arXiv:1606.03184v1 [cs.NI] 10 Jun 2016 rnsa ahse ftecbrkl hi.Teppr nswi ends 4. papers The section chain. in kill techn remarks cyber the the concluding discusses of 3 is step section each chain, at process trends kill cyber chain of phases kill the cyber Technologies the details. technology. much of a into going stage than without Kill explained each rather Cyber process at since involved a software is application Chain or systems chain. operating kill cyber the o of methodologies stage and each trends at recent attacker the the surveys and chain name: kill a espionage cha Chain cyber multi-stage Kill to this culminating The given events organization. has of the community of research elements security multiple horizont across and movement vertical involving complex, presence more att becoming undetected multi-staged now These and infrastructure. wi persistent cyber technologies targeted a the and establishing tools at who aim sophisticated adversaries an to by access conducted easy attacks have targeted of emergence itne omn Control & Command sistence, cybe cyber-attack. a This a a an help target. of to to available stage the options every intends the at on realize paper to attack This researcher security cyber-attacks. an an in techniques informat execute methodologies, involved penetrate the to to categories broadly takes time paper intruder a over to an a response that is model systems incident terms path simple a the develop in is chain chain, to kill securit Cyber chain as capabilities. organizati cyber analysis kill so on of Cyber cyber-attacks effects field governments. describe disruptive the and massive in enterprises have research attacks of Such interest the creased aelnso hto natce.Ec hs fkl hi in analyze. chain and kill tackle of the to phase area on Each research think attacker. vast one an a the of help is that study itself can of to knowledge lines importance This same utmost chain. defensi of develops kill is who cyber it cyber analyst a security measures[3], of a counter actions for offensive So analyzing attacker[1]. and ki Cyber modeling analysts understanding is Inherently malware chain manner. chained and a in investigators work forensic team,digital Keywords Abstract h ae sognzdit etos eto introduces 2 Section sections. 4 into organized is paper The of irrespective general in attacks about talks paper The the is organizations by faced problems leading the of One ye ilcani oe o nietresponse incident for model a is chain kill Cyber hsppram npoiigapie ntecyber the on primer a providing on aims paper This . Rcn rnsi agtdcbratcshsin- has cyber-attacks targeted in trends —Recent — eonisne A,Epot ye tak Per- Attack, Cyber Exploit, RAT, Reconnaissance, e hia set fCbrKl Chain Kill Cyber of Aspects Technical I C II. eeomn raiain INDIA Organisation, Development .I I. cets,DfneRsac and Research Defence Scientist, mi:[email protected] Email: YBER NTRODUCTION au Yadav Tarun K ILL C HAIN h Cyber The csare acks attack n ttacker tools d ons, ical ion nd ve th th to in in al y. ll r f - ics h ol n ehooisue yteatce tea at attacker do the them by of used most technologies but and attacks tools recent the w.r.t. discuss detail in chain phases kill 7 of consists 1. each mainly Fig. subvert for in chain to shown mitigation Kill defenders as Cyber and the [5][6][8] phases. defenses help at the developing also problems of will by easier it phase and will and mutually each smaller approach time tackle into same layered to the a attack analysts Such the complicated layers. enable or the stages breakdown nonexclusive to response work the for difficult and multipl more destructive only it not analyze. making more to to also team attacks hence but cyber effect and in exploited the ve be being attack are to redundant tors multiple used Nowadays it dangerous[14][41]. than plex omn n Control and Command hr r ayatce 2[]7 hc ecietecyber the describe which [2][4][7] articles many are There frame- a provides chain kill cyber attacks such analyze To com- more been have attacks cyber years, recent In c nObjective on Act Reconnaissance Exploitation eeomn raiain INDIA Organisation, Development Installation Weaponize cets,DfneRsac and Research Defence Scientist, Delivery Email:[email protected] a ridMallari Arvind Rao i.1 hsso ye ilChain Kill Cyber of Phases 1: Fig. alda ye Weapon Cyber as called dnicto,Selection Identification, anann persistence maintaining n rfiigo Target of Profiling and agtdenvironment targeted opigo Remote of Coupling ye epnt the to weapon cyber otolrsresto servers controller ewr Spreading, Network rnmsino the of Transmission eieal payload deliverable with Trojan Access ytmDisruption System omnct with communicate opoie host compromised ubudinternet Outbound takrspayload attacker’s aaExfiltration, Data nEpotit a into Exploit an ntre system target on rgeigthe Triggering ntlainof Installation akorand backdoor n’t ch c- y stage of the cyber kill chain. In next section we will go through