A few years ago, computer security intelligence expert Mike Cloppert discussed the Cyber Kill Chain, the process through which a cybercriminal uses malware to attack the victim. In a recent webinar titled “How to Use Email-based Threat Intelligence To Catch a Phish,” Securosis’ Mike Rothman applied Cloppert’s methodology to how cyberattacks work in the instance of a phishing attack.
The kill chain begins with weaponization and ends with monetization, the point at which credentials are stolen. In this post, we’ll dig into the Phish Food Chain, as explained by Mike Rothman, and discuss how cybercriminals use this process to attack your brand. Let’s take a closer look at how Rothman took Cloppert’s work with the kill chain and applied it to phishing.
Step 1: Reconnaissance
Reconnaissance is all about leverage. Phishers seek large consumer brands that have a broad base of customers they can target. Think about it: why go after 100 people when you can go after 100 million people? These are the kinds of attacks in which you see the big brands targeted, the companies that have the broadest array of customers.
Step 2: Weaponization
Weaponization occurs in the form of phishing kits. Phishing kits are pre-packaged attack materials targeted at a specific brand, containing all of the files, malware and materials that a phisher would need to launch an attack against that brand. As soon as the phisher uses these materials to launch a phishing website, they are officially “in business” (and on their way to putting you out of business).
Spam Filter Evasion
Step 3: Delivery
Delivery aims to evade spam filters. This is the point at which the phishing email is delivered to its target.
Advanced Malware Attacks
Step 4: Exploitation / Step 5: C2 (Command & Control)
Exploitation and command and control have everything to do with advanced malware attacks: phishers use fairly advanced malware that takes advantage of vulnerabilities to gain a presence on the targeted devices.
Step 6: Exfiltration
This is where the monetization takes place. Phishers acquire credentials that allow them to access the resources that they are seeking in the phishing attack.