UNDERSTANDING THE CYBER KILL CHAIN BY BRADLEY MILBURN
The cyber kill chain is a framework developed by Lockheed Martin to describe the stages of a cyber attack. It breaks down the process into distinct phases, which helps organizations understand how attacks unfold and how they can be detected and mitigated at each stage. The traditional cyber kill chain consists of seven stages:
1. Reconnaissance - The attacker gathers information about the target, such as identifying potential vulnerabilities, gathering email addresses, and understanding the network architecture.
Passive examples:
- Whois
- Job listings
- Company website
Active examples:
- Nmap
- Port scanning
- Banner grabbing
- Vulnerability scanners (APTs tend to do this over a long period of time to better avoid detection)
Ways to protect a business network:
- Network Security - Firewall Configuration, Intrusion Detection Systems (IDS), Disable unused ports, utilise Honeypots & block inbound Tor & 3rd party VPNs.
- Data Security - Encryption & Data Masking
- Access Control - Least Privilege Principle & Multi-Factor Authentication (MFA)
- Monitoring and Logging - Regular Audits & Log Management
- Employee Training - Security Awareness Training & Incident Response Drills
- Physical Security - Access Control Systems & Surveillance
- Web Application Security - Web Application Firewalls (WAF) & Regular Updates
- Incident Response Plan - Develop and Implement & Regular Testing
By implementing these measures, businesses can significantly reduce the risk of reconnaissance and better protect their assets from potential cyber attacks.
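Active reconnaissance such as the port scanning and banner grabbing listed above leaves a footprint in firewall logs. As an added example (not code from the original post), the following Python flags a source that touches many distinct ports on one host inside a short window, which is how a scan looks from the defender's side; the log format, addresses and ports are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One firewall record per line; the format and addresses are constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 445, 3389]
SAMPLE_LOG = (
    # Normal client repeatedly hitting one service: many hits, one port, must not alert
    "".join(f"2024-05-01T10:00:{i:02d} ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=443\n"
            for i in range(15))
    # Scanner sweeping twelve ports on the same host within twelve seconds
    + "".join(f"2024-05-01T10:00:{i:02d} DROP src=198.51.100.7 dst=192.0.2.10 dport={p}\n"
              for i, p in enumerate(SCANNED_PORTS))
)

def parse(log_text):
    """Turn log lines into (timestamp, src, dst, dport) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events

def find_port_scans(events, min_ports=10, window_s=60):
    """Return {(src, dst): distinct_ports} for every source that touched at least
    min_ports distinct destination ports on one host within any window_s-second window."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()  # sliding window over time-ordered hits
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > timedelta(seconds=window_s):
                start += 1
            distinct = {port for _, port in hits[start:end + 1]}
            if len(distinct) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(distinct))
    return alerts

if __name__ == "__main__":
    for (src, dst), n in find_port_scans(parse(SAMPLE_LOG)).items():
        print(f"Reconnaissance: {src} probed {n} distinct ports on {dst}")
```

The repeated hits on port 443 are deliberately included to show that the check keys on distinct ports, not on volume, so a busy legitimate client does not trip it.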
2. Weaponization - The attacker creates a malicious payload (e.g., malware, exploit) designed to exploit the identified vulnerabilities.
Weaponization describes the second stage of a cyber attack. This phase involves the creation of a deliverable payload by combining a malware program with an exploit that can be delivered to the target.
- Key Aspects of Weaponization - Malware Creation, Exploit Development & Payload Delivery Mechanism
- Objectives of Weaponization - Bypass Defences, Stealth & Efficiency
- Examples of Weaponization - Email Phishing, Drive-by Downloads & Exploit Kits
- Mitigation Strategies - Regular Updates and Patching, Advanced Threat Detection, User Training, Sandboxing & Email Security.
By understanding and addressing the weaponization phase, organizations can better defend against the subsequent stages of a cyber attack, thereby reducing the overall risk and impact of potential breaches.
3. Delivery - The attacker sends the malicious payload to the target using various methods, such as phishing emails, malicious websites, or infected USB drives.
Delivery is the third phase and involves the transmission of the weaponized payload to the targeted environment. It is the critical step where attackers attempt to introduce their malicious software or exploit into the target's systems.
Key Aspects of Delivery:
- Transmission Methods - Email Attachments, Malicious Links, Drive-by Downloads, Removable Media, Network Shares & Third-Party Applications
- Targeting - Specific Individuals or Systems, Spear Phishing & Watering Hole Attacks
- Objectives of Delivery - Reach the Target, Evade Detection & Encourage Interaction
- Examples of Delivery - Phishing Email, Compromised Websites, Social Media & Software Vulnerabilities
- Mitigation Strategies - Email Security, Web Filtering, User Training, Endpoint Protection, Network Security & Patch Management.
By effectively addressing the delivery phase, organizations can significantly reduce the likelihood of successful cyber attacks, protecting their systems and data from being compromised.
4. Exploitation - The malicious payload is triggered, exploiting the vulnerabilities on the target system to gain unauthorized access.
Exploitation is the fourth phase. It involves the attacker taking advantage of a vulnerability to execute code on the target system, thereby gaining initial access and running their malicious payload.
- Key Aspects of Exploitation - Vulnerability Exploitation, Software Vulnerabilities, Human Vulnerabilities & Payload Execution.
- Objectives of Exploitation - Establish Foothold, Maintain Stealth & Enable Next Steps
- Examples of Exploitation - Phishing Attack, Drive-by Download & Malicious Macros.
- Mitigation Strategies - Patch Management, Endpoint Security, User Education, Application Whitelisting, Intrusion Detection/Prevention Systems (IDS/IPS) & Exploit Mitigation Techniques.
By effectively addressing the exploitation phase, organizations can disrupt the attacker's ability to gain initial access and execute their malicious payload, thereby reducing the risk and impact of a cyber attack.
5. Installation - The attacker installs malware on the compromised system to establish a persistent presence and maintain access over time.
Installation is the fifth phase. It involves the attacker establishing a foothold in the target environment by installing malware or other malicious software on the compromised system. This step is crucial because it sets up the tools and backdoors the attacker needs to maintain control, execute further actions, and potentially escalate their privileges within the target network.
Key Aspects of Installation:
- Malware Installation - Persistence Mechanisms & Multiple Payloads
- Covert Operation - Stealth & Communication
Objectives of Installation:
- Maintain Access
- Prepare for Next Stages
- Avoid Detection
Examples of Installation:
- Remote Access Trojan (RAT)
- Keylogger
- Rootkit
- Backdoor
Mitigation Strategies:
- Endpoint Protection
- Regular Scanning
- Application Whitelisting
- Behaviour Monitoring
- Least Privilege Principle
- Patch Management
- Network Segmentation
By addressing the installation phase, organizations can disrupt the attacker’s ability to establish a persistent presence in the target environment, thereby preventing further exploitation and reducing the impact of the cyber attack.
6. Command and Control (C2) - The attacker establishes a communication channel between the compromised system and a remote server, allowing them to control the system and issue commands.
Command and Control (C2 or C&C) is the sixth phase. It involves the attacker establishing a communication channel with the compromised system to control it remotely. Through this channel, the attacker can issue commands, transfer data, and coordinate further actions.
Key Aspects of Command and Control:
- Establishing Communication - Protocols & Encryption
- Maintaining Stealth - Stealth Techniques & Beaconing
- Functional Control - Command Execution & Data Exfiltration
Objectives of Command and Control:
- Maintain Control
- Coordinate Actions
- Avoid Detection
Examples of Command and Control:
- Malware with C2 Capabilities
- Botnets
- Advanced Persistent Threats (APTs)
Mitigation Strategies:
- Network Monitoring
- Intrusion Detection/Prevention Systems (IDS/IPS)
- Endpoint Detection and Response (EDR)
- Threat Intelligence
- Anomaly Detection
- Segmentation
- Blocking Malicious Domains/IPs
By effectively addressing the command and control phase, organizations can disrupt the attacker's ability to manage and control the compromised systems, thereby mitigating the impact of the cyber attack and preventing further malicious activities.
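The beaconing mentioned under Maintaining Stealth is a C2 implant checking in at a fixed interval, and it is one of the behaviours that Network Monitoring and Anomaly Detection look for. As an added example (not from the original post), the following Python takes outbound connection records and flags a (source, destination) pair whose inter-connection intervals are unusually regular, using the coefficient of variation as the regularity score; the records and addresses are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_sample():
    """Constructed (epoch_seconds, src, dst) outbound connection records."""
    records = []
    # Host checking in to one external address every 60 s with a couple of seconds of jitter
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, -1, 1]
    for i, j in enumerate(jitter):
        records.append((1_700_000_000 + 60 * i + j, "10.0.0.15", "203.0.113.9"))
    # Same host browsing a legitimate site at irregular, human-driven intervals
    gaps = [0, 7, 95, 140, 160, 420, 431, 900, 1300, 1310]
    for g in gaps:
        records.append((1_700_000_000 + g, "10.0.0.15", "198.51.100.20"))
    return records

def find_beacons(records, min_connections=8, max_cv=0.2):
    """Return {(src, dst): (mean_interval_s, cv)} for pairs with at least
    min_connections connections whose interval coefficient of variation is <= max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few observations to judge regularity
        times.sort()
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # all connections at the same instant; not a periodic pattern
        cv = pstdev(intervals) / avg  # 0 means perfectly periodic
        if cv <= max_cv:
            beacons[pair] = (round(avg, 1), round(cv, 3))
    return beacons

if __name__ == "__main__":
    for (src, dst), (avg, cv) in find_beacons(build_sample()).items():
        print(f"Command and Control: {src} -> {dst} every ~{avg}s (cv={cv})")
```

Raising min_connections or lowering max_cv trades missed slow beacons for fewer false positives from software updaters and monitoring agents, which are also periodic and should be allow-listed rather than alerted on.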
7. Actions on Objectives - The attacker performs their intended actions, which could include data exfiltration, system manipulation, or destruction, depending on their goals.
Actions on Objectives is the seventh and final phase. It encompasses the attacker's end goals after establishing control over the compromised system. Depending on the attack's purpose, these actions can vary widely but generally involve achieving the primary objectives of the cyber intrusion.
Key Aspects of Actions on Objectives:
- Data Exfiltration - Sensitive Information & Credentials
- Data Manipulation or Destruction - Data Integrity Attacks & Data Deletion
- Disruption and Denial of Service - Operational Disruption & Denial of Service (DoS)
- Financial Gain - Ransomware & Fraud and Theft
- Espionage - Intellectual Property Theft & Surveillance
- Lateral Movement and Persistence - Network Reconnaissance, Privilege Escalation & Maintaining Persistence
Objectives of Actions on Objectives:
- Achieve the Attacker’s Goals
- Maximize Impact - Cause as much damage or gain as much benefit as possible from the compromised systems
- Avoid Detection
Examples of Actions on Objectives:
- Ransomware Attack
- Data Breach
- Destructive Attack
- Espionage
Mitigation Strategies:
- Data Encryption
- Regular Backups
- Network Segmentation
- User Behaviour Analytics
- Incident Response Plan
- Access Controls
- Continuous Monitoring
By effectively addressing the "Actions on Objectives" phase, organizations can minimize the damage and achieve a faster, more effective response to cyber attacks, thereby protecting their critical assets and operations.
Understanding the cyber kill chain helps organizations to develop effective defence strategies by identifying and disrupting attacks at each stage, thus reducing the likelihood of a successful compromise.