An Intelligence Driven Defence developed by Lockheed Martin which identifies the series of procedures the adversaries need to complete to achieve an exploitation. Cyber kill Chain is intended to defend and end the APTs (Advanced Persistent Threats), the most advanced and sophisticated techniques to compromise networks, seize the systems and theft the data.
Role of Cyber Kill Chain
- Detection of threat actors.
- End lateral movements inside the network.
- Saves sensitive data from being stolen, tampered and seizure.
- Avoids unauthorized access.
- Real time incident response
The 7 stages of a Cyber Kill Chain
- Reconnaissance – Referred as recce, where the victim’s environment is recognized and understood. This is the research stage of Victim’s environment and gathers details related to the entry points and vulnerabilities through an attacker can make an entry into victims’ environment. The information of which operating system the victim has, available open ports, employee’s information, their email id’s etc.
- Weaponization – This phase includes preparing an attack mechanism in an accurate method as per the information gathered from Reconnaissance, so that the victim network is compromised. Developing payloads that exactly crackdowns the existing vulnerabilities on victims’ network, setting up backdoors etc.
- Delivery – At this stage, attackers introduce or infiltrate the weapon (payload) into the victim’s environment by any of the social engineering techniques such as Phishing.
- Exploitation – Once the delivery phase is successful i.e the initial entry to the victim’s machine is achieved, the introduced threat actors start exploring, spreading and infecting other systems inside the network. This phase includes attackers gaining information about the weaknesses inside the victim’s network which was not detected during the Recce phase and results in a drastic impact. The attackers start exploiting any chance inside the network that is vulnerable to have a great control against the victim’s defensive techniques.
- Installation – Installation stage refers to the attackers deploying the malicious software into the victim’s machines, who can steal data, maintain access, decept/neutralize the victim’s defensive mechanisms, gain privileged access such as admin/super user access etc. This phase is the crucial phase among all 7 stages.
- Command & Control – At this stage, the attacker gains a control over the devices and can command them remotely. At this stage, the attacker conceals his identity from any defensive techniques by the victim hosts and often keeps distracting the security teams of the victim’s network by conducting some random Deniel of Service attacks.
- Action – This is the phase where the attacker starts achieving his purpose of the attack. It includes to defame the victim, cause monetary losses, sell the victims information to dark web, demand money through ransomware.
Cyber Kill chain allows Security teams to recognize, intercept and prevent the Cyber attacks at any of these 7 Stages. However, this framework is more focused on prem network security, and most of the organizations are moving from the native on prem to Cloud platforms. Also, fair chances of certain web-based attacks such as XSS to go undetected often with this framework.
Cyber Technology is rapidly advancing so as the Cyber Threats.
Its always sufficient for a cyber criminal to win one time, but cyber security teams should need to win each time.