The Cyber Kill Chain provides this model.
As you seek to reconcile it with the CompTIA process, you might choose to think of it as expanding the Information Gathering and Vulnerability Identification stage and the Attacking and Exploiting stage into seven more detailed steps, as shown in Figure 1.5.
The reconnaissance phase of the Cyber Kill Chain maps directly to the Information Gathering and Vulnerability Identification phase of the penetration testing process.
During this phase, attackers gather open-source intelligence and conduct initial scans of the target environment to detect potential avenues of exploitation.
After completing the Reconnaissance phase of an attack, attackers move into the remaining six steps, which expand upon the Attacking and Exploiting phase of the penetration testing process.
The first of these phases is Weaponization.
During this stage, the attackers develop a specific attack tool designed to exploit the vulnerabilities identified during reconnaissance.
They often use automated toolkits to develop a malware strain specifically tailored to infiltrate their target.
After developing and testing their malware weapon, attackers next must deliver that malware to the target.
This may occur through a variety of means, including exploiting a network or application vulnerability, conducting a social engineering attack, distributing malware on an infected USB drive or other media, or sending it as an email attachment.
Once the malware is delivered to the target organization, the attacker or the victim takes some action that triggers the malware’s payload, beginning the Exploitation phase of the Cyber Kill Chain.
During this phase, the malware gains access to the targeted system.
This may occur when the victim opens a malicious file or when the attacker exploits a vulnerability over the network or otherwise gains a foothold on the target network.
The initial malware installation is designed only to enable temporary access to the target system.
During the next phase of the Cyber Kill Chain, Installation, the attacker uses the initial access provided by the malware to establish permanent, or persistent, access to the target system.
For this reason, many people describe the objective of this phase as establishing persistence in the target environment.
Attackers may establish persistence by creating a back door that allows them to return to the system at a later date, by creating Registry entries that reopen access once an administrator closes it, or by installing a web shell that allows them to access the system over a standard HTTPS connection.
After establishing persistent access to a target system and network, the attacker may then use a remote shell or other means to remotely control the compromised system.
The attacker may manually control the system using the shell or may connect it to an automated command-and-control (C2C) network that provides it instructions.
This automated approach is common in distributed denial of service (DDoS) attacks, where the attacker simultaneously directs the actions of thousands of compromised systems, known as a botnet.
Actions on Objectives
With an established command-and-control mechanism in place, the attacker may then use the system to advance the original objectives of their attack.
This may involve pivoting from the compromised system to other systems operated by the same organization, effectively restarting the Cyber Kill Chain.
The Actions on Objectives stage of the attack may also include the theft of sensitive information, the unauthorized use of computing resources to engage in denial of service attacks or mine cryptocurrency, or the unauthorized modification or deletion of information.