Professor Ali Al-Sherbaz and Dr Qublai Ali-Mirza from The University of Gloucestershire tell Martin Cooper MBCS that understanding the key phases of cyber attacks can keep organisations safe.

‘Criminals only have to get it right just once. Security, by contrast, is a consistent exercise which needs to evolve consistently.’

Cybercrime is a business and a lucrative one at that. We hear about organisations being robbed and blackmailed, oftentimes for millions of dollars, pounds and crypto currencies. Somewhere, you can bet, somebody is reclining in a sports car, swilling cognac, puffing on a cigar and celebrating the lifestyle on Instagram.

As such, it can – if you’re very lucky – be revealing to ask cybersecurity professionals how they’d make their fortunes should they wake up one morning and decide to change sides. How, knowing what they know, would they make their first crypto currency million and buy a first Bentley?

But, not in this case. ‘You’ll have to sign an NDA,’ says Professor Ali Al-Sherbaz FBCS. Smiling, Dr Qublai Ali-Mirza says: ‘You can’t quote me.’

Both work for the University of Gloucestershire, where Sherbaz is an associate professor and academic subject leader in technical and applied computing. Ali-Mirza is a course leader in cybersecurity.

Grudging respect from reverse engineering

So, which piece of malware did the pair find most fascinating? Whose tradecraft do they admire most?

‘Zeus,’ says Ali-Mirza emphatically. ‘It was first identified in 2007. It couldn’t be spotted. It worked under the radar for two years and, the records show, it stole more the one hundred million dollars but, I’m sure it stole more than that.’

Zeus was a trojan horse which ran on Windows systems. Though it was used to carry out many malicious attacks, it gained infamy as a means of stealing banking information by grabbing, keylogging and manipulating browser traffic. It was spread mainly by phishing and drive-by downloading. Zeus’ superpower was its ability to remain undetected. Many of the best contemporary anti-virus programmes were stumped by its stealth techniques.

‘It was really cleverly designed,’ says Qublai. ‘I’ve analysed Zeus and variants of it myself. The way it was programmed was really good. By that I mean it propagated really efficiently and, while it was spreading, it was morphing into something else. As it moved forward, it changed its [file] signatures and its heuristics – its behaviour. And, it was deleting the previous versions of itself. It was very biological...

For his money, Al-Sherbaz says Chernobyl remains a piece of malware worth remembering – for many of the wrong reasons. This virus emerged in 1998 and went on to infect nearly 60 million computers across the globe.

Chernobyl’s payloads were highly destructive. If your system was vulnerable, the virus could overwrite critical sectors on the hard disk and attack the PC’s BIOS. Damage these and the computer is rendered inoperable.

‘Zeus though, it was really intelligent,’ Al-Sherbaz says, agreeing with his colleague. ‘The groups, I think, understand how real biological viruses work. They recruited smart people. I’m really interested in how they recruit people. These aren’t just people who do coding. I’m sure they must have a recruitment process and get people from different backgrounds – cryptanalysts… biologists… network security experts. It was impressive.’

Yesterday’s troubles and today’s

Wind the clock forward to today and we’re still seeing malware that can evade detection and, ultimately, avoid anti-virus software. Today’s top AV programmes promise isolation, removal, real-time blocking, detection, response, behaviour-based monitoring and remediation. The list goes on. Despite all this and decades of product development, we’re still vulnerable to malware. Why?

‘It’s a good question,’ says Dr Ali-Mirza. ‘Your antimalware software is consuming resources and you’re still vulnerable. The answer is simple. Though the industry is advanced, there’s a lack of intelligence sharing. It’s about business. A lot of the tools and techniques are proprietary and [firms] don’t share the intelligence among themselves. A lot of organisations are quite closed off, they don’t share their techniques. They take pride in this, saying: “Our database of malware signatures is better than x, y, z’s”.’

This approach can afford vendors a marketing advantage. It will enable them to sell their products based on the richness of their database of known virus signatures. It doesn’t, however, afford vendors a technical advantage.

