Exam SY0-601
Question 54

During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server. Following an investigation, the company realizes it is still vulnerable because outbound traffic is not restricted, and the adversary is able to maintain a presence in the network.

In which of the following stages of the Cyber Kill Chain is the adversary currently operating?

    Correct Answer: B

    The adversary is currently operating in the Command and Control stage of the Cyber Kill Chain. This stage involves the establishment of outbound communications from the compromised network to an external server controlled by the attacker. The ability to maintain a presence in the network, as described in the question, indicates that the attacker is using this channel to manage their activities and control the compromised systems. Outbound traffic not being restricted allows this communication to continue, which is a key characteristic of the Command and Control stage.
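An added example, not part of the exam answer or the discussion: a small Python detector for the regular outbound beaconing the explanation describes, run over constructed egress-firewall log lines (timestamp, source, destination, port). The `find_beacons` function and its thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress log: "epoch_seconds src dst dport" (not real data).
# One internal host connects to 203.0.113.7:443 roughly every 60 s,
# plus a few irregular connections to another address.
SAMPLE_LOG = """\
1700000000 10.0.5.23 203.0.113.7 443
1700000004 10.0.5.23 198.51.100.10 443
1700000060 10.0.5.23 203.0.113.7 443
1700000119 10.0.5.23 203.0.113.7 443
1700000131 10.0.5.23 198.51.100.10 443
1700000180 10.0.5.23 203.0.113.7 443
1700000241 10.0.5.23 203.0.113.7 443
1700000299 10.0.5.23 203.0.113.7 443
1700000600 10.0.5.23 198.51.100.10 443
"""


def parse_flows(log):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(int(ts))
    return flows


def find_beacons(log, min_hits=5, max_jitter=0.2):
    """Return (flow, mean_gap_seconds, jitter) for flows whose connection
    gaps are regular enough to look like a C2 beacon.  jitter is the
    coefficient of variation of the gaps (stdev / mean); a human browsing
    session produces a much higher value than a timed callback."""
    beacons = []
    for key, times in parse_flows(log).items():
        if len(times) < min_hits:  # too few connections to judge regularity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            beacons.append((key, round(avg, 1), round(jitter, 3)))
    return beacons


if __name__ == "__main__":
    for flow, gap, jitter in find_beacons(SAMPLE_LOG):
        print(f"possible beacon {flow}: every ~{gap}s, jitter {jitter}")
```

Flagging a flow this way is a starting point for investigation; an egress allowlist on the same border firewall is what actually closes the channel the question describes.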

Discussion
stoneface (Option: B)

Command and control (C2)—establishment of outbound communications from a victim system for secure communications between victim and adversary systems. Compromised hosts typically beacon out and await further instruction or exploit when higher order interaction or data exchange is required. This is the hallmark of advanced persistent threat (APT) attacks and data exfiltration.

varun0 (Option: B)

able to maintain a presence in the network = C2

Nishkurup (Option: B)

Phases of the Cyber Kill Chain Process:

- Phase 1: Reconnaissance
- Phase 2: Weaponization
- Phase 3: Delivery
- Phase 4: Exploitation
- Phase 5: Installation
- Phase 6: Command and Control. In Command & Control, the attacker is able to use the malware to assume remote control of a device or identity within the target network. In this stage, the attacker may also work to move laterally throughout the network, expanding their access and establishing more points of entry for the future.
- Phase 7: Actions on Objective. In this stage, the attacker takes steps to carry out their intended goals, which may include data theft, destruction, encryption or exfiltration.

IT__noob (Option: C)

While "Command and control" (answer B) is a valid consideration, the scenario you provided primarily indicates that the adversary has already bypassed the initial security measures and is maintaining a presence in the network. This aligns more closely with the "Actions on objective" stage, as they are actively carrying out their malicious activities. "Command and control" generally refers to the stage where the attacker establishes communication channels and controls compromised systems remotely. In your scenario, the attacker has already progressed beyond this stage by maintaining a presence and potentially interacting with the network. It's important to note that incident response and cyber threat scenarios can be complex, and stages might overlap or evolve. In the given context, "Actions on objective" seems to be the most appropriate stage based on the information provided.

TreeeSon

Actions on objective is assuming that the attacker has performed malicious actions. However, this isn't stated in the question. Although C seems logical, this is CompTIA; we CANNOT assume anything.

daddylonglegs

Thank you. The threat actor may be planning attacks on objectives but until we see an indicator of this the only information we have is that the attacker still has a presence in the network and that communication is possible through outbound traffic.

cybertechb

So this cannot be actions on objective because it would force us to assume the overall objective was met; moreover, we have to consider the fact that it states 'outbound traffic', which leans more towards C2 establishing communication channels.

C_M_M (Option: C)

Why not Action on Objective? They have locked out all inbound, so C2 is essentially blocked. Even though the malware can communicate with its control center, it's unable to receive commands when all inbound traffic is blocked. However, if the malware is at the stage of Action on Objective, which often includes data exfiltration, just outbound traffic is enough for the malware to keep operating. I will go for Action on Objective.

Vulturized

You have answered your own question: "Action on Objective, which often includes data exfiltration". Does the test question state they have done any exfiltration or any other kind of action? No. Also, all incoming traffic being blocked does not mean they cannot communicate with the system at all. The compromised system can be the one to initiate the communication, and most of the time firewalls will allow incoming traffic if the session was initiated from inside outwards. Therefore, all the hackers would have to do is wait and listen on a port for the malware to connect to it. And then they will be able to do the next step, which would be Action on Objective.

[Removed] (Option: B)

I believe the answer is B because they are maintaining or controlling the foothold they have on the victim's machines. Answer C sounds good too (they have already executed command and control) however, the question never states any actions on objective have been taken and the question states presence in the network is being maintained or controlled. (CompTIA loves to punish the student that assumes.)

narensnair (Option: C)

The C2 is established, the team blocked all inbound ports, but no action was taken against outbound traffic that might originate from an affected endpoint. If the organization suspects the attack is still going on, that points to the next stage of action on objective, data exfiltration, or any such malicious action.

Protract8593 (Option: B)

In the scenario described, the adversary has already breached the network and is maintaining a presence. The fact that outbound traffic is not restricted allows the adversary to communicate with their command and control (C2) servers without hindrance. By maintaining this communication, the attacker can control and continue their operations within the network.

ApplebeesWaiter1122 (Option: B)

In the given scenario, the incident response team implemented rules on inbound traffic and applied ACLs on critical servers. This indicates that the organization has taken measures to address the initial entry point and potential exploitation of their systems. However, the adversary is still able to maintain a presence in the network, suggesting that they are communicating and controlling their activities from within the network. The "Command and control" stage of the Cyber Kill Chain involves the adversary establishing communication channels and control mechanisms to manage their presence in the compromised environment. By maintaining this control, they can continue their malicious activities and work towards achieving their objectives, which may include data exfiltration, further network compromise, or other malicious actions.

roukettas (Option: B)

C&C is related to outbound traffic.

saucehozz (Option: C)

Ugh. Attacker already establishes C2. According to the cyber kill chain, the next step is taking action on the objectives. Think for yourself.

Pisces225

It's asking what stage they are currently in. NOT what they are going to do next. Read for yourself.

Broflovski (Option: B)

Command and Control (C2 or C&C) - The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.

Cyberjerry (Option: B)

In the scenario described, the adversary has already breached the network, and the incident response actions taken so far (applying rules to inbound traffic and implementing ACLs on critical servers) were likely aimed at detecting or blocking their initial intrusion. However, the adversary is still present and operating within the network, indicating that they have established command and control over compromised systems. They are in the "Command and control" stage of the Cyber Kill Chain, which involves maintaining control over compromised systems, communicating with them, and potentially exfiltrating data or carrying out further malicious activities.

RevolutionaryAct (Option: C)

If it were Command and Control, then the adversary could not communicate with the internal network from the outside; however, because they are in the network and affecting outgoing traffic, they have completed actions on objectives: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack/

daddylonglegs

You misread the question. They aren't "affecting outgoing traffic". Outbound traffic is still allowed, meaning that whatever presence the attacker has in the network can initiate an outbound session with C2.

Abdul2107 (Option: B)

Check this, it’s clear: https://en.m.wikipedia.org/wiki/File:Intrusion_Kill_Chain_-_v2.png

EricShon (Option: B)

Command and control (C2 or C&C)—the weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.

ronniehaang (Option: B)

The adversary is currently operating in the Command and Control (C2) stage of the Cyber Kill Chain. This stage is characterized by the adversary establishing and maintaining persistent access to the target network, often through outbound traffic. By maintaining a presence in the network, the adversary is able to receive instructions and exfiltrate data from the target network, even though inbound traffic is restricted.