In this series, we are looking through the Unified Kill Chain. In the first part, we looked at what came before the current model. In the second, we looked briefly at the entire chain. In this part, we will look in-depth at the first stage: Initial Foothold.
The Initial Foothold stage is almost guaranteed to be the longest of all the stages, as well as the hardest to detect and counter. To fail to plan is to plan to fail, after all, and any attacker worth their salt will certainly be planning their approach meticulously.
The first, and most likely the most time-consuming, step is Reconnaissance. During this, the attacker attempts to collate as much information on their target as they can. This can be active, in which they probe the target’s systems in order to identify running services, points of access and as much of the network layout as they can, or passive, in which they search for open source intelligence online, for example by looking for employees on LinkedIn. This can give the attacker an idea of the organisational structure of their target, give them some handy names to drop in order to make their social engineering attempts more convincing, and maybe even some usernames (how many organisations do you think use a common format like firstname.lastname for logins?).
The next steps of this stage depend on what the attacker discovers during their reconnaissance. If they find that a target device is running a vulnerable piece of software, for example, they may work on (or buy) an exploit that targets the vulnerability. After Weaponisation comes Delivery, which may or may not incorporate Social Engineering, such as crafting a spear phishing email that will induce a user to execute the exploit. This is the Exploitation step, where the attacker’s exploit will (they hope) successfully grant them control.
If so, a savvy attacker will begin looking at ways of maintaining Persistence—many cyber attacks are long-term affairs, and the attacker doesn’t want to have to re-exploit their way in each time, nor to run the risk of their previously-discovered vulnerability being patched or their social engineering targets getting suspicious. Depending on the technical ability of their target, the attacker may also have to contend with Defence Evasion here, doing everything they can to both avoid automated defence tools that might destroy their foothold, and automated monitoring tools that might record their intrusion.
The final likely step of this first stage is Command & Control, in which the now-persistent attacker sets up a secure means by which they can communicate with any malware/backdoors they have installed. In the event of a targeted attack, there is every chance that the Initial Foothold stage may be repeated multiple times, either as exploits fail or as persistence proves hard to come by.
In the next part of this series, we shall look in-depth at the second stage of the chain: Network Propagation: Office Environment.