Cyber Kill Chain

Introduction

Developed by Lockheed Martin, the Cyber Kill Chain framework is used to identify and prevent cyber intrusion activity. The model describes what an adversary must complete, stage by stage, in order to achieve their objective.

The term kill chain is adopted from the military, where it describes the structure of an attack: identifying a target, dispatch, decision, order, and finally, destruction of the target.

The Cyber Kill Chain consists of seven steps that enhance visibility into an attack and enrich an analyst's understanding of an adversary's tactics, techniques and procedures.

Stages

The Kill Chain model contains the following stages, presented in sequence:

  1. Reconnaissance – Harvests email addresses, conference information, etc.

    The attacker collects data about the target and decides on the tactics for the attack. This includes harvesting email addresses and gathering other information. Intruders use automated scanners to find points of vulnerability in the system, scanning firewalls, intrusion prevention systems, etc. to find a point of entry for the attack.

  2. Weaponization – Couples exploit with backdoor into deliverable payload.

    Attackers develop malware that leverages security vulnerabilities, engineering it to fit their needs and the intention of the attack. This process also involves attackers trying to reduce the chances of being detected by the security solutions the organization has in place.

  3. Delivery – Delivers weaponized bundle to the victim via email, web, USB, etc.

    The attacker delivers the weaponized malware via a phishing email or some other medium. The most common delivery vectors for weaponized payloads are websites, removable disks, and email. This is the most important stage at which security teams can stop the attack.

  4. Exploitation – Exploits a vulnerability to execute code on a victim’s system.

    The malicious code is executed inside the organization's system and the perimeter is breached. From here the attackers get the opportunity to exploit the organization's systems by installing tools, running scripts, and modifying security certificates.

  5. Installation – Installs malware on the asset.

    The malware installs a backdoor or remote access trojan that gives the intruder persistent access. This is another important stage at which the attack can be stopped, using systems such as HIPS (Host-based Intrusion Prevention System).

  6. Command & Control (C2) – Includes command channel for remote manipulation.

    The attacker gains control over the organization's systems and network. Attackers gain access to privileged accounts, attempt brute force attacks, search for credentials, and change permissions to take control.

  7. Actions on Objectives – Using ‘Hands on Keyboards’ access, intruders accomplish their original goals.

    The attacker finally exfiltrates data from the system. The objective involves gathering, encrypting, and extracting confidential information from the organization's environment.

Leaving known security vulnerabilities open is one of the most common mistakes organizations make today. Continuous security validation across the cyber kill chain helps companies identify, prevent, stop, and prepare for such attacks.
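As an added example (not from the original post or from Lockheed Martin), the following Python script shows how a defender can use the seven stages as an ordering: it tags constructed sample alerts with a kill chain phase, tracks how far each host has progressed, flags hosts where the attack got past the Delivery stage, and reports phases that were skipped in the observed sequence (a hint at detection blind spots). The event-type-to-phase mapping and the alert format are assumptions made for this example.

```python
from typing import Dict, List, Tuple

# The seven Cyber Kill Chain phases in order; list index = progression depth.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]

# Assumed mapping from detection event types to the phase they evidence
# (hypothetical; a real SOC derives this from its own rule catalogue).
EVENT_PHASE = {
    "portscan": "Reconnaissance",
    "phish_attachment": "Delivery",
    "exploit_attempt": "Exploitation",
    "new_service_persist": "Installation",
    "beacon_dns": "Command & Control",
    "bulk_exfil": "Actions on Objectives",
}

# Constructed sample alerts (not real data): "<timestamp> <host> <event_type>"
SAMPLE_ALERTS = """\
2024-05-01T09:00:01Z ws-17 portscan
2024-05-01T09:14:22Z ws-17 phish_attachment
2024-05-01T09:15:03Z ws-17 exploit_attempt
2024-05-01T09:16:40Z ws-17 new_service_persist
2024-05-01T09:20:11Z ws-17 beacon_dns
2024-05-01T10:02:00Z ws-42 phish_attachment
2024-05-01T11:30:00Z db-01 portscan
"""

def parse_alerts(text: str) -> List[Tuple[str, str, str]]:
    """Parse alert lines into (timestamp, host, phase); unknown events are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] in EVENT_PHASE:
            rows.append((parts[0], parts[1], EVENT_PHASE[parts[2]]))
    return rows

def progression(alerts: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Per host, the distinct phases observed, in chronological order."""
    by_host: Dict[str, List[str]] = {}
    for _ts, host, phase in sorted(alerts):   # ISO timestamps sort lexically
        seen = by_host.setdefault(host, [])
        if phase not in seen:
            seen.append(phase)
    return by_host

def furthest_phase(phases: List[str]) -> str:
    """Deepest kill chain phase reached on a host."""
    return max(phases, key=PHASES.index)

def hosts_past_delivery(by_host: Dict[str, List[str]]) -> List[str]:
    """Hosts where evidence goes beyond Delivery, i.e. the perimeter was breached."""
    limit = PHASES.index("Delivery")
    return sorted(h for h, p in by_host.items() if PHASES.index(furthest_phase(p)) > limit)

def missing_phases(phases: List[str]) -> List[str]:
    """Phases between the first and deepest observed ones that produced no alert."""
    lo, hi = min(map(PHASES.index, phases)), PHASES.index(furthest_phase(phases))
    return [p for p in PHASES[lo:hi + 1] if p not in phases]
```

Weaponization happens entirely on the attacker's side, so it will normally show up as a missing phase; the other gaps are the ones worth investigating as coverage holes.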


Source: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html


This post is licensed under CC BY 4.0 by the author.