Going in for the Kill (chain)!

Last week I was party to a discussion on LinkedIn regarding recruitment agencies being approached by companies offering them work, mainly just to payroll some employees due to some difficulty they have had in processing. The companies involved approached the recruitment agencies by phone and email and this was subsequently identified as a scam.

In terms of the email approach, some had opened the email and this had pointed them to a bogus (but convincing) website for the fraudulent company. Naturally, I mentioned the recruitment agencies should be really careful opening such emails, as they most likely contain executable files and phishing links, which could activate ransomware. Some recruitment agencies replied they had seen no ill effects from engaging with the email, ….yet.

YET – that’s the critical point.

You see, modern cyber criminals tend to engage in what can be described as Cyber Kill Chain activity whereby ill-effects will not be experienced immediately, but rather after a period of time based on a devious and cunning process they follow over several weeks or months to breach a network and steal data.

So how does the Cyber Kill Chain work?

There are several core stages in the cyber kill chain. They range from Reconnaissance (often the first stage in a malware attack) to Lateral Movement (moving laterally throughout the network to get access to more data) to data Exfiltration (getting the data out). All of your common attack vectors – whether it be a phishing email (like in the example above) or brute force attack or the latest strain of malware – can trigger activity on the cyber kill chain.

Each stage is related to a certain type of activity in a cyberattack, regardless of whether it’s an internal or external attack as follows:


In every heist, you’ve got to scope the joint first. The same principle applies in a cyber-heist. It’s the preliminary step of an attack, the information gathering mission. During reconnaissance, a cyber -attacker is seeking information that might reveal vulnerabilities and weak points in the system. Firewalls, intrusion prevention systems, perimeter security – these days, even social media accounts – are identified and investigated. Reconnaissance tools scan corporate networks to search for points of entry and vulnerabilities to be exploited.


Once the cyber-attacker has gathered the intel, it’s time to break in. Intrusion is when the attack becomes active. Cyber-attackers can send malware – including ransomware, spyware, and adware – to the system to gain entry. This is the delivery phase: it could be delivered by phishing email (like in the example above) or it might be a compromised website (or a bogus but convincing website, like in the example above) or a compromised login (without MFA, for example). Intrusion is the point of entry for an attack, getting the cyber-attackers inside.


Now the cyber-attacker is inside your door, and the perimeter is breached. The exploitation stage of the attack exploits the system. Cyber-attackers can now get into the system and install additional tools, modify security certificates and create new script files for nefarious purposes.

Privilege Escalation

Cyber-attackers then use privilege escalation to get elevated access to resources. Privilege escalation techniques often include brute force attacks, preying on password vulnerabilities, and exploiting zero-day vulnerabilities. They will also modify GPO security settings, configuration files, change permissions, and try to extract credentials.

Lateral Movement

Cyber-attackers now have ‘the run of the place’, but they still need to find the vault. Cyber-attackers will move from system to system, in a lateral movement, to gain more access and find more assets. It could also be termed an advanced data discovery mission, where attackers seek out critical data and sensitive information, admin access and email servers – often using the same resources as IT and leveraging built-in tools like Powershell – and position themselves to do the most damage.

Obfuscation (anti-forensics)

Put the security cameras on a loop and show an empty elevator so nobody sees what’s happening behind the scenes. Cyber-attackers do the same thing. They conceal their presence and mask activity to avoid detection and thwart the inevitable investigation. This might mean wiping files and metadata, overwriting data with false timestamps (timestomping) and misleading information or modifying critical information, so that it looks like the data was never touched.

Denial of Service

Jam the phone lines and shut down the power grid. Here’s where the cyber-attackers target the network and data infrastructure, so legitimate users can’t get what they need. The denial of service (DoS) attack disrupts and suspends access and could crash systems and flood services.


Cyber-attackers always have an exit strategy. The attackers get the data: they’ll copy, transfer, or move sensitive data to a controlled location, where they do with the data what they will. Ransom it, sell it on Ebay, send it to WikiLeaks. It can take days to get all of the data out, but once it’s out, it’s in their control.

All of this activity can take days, weeks, or months to complete, but to cyber-attackers it’s well worth the time and effort, because data is an extremely valuable commodity.

The recent BA breach ICO report illustrates how a clever hacker was able to use the Cyber Kill Chain approach to cause a significant data breach. This is a simplified explanation, but this is basically what happened.

  • Reconnaissance – A Swissport employee based in Trinidad & Tobago was the first step in the attack chain and was identify as a target with a weak security posture.
  • Intrusion -The Swissport employee had remote access to BA’s network using Citrix. Multi Factor Authentication wasn’t enabled meaning there was a way into BA’s network from what might be viewed as a legitimate source.
  • Exploitation – BA’s Citrix configuration allowed the attacker to breakout of the limited environment and take a look around their network.
  • Privilege Escalation – The attacker found domain administrator credentials in a file in plaintext. This allowed the hacker to have the ability ‘move’ to more commercially sensitive areas of the network.
  • Lateral Movement – The hacker then used this access to scour the internal network to specifically find payment card details in log files on servers.
  • Exfiltration – The attacker installed a script on the BA website to steal payment card information and personal data.

This above attack took approximately 3 days!