Understanding the cyber kill chain
threats have CYBER become more sophisticated and complex over the past few decades, making traditional security defences insufficient.
TO cope with these ever-evolving challenges, there is a need to adopt proactive, adaptive and resilient cybersecurity prevention and mitigation techniques. This week, we shall discuss the cyber kill chain, a concept developed by Lockheed Martin in 2011, based on a military model of attack and defence.
The cyber kill chain helps to identify and prevent malicious activity by disrupting the attacker’s actions or objectives at any stage.
Cybercriminals, like burglars, carefully plan their activities before striking their victims. They scout for vulnerabilities, gather information and choose the best time and method to launch their attacks.
The cyber kill chain is a framework that outlines the various phases of common cyberattacks.
It helps organisations understand and anticipate the attacker’s actions and objectives, and prevent or mitigate future cyber threats.
The cyber kill chain consists of seven stages corresponding to a specific type of activity in a cyberattack, regardless of whether it originates from inside or outside the organisation.
Reconnaissance
Reconnaissance is when the attacker gathers information about the target, such as its vulnerabilities, systems, networks, users and assets.
The attacker may use automated scanners or manual techniques to find weaknesses and entry points that can be exploited.
The attacker may also try to discover and analyse the security systems that protect the target, such as firewalls, intrusion-prevention systems and authentication mechanisms.
Reconnaissance is critical for the attacker, as it helps them plan their attack strategy and choose the best tools and methods.
Weaponisation
Weaponisation is when the attacker creates the attack vector used in the cyberattack.
This could include remote access malware, ransomware or a virus or worm that can exploit a vulnerability identified during the reconnaissance stage.
During the weaponisation stage, the attacker may also try to evade detection by any security solutions.
For instance, the attacker may encrypt, obfuscate or compress the malicious payload to avoid signature-based detection. The attacker may also test the payload against antivirus software or online scanners to ensure effectiveness. A payload is the part of the cyber-attack that causes damage to the victim. It can be malware, ransomware or a virus or worm that exploits a vulnerability.
Delivery
The attacker delivers or deploys the malicious payload to the target using various methods such as email, web, USB or network.
Hackers can also deliver malware through phishing emails that trick users into clicking on malicious attachments.
Alternatively, hackers can breach an organisation’s network and exploit software or hardware vulnerabilities to instal malware.
Exploitation
The attacker executes the malicious payload on the target’s system or network, gaining access or control.
Once the malware or other hacking methods have been delivered successfully, the attacker exploits the weaknesses they discovered in the previous cyber kill chain stages.
The attacker can now penetrate the target’s network deeper and find more vulnerabilities they did not know before.
At this stage, the attackers often move sideways across the network from one system to another, looking for more potential entry points. Vulnerabilities are much easier to spot now if the network has no deception measures.
Installation
At this stage, the attacker tries to install malware and deploy other cyberweapons within the target network to gain more control of more systems, accounts and data.
The attacker uses various methods to instal malware, such as trojan horses, access token manipulation, command-line interfaces, and backdoors.
The attacker also intensifies their tactics by forcefully infiltrating the target network, looking for unprotected security credentials and changing permissions on compromised accounts.
Command and control
The command-and-control channel (the C2 stage) allows the attacker to track, monitor and guide their deployed cyberweapons and tool stacks remotely.
This stage can be broken down into two methods: obfuscation and denial of service (DoS). Obfuscation is when an attacker hides their presence and activities, making it look like no threat exists. This includes methods such as file deletion, binary padding and code signing.
DoS is when cybercriminals create problems in other systems/areas to divert security teams from discovering the core objectives of the attack.
This often involves network denial of service or endpoint denial of service, as well as techniques like resource hijacking and system shutdowns.
Actions on objectives
After securing persistent access, the attacker finally carries out their malicious objectives. They may steal, destroy, encrypt or exfiltrate data at this stage of the cyber kill chain.
How can cyber kill chain protect against attacks?
Organisations can use the cyber kill chain model to identify and stop cyberattacks at any stage by implementing appropriate security controls and countermeasures. For example, an organisation can prevent the reconnaissance stage by encrypting data and hiding network information.
The delivery stage can be prevented by filtering emails and web traffic.
Prevent the exploitation stage by patching systems and applications.
You need to prevent the installation stage by using antivirus software and firewalls.
Prevent the command-and-control stage by monitoring network activity and blocking suspicious connections. Prevent the actions on the objectives stage by backing up data and having a recovery plan.
John Tseriwa is a tech entrepreneur and a digital transformation advocate focusing on delivering business solutions powered by Fourth Industrial Revolution technologies. He can be contacted at: info@johntseriwa.com or +263773289802.