The cyber kill chain is an adaptation of a military concept to the world of information security. Developed by technology corporation Lockheed Martin back in 2011, the cyber kill chain outlines the stages common to most cyberattacks.
The usefulness of this concept is that you can establish suitable controls and processes at each different step to prevent, detect and disrupt cyberattacks. Keep reading to get the lowdown on the cyber kill chain steps along with suggested ways to bolster your defenses at each phase.
The seven steps of a cyberattack are the nitty gritty of the cyber kill chain. One point worth noting is that when Googling “cyber kill chain,” you’ll often see various websites mentioning eight or even 18 steps. The reason is that other companies attempted to refine or improve upon the original Lockheed Martin kill chain with their own versions. Whether or not these variations are genuine improvements or marketing ploys is another debate entirely; for brevity’s sake, we’ll stick with the original here.
So, why the need for a cyber kill chain at all? Well, today’s threat actors are more technically adept, motivated and resourceful than ever. The aftermath of the most serious cyberattacks, such as advanced persistent threats or double-extortion ransomware, often reveals a common pattern of adversary activity. Understanding this activity and organizing it into a logical framework can prove very useful in thwarting attacks and improving your security posture.
The reconnaissance phase kicks off the kill chain with a period in which adversaries conduct research to plan a cyberattack. This first step in the kill chain typically focuses on both people and networks to find potential areas of weakness.
The people side of things involves gathering intel from social media and company websites to understand who works for the company, who the important business partners are, and which employees could be most susceptible to social engineering. The network side of things concentrates on understanding network topology, including the applications and operating systems in your environment. A useful analogy is a group of bank robbers planning a heist by surveilling employees and sifting through blueprints.
Suggested controls:
Since reconnaissance can happen passively and covertly, it can be difficult to detect. For example, browsing your website or looking information up online is not something you can do much to deter. However, plenty of reconnaissance is active and requires threat actors to interact with systems. Suggested controls include:
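Active reconnaissance leaves traces in your own logs, which is the point the paragraph above makes. As an added example (not code from the original post), here is a small detector that reads constructed firewall log lines in an assumed `timestamp action src dst port` format and flags a source that probes many ports on one host (vertical scan) or one port across many hosts (horizontal scan) inside a short window; the function names and thresholds are illustrative choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the post); assumed format:
# "<ISO timestamp> <ACTION> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY 203.0.113.7 10.0.0.5 21
2024-03-01T10:00:02 DENY 203.0.113.7 10.0.0.5 22
2024-03-01T10:00:02 DENY 203.0.113.7 10.0.0.5 23
2024-03-01T10:00:03 DENY 203.0.113.7 10.0.0.5 80
2024-03-01T10:00:04 DENY 203.0.113.7 10.0.0.5 445
2024-03-01T10:00:05 DENY 203.0.113.7 10.0.0.5 3389
2024-03-01T10:00:10 ALLOW 198.51.100.4 10.0.0.5 443
2024-03-01T10:05:10 ALLOW 198.51.100.4 10.0.0.5 443
2024-03-01T10:09:00 DENY 203.0.113.9 10.0.0.7 445
2024-03-01T10:09:01 DENY 203.0.113.9 10.0.0.8 445
2024-03-01T10:09:02 DENY 203.0.113.9 10.0.0.9 445
2024-03-01T10:09:03 DENY 203.0.113.9 10.0.0.10 445
2024-03-01T10:09:04 DENY 203.0.113.9 10.0.0.11 445
"""

def parse(log_text):
    """Yield (timestamp, action, src, dst, port) tuples from the log text."""
    for line in log_text.splitlines():
        ts, action, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), action, src, dst, int(port)

def detect_scans(log_text, window=timedelta(seconds=60), min_distinct=5):
    """Flag sources touching many distinct ports on one host (vertical scan)
    or one port on many hosts (horizontal scan) within a sliding window."""
    events = sorted(parse(log_text))
    alerts = set()
    for i, (t0, _, src, _, _) in enumerate(events):
        ports = defaultdict(set)   # dst host -> ports this src contacted
        hosts = defaultdict(set)   # dst port -> hosts this src contacted
        for t, _, s, dst, port in events[i:]:
            if t - t0 > window:
                break
            if s == src:
                ports[dst].add(port)
                hosts[port].add(dst)
        for dst, p in ports.items():
            if len(p) >= min_distinct:
                alerts.add(("vertical", src, dst))
        for port, h in hosts.items():
            if len(h) >= min_distinct:
                alerts.add(("horizontal", src, port))
    return sorted(alerts)
```

The benign client that reaches port 443 twice five minutes apart is not flagged; only the two probing sources are, which is the kind of signal a monitoring team can act on before the attack moves to the next phase.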
In the second of the cyber kill chain steps, adversaries take information gleaned from the recon phase and attempt to tailor some sort of tool that exploits a vulnerability or perceived weakness. The resulting deliverable payload could be a remote access trojan, worm or other form of malware.
Suggested controls:
In the delivery step, hackers try a variety of ways to get the weapon they created to the target. The most obvious example that probably springs to mind is sending a phishing email with a malicious attachment. Other common delivery methods include installing malware on a vulnerable web server or injecting malicious code into an application.
Suggested controls:
Since this third cyber kill chain step represents the first real opportunity to block a cyberattack, there are multiple layers of defense you can focus on. Suggestions include:
The previous step only delivered the weaponized payload; this phase is all about executing that payload to compromise a target system and gain a foothold in the environment.
Suggested controls:
The installation phase is the step in the kill chain where threat actors try to establish persistent access to your environment and escalate their privileges. Tactics at this phase often include installing backdoors that maintain access while bypassing security controls, and hacking admin passwords.
Suggested controls:
From an external server, the adversary communicates with the installed malware and backdoors to remotely control compromised systems. This step is kind of like establishing a tunnel between the victim’s systems and infrastructure the hacker controls. Tools used to establish command and control include Cobalt Strike and PowerShell Empire.
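Because implanted malware has to call home at some cadence, command-and-control traffic often shows up as regular "beaconing" to one external host, unlike the bursty pattern of a person browsing. As an added example (not code from the original post), this script reads constructed outbound connection records in an assumed `timestamp src dst:port` format and flags pairs whose inter-connection intervals are nearly constant; the thresholds and function names are illustrative.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection records (not from the post); assumed format:
# "<ISO timestamp> <src_ip> <dst_ip>:<dst_port>"
SAMPLE_CONNS = """\
2024-03-01T09:00:00 10.0.0.21 203.0.113.50:443
2024-03-01T09:01:01 10.0.0.21 203.0.113.50:443
2024-03-01T09:01:59 10.0.0.21 203.0.113.50:443
2024-03-01T09:03:02 10.0.0.21 203.0.113.50:443
2024-03-01T09:04:00 10.0.0.21 203.0.113.50:443
2024-03-01T09:04:58 10.0.0.21 203.0.113.50:443
2024-03-01T09:06:01 10.0.0.21 203.0.113.50:443
2024-03-01T09:00:12 10.0.0.21 198.51.100.10:443
2024-03-01T09:00:14 10.0.0.21 198.51.100.10:443
2024-03-01T09:02:40 10.0.0.21 198.51.100.10:443
2024-03-01T09:02:41 10.0.0.21 198.51.100.10:443
2024-03-01T09:05:30 10.0.0.21 198.51.100.10:443
2024-03-01T09:05:31 10.0.0.21 198.51.100.10:443
2024-03-01T09:05:33 10.0.0.21 198.51.100.10:443
"""

def load(text):
    """Group connection timestamps by (src, dst) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def find_beacons(text, min_connections=6, max_cv=0.15):
    """Return (src, dst, mean_interval_seconds) for pairs whose gaps between
    connections have a low coefficient of variation, i.e. a steady beat."""
    beacons = []
    for (src, dst), times in load(text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")  # zero gaps: not a beacon
        if cv <= max_cv:
            beacons.append((src, dst, round(avg, 1)))
    return beacons
```

The first host is called roughly every 60 seconds with a few seconds of jitter and is flagged; the second sees the clustered, irregular pattern of ordinary browsing and is not. Real implants add more jitter than this sample, so tune `max_cv` against your own baseline rather than trusting a single threshold.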
Suggested controls:
The last of the cyber kill chain steps is the outcome that your business typically wants to avoid. This is the point at which a threat actor fulfills the purpose of the attack, whether that means encrypting critical files with ransomware, exfiltrating sensitive data or taking down an entire network with a DDoS attack.
Suggested controls:
All is not necessarily lost even if an attack progresses to this point. Some ways to halt actions on objectives or mitigate damage include:
Using the seven cyber kill chain steps, start working toward refining your cybersecurity strategy and defenses. Each distinct phase presents opportunities to adopt controls and processes that help you get better at stopping cyberattacks.
24/7 monitoring, detection and response should play an important role in how you plan to detect and deter attackers within each stage of the kill chain.
To learn more about how Nuspire addresses every step of the cyber kill chain and improves security for your business, contact the team today.