What is Kill Chain Model?
Kill Chains have been used for many years in the defence industry to describe the phases of an activity and help outline what each phase does, how to enter those phases, and how to exit them. Kill Chains are an adapted, action-focused version of the value chain analysis that Michael Porter popularized in the 1980s. What these types of analysis, or kill chains, are good at is helping us understand the process of getting our task, penetrating a target network/system in this case, done. Lockheed Martin is credited with having crafted their concept of a Cyber Kill Chain to the intrusion game, with the paper Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chain. It includes the following activities in that particular order-
- Command and Control
Common tools for web, wired, and wireless attacks
There is no doubt about the fact that Kali Linux 3 is one of the most versatile distributions. In addition to providing flavours for a staggering number of platforms and architectures, it has made it simple for testers to pick and choose subsets of the full distribution for their needs. The base image for ARM platforms (such as the Pi) include a pretty small subset of applications, and it is likely that you may need a few more to meet your goals. These tools referred to as meta packages, enable us to quickly grab the software packages and their dependencies for the particular job.
Other meta packages (GPU, Forensics, PWTools, VoIP, and SDR) do exist but are of limited use in the penetration testing use case. These tool sets would more likely be of use in other exercises such as incident response, data recovery, and intensive cryptographic solutions.
Mapping your tools to the Penetration test Kill Chain
When a penetration test is conducted, you try to mimic the actions an actual intruder or attacker would use to gain illicit access or otherwise compromise target systems. In this article, we’ll discuss how to plan your penetration test, mimic the Cyber Kill Chain that is often used to break down how hackers compromise their targets.
In light of the Penetration test Kill Chain, it is helpful for us to understand what types of penetration test may be called upon to conduct, as it can have a great impact on the result of the kill chain model that we referred above.
White box testing refers to one being given all of the information that would be normally gathered in the Recon phase, and as such, moves quickly and typically in the open (i.e. no stealth required). This type of test is required when one is working as an employee or consultant against a new project’s deliverables, testing a new web server or guest tenant, for instance, but without intensive Recon and maybe even Weaponize phases. If Recon is done here, it may be through more open methods such as interviews and in-person inspections or audits.
Black box testing is more cloak-and-dagger and includes attacking without prior knowledge and therefore the Recon and weaponize phases are essential, and subsequent phases hinge on those findings. Black box testing may be part of a Red Team or adversarial penetration test, usually done without warning most operators and helps to capture real-time responses and behaviour from the target’s users and equipment.
Gray box testing, as may seem obvious, falls somewhere in the middle, and therefore has varying levels of information and disclosure to different portions of the target and the team operating it. In the case of a Gray box test, you may be able to narrow down your early phase efforts to merely fill out the picture.
The type of test and the requirements of the customer will dictate which tools we actually need. If you can apply your requirements to the Penetration test Kill Chain, it will assist you in staying focused and efficient. Unnecessary activities may be a waste of time and customer’s money, but they can also generate noise that may give us away. If it is a black box test, getting caught would be bad for a couple of reasons. Some customers may allow it to continue, but in those where you are conducting Red Team operations (mock attacks, rather than focused project-based testing), your reputation may suffer a lot. The customers are the ones who miss out, however – they come away from the engagement without being truly tested, and as a result, they have wasted their funding and may have to go without an understanding of the security vulnerabilities their systems may possess. They may even mistake your failures for a false sense of security that prevents them from moving to improve their architecture and continually pursue a secure environment.
In the next post, we shall look into some of the tools commonly used to perform a penetration test kill chain and some other techniques to disguise your Raspberry Pi while performing penetration tests.