What is a Kill Chain?
The term “kill chain” was originally used in the military. In October 1996, after the first Gulf War, General John Jumper formalized the methods necessary to compress the time it takes to find and kill the enemy on the battleground. He termed it “compressing the kill chain.” General Jumper wanted to do it in less than 10 minutes instead of several hours or days to complete. And so, the military kill chain model came to be known as the “F2T2EA,” an acronym that stands for:
- Find – Locate the target
- Fix – Fix the target’s location and make it difficult for them to move
- Track – Monitor the target’s movement
- Target – Choose the appropriate weapon or asset to use on the target to create the desired effect
- Engage – Use the weapon on the target
- Assess – Evaluate the effects of the attack
What is a Cyber Kill Chain?
In 2011, Lockheed Martin came up with the Cyber Kill Chain framework. According to the company, “the model identifies what the adversaries must complete in order to achieve their objective.”
The cyber kill chain is a series of stages required for an attacker to successfully gain access to a network and exfiltrate data from it. The theory is, the closer to the beginning of the kill chain an attack can be stopped, the better.
According to Lockheed Martin’s APT (Advanced Persistent Threat) documentation, there are seven stages in the Cyber Kill Chain. Each stage of the chain presents a specific goal along the attacker’s path and at the same time, an opportunity for the cybersecurity team to react to the attack:
Targets are identified
|The planning phase.|
They conduct research on whom to target by:
|Detection of recon can be difficult but when found can reveal the attacker’s intent.|
Preparing the Operation
|The attacker uses automated tools – a “weaponizer” – malware and exploit are combined into a deliverable payload.||Weaponization as it happens cannot be detected but they can deduce by analyzing malware artifacts.|
Operation is launched
|Two ways the attacker delivers the malware:|
– Malicious email
– Malware on USB stick
– Social media interactions
– “Watering hole” compromised websites
|The first and most important opportunity to block the operation.|
Attacker gains access to victim
|Attacker exploits a vulnerability to gain access via:|
– Opening attachment of malicious email
– Clicking malicious link in email
|Traditional hardening measures as well as custom capabilities should be used to stop zero-day exploits:|
– Admin privileges should be restricted
– Use Microsoft EMET
– Use custom endpoint rules to block shellcode execution
Attacker establishes foothold on victim’s network
|In order to maintain access for an extended period of time, the attacker will:||Defender should install endpoint technology to detect and log installation activity:|
6. Command and Control
Attacker remotely controls the implant/s
|Attacker is able to manipulate the victim through the implant by:||The last best chance for the defender to block the operation by blocking the C2 channel. Defenders can:|
– Consolidating the number of internet points of presence
– Requiring proxies for all types of traffic (HTTP, DNS)
7. Actions on Objectives
Achieve the attacker’s goal
|The attacker’s goal may be any of the following:||Defenders must detect this stage as quickly as possible by using forensic evidence:|
Like other security models, the Cyber Kill Chain is not foolproof. The idea of the model is that the security team can use several steps to identify areas of attack where the chain can be broken to prevent a breach.
Some experts have criticized this model mainly because recent attacks have become more complex and wider in scope. Thus, making this model outdated. However, the goal of the Cyber Kill Chain is to disrupt the chain early, before any major damage takes place.
The Cyber Kill Chain can help you understand the challenges of securing data and provide greater insight into how cybercriminals attack whether you are an analyst, an incident responder or someone with an interest in cybersecurity.
Applying the Cyber Kill Chain as part of your security strategy takes time. To reduce the possibility that threats will slip through unnoticed, you need to implement layered security measures.
Netswitch provides state-of-the-art security solutions that is fit for any organization’s unique requirements.
For more details on how you can utilize the Cyber Kill Chain with cutting-edge security solutions, contact Netswitch today.
*** This is a Security Bloggers Network syndicated blog from News and Views – Netswitch Technology Management authored by Press Release. Read the original post at: https://www.netswitch.net/the-cyber-kill-chain-what-you-need-to-know/