The Cyber Kill Chain is a term coined by Lockheed Martin to describe the sequence of steps an attacker goes through to intrude into a computer network. The same steps apply when the target is a website, in this case a WordPress website: most of the principles attackers use to break into a network are the same ones they use to break into a site.
Cyber Kill Chain steps
The default Cyber Kill Chain has seven steps, although the count can vary with the attack vector. The model was written with computer networks in mind, but it can be adapted to website security. Let’s look at the steps first and then analyze each of them from the perspective of WordPress security.
Cyber Kill Chain as described by Wikipedia:
- Reconnaissance – intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
- Weaponization – intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
- Delivery – intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives).
- Exploitation – malware weapon’s program code triggers, which takes action on target network to exploit vulnerability.
- Installation – malware weapon installs access point (e.g., “backdoor”) usable by intruder.
- Command and Control – malware enables intruder to have “hands on the keyboard” persistent access to target network.
- Actions on Objective – intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.
WordPress security measures against each Cyber Kill Chain step
Now let’s walk through the Cyber Kill Chain steps as they apply to an attack on a WordPress website and see which WordPress security measures make the site more resistant at each step.
Reconnaissance
Reconnaissance plays a massive role in the whole sequence. It is usually the most time-consuming step and often decides whether the attack succeeds. One essential point needs clarifying here: an attacker may pick a target because of his own preferences, or he may pick it because he already knows for sure that it is vulnerable. Google dorking and similar techniques let attackers find sites that expose a particular vulnerable component, so a site can become a target simply by being discoverable.
So how do we protect a WordPress site from reconnaissance that could lead to a compromise? We need to control the information that is sensitive from the point of view of site security. For example:
- The PHP version of your web server (typically exposed in the X-Powered-By response header): running an unsupported PHP version is a problem in itself, and advertising it makes you easy to find.
- The usernames of accounts with administrator capabilities: keep them unidentifiable by publishing content under separate accounts with fewer capabilities, because by default the author archive URL (/author/<name>/) is built from the login name.
- WordPress backup files left on the web server, especially database dumps, which contain password hashes and configuration.
- The WordPress version, especially if the site runs an old version that you cannot update to the latest release (heavily modified or legacy installs).
- The directory structure: configuration mistakes can leave directory browsing enabled, listing every file in a folder.
- Server information, such as the web server software and version in the Server header.
The main idea is to make information about your site, server, directory structure, software versions, and users harder to obtain. Remember that an attacker can gather sensitive information with nothing more than Google search, and there are specialized search engines that index the raw HTML of websites and let you search for sites containing particular code lines. Periodically inspecting your own site for leaks of this kind is an ideal preventive measure.
However, you can’t hide everything, which is why it is strongly recommended to keep WordPress, its plugins and themes up to date. Reconnaissance can also start from the software rather than the site: the attacker picks a plugin or theme with a known vulnerability from any public database of vulnerable WordPress components and then searches for sites running it.
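As an added example (not code from the original article), here is a small scanner that looks for the leaks listed above in a saved HTTP response, the same kind of inspection an attacker’s reconnaissance tooling performs. The response headers and HTML below are constructed for illustration; the patterns are the ones a default WordPress install on Apache with PHP emits (X-Powered-By, Server, the generator meta tag, ?ver= query strings on wp-includes and plugin assets, author archive links, and backup files under wp-content).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response: what a default WordPress install on a default
# LAMP stack typically reveals to an unauthenticated visitor.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.4.2" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=5.4.2" />
<script src="https://example.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.1.7"></script>
</head><body>
<a href="https://example.com/author/admin/">admin</a>
<a href="https://example.com/wp-content/backup-2020.sql">backup</a>
</body></html>"""

# (finding name, regex). Capture groups become the evidence string.
CHECKS: List[Tuple[str, str]] = [
    ("php_version", r"X-Powered-By:\s*PHP/([\d.]+)"),
    ("server_version", r"Server:\s*([A-Za-z-]+/[\d.]+)"),
    ("wp_version_meta", r'name="generator" content="WordPress ([\d.]+)"'),
    ("wp_version_asset", r"/wp-includes/[^\"'\s]+\?ver=([\d.]+)"),
    ("plugin_version", r"/wp-content/plugins/([\w-]+)/[^\"'\s]*\?ver=([\d.]+)"),
    ("author_username", r"/author/([\w.-]+)/"),
    ("backup_file", r"(/wp-content/[^\"'\s]+\.(?:sql|zip|tar\.gz|bak))"),
    ("directory_listing", r"<title>Index of /"),
]


def find_leaks(headers: Dict[str, str], html: str) -> List[Tuple[str, str]]:
    """Return (finding, evidence) pairs for every leak pattern that matches."""
    # Flatten headers into "Name: value" lines so header and body checks
    # can share one regex table.
    text = "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n" + html
    findings = []
    for name, pattern in CHECKS:
        for m in re.finditer(pattern, text):
            evidence = "/".join(m.groups()) if m.groups() else m.group(0)
            findings.append((name, evidence))
    return findings


if __name__ == "__main__":
    for name, evidence in find_leaks(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{name:18} {evidence}")
```

Each finding maps to a fix on the server side: `expose_php = Off` in php.ini removes the X-Powered-By header, `ServerTokens Prod` trims the Server header, `remove_action('wp_head', 'wp_generator')` drops the generator tag, `Options -Indexes` disables directory listings, and backups belong outside the web root.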
Weaponization
To make the attack succeed, the attacker prepares custom code that he will try to inject into your site. It might be a separate file (a web shell dropped into a writable directory) or a piece of source code inserted into an existing PHP or HTML file on your web server.
The code is deliberately written to be unique so that security scanners cannot identify it. Those scanners largely rely on dictionaries of malware signatures collected from previously infected websites, so code that has never been seen before passes a purely signature-based check. This is also why attackers obfuscate their payloads (base64-encoded strings fed to eval, for instance): the obfuscation changes the bytes without changing the behaviour.
In most cases this “weapon” is used to gain access to the server’s files or to the database.
Because unique code defeats signatures, hardening has to combine two things: scanning for known malware signatures and for the obfuscation patterns themselves, and integrity checking, that is, recording checksums of files and directories from a known-good state and alerting on any file that is added, removed or modified.
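The following is an added example, not the article’s own tooling: a minimal file-integrity check for a WordPress tree that combines the two measures just described. It records SHA-256 hashes of every PHP, JS and HTML file as a baseline, reports added, removed and modified files on the next run, and runs a few obfuscation heuristics (eval of decoded data, request parameters passed to eval or to a shell function) over every file that changed. A temporary directory with constructed files stands in for a real install, and the backdoor strings are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List

WATCHED_EXT = {".php", ".js", ".html", ".htm"}

# Heuristics for the obfuscated loaders typically dropped into WordPress
# files. Unique code defeats exact signatures, but the obfuscation is a tell.
SUSPICIOUS = [
    ("eval_of_decoded_data",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("long_base64_blob",
     re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}")),
    ("request_passed_to_eval",
     re.compile(r"eval\s*\(\s*\$(?:_POST|_GET|_REQUEST|_COOKIE)", re.I)),
    ("request_passed_to_shell",
     re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*\$(?:_POST|_GET|_REQUEST|_COOKIE)", re.I)),
]


def hash_tree(root: str) -> Dict[str, str]:
    """Map every watched file (path relative to root) to the SHA-256 of its bytes."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WATCHED_EXT and name != ".htaccess":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return result


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two hash maps and return sorted added/removed/modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def scan_file(path: str) -> List[str]:
    """Return the names of the suspicious patterns that match the file's contents."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    return [name for name, rx in SUSPICIOUS if rx.search(content)]


def check_install(root: str, baseline: Dict[str, str]) -> Dict[str, object]:
    """Diff the tree against the baseline, then scan every added or modified file."""
    changes = diff_baseline(baseline, hash_tree(root))
    flagged = {}
    for rel in changes["added"] + changes["modified"]:
        hits = scan_file(os.path.join(root, rel))
        if hits:
            flagged[rel] = hits
    return {"changes": changes, "flagged": flagged}


def demo() -> Dict[str, object]:
    """Constructed scenario: baseline a tiny fake install, then simulate a compromise."""
    root = tempfile.mkdtemp(prefix="wp-fim-")
    clean = {
        "index.php": "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/demo/functions.php": "<?php add_theme_support('title-tag');\n",
        "wp-content/uploads/2020/06/photo.jpg": "not really a jpeg\n",
    }
    for rel, body in clean.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    # In production the baseline is stored where the web server user cannot
    # write (outside the web root, or on another host); here it stays in memory.
    baseline = hash_tree(root)

    # Simulated compromise: a backdoor dropped into uploads and a tampered theme file.
    with open(os.path.join(root, "wp-content/uploads/2020/06/wp-cache.php"), "w") as fh:
        fh.write("<?php eval(base64_decode($_POST['q']));\n")
    with open(os.path.join(root, "wp-content/themes/demo/functions.php"), "a") as fh:
        fh.write("if (isset($_GET['c'])) { system($_GET['c']); }\n")
    return check_install(root, baseline)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as its storage: an attacker who can write to the web root can also rewrite a baseline kept there, so store it outside the document root or on another machine, and refresh it only right after you have updated or deployed something yourself.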
Delivery / Exploitation / Installation
There are a dozen different ways an attacker can deliver malicious code to your web server, starting with the simplest and most dangerous: an FTP connection made with stolen FTP credentials. Plain FTP sends the password in clear text, and credentials saved in an FTP client are a favourite target of info-stealing malware, which is why the security of your own computer affects the security of your website. Besides FTP, an attacker has several other ways to deliver a malicious payload.
Even a contact form that lets a visitor attach a file to a message is dangerous if uploads of files with particular extensions are not restricted. Beyond that, an attacker can use Cross-Site Scripting (XSS), Remote File Inclusion (RFI), Local File Inclusion (LFI), the double-extension trick (a file named shell.php.jpg), null-byte injection in file names, and other techniques.
To make a WordPress site resistant to these delivery methods we need to keep all software, including the web server software, up to date, and to check all forms for XSS and similar vulnerabilities. We also need to restrict file extensions that the server would treat as executable (PHP above all), validate uploaded files by their content rather than by their name, and block direct access to files uploaded through contact and other forms, so that even a file that slips through cannot be executed by requesting its URL.
Keep in mind that an attacker will exploit any vulnerability he can find. If he did his reconnaissance homework and you have not closed the attack vectors above, there is a good chance that he will manage to install his malicious code.
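As an added example (not code from the original article or from any particular form plugin), here are the server-side checks an upload handler should apply before saving anything under wp-content/uploads. It refuses the delivery tricks named above: executable extensions, double extensions such as shell.php.jpg or shell.jpg.php, null-byte truncation, path components in the name, and content that does not match the claimed type. The file names and byte strings used as inputs are constructed test data; the allow-list of types is an assumption for a form that accepts images and PDFs.

```python
import os
import uuid
from typing import Tuple

ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}
# Leading bytes for each allowed type: the extension alone proves nothing.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
# Extensions a web server might hand to an interpreter, in any position of the name.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "pht",
              "cgi", "pl", "py", "sh", "htaccess"}


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a user-supplied filename and its bytes."""
    if "\x00" in filename:
        # Older PHP builds and C string functions stop at NUL, so
        # "shell.php\0.jpg" passed an extension check but was saved as shell.php.
        return False, "null byte in filename"
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename:
        return False, "path component in filename"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    exts = parts[1:]
    # Every extension in the chain is checked, so shell.php.jpg and shell.jpg.php are
    # both rejected: Apache with an AddHandler for php may execute either of them.
    if any(e in EXECUTABLE for e in exts):
        return False, "executable extension in name"
    if len(exts) != 1:
        return False, "multiple extensions"
    ext = exts[0]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not content.startswith(MAGIC[ext]):
        return False, f"content does not look like {ext}"
    # A valid image header can be followed by PHP; refuse anything carrying an open tag.
    if b"<?php" in content or b"<?=" in content:
        return False, "php open tag inside file content"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Name to store an accepted file under: random, keeping only the validated extension."""
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    # Constructed samples covering the accepted case and each rejection reason.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("shell.php\x00.jpg", b"\xff\xd8\xff\xe0"),
        ("../../wp-config.php", b"x"),
        ("photo.jpg", b"\xff\xd8\xff\xe0<?php echo 1; ?>"),
        ("notes.txt", b"hello"),
    ]
    for name, data in samples:
        print(repr(name), validate_upload(name, data))
```

Treat this as one layer, not the only one: the web server should also refuse to execute anything under the uploads directory (for mod_php, `php_flag engine off` in a .htaccess there; for nginx with php-fpm, a `location` rule returning 403 for `.php` under wp-content/uploads), so that a file which slips past the validator still cannot run.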
Command and Control / Actions on Objective
Once the intruder’s payload is on the server and he can reach it, he effectively has the privileges of the web server user: full access to your website files and complete control of the site. He can read wp-config.php, which holds the database credentials, connect to the WordPress database, alter any file, and inject more malicious code, including a second backdoor so that removing the first one is not enough.
Constant monitoring of your website helps you identify malicious activity at an early stage. Monitor the search results for your domain (a site: query is enough); this can reveal unwanted content such as pharma spam or hacker signatures left on your pages. Also periodically check the web server log files, paying attention to unknown IP addresses that request particular PHP files directly, especially PHP files under the uploads directory or files that nothing on your site links to. Other signs that can reveal a breach:
- A sharp increase in server resource usage and/or a slow website. Your server’s resources may be used to attack other sites, send spam, or for other malicious activity.
- A very noticeable drop in visitors. Use Google Analytics to monitor your traffic; malicious redirects on your site show up as anomalies in the Analytics reports.
- Your website (domain name) ends up on a blacklist. This can happen for several reasons, such as distributing malware, sending spam e-mail, or using the site’s resources to attack other sites.
- Unwanted ads, pop-ups, and content appearing on your site.
- High CPU load in the visitor’s browser while viewing your site, which may be a crypto-mining script injected by the attacker.
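To make the log review above concrete, here is an added example (not from the original article) of a few detections run over Apache combined-format access log lines. It flags requests for PHP files under wp-content/uploads (where no PHP should ever execute), POSTs to PHP files that are not one of WordPress’s normal entry points, and bursts of POSTs to xmlrpc.php or wp-login.php from a single address. The log lines are constructed samples using documentation IP ranges, not real traffic, and the burst threshold is an assumption to tune for your site.

```python
import re
from collections import Counter
from typing import Dict, List

# Apache "combined"/"common" log line: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic: one normal visitor, one address driving a dropped
# backdoor, and one address hammering xmlrpc.php.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2020:10:01:02 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.7 - - [12/Jun/2020:10:01:03 +0000] "GET /wp-content/themes/demo/style.css?ver=1.0 HTTP/1.1" 200 812
203.0.113.7 - - [12/Jun/2020:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.23 - - [12/Jun/2020:10:02:10 +0000] "POST /wp-content/uploads/2020/06/wp-cache.php HTTP/1.1" 200 64
198.51.100.23 - - [12/Jun/2020:10:02:11 +0000] "POST /wp-content/uploads/2020/06/wp-cache.php?a=ls HTTP/1.1" 200 1930
198.51.100.23 - - [12/Jun/2020:10:02:30 +0000] "POST /wp-content/plugins/akismet/.cache.php HTTP/1.1" 200 12
192.0.2.55 - - [12/Jun/2020:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.55 - - [12/Jun/2020:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.55 - - [12/Jun/2020:10:05:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.55 - - [12/Jun/2020:10:05:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.55 - - [12/Jun/2020:10:05:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.55 - - [12/Jun/2020:10:05:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [12/Jun/2020:10:06:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40
"""

# PHP files WordPress itself expects to receive POSTs on; anything else is worth a look.
KNOWN_POST_TARGETS = {"/wp-login.php", "/xmlrpc.php", "/wp-comments-post.php", "/wp-cron.php", "/index.php"}
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.ph(?:p\d?|tml|ar)$", re.I)


def parse(log_text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; the query string is dropped from the path."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            row = m.groupdict()
            row["path"] = row["path"].split("?", 1)[0]
            rows.append(row)
    return rows


def analyze(log_text: str, burst_threshold: int = 5) -> Dict[str, list]:
    """Run the three detections and return the matching (ip, path[, count]) tuples."""
    php_in_uploads, unknown_php = [], []
    auth_posts: Counter = Counter()
    for r in parse(log_text):
        ip, path = r["ip"], r["path"]
        if UPLOADS_PHP.search(path):
            php_in_uploads.append((ip, path))
        elif (r["method"] == "POST" and path.lower().endswith(".php")
              and path not in KNOWN_POST_TARGETS and not path.startswith("/wp-admin/")):
            unknown_php.append((ip, path))
        if r["method"] == "POST" and path in ("/wp-login.php", "/xmlrpc.php"):
            auth_posts[(ip, path)] += 1
    bursts = [(ip, path, n) for (ip, path), n in sorted(auth_posts.items()) if n >= burst_threshold]
    return {"php_in_uploads": php_in_uploads, "post_to_unknown_php": unknown_php, "bursts": bursts}


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(rule)
        for hit in hits:
            print("   ", *hit)
```

The first rule should never fire on a healthy site, which makes it a high-confidence alert; the second needs a short allow-list for any plugin that legitimately exposes its own PHP endpoint; the third is about rate, so run it per time window rather than over a whole day’s log.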
Most attack vectors follow a similar sequence, and the Cyber Kill Chain is a good model of the steps an attacker must complete to pull off an attack. Knowing where a site’s security is potentially weak helps you plan additional protection, and every measure that blocks one attack type or one sensitive-data leak raises the overall security of the site, because it breaks the chain at that step.
Constant monitoring and preventive checks are also necessary to assess the current security status of your WordPress site accurately, especially if you need PCI compliance for a WooCommerce-based online store.
Security does not depend on which security tools you have bought; it depends on many factors, including your daily online behaviour, habits and security knowledge.