In our previous post, we discussed the first stage of almost all Cyber Attacks: Reconnaissance. Gathering information related to an intended victim is the initial action taken during a campaign against a target. It also sets the tone for the following phases of attack.
Next up: Weaponization.
I recall one incident at school not too long after Home Alone was released to theaters. I had been sitting at my desk attentively when something hit the back of my head. That something was wet and sticky. I picked it out of my hair, and my suspicions were confirmed; it was a spitball. I looked over my shoulder, and Joey was waving and mouthed at me “Sorry.”
When I asked him about it at the lunch table, he showed us his new “pen.” It had some wire and a rubber band stuck inside it so it would act as a slingshot. When you put the cap back over the top, it looked like a regular pen. Thus, a playground weapon could hide in plain sight of a teacher. Unless the teacher knew what they were looking at, you could claim the pen broke, and they would just throw it away, leaving you scot-free.
Similarly, the weaponization phase is all about forging something sinister out of the average or commonplace.
Taking a harmless-looking PDF or Microsoft Word/Excel file and manipulating its built-in features to execute malicious code on assets within the target organization is a typical example of such weaponry.
As we dive just below the surface into the technical realm of this attack model, it’s important to point out that our focus in this series is to demystify cyber attacks. We do this to generate awareness of the relative ease by which threat actors can accomplish each phase. Each post in the Cyber Kill Chain series will explain the elements of a particular stage, highlight some tools an attacker may use, and offer actions you can take in defense.
Overview of Stage Two
During the weaponization phase, an attacker’s goal is to modify something a user will encounter so that it produces a result that favors the attacker. Attackers change files, or the binary code within them, in preparation for emailing them to the target. They modify websites to execute harmful code once you browse to the site from a benign-appearing link. The point is to maliciously change things you’re used to safely interacting with, and to disguise that intent from both technical and human means of detection.
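The document weaponization described above works by abusing features the file formats legitimately support: a VBA project embedded in an Office Open XML package, or PDF actions such as /OpenAction and /JavaScript that fire when the file is opened. A defender can look for exactly those features in inbound attachments. The following triage script is an added example written for this post, not code from the original article or from any of the tools it names; the file samples it inspects are constructed inline, and the watch-list of PDF keys is an assumption chosen for illustration.

```python
import io
import re
import zipfile

# PDF dictionary keys whose presence usually means the document will run
# something when opened or acted on (constructed watch-list, an assumption).
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

# PDF names may use #xx hex escapes, e.g. "/Java#53cript" means "/JavaScript";
# normalizing them first stops a trivially disguised key from slipping past.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _unescape_pdf_names(data: bytes) -> bytes:
    """Resolve #xx escapes so an escaped key name still matches the watch-list."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inspect_pdf(data: bytes) -> list:
    """Return the active-content keys found in a PDF byte string, in watch-list order."""
    normalized = _unescape_pdf_names(data)
    return [key.decode() for key in PDF_ACTIVE_KEYS if key in normalized]


def inspect_ooxml(data: bytes) -> list:
    """Return macro indicators found in an Office Open XML (docx/xlsx/pptx) package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for name in package.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            # A VBA project is stored as vbaProject.bin inside the package.
            if base == "vbaproject.bin":
                findings.append(f"vba_macro:{name}")
            # Excel 4.0 (XLM) macro sheets are another macro carrier.
            if name.lower().startswith("xl/macrosheets/"):
                findings.append(f"xlm_macro:{name}")
    return findings


def triage_attachment(data: bytes) -> dict:
    """Identify the container by its magic bytes and report active-content indicators."""
    if data.startswith(b"%PDF"):
        kind, findings = "pdf", inspect_pdf(data)
    elif data.startswith(b"PK\x03\x04"):
        kind, findings = "ooxml", inspect_ooxml(data)
    else:
        kind, findings = "unknown", []
    return {"type": kind, "suspicious": bool(findings), "findings": findings}


def build_sample_docm() -> bytes:
    """Constructed sample: a minimal OOXML package that carries a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        package.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


# Constructed minimal PDF whose catalog opens a JavaScript action; the key
# name is hex-escaped to show why the normalization step matters.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /Java#53cript /JS (constructed) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed PDF with no active content, for comparison.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for label, blob in (("sample.pdf", SAMPLE_PDF), ("clean.pdf", CLEAN_PDF),
                        ("sample.docm", build_sample_docm())):
        print(label, triage_attachment(blob))
```

Two caveats a practitioner would want: the PDF check is a byte scan, so keys hidden inside compressed object streams (FlateDecode) are not seen without first inflating those streams, and legacy binary Office formats (.doc/.xls, OLE containers) are not handled here. Treat a hit as a reason to sandbox or quarantine the file, not as proof of malice; signed, business-approved macro documents will trip the same check.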
Harking back to our Home Alone metaphor, there are numerous examples of weaponization in the movie. Remember the scene when Kevin places the electric iron on the inside of the front door’s knob? At this point in the film, Kevin is preparing for an attack without interacting with his target. He weaponizes stairs, paint buckets, ornaments, and many other commonplace items. He also changes the doorknob to create a red-hot weaponized version of something ordinary.
How does this translate to a more specific real-life example? An attacker works in an environment isolated from the target to gather intelligence. Picture, if you will, a dark basement, lit only by several computer monitors. Next, the attacker does one of two things: (1) use advanced knowledge of coding to generate custom malware and exploit code from scratch or (2) download a handy tool to create a payload and weaponize something like a PDF or Microsoft Word/Excel file based on a pre-written template and pre-written exploit.
Metasploit – used for developing and executing exploit code against a remote target
Luckystrike – helps create shell documents with encrypted code pieces that can infect a network
Veil Framework – generates code that will bypass common anti-virus solutions
There are many weaponization tools available online. Skilled and determined hackers can create custom, sophisticated malware by programming it themselves. However, there are “point and click” tools readily available to anyone with internet access, such as the three listed above. These programs essentially automate the process of weaponizing files, as well as implementing tactics for evading anti-virus and other means of detection and prevention (DEP/NX, ASLR, UAC, and so on).
Stay on your Guard
As with the Reconnaissance phase, the weaponization actions are mainly undetectable and unpreventable from a defensive stance. Controls aren’t available to prevent threat actors from taking action to weaponize files. You can’t stop people from making spitball pens or deter people from wiring their doorknobs.
That said, there are organizations and businesses that devote their time to counteracting these weapons; we will talk more about them during the later phases and explain how their tools work to protect you.
In the meantime, an organization can still take measures before the Reconnaissance and Weaponization phases of an attack are in motion.
Preparation is essential to building a proactive security posture. Stakeholders involved in securing IT infrastructure must become aware of how threat actors work to compromise organizations. Vulnerability alerts and threat intelligence feeds can be useful in providing an idea of the direction and form an attack may take. That way, your Disaster Recovery plan can also adapt.
Proactive due diligence and risk management are crucial because attackers start throwing their weaponized punches in stage III, Delivery. The organizations that get knocked out in that step are those that are unaware and ill-prepared.