Miller Harrison was still working his way through his attack protocol.

Nmap started out as it usually did, by giving the program identification and version number. Then it started reporting back on the first host in the SLS network. It reported all of the open ports on this server. The program moved on to a second host and began reporting back the open ports on that system, too. Once it reached the third host, however, it suddenly stopped.

Miller restarted Nmap, using the last host IP as the starting point for the next scan. No response. He opened another command window and tried to ping the first host he had just port-scanned. No luck. He tried to ping the SLS firewall. Nothing. He happened to know the IP address for the SLS edge router. He pinged that and got the same result. He had been blackholed, meaning his IP address had been put on a list of addresses from which the SLS edge router would no longer accept packets. Ironically, the list was his own doing. The IDPS he had been helping SLS configure seemed to be working just fine at the moment. His attempt to hack the SLS network was shut down cold.

Discussion Question:

Consider Millers hacking attempt in light of the intrusion kill chain described earlier and shown in figure below. At which phase in the kill chain has SLS countered his vendetta?

Intrusion Kill Chain Actions on Objectives Command and Reconnaissance Weaponization Exploitation Installation Control (C2) Research, identification Only now, after progressing through the first six phases, carn intruders take actions to achieve their original objectives Typically this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment Coupling a remote and selection of access trojan with an exploit into a After the weapon is delivered to victim host, targets, often deliverable Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment. crawling Internetpayload, typically by means of an Transmission of the weapon to the targeted environment using vectors like email attachments, Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel websites such as conference automated tool triggers intruders code. Most often, exploitation targets an application or operating system vulnerability (weaponizer) proceedings and ncreasingly, client email addresses, files such as Adobe websites, a applications data PDF or Microsoft relationships, orOffice documents mailing lists for nd USB removable media. social information on specific technologies serve as the weaponized deliverable DisruptDegrade Deceive Destroy Leverage, discover, analyze Atomic, computed and behavior indicators Campaign Analysis-Tools, Techniques and Procedures