B. Weaponize technical aspects involved at each step w.r.t to the attacker’s perspective and will see the variety of tools and methodologies Weaponize stage of the cyber kill chain deals with utilized by attacker. designing a backdoor and a penetration plan, utilizing the information gathered from reconnaissance, to enable successful delivery of the backdoor. Technically it is binding III. TECHNICAL ASPECTS OF CYBER KILL CHAIN software/application exploits with a remote access tool As described cyber kill chain defines the flow of a cyber (RAT). Weaponizing involves design and development of the attack and in this 7 layer model each layer is critical. Studying following two components:- the cyber kill chain will help cyber threats to be identified or mitigated at any layer of attack. Sooner the detection is done 1) RAT (Remote Access Tool): RAT is piece of software lesser is the loss to the organization under attack. This section which executes on target’s system and give remote, hidden broadly outlines the technical methodologies, implementation, and undetected access to the attacker. RAT is usually called research, and tools involved at each stage of the cyber kill the payload of a cyber-weapon. The target system can be a chain with examples of famous cyber attacks and malwares computer, mobile[13] or any embedded device provided the used in the bygone years. RAT software is properly compiled for the architecture being targeted. The types of access provided by a typical RAT are A. Reconnaissance system explore, File upload or download, remote file execution, keylogs, screen capture, webcam or system power on/off with Reconnaissance means gathering information about the limited or user level privileges. If by some mechanism the RAT potential target. Target can be an individual or an organiza- gets administrator/root access then it could include network tional entity. Reconnaissance can further be broken down to spreading [1] or network data capture access or persistent target identification, selection and profiling. Reconnaissance in installation of anti-detection module. RAT again constitutes cyber space mainly includes crawling World Wide Web such of two major parts: as internet websites, conferences, blogs, social relationship, mailing lists and network tracing tools to get information a) Client: Client is the piece of code which is delivered about target. Information gathered from reconnaissance is used to the target, executes and creates connection to the Command in later stages of cyber kill chain to design and deliver the and Control infrastructure of the RAT. After establishing payload. Reconnaissance is divided into 2 parts [9] (expected connection, the client receives the command from its controller. to be done in order): Client in turn executes the command and sends the results back. It is not always necessary to have all RAT functionalities 1) Passive Reconnaissance:It is gathering the informa- in a single deliverable. There are many instances of RAT like tion about target without letting him know about it. Carberp [14], Ventir Trojan [15],Poison Ivy [42] etc. where 2) Active Reconnaissance:It is much deeper profiling RAT functions are delivered to the target in a modular manner of target which might trigger alert to the target. by using a very basic stub. The complied code can be deployed in form of binaries or shellcodes. Shellcode in simplistic terms is position independent machine code generally compiled by Reconnaissance Type of Techniques Used[10] Techniques Reconnais- [11] assemblers. There also exists techniques [16] which use spe- sance cially crafted C-language source codes to generate shellcode. 1 Target Identifi- passive Domain Names, whois, b) Server: Server is the other half of RAT which runs cation and Se- records from APNIC, lection RIPE, ARIN on the Command and Control infrastructure with nice UI, 2 Target Profiling displays the connection information from target’s client part. (a) Target So- Passive Social Networks, Pub- Server typically has options of commands like keylogger, file cial Profiling lic Documents, Reports browser, screen capture etc. Based on objective attacker gives and Corporate Web- the command to the client using server interface which is sites executed by client and the output is returned back to the server. (b) Target Sys- Active Pingsweeps, Depending on execution permission level being allotted to the tem Profiling Fingerprinting, Port client part these commands can be executed to get full access Scanning and services of target’s system. 