For the first CSA tutoring post we will cover the tools or malware that match each stage of the Cyber Kill Chain, along with several other topics.
Stage 1 Reconnaissance: Take a look at what is happening. Harvesting email addresses, conference information, etc.
Let’s find the names of some malware that can accomplish this. First, can we be any more specific about what the reconnaissance is doing? Seeking information that reveals vulnerabilities in the system. Specifically? Firewalls, intrusion detection systems, operating systems, and applications (and their versions). Is that enough information yet? No? What if we add packet sniffing, port scanning and OSINT?
One important note before we move on: the attacker is usually assessing the target from outside the organization, with no inside knowledge of it. Take a minute to research “black box” on Google. Moving on...
Now can we determine the names of reconnaissance malware and tools? Give it a go on Google search.
Ok, let’s compare notes: I’ve got Wireshark, Nmap, and Netcat.
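From the defender’s side, the port scanning mentioned above leaves a recognisable trace: one source address touching many different destination ports on a host within a short window, most of them denied. The script below is an added example (not part of the original post, and not code from any of the tools named above) that runs a simple sliding-window port-scan detector over a handful of constructed firewall log lines. The log format, the 60-second window and the 8-port threshold are all assumptions chosen for the example; the IP addresses come from the RFC 5737 documentation ranges and do not belong to real hosts.

```python
"""Toy port-scan detector run over constructed firewall log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed space-separated format:
# <ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>
# The addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-01-15T10:00:00 203.0.113.5 192.0.2.10 21 DENY
2024-01-15T10:00:00 203.0.113.5 192.0.2.10 22 DENY
2024-01-15T10:00:01 203.0.113.5 192.0.2.10 23 DENY
2024-01-15T10:00:01 203.0.113.5 192.0.2.10 25 DENY
2024-01-15T10:00:02 203.0.113.5 192.0.2.10 80 ALLOW
2024-01-15T10:00:02 203.0.113.5 192.0.2.10 110 DENY
2024-01-15T10:00:03 203.0.113.5 192.0.2.10 143 DENY
2024-01-15T10:00:03 203.0.113.5 192.0.2.10 443 ALLOW
2024-01-15T10:00:04 203.0.113.5 192.0.2.10 445 DENY
2024-01-15T10:00:04 203.0.113.5 192.0.2.10 3389 DENY
2024-01-15T10:00:05 198.51.100.7 192.0.2.10 443 ALLOW
2024-01-15T10:00:09 198.51.100.7 192.0.2.10 443 ALLOW
2024-01-15T10:01:30 198.51.100.7 192.0.2.10 80 ALLOW
2024-01-15T10:05:00 203.0.113.9 192.0.2.10 22 DENY
2024-01-15T10:07:00 203.0.113.9 192.0.2.10 80 ALLOW
"""

WINDOW = timedelta(seconds=60)  # assumption: a scan touches many ports within a minute
THRESHOLD = 8                   # assumption: 8+ distinct ports in one window is suspicious


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def detect_port_scans(events, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: peak distinct destination ports seen inside one window}
    for every source whose peak reaches the threshold."""
    by_src = defaultdict(list)
    for ts, src, _dst, port, _action in events:
        by_src[src].append((ts, port))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()  # sort by timestamp so the window can slide forward
        start = 0
        peak = 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most `window` seconds
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct_ports = len({port for _, port in hits[start:end + 1]})
            peak = max(peak, distinct_ports)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {count} distinct ports within {WINDOW}")
```

Only 203.0.113.5 is flagged: it hits ten distinct ports in five seconds, while the other two sources repeat a couple of ordinary ports over a longer span. In a real environment the window and threshold need tuning, and known-good scanners (your own vulnerability-management hosts) should be allow-listed, otherwise the same logic that catches reconnaissance will page you about your own tooling.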
Stage 2 Weaponization: Coupling an exploit with a backdoor into a deliverable payload. Worded another way: the threat actor now develops malware specifically crafted for the vulnerabilities discovered in the Reconnaissance stage.
Before we move on to tools and malware, what are the attacker’s goals at this stage?