The Cyber Kill Chain was created by defense giant Lockheed Martin, which describes various phases of a targeted cyberattack. The seven stages of cyber kill chain give a deep insight into a cyberattack, which helps organizations to understand adversary’s tactics, techniques and procedures. Stopping cybercriminals at any stage breaks the chain of an attack! A cybercriminal ought to progress completely through all phases for success – this drawback acts as the biggest favor for defenders. Every attack gives a chance to comprehend more about adversaries and use their persistence to advantage.
The seven stages of cyber kill chain are explained below:
This stage of kill chain explains how cybercriminals plan their attacks. Before launching an attack, they gather maximum information by studying targets via public websites, following their employees on social media and using their public information. Attackers also scan organization’s network for vulnerabilities, services and applications they can exploit to satiate their intentions.
Detecting reconnaissance as it happens is extremely difficult for organizations, but if they succeed in this - it can reveal the intent of bad actors.
In the second stage of kill chain, cybercriminals analyze the data to determine the suitable attack method. They may choose to embed intruder code disguised as important invoice, PDF file, Word document or email message. In case, if attacks are highly-targeted and are planned to launch with a nasty intention, they must try to spark the specific interests of a victim. Besides, attackers may also target specific operating systems, firewalls and other technologies to exploit the flaw.
Defenders must understand this stage of cyber kill chain. Even though they fail to detect the weaponization as it happens, they can analyze malware artifacts. Detecting malware artifacts can help companies build the robust and resilient defenses.
Endpoints meaning humans acts as primary means of delivery and this may be executed via drive-by download from a website, a targeted phishing attack or infecting an employee-owned device via secure VPN. Delivery of the weapon also occurs through a vulnerable application, especially a web application,which can be easily manipulated through cross-site scripting, form fields tampering and other means.
In order to mitigate cyberattacks, it is essential to understand how they might be delivered. A good cyber hygiene i.e. ignoring the attachments sent by an unknown person, avoid clicking on third-party links helps to protect the organization’s network.
The fourth stage of attack kill chain proves to be dangerous if it is not neutralized well in-time. Exploiting the organization’s network always begin with one infected system, either through a DNS server or through an infected endpoint. Once a single system connected to the network is infected, malicious activity can penetrate at a lightening speed. And when a cybercriminal gains complete access, he/she can scan the network to find specific applications and servers to steal data. Once installed, malware hides their existence from security devices.
At this stage, organization’s ought to work hard to identify and stop malware penetration. Although traditional hardening measures add resiliency, custom capabilities are equally important to stop zero-day exploits at this stage.
Installing malware on the infected computer comes into the picture only when attackers use malware as a part of cyberattack. During malware installation, the dropper program disables host-based security controls and hides the malware. However, deploying endpoint instrumentation into the organization’s network helps detect the log installation activity and blocks the process completely.
6) Command & Control
Cybercriminals create a command channel back through the internet to a server.It helps them to communicate and pass data back and forth between infected devices and their server. However, this action can be easily controlled by blocking command-and-control communication and outbound communication.
7) Action or Execution
In the final stage of kill chain, attackers gain complete control over the target systems and successfully send confidential data and files outside the organization. Nonetheless, outbound traffic monitoring easily identifies the last stage of an attack. But,to surpass the security controls, cybercriminals send their data from unsuspecting servers and use very low and slow bursts to thwart outbound protections.