3 Target Valida- Active SPAM Messages, tion Phishing Mails and While developing RATs major constraints are size, Anti- Social Engineering virus detection, extendibility, and scalability and user friendly TABLE I: Reconnaissance Techniques interface. Ease of use of a RAT is defined by the server UI, hence a big part of RAT programing is dedicated to UI design of server. Reconnaissance provides knowledge about potential targets which will enable the attacker to decide the type of weapon It is not necessary to code client and server in same suitable for target, type of delivery methods possible (Table language. These days server are using either scripting lan- III), malware installation difficulties and security mechanisms guages(PHP, Javascript) for web based UI [14] [41] or that need to be bypassed. We will now see how the information C++,Java, delphi [17][42] for application based interface. gathered by reconnaissance is used to develop sophisticated malware. Famous RATs Famous Exploit Kits Delivery Characteristics [13] Mechanism [1][12] Blackshades Blackhole 1 Email Attachments Email content is composed to en- DarkComet Nuclear tice the user by using appealing Poison ivy Styx content Bozok Redkit 3 Phishing Attacks Sensitive information like user- Njrat Sweet Orange names, passwords, credit card de- Apocalypse Infinity tails etc. are extracted by mas- querading a trustworthy entity in TABLE II: RATs and Exploit Kits communication.[19] 2) Exploit: Exploit is the part of weapon which facilitates 4 Drive by Download Target is forced to download ap- the RAT to execute. Exploit acts as a carrier for RAT and pealing malicious content from in- uses system/software vulnerability to drop and execute RAT. ternet. Malicious content could be Major objective to use exploit is to evade user attention while a image file, pdf/word document or establishing a silent backdoor access using RAT. Exploits can software setup file 5 USB/Removal Me- Infected files are kept in Re- be of many form like MS Office documents (.doc/ppt) e.g. dia movable media which afterwards CVE-2010-3333, CVE-2014-4114, PDF Documents e.g. CVE- silently infects other systems open- 2014-9165, CVE-2013-2729, audio/video file e.g. CVE 2013- ing the files. 3245 or web page e.g.CVE-2012-1876, CVE-2014-6332 [18] 6 DNS Cache Poi- Vulnerabilities in DNS are ex- etc. If target opens any of such files using vulnerable software soning ploited to divert internet traffic RAT will be installed on targets system. After getting RAT from legitimate servers to attacker installed more exploits like privilege escalation exploits like controlled destinations. CVE-2015-002, CVE-2013-3660 are used on target to get TABLE III: Delivery Mechanisms higher privileges which can be used for spreading of RAT, persistent access or for destruction of complete system. D. Exploitation Without exploit also there are methods to compromise the After delivering the cyber weapon, then as expected the target using only RAT but those methods are highly unreliable target completes the required user interaction and weapon and not effective these days because of security awareness executes at the target side. On execution, the next step is among users. Embedding RAT in legitimate software exe- triggering the exploit. The objective of an exploit is to silently cutable, sharing via social engineering and faking RAT as install/execute the payload. To trigger the exploit there are genuine image/audio/video files are some of such methods certain conditions that need to be matched: which used in wild in previous years[41]. 1) User must be using the software/Operating System C. Delivery for which exploit has been created 2) The software/Operating System should not be up- Delivery is the critical part of cyber kill chain which is dated or upgraded to the versions wherein exploit responsible for an efficient and effective cyber-attack. For any doesnt work. cyber-attack it is preferable to have target information to ensure 3) Anti-Viruses or any other security mechanism should a successful attack. In most of the cyber-attacks it is mandatory not detect the exploit or payload neither in statically to have some kind of user interaction like downloading and nor dynamically during run time. executing malicious files or visiting malicious web pages on internet. There are some attacks which are performed without If all these conditions are fulfilled then exploit is triggered user interaction by exploiting network devices e.g. CVE-2014- and it will successfully install/execute the payload in target’s 3306, CVE-2014-9583[18]. When it is clear that target has to system. Payload will connect to its Command and Control interact, it is obvious that attack should have ability to attract counterpart to inform about successful execution and wait for and entice the target to interact. This affinity comes from the further commands to execute. active and passive reconnaissance. It is clear that exploit is the most critical part of the chain Delivery is a high risk task for attacker because delivery technically. What is an exploit and how does attacker find such leaves traces. Therefore most of the attacks are performed exploits is the next question here. anonymously using paid anonymous services, compromised websites and compromised email accounts. Exploits are made using vulnerability of softwares publicly