Cyber Kill Chain
The Cyber Kill Chain framework is part of the Intelligence driven defense model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.
There many explanations for Cyber Kill Chain with different methodologies, different ways and recently the Cyber Kill Chain made some changes but the core stages of the Cyber Kill Chain is the same for everyone.
Note: Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network.
The original Cyber Kill Chain develop by Lockheed Martin and is based on a military concept in principle. The key focus is on actions that need to be taken for detection and prevention of attacks.
The Kill Chain describes the attack chain. Ultimately, this is responsible for the elimination of the target from the military point of view. Attacks can be divided into several levels and understood easily with the help of the Kill Chain. Through the Kill Chain, the attack scenario can be divided into the phases listed below:
- Learn and determine the location of the target
- Carefully monitor the location
- Track the target
- Select the proper weapon designed for the target
- Use the weapon to the target
- Evaluate the effects on the target
Cyber Kill Chain Core
The seven steps of the Cyber Kill Chain enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures.
- Advanced – Targeted, Coordinated, Purposeful
- Persistent – Month after Month, Year after Year
- Threat – Person with Intent, Opportunity, and Capability
Note: The image took from Lockheed Martin
There Cyber Kill Chain stages is a core process from the range of reconnaissance to lateral movement through the network to get access to more data to perform data exfiltration. All of the common attack vectors whether phishing or brute force or the latest strain of malware trigger activity on the cyber kill chain.
The main goal is to identify the target.
The cybercriminal chooses an individual target and sets up a profile of the victim. Here, the contact information of the target such as information from social networks, email address, as well as further details of the targeted employees/ targeted company is specifically researched, including details about the company’s IT structure.
The main goal is to prepare for the attack.
The perpetrator relies on selected tools from his repertoire in order to carry out a cyber attack. These tools can be, for example, special encryption Trojans such as WannaCry, Petya and Locky in the case of a ransomware attack. But also other malicious programs certainly can be applied. This choice depends on the approach and the objective of the cybercriminal.
The first steps to perform an attack along the Cyber Kill Chain.
In the next step, the attacker starts performing the cyber attack. The cyber criminals, based on the information gathered before select a specific medium for their attack.
A data carrier, such as a USB flash drive can be used. Communication via email also appears to fit the purpose. Alongside these, social media as a platform is becoming increasingly important for personal information espionage. Phishing attacks on malicious websites are also imaginable.
The main goal is to detection of security flaws.
Looking for vulnerabilities in the targeted system or network of a company, the aggressor angles the attack strategy at technical compromising. Some of the most attractive attack vectors are employees who are not sensitized for IT security. This includes thoughtless actions like for example being taken in by business e-mail compromise scam like CEO fraud.
The main goal is to implement a backdoor.
The implementation of the malicious program on the target system takes place without the knowledge of the targeted user. This can be achieved by the infiltration of the system or the whole network level by installing a Trojan.
Command & Control (aka C&C or C2)
The main goal is too remote controlling the target system.
An unprotected incident vector is enough to realize a specific attack like this. One example would be the Remote Desktop Protocol which can potentially be exploited as a weak point for remote access.
Actions on Objective (aka ATO)
The main goal is to attainment.
Once the cyber criminal has access to the targeted system, the measurements get more concrete. Spionage, sabotage and data theft could be some of them. The intention of the cyber criminal is to dig deep into the system and infiltrate it step by step, which terminates the attack.
The most important stages in Cyber Kill Chain is the Command and Control and the Actions on objective because once the cyber criminal establishes access to the organization the cyber criminal can execute actions to achieve their goal. From this point the motivations greatly vary and are dependent on the threat actor, to include political, financial or military gain, so it is very difficult to define what those actions will be.
The cyber criminal may take a while to infiltrate and it depends on the existing defense layers in the organization. There are situations in which it is possible to reduce the area of the attack and make it difficult for the attacker by means of physical controls and advanced systems.