
CYBER KILL CHAIN

ADID SMAIL
PLAN

INTRODUCTION

DEFINITION OF CYBER KILL CHAIN

7 PHASES OF THE CYBER KILL CHAIN

SECURITY CONTROLS YOU CAN USE TO STOP THE KILL CHAIN

CONCLUSION
INTRODUCTION
Cyber attacks have evolved dramatically over the past two decades. Social engineering, insider
threats, and cloud technology have changed the way we look at the information
security perimeter, and in many people’s minds, have rendered the security perimeter irrelevant.
The cyber kill chain is a traditional security model that describes an old-school scenario — an
external attacker taking steps to penetrate a network and steal its data — breaking down the
steps of the attack to help organizations prepare. Nevertheless, it is still remarkably successful
at describing the threat vectors and attacks that organizations face today.
DEFINITION OF CYBER KILL CHAIN

The cyber kill chain (CKC) is a classic cybersecurity model developed by the Computer
Security Incident Response Team (CSIRT) at Lockheed Martin. The purpose of the model is to
better understand the stages an attacker must go through to conduct an attack, and to help security
teams stop an attack at each stage.
The kill chain model describes an attack by an external attacker attempting to gain access to
data or assets inside the security perimeter.
7 PHASES OF THE CYBER KILL CHAIN

Reconnaissance

Weaponization

Delivery

Exploitation

Installation

Command and Control

Actions on Objectives
RECONNAISSANCE

This stage can be defined as the phase of target selection, identification of organization
details, industry-vertical-legislative requirements, information on technology choices, social
network activity or mailing lists. The adversary is essentially looking to answer these
questions: “Which attack methods will work with the highest degree of success?” and of
those, “Which are the easiest to execute in terms of our investment of resources?”
EXAMPLE

• Gathering information about the target organization by searching the internet or through social
engineering
• Analyzing assorted online activities and publicly available information
• Gathering information from social networking sites and internet services
• Obtaining information about websites visited
• Monitoring and analyzing the target organization’s website, performing whois and DNS lookups, and network
footprinting
• Scanning to identify open ports and services
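The last bullet is the reconnaissance activity a defender can most readily see in its own logs, because most probes of a scan are denied and logged. As an added example (not part of the original presentation), the following Python script flags sources that touch many distinct ports in a short window. The log format, the addresses and the thresholds are constructed assumptions; a real firewall's format would be handled by adapting parse_line().

```python
"""Spot port-scan style reconnaissance in firewall logs.

Added example, not part of the original presentation. The log format is a
constructed one: '<timestamp> <src_ip> <dst_ip> <dst_port> <action>'; real
firewalls log differently, so parse_line() is the part to adapt. Addresses
are placeholders from documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCANNER = "198.51.100.7"   # constructed: probes 16 ports in 16 seconds
NORMAL = "203.0.113.5"     # constructed: talks to one HTTPS service repeatedly

SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:00:{i:02d} {SCANNER} 192.0.2.10 {20 + i} "
     f"{'ALLOW' if 20 + i == 22 else 'DENY'}" for i in range(16)]
    + [f"2024-01-01T10:{i:02d}:00 {NORMAL} 192.0.2.10 443 ALLOW" for i in range(20)]
)


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_scanners(log_text, window=timedelta(seconds=60), min_targets=10):
    """Return {src_ip: max_distinct_targets} for sources that touched at least
    min_targets distinct (dst_ip, dst_port) pairs inside any sliding window.
    Denied connections count too: a scan is visible precisely because most
    of its probes fail."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, port, _action = parse_line(line)
        events[src].append((ts, dst, port))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({(d, p) for _, d, p in evs[start:end + 1]})
            if distinct >= min_targets:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, n in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {n} distinct host:port targets in 60s")
```

The normal host is never flagged because it only ever reaches one host:port pair, however often; the threshold counts distinct targets, not connection volume. Slow scans spread over hours defeat a 60-second window, so in practice the same logic is run with several window sizes.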
WEAPONIZATION

The adversary analyzes the information collected in the previous stage to identify
the vulnerabilities and techniques that will be used to exploit and gain unauthorized access to the
target organization. Based on the vulnerabilities identified during analysis, the adversary selects
or creates a tailored, deliverable malicious payload (a remote-access malware weapon)
combining an exploit and a backdoor to send to the victim.
The adversary may target specific network devices, operating systems, end devices, or even
people belonging to the organization to perform the attack.
EXAMPLE

• Identifying an appropriate malware payload based on the analysis
• Creating a new malware payload or selecting/reusing/modifying an existing malware
payload based on the identified vulnerability
• Creating the phishing email campaign
• Leveraging exploit kits and botnets
DELIVERY

The weapon created in the previous stage, that is, the malicious payload, is
transmitted to the intended victim(s) as an email attachment, via a malicious link on a
website, through a vulnerable web application, or on a USB drive. This is a key stage that
measures the effectiveness of the defense methods implemented by the target organization,
based on whether the adversary’s intrusion attempt is blocked or not.
EXAMPLE

• Sending phishing emails to the workers of the target organization
• Distributing USB drives containing a malicious payload to the workers of the target organization
• Performing attacks such as watering hole attacks on a compromised website
• Using various hacking tools against the operating systems, applications, and servers of the target
organization
EXPLOITATION

After delivery to the user, computer or device, the malicious payload compromises
the asset, thereby gaining a foothold in the environment. This is usually done by exploiting
a known vulnerability for which a patch has previously been made available. While
zero-day exploitation does occur, depending on the victim, in the majority of cases it is
not necessary for adversaries to go to this expense.
EXAMPLE

• Exploiting a software or hardware vulnerability to gain remote access to the target system
INSTALLATION

The adversary downloads and installs more malicious software on the target system to
maintain access to the target network for an extended period of time. The adversary
may use the weapon to install a backdoor to gain remote access. After the injection of
the malicious code on one target system, the adversary gains the capability to spread
the infection to other end systems in the network. Also, the adversary tries to hide the
presence of malicious activities from security controls like firewalls using various
techniques such as encryption. Analysts can analyze the installation phase
to prevent endpoints from being compromised.
EXAMPLE

• Establishing a two-way communication channel between the victim’s system and the
adversary-controlled server