identified as CVE[18]. Vulnerability is the software bug which While delivering the weapon multiple delivery methods can result in potential threat to the system. And a bug is an un- are also used because no single method can guarantee 100% expected condition in which a program/software misbehaves. success. Failed attacks sometimes are very useful to get basic Generally while programming lot of efforts is made to avoid information about target’s system information. Such types such conditions by writing every possible use case, exception of information gathering mechanisms are very common in handling for all types of inputs, blocking invalid input etc. browser based attack where user visits the malicious web page But most of the times not all cases are covered because of which first try to get user system information and accordingly vast variety of user input/interaction. Therefore such invalid deliver the weapon[20]. or wrong input forces the program to misbehave and this misbehavior is defined as type of vulnerability as mentioned in Table IV. Vulnerability are further analyzed by exploit writers to simple anymore [47]. Malware nowadays are multi staged and see the possibility to carry and execute a payload. Not all they heavily rely on droppers and downloaders to deliver the vulnerabilities are exploitable. Some of them are just crashes malware modules in a much more sophisticated manner. or DoS or limited execution of program. It means not all vulnerabilities result into exploitable crashes. • Dropper is a program that will install and run the malware to a target system. Before executing the malware code, dropper nowadays tries disabling host Category of Type of Exploit Type of Vulnerability based security controls at the target and hides the Exploits [21] installed malware. 1 Operating Kernel Exploits, • System Device Driver Denial-of- • Services Downloaders were designed to perform the same Level Exploits • actions as Droppers disabling the victims security Exploits Remote or Local Code and monitoring software, hiding core components and Execution obfuscating the infection vector, etc. but tended to be smaller than Droppers because they did not contain 2 Network Protocol exploits • the core malicious library components. Instead of Level for FTP, SMTP, Privilege Es- unpacking an embedded copy of the core malware calation Exploits NTP, SSH, Router agent, the downloader would connect to a remote file exploits, repository and download the core components. 3 Application/ Browser Exploits, Memory Corruption: Software MS Office exploits, • Dangling Today’s installation life-cycle incorporates many checks, bal- Exploits PDF Exploits, Pointer Java/Flash Exploits • ances and resilience features as a means of maximizing the Buffer Over- success of the installation, and protecting the participating flow • Use-After- attackers. Following are some techniques that malware authors Free use for covert persistent and anonymous installations. • Anti-Debugger and Anti-Emulation: Dropper and TABLE IV: Exploits downloader components are typically armored. Using Regarding the interest that how these vulnerabilities are dis- a variety of packers, crypters and inspection-detection covered following papers[22] [23] [24] describe details about engines, malware authors can ensure that common fuzzing. Fuzzing is methodology to give customized input to debugger and emulation analysis techniques will not the program and monitoring the output for abnormal behavior. work. The addition of advanced anti-virtual machine This abnormal behavior is further analyzed w.r.t. given input analysis technologies also deters malware analysis to to describe vulnerability and so to create exploits. a high extent. • As mentioned in Delivery sectio sometimes just one de- Anti-Antivirus: Many malware packages include livery method is not sufficient, in the same way not just one toolsets for automatically disabling host-based de- exploit is sufficient to attack multiple users specifically during tection technologies disabling anti-virus and IDS mass attacks. Generally combination of exploits, called an products installed on the victim’s computer, changing Exploit Kit, is used for this purpose. As the name suggests local DNS settings to ensure that no future updates to Exploit Kit is a collection of multiple exploits for various the operating system or packages are possible, and versions of software. As an example for browser based attacks adding tools that recheck and re-disable protection an exploit kit may have exploits for various versions of Google settings frequently. Chrome, Firefox and internet explorer. During delivery if • Rootkit and Bootkit Installation: Rootkits are pro- target uses vulnerable version of any of listed browser for grams which hide the executed payload. Payload file which exploit is available in exploit kit it will be delivered hiding, process hiding are the core functionalities accordingly. of a rootkit