Sharing Is Caring. If you enjoy this article, help us share with others.
The Cyber Killer Chain was developed by Lockheed Martin to identify and prevent cyber intrusions. There are seven steps to the Cyber Kill Chain. Focusing on these steps helps analysts understand the techniques, tools, and procedures of threat actors.
When responding to a security incident, the objective is to detect and stop the attack as early as possible in the kill chain progression. The earlier the attack is stopped; the less damage is done and the less the attacker learns about the target network.
The Cyber Kill Chain specifies what an attacker must complete accomplishing there goal.
If the attacker is stopped at any stage, the chain of attack is broken. Breaking the chain means the defender successfully thwarted the threat actor’s intrusion. Threat actors are successful only if they complete Step 7.
Note: Threat actor is the term used throughout this course to refer to the party instigating the attack. However, Lockheed Martin uses the term “adversary” in it’s description of the Cyber Kill Chain. Therefore, the terms adversary and threat actor are used interchangeably in this topic.
The figure depicts the steps of the Cyber Kill Chain in a numbered vertical list. The steps of the Cyber Kill Chain are explained in detail in the next sections of the text.
Reconnaissance
Reconnaissance is when the threat actor performs research, gathers intelligence, and selects targets. This will inform the threat actor if the attack is worth performing. Any public information may help to determine the what, where, and how of the attack to be performed.
There is alot of publicly available information, especially for larger organizations including news articles, websites, conference proceedings, and public-facing network devices. Increasing amounts of information surrounding employees is available through social media outlets.
The threat actor will choose targets that have been neglected or unprotected because they will have a higher likelihood of becoming penetrated and compromised. All information obtained by the threat actor is reviewed to determine it’s importance and if it reveals possible additional avenues of attack.
The table summarizes some of the tactics and defences used during the reconnaissance step.
| Adversary Tactics | SOC Defenses |
|---|---|
Plan and conduct research:
|
Discover adversary’s intent:
|
Weaponization
The goal of this step is to use the information from reconnaissance to develop a weapon against specific targeted systems or individuals in the organization. To develop this weapon, the designer will use the vulnerabilities of the assets that were discovered and build them into a tool that can be deployed.
After the tool has been used, it is expected that the threat actor has achieved there goal of gaining access into the target system or network, degrading the health of a target, or the entire network. The threat actor will further examine network and asset security to expose additional weaknesses, gain control over other assets, or deploy additional attacks.
It is not difficult to choose a weapon for the attack. The threat actor needs to look at what attacks are available for the vulnerabilities they have discovered. There are many attacks that have already been created and tested at large.
One problem is that because these attacks are so well known, they are most likely also known by the defenders. It is often more effective to use a zero-day attack to avoid detection methods. A zero-day attack uses a weapon that is unknown to defenders and network security systems.
The threat actor may wish to develop there own weapon that is specifically designed to avoid detection, using the information about the network and systems that they have learned. Attackers have learned how to create numerous variants of there attacks in order to evade network defences.
The table summarizes some of the tactics and defences used during the weaponization step.
| Adversary Tactics | SOC Defense |
|---|---|
Prepare and stage the operation:
|
Detect and collect weaponization artefacts: PS: Are you a Nigerian resident abroad and you need to send money to your loved ones back home ?
The stress is over now!
Send money to Nigeria using the MonieWorld app. It's fast, easy and has great rates! MonieWorld is powered by Moniepoint. Sign up with my link
https://spoo.me/iy8taz
|
Delivery
During this step, the weapon is transmitted to the target using a delivery vector. This may be through the use of a website, removable USB media, or an email attachment. If the weapon is not delivered, the attack will be unsuccessful.
The threat actor will use many different methods to increase the odds of delivering the payload such as encrypting communications, making the code look legitimate, or obfuscating the code.
Security sensors are so advanced that they can detect the code as malicious unless it is altered to avoid detection. The code may be altered to seem innocent, yet still perform the necessary actions, even though it may take longer to execute.
The table summarizes some of the tactics and defences used during the delivery step.
The table summarizes some of the tactics and defences used during the delivery step.
| Adversary Tactics | SOC Defense |
|---|---|
Launch malware at target:
|
Block delivery of malware:
|
Exploitation
After the weapon has been delivered, the threat actor uses it to break the vulnerability and gain control of the target. The most common exploit targets are applications, operating system vulnerabilities, and users. The attacker must use an exploit that gains the effect they desire.
This is very important because if the wrong exploit is conducted, obviously the attack will not work, but unintended side effects such as a DoS or multiple system reboots will cause undue attention that could easily inform cybersecurity analysts of the attack and the threat actor’s intentions.
The table summarizes some of the tactics and defences used during the exploitation step.
| Adversary Tactics | SOC Defense |
|---|---|
Exploit a vulnerability to gain access:
|
Train employees, secure code, and harden devices:
|
Installation
This step is where the threat actor establishes a back door into the system to allow for continued access to the target. To preserve this backdoor, it is important that remote access does not alert cybersecurity analysts or users.
The access method must survive through antimalware scans and rebooting of the computer to be effective. This persistent access can also allow for automated communications, especially effective when multiple channels of communication are necessary when commanding a botnet.
The table summarizes some of the tactics and defences used during the installation step.
| Adversary Tactics | SOC Defense |
|---|---|
Install persistent backdoor:
|
Detect, log, and analyze installation activity:
|
Command and Control
In this step, the goal is to establish command and control (CnC or C2) with the target system. Compromised hosts usually beacon out of the network to a controller on the internet. This is because most malware requires manual interaction in order to exfiltrate data from the network.
CnC channels are used by the threat actor to issue commands to the software that they installed on the target.
The cybersecurity analyst must be able to detect CnC communications in order to discover the compromised host. This may be in the form of unauthorized Internet Relay Chat (IRC) traffic or excessive traffic to suspect domains.
The table summarizes some of the tactics and defences used during the command and control step.
The table summarizes some of the tactics and defences used during the command and control step.
| Adversary Tactics | SOC Defense |
|---|---|
Open channel for target manipulation:
|
Last chance to block operation:
|
Actions on Objectives
The final step of the Cyber Kill Chain describes the threat actor achieving there original objective. This may be data theft, performing a DDoS attack, or using the compromised network to create and send spam or mine Bitcoin. At this point the threat actor is deeply rooted in the systems of the organization, hiding there moves and covering there tracks. It is extremely difficult to remove the threat actor from the network.
The table summarizes some of the tactics and defences used during the actions on the objectives step.
| Adversary Tactics | SOC Defense |
|---|---|
Reap the rewards of a successful attack:
|
Detect by using forensic evidence:
|
Action Point
Get My 66 Page eBook on How to Run Success Ads ON TikTok for 2,000 Naira. Click Here to Buy.
Get my 90 Page ebook on How to Run Ads on Facebook. Click here to buy now.
PS: Are you a Nigerian resident abroad and you need to send money to your loved ones back home? The stress is over now! Send money to Nigeria using the MonieWorld app. It’s fast, easy and has great rates! MonieWorld is powered by Moniepoint. Sign up with my link
P.S.: If you need private online training on any of the ICT courses I offer here and you are in Nigeria, please send me a DM on my WhatsApp at +2348103180831. Please note that the Training will be 100percent online. It will be delivered via Zoom or Google Meet.
PS: I know you might agree with some of the points raised in this article or disagree with some of the issues raised.
Please share your thoughts on the topic discussed. We would appreciate it if you could drop your comment. Thanks in anticipation.
Sharing Is Caring. If you enjoy this article, help us share with others.