‘Vendors might say, “We are the first people to identify this piece of malware. If you buy our product, you are more secure”,’ Dr Ali-Mirza explains. ‘The problem is, identifying just a signature… just a heuristic feature... just a piece of malware – it isn’t enough. Malware becomes lethal based on the vulnerability it is exploiting. When a zero-day attack is identified and exploited, that’s the most lethal thing in this industry.”

Criminals have unfair advantages

The playing field where attack and defence happen isn’t level. The pair of security academics were quick to point out that those who work on the right side of the law are bound by some significant restrictions.

Firstly, malware itself isn’t bound or limited by any legislation: criminals can use any tool and any technique. Ali-Mirza says: ‘They can pick up any open source tool, further enhance it and use it as an attack.

‘Hackers are getting more innovative too,’ he continues. ‘But, more importantly, criminals only have to get it right once. Security, by contrast, is a consistent exercise which needs to evolve.’

Echoing this point, Professor Ali Al-Sherbaz explains that, in his opinion, criminals have another huge advantage: they have, to a degree, the luxury of time. When it comes to designing and deploying their software, they can plan, test, iterate and, finally, attack their chosen flaw. Defenders, however, might only have moments to react when they notice a vulnerability being exploited.

Dissecting ransomware

Of all the types and families of malware which do daily damage online, ransomware is the kind which steals most headlines. From Wannacry to the Colonial Pipeline attack, to JBS foods and CAN Financial, ransomware attacks have caused havoc.

It’s against this backdrop that Dr Ali Mirza and four others from the School of Computing and Engineering at the University of Gloucester published the paper: Ransomware Analysis using Cyber Kill Chain.

For you

Be part of something bigger, join BCS, The Chartered Institute for IT.

A kill chain is a military concept which describes an attack’s key phases. In armed forces terms, these might be: identify the target; dispatch forces to the target; initiate the attack and destroy the target. Critically, a kill chain can be used for defence too: it can let you understand how you might be able to pre-emptively interrupt or stop your enemy’s attack flowing.

The cyber kill chain framework is a model proposed by Lockheed Martin. It is used in attack modelling and can help organisations identify the different types of threats they may face. Like its military counterpart, the cyber kill chain describes different phases in an attack’s execution:

  1. Reconnaissance. The attacker gathers details about the target, hoping to discover weaknesses in systems or infrastructure.
  2. Weaponisation. Malware is developed to specifically exploit the vulnerabilities that have been found.
  3. Delivery. A decision is made about how the malware will be delivered – email, drive-by, USB stick?
  4. Installation. The malware arrives on the victim’s system and begins to capitalise on the vulnerabilities. The primary goal is to maintain persistence, which is achieved by creating a stealthy route to the victim machine or network in the form of a backdoor or other ingress that can be used by the attacker to access the network.
  5. Command and control. The backdoor is utilised to gain control over the network, which can be used for several malicious operations.
  6. Actions and objectives. The control over the victim network, achieved in the previous phase, is used to fulfil the malicious objectives of the attacker.

‘The cyber kill chain is very effective,’ says Dr Ali-Mirza. ‘It’s not just a one-way thing though – it can be used for both defence and attack. It encourages you to look at the attack from the offensive perspective and then create a defence against it.’

Step one – the most important

From the black-hat hacker’s perspective, the most potent step in a kill chain is reconnaissance. If they get this step wrong, the rest of the attack is unlikely to work.

There are two types of reconnaissance: active and passive. Active sees hackers interact directly with their intended victim. They might map a company’s network, examine a firewall for open ports and deploy research tools like Nmap.

The passive sort of research might see adversaries use tools as seemingly prosaic as Google and LinkedIn. You could see, for example, a company advertising for a new network admin with expertise in a particular tool, technology or system. That technology might have known and exploitable flaws.

Alternatively, a press release might announce the victim has entered into a partnership with a solution supplier and is now, proudly, using some new systems. From there, it’s an easy research job to find the online manual, details about the system’s inner workings and even the default login and password, should there be one.

The key is to sift and search through the information a company and its staff make freely available and look for clues.