e.g. LRK,AFX,Mebroot [27]. Similarly Bootkits are malwares that are able to hook and patch E. Installation system to get loaded into the system Kernel, and thus getting unrestricted access to the entire system. Host based security measures have grown leaps and bounds Bootkits like Stoned Bootkit [28] modify the MBR or compared to other security mechanisms. This in turn has boot sector for its execution to avoid protections from spurned innovation in procedures that circumvent host-based operating system. security controls to install, update and regulate the control of the malware installed upon the victims computing device. Tra- • Targeted Delivery:By performing a quick inventory ditionally, a computer would become infected by an infection of the victim’s machine at the dropper/downloader vector like infected removable media, which in turn will leave stage and submitting this information to the mal- a malware executable in some unusual location and modify ware distribution site, the attackers can verify that registry/startup settings so that the malware executable is run the compromised computer is real (and not some everytime the computer boots up. Some user eventually will analysis system) and respond accordingly. In some report this executable to antivirus vendor, who in turn will cases, upon discovering that the victim was faked or analyze it and come up with a signature to detect it and in is an automated analysis system, the attackers would some cases a removal tool. Modern malwares are not that not serve the core malware. • Host-Based Encrypted Data Exfiltration: Most mal- C&C Communication Traffic analysis is a traditional tech- ware does not encrypt outbound network communica- nique to detect communication pattern among infected ma- tion. Critical data stolen from the victim’s computer chines. As a result malware creators have adopted techniques is typically packed and file-encrypted at the host- to hide communication patterns. Anonymous communication level before sending over a clear text network protocol techniques involve creating an unobservable communication such as HTTP and SMTP thereby evading anomaly channel that is resistant to traffic analysis. Unobservable com- detection systems and data-leakage prevention systems munication channel refers to the communication capability that (DLP)[47] a third party cannot distinguish between a communication and non-communicating entity. It will be indistinguishable from legitimate traffic. Following is a review of techniques F. Command and Control employed by the malware creators to achieve unobservable anonymous communication channel: An important part of the remotely executed cyber-attacks is the Command and Control(C&C) system. C&C system is used • IRC Chats:Internet Relay Chat(IRC)[36] was devel- to give remote covert instructions to compromised machines. oped in 1988 and is a protocol used for text chat over It also acts as the place where all data can be exfiltrated. the internet. Its primary function is to provide chan- Over the years, the architecture of C&C channels have evolved nels which are chat rooms allowing for public/private exponentially owing to the exponential development of defen- conversations. These channels were exploited by mal- sive mechanisms, namely antiviruses, firewalls, IDSs, etc [32]. wares to send and receive information once infection There are mainly three type of C&C communication structures, takes place. namely the traditional centralized structure, the newer peer-to- • peer decentralized architecture and the latest Social Networks TCP/HTTP/FTP: Malwares relying on IRC as C&C based structure. channel were now easier to detect at network gate- ways. Malware authors circumvented this by employ- • Centralized Structure: Traditionally malware de- ing TCP/HTTP/FTP[37] [38] [39] as C&C channels. pended upon a classical client server model wherein Since majority of applications in all the operating a central server is used to command and control the systems use these channels for benign communication, infected machines. Since there is only one server, malware traffic becomes indistinguishable. Examples its easy to manage. Also there is no dependence : Zeus, Poison Ivy[41] [42] on the infected machines to relay command control • Steganography:Steganography technique involves signals. Hence failure of random infected machines hiding data inside images, video, audio or any such wont affect C&C architecture. But the number of content which are hosted in attacker controlled harm- bots that can be controlled depends is constrained by less websites. The data is then hidden in specially the hardware/software resources available to the C&C constructed and encrypted inline annotations which server. Also taking down the server strategically will are strewn randomly all over the page or extra spurious shutdown the entire C&C infrastructure. bytes of images. This hidden data can contain C&C • Decentralized Structure:Owing to the fact that cen- commands like ip addresses of C&C server, shellcode tralized architecture can be taken down easily and commands to execute etc cannot control a large botnet, malware authors started • TOR:Tor (originally The Onion Router) is a service using peer-to-peer P2P architecture for command-and- used to provide anonymity over the internet[ar09]. control. The main aims of using this architecture are Tor directs Internet traffic through a free, world- scalability (infected machines are used as nodes, and wide, volunteer network consisting of more than six each node in turn is responsible only for a subset of thousand relays to conceal a user’s location and us- the total botnet), fault tolerance (redundant commu- age from anyone conducting network surveillance or nication links can be formed to route information) traffic analysis.. Apart from providing an anonymity and P2P nature (decentralized architecture removes network, Tor also has Hidden Service Protocol which the significant single point dependence of centralized makes it possible for users to hide their location while architectures). Variety of options for P2P e.g. Bit tor- offering various kinds of public services.. Hidden rent, Gnutella, Kademilia etc. indicates the substantive services work by setting up Rendezvous points which depth of design possibilities. Eg. Storm [33] are identified by .onion links. SDC Botnet [43] is a recent example of malwares employing TOR as C&C • Social Networks Based Structure:Social networks channel. now play a huge part in many peoples lives. Facebook has 1.35 billion registered users as of third quarter of Attackers would like to stay undetected and covert for as long 2014 [34]. Most of the social network services are free as possible. Following are 3 techniques commonly used by to use and these services are deemed to be benign malware authors to hide their C&C server from the defense in most organizational security policies. Owing to mechanisms of any organization: these reasons, social media has now become a viable option for malware authors. These high availability • DNS Fast Flux:The Domain Name Service(DNS)[44] and reliable social networks are used to pass on is a naming system of computers on the internet. DNS information in a centralized/decentralized way to the is not required to match hostnames to ip addresses infected machines. Eg. Taidoor [35] in a one-to-one fashion. A single hostname may correspond to many IP addresses to facilitate fault IV. SUMMARY tolerance and load distribution Malware authors use a technique called fast-flux to hide C&C locations be- In this paper cyber kill has been discussed in detail with hind an rapidly changing(fast-flux) network of infected its technical aspects. The paper gives technical flow from machines. This is achieved by setting a very short attacker’s perspective which may help security researcher to TTL(time-to-live) to DNS response which is known design prevention mechanisms.This paper explores the recent as single flux. Another technique called double flux trends in malware development by reviewing weaponize and is used which works by switching rapidly through installation techniques. Delivery and Exploitation section gives multiple infected nodes addresses which in turn act an insight to the importance of software vulnerabilities, both as a proxy relay location to the original C&C Site. from an attacker and security researcher’s perspective, in the current cyberspace.Study of reconnaissance techniques and • DNS as a medium:It is also possible to use DNS Command & Control infrastructure shows how benign features system as a communication mechanism rather than of network protocols are being misused to achieve nefarious using it for setting up the channel. RDATA field of a end results. DNS response can be of variable length and multiple formats. One of these is TXT, which can be used REFERENCES to transfer actual text. The commands are can be encoded into base64 and sent over the RDATA field. [1] MALWARE RISKS AND MITIGATION REPORT. 1st ed. BITS Feederbot[46] is one such example. - The Financial Services Roundtable; 2011. [Online]. Available at: http://www.nist.gov/itl/upload/BITS-Malware-Report-Jun2011.pdf. [Ac- • Domain Generation Algorithms: Another method to cessed: 26- Mar- 2015]. stay under the radar is DGA. DGA programmatically [2] J. Ranum M. Breaking Cyber Kill Chains. Ten- able Network Security. 2014. [Online].. Available at: generates pseudo random domain names which is http://www.tenable.com/blog/breaking-cyber-kill-chains. [Accessed: used as address of C&C server. IT is then upto the 26- Mar- 2015]. attacker to ensure he controls the domains that will be [3] Sager T. Killing Advanced Threats in Their Tracks: An Intelligent generated. Conficker malware for example, generates Approach to Attack Prevention. Sansorg. 2014. [Online]. Available at: 250 domain names by using current UTC date as the http://www.sans.org/reading-room/whitepapers/detection/killing-advanced-threats-tracks-in seed of pseudo random DGA. The same domains are [Accessed: 26- Mar- 2015]. generated every 3 hours. All the 250 domain names [4] The Cyber Attack Cycle.[Online].. Available at: http://www.eur.army.mil/vigilance/Cyber Attack Cycle.pdf. [Accessed: are queried until one of them resolves successfully. 26- Mar- 2015]. [45] [5] Hartley M. Strengthening Cyber Kill Chain with Cyber Threat Intelligence. iSIGHT Partners. 2014. [Online]. Available at: http://www.isightpartners.com/2014/09/strenghtening-cyber-kill-chain-cyber-threat-intel G. Act on Objectives [Accessed: 26- Mar- 2015]. [6] Hartley M. The Cyber Threat Kill Chain Part 2 of 2 - After getting the communication setup with target system iSIGHT Partners. iSIGHT Partners. 2014. [Online]. Available at: http://www.isightpartners.com/2014/10/cyber-threat-kill-chain-part-2-2/. attacker executes the commands. The command used by at- [Accessed: 26- Mar- 2015]. tacker depends on interest of attack. [48] [7] Davis R. Exploit Kill Chain with Controls — Criti- cal Start. Criticalstartcom. 2015. [Online]. Available at: 1) Mass attack: Objective of mass attack to get as many http://www.criticalstart.com/2014/01/exploit-kill-chain-with-controls/. targets as possible. In mass attack more than a single [Accessed: 26- Mar- 2015]. system multiple systems together are of interest. Most [8] Engel G. Deconstructing The Cyber Kill Chain. of such attacks aims for getting bank, email, social Dark Reading. 2014. [Online]. Available at: http://www.darkreading.com/attacks-breaches/deconstructing-the-cyber-kill-chain/a/d-i media and local system administrator credentials[49]. [Accessed: 26- Mar- 2015]. Bigger picture of mass attack is called BOTNets[50]. [9] IT Security Reconnaissance. [Online]. Available at: BOTNets are mainly used for DDos attacks and http://itsecurity.telelink.com/reconnaissance/. [Accessed: 26- Mar- virtual coin mining. Virtual coin mining harvest the 2015]. system processors or GPU to generate virtual cur- [10] Pernet C. APT Kill chain - Part 3: Reconnaissance - rency for the attacker. Airbus D&S CyberSecurity blog. 2014. [Online]. Available at: 2) Targeted attacks: Target attacks are more sophisti- http://blog.cassidiancybersecurity.com/post/2014/05/APT-Kill-chain-Part-3-%3A- Reconnaissance. [Accessed: 26- Mar- 2015]. cated and carried with more caution. Most of such [11] Bhamidipati S. The Art of Reconnaissance - Sim- attacks are aimed to get confidential or secret in- ple Techniques. sans.org. 2002. [Online]. Available at: formation from target system. Data exfiltration and http://www.sans.org/reading-room/whitepapers/auditing/art-reconnaissance-simple-tech getting user credentials for online accounts are ob- [Accessed: 26- Mar- 2015]. jective of the attacks. Spreading through the network [12] Security Threat Report 2013. 1st ed. also becomes the primary goal when target is an SOPHOS; 2013.[Online]. Available at: organization. http://www.sophos.com/en-us/medialibrary/pdfs/other/sophossecuritythreatreport2013.pdf [Accessed: 26- Mar- 2015]. [13] Security Threat Report 2014. 1st ed. SOPHOS; 2014. [Online]. Avail- In both types of attack if attack is intended for destructive able at: https://www.sophos.com/en-us/medialibrary/PDFs/other/sophos- purpose it may crash system hard drive or device drivers. security-threat-report-2014.pdf. [Accessed: 26- Mar- 2015]. Attacker may make CPU to use its maximum capability for [14] Rodionov, Eugene, and Aleksandr Matrosov. ”Defeating Anti-Forensics long time to damage the processor hardware. in Contemporary Complex Threats.” [15] Securelist.com,. ’The Ventir Trojan: Assemble Your Macos Spy - [39] Ietf.org,. (1981). RFC 793 - TRANSMISSION CONTROL PROTO- Securelist’. N.p., 2015. COL. [Online]. https://www.ietf.org/rfc/rfc793.txt. [Accessed: 26- Mar- [16] Anley, Chris, et al. The shellcoder’s handbook: discovering and exploit- 2015]. ing security holes. John Wiley & Sons, 2011. [40] Fox-IT International blog,. (2013). Large botnet cause of [17] Research.zscaler.com,. ’Zscaler Research: Njrat & H-Worm Variant recent Tor network overload. Retrieved 24 March 2015, from Infections Continue To Rise’. N.p., 2015. http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/. [Accessed: 26- Mar- 2015]. [18] CVE -Common Vulnerabilities and Exposures (CVE). [Online]. Avail- able at: https://cve.mitre.org/ [41] IOActive Inc,. (2012). Reversal and Analysis of Zeus and SpyEye Bank- ing Trojans (1st ed., p. 31). Seattle: IOActive, Incorporated. [Online]. [19] Pernet C. APT Kill chain - Part 4 : Initial compromise - http://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf. Airbus D&S CyberSecurity blog. 2014. [Online]. Available at: [Accessed: 26- Mar- 2015]. http://blog.airbuscybersecurity.com/post/2014/06/APT-Kill-chain-Part-4-%3A- [42] FireEye, (2014). Poison Ivy: Assessing Damage and Extracting Initial-compromise. [Accessed: 26- Mar- 2015]. Intelligence (1st ed., p. 33). California: FireEye Inc. [Online]. [20] GitHub, ’DeviceFingerprint’, 2013. [Online]. Available: https://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf. https://github.com/dimalinux/DeviceFingerprint. [Accessed: 26- Mar- [Accessed: 26- Mar- 2015]. 2015]. [43] ydklijnsma. Large botnet cause of recent Tor network overload 2013. [21] CVE security vulnerability database. Security vulnerabilities, exploits, [Online] http://blog.fox-it.com/2013/09/05/large-botnet-cause- of-recent- references and more. [Online]. Available at: http://www.cvedetails.com/. tor-network-overload/. [Accessed: 26- Mar- 2015]. [Accessed: 26- Mar- 2015]. [44] Ietf.org,. (1987). RFC 1035 - DOMAIN NAMES - [22] Oehlert, Peter. ”Violating assumptions with fuzzing.” Security & Pri- IMPLEMENTATION AND SPECIFICATION. [Online]. vacy, IEEE 3.2 (2005): 58-62. https://www.ietf.org/rfc/rfc1035.txt. [Accessed: 26- Mar- 2015]. [23] Sutton, Michael, Adam Greene, and Pedram Amini. Fuzzing: brute force [45] P. Porras, H. Saidi, and V. Yegneswaran. A Foray into Confickers Logic vulnerability discovery. Pearson Education, 2007. and Rendezvous Points. In Proc. of the USENIX Workshop on Large- [24] Godefroid, Patrice, Michael Y. Levin, and David Molnar. ”SAGE: Scale Exploits and Emergent Threats (LEET), 2009. whitebox fuzzing for security testing.” Queue 10.1 (2012): 20. [46] Dietrich, Christian J., Christian Rossow, and Norbert Pohlmann. ”Co- [25] Contagio: An Overview of Exploit Packs (Up- CoSpot: Clustering and recognizing botnet command and control chan- date 24) Mar 2015. 2015. [Online]. Available at: nels using traffic analysis.” Computer Networks 57.2 (2013): 475-486. http://contagiodump.blogspot.in/2010/06/overview-of-exploit-packs-update.html.[47] DAMBALLA,. (2015). Behind Todays Crimeware Installation Life- [Accessed: 26- Mar- 2015]. cycle: How Advanced Malware Morphs to Remain Stealthy and [26] Eric Chien and Pter Szr Symantec Security Response Blended Persistent 10 (1st ed., p. 10). Atlanta: DAMBALLA. [Online]. Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques https://www.damballa.com/downloads/r pubs/WP Advanced Malware in Computer Viruses Virus Bulletin , 2002. [Online]. Available Install LifeCycle.pdf. [Accessed: 26- Mar- 2015]. at: http://www.symantec.com/avcenter/reference/blended.attacks.pdf. [48] A View From Front Lines. 1st ed. MANDIANT [Accessed: 26- Mar- 2015]. A FireEye Company; 2015. [Online]. Available at: [27] Hardikar A. Malware 101 - Viruses. http://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf. sansorg. 2008. [Online]. Available at: [Accessed: 26- Mar- 2015]. http://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848.[49] Pernet C. APT Kill chain - Part 5 : Access [Accessed: 26- Mar- 2015]. Strenghtening and lateral movements - Airbus D&S CyberSecurity blog 2014. [Online]. Available at: [28] Kleissner, Peter. ”Stoned bootkit.” Black Hat USA (2009): 5-7. http://blog.airbuscybersecurity.com/post/2014/11/APT-Kill-chain-Part-5-%3A- [29] Jospeh Gradiner, Marco Cova, Shishir Nagaraja Command & Control Access-Strenghtening-and-lateral-movements. [Accessed: 26- Mar- : Understanding, Denying and Detecting 2014 2015]. [30] D. Seenivasan, K. Shanthi Categories of Botnet: A Survey International [50] Fatima Naseem, Mariam shafqat, Umbreen Sabir and Asim ShahzadA Journal of Computer, Control, Quantum and Information Engineering Survey of Botnet Technology and detectiion International Journal of Vol:8 No:9, 2014 Video & Image Processing and Network Security IJVIPNS-IJENS Vol:10 [31] Ting-Fang Yen, Victor Heorhiadi, Alina Oprea, Michael K. Reiter,Ari No:01 2010 Juels An Epiemiological Study of Malware Encounters in a Large Enterprise ACM SIGSAC Conference on Computer and Communications Security 2014 [32] QinetiQ. (2014). Command & Control: Understand- ing, Denying, Detecting, (February), 36. [Online]. http://www.cpni.gov.uk/Documents/Publications/2014/2014-04-11-cc qinetiq report.pdf. [Accessed: 26- Mar- 2015]. [33] P. Porras, H. Saidi, and V. Yegneswaran. A multi-perspective analysis of the Storm (Peacomm) worm. In SRI Technical Report 10- 01, 2007. [34] Statista,. (2015). Facebook: figures of monthly active users 2014 — Statistic. [Online]. http://www.statista.com/statistics/264810/number-of-monthly-active-facebook-users-worldwide/. [Accessed: 26- Mar- 2015]. [35] Fireeye.com,. (2013). Evasive Tactics: Taidoor Threat Research — FireEye Inc. [Online]. https://www.fireeye.com/blog/threat- research/2013/09/evasive-tactics-taidoor-3.html. [Accessed: 26- Mar- 2015]. [36] Tools.ietf.org,. (2015). RFC 1459 - Internet Relay Chat Protocol. [Online]. https://tools.ietf.org/html/rfc1459. [Accessed: 26- Mar- 2015]. [37] Ietf.org,. (1999). RFC 2616 - Hypertext Transfer Protocol – HTTP/1.1. Retrieved 24 March 2015, from https://www.ietf.org/rfc/rfc2616.txt. [Ac- cessed: 26- Mar- 2015]. [38] Ietf.org,. (1985). RFC 959 - FILE TRANSFER PROTOCOL (FTP). [Online]. https://www.ietf.org/rfc/rfc959.txt. [Accessed: 26- Mar- 2015].