traces of where the attack originated. Not only can those be tracked to some reasonable degree, but the blue team was always aware of attacks going on. No one was actively working on stomping the infiltration stages of the operation, the only defendant being the automated DS. Secondly, considering a separate obfuscation stage seems a bit outdated. The only sense in which this action takes place within our data is usernames being anonymized in the Process data, after having infiltrated succesfully through the Authentication stage. However, the planning that goes into that action arguably takes place way before the lateral movement. Having taken control over a device at the 4th stage (Privilege escalation), one may use their means to anonymize any further activity. Thus, actions need to be traced back to the original actor from stages 1-3, which leaves the blue team the only real option of detecting the primary intrusion step. In this sense there is an argument against the 8 phases model, according to our team's shared opinions. 


- 7. Within our somewhat synthetic environment, there is no place for this stage to play out, unfortunately. All the tests were carried out in a controlled setting, where the productivity and work schedule of the blue team colleagues suffered no disruption or change. The DoS stage is often highlighted as the most obvious and essential stage of the entire operation. While that remains true in real settings, there's no need to further justify why it wouldn't make an appearance in a controlled penetration testing.


- 8. The final stage of the kill chain can positively be identified exclusively in the Process dataset. It consists of processes which exclusively transfer data to ourside sources, and/or those that 'leak' the data in a spam-like manner. This is well captured by the description: "[...] copy the data outside the organization, [...] or openly distribute it to damage the organization." The red team testers are likely mimicking this interaction, once again, being particularly interested in whether such action is possible against the IDS meant to prevent exfiltration. If this procedure leaves any distinguishable characteristics, they are likely to be picked up without worry of confusing the events as belonging to another stage of the kill chain. 