The other key part of reconnaissance is being sure about what you’re looking to steal or, in the case of ransomware, what you’re looking to hold hostage. If you lock down the wrong database, the victim won’t pay.

‘Even if you’re going to build a really sophisticated piece of malware and go after a very specific company, you need to identify their assets,’ Ali-Mirza says. ‘If you lock out the wrong thing, the organisation won’t care and, worse still, they’ll know you’re in the system. And now, you’re the target.’ Note how the kill chain is reversed.

Making your moves

‘With the reconnaissance done, the hardest job – the primary task – is to get your foot in the door,’ says Ali-Mirza. ‘You know what they’re running, what network they’re using and then you need to identify that vulnerability. And there will be vulnerabilities. There’s no network which doesn’t have any vulnerabilities. That’s a fact.’

When you know, as a criminal, the exploit you’re targeting, it’s then time to choose your software weapon of choice. You’re entering the weaponization phase of the kill chain.

Here, the attacker’s job can be made much easier thanks to a leaf stolen from the conventional market for software tools: the as-a-service model. ‘The point is, this is a business,’ explains Ali-Mirza. ‘And, as such, [the criminals] are using malware-as-a-service. You can hire the malware. You don’t need any technical understanding. You can hire the malware and attack, without needing to write any code.’

‘They’re using cryptocurrencies too,’ says Professor Ali Al-Sherbaz, explaining the financial underpinnings of the malware-as-a-service model. ‘And this is making the criminals harder to identify and harder to follow. It’s a big market. There are markets that look like eBay where you can buy tools. Ransomware-as-a-service exists. It’s no surprise that some cryptocurrencies are worth thousands with these sorts of [markets existing].’

With the weapon chosen and deployed against the victim, the kill chain offers insight into the next phases and the next successes the criminals need to make before they can achieve their final goal. The malware might need to install itself, open a back-door, establish contact with its makers so it can update itself or receive instructions. And then perhaps it’ll encrypt a specific set of files or exfiltrate a targeted data set.

Return on criminal investment

From a cost perspective (and, by implication, a return on investment view) staying hidden on a network can be the most expensive challenge. Zeus, as we mentioned earlier, evaded contemporary antivirus software. Many of today’s advanced persistent threats (APTs) stay hidden for up to six months. This ability to avoid detection requires, Ali-Mirza explains, considerable technical investment. Criminals also invest in anti-forensics too.

‘When you’ve acquired a piece of code from the infected network or PC, anti-forensics are techniques which stop the analyst from using different tools on it to identify what the next move might be. What the next iteration might look like.’

These defensive techniques could, for example, see a piece of code which can sense when it is inside a virtual environment. If it believes it is, it might refuse to run, behave differently or stay packed. This would limit analysts’ abilities to sandbox the code. Malware writers also deploy anti-debugging techniques to prevent researchers from examining their work.

So, what can organisations learn from the kill chain? Where in the seven steps can we hope to disrupt hackers’ attacks most effectively and efficiently?

‘Firewalls and antivirus all have their place and their significance,’ Dr Qublai Ali-Mirza says. ‘But, to simplify things, humans are the weakest link. All they need is to make one mistake. Cyber awareness [training] should be a common thing in every organisation. It should be small, regular and maybe gamified.’

Thinking back to the kill chain, employees can provide valuable insights for criminals who are at the reconnaissance phase of their attack. ‘Employees are the entry point... Infection, propagation and covert operations [those are all important]. But, infection doesn’t mean how they got into the system.

'Infection means, what vulnerability did they exploit? Entering the system can vary. It can be through USB sticks, phishing emails... Entering is one thing. The functionality of the malware starts when it runs. Malware, as an executable, could sit on my computer, on my USB stick and do nothing.'

Emphasising the point, he explains that when a user clicks on a bad link in a phishing email or opens an infected PDF – that’s the entry point and that’s the point against which continuous cyber awareness training should be deployed.

Summing up the kill chain process neatly, Dr Qublai Ali-Mirza says: ‘Infection, propagation and covert operations. If you understand these three things, you actually understand the malware. And, more importantly, you can actually secure the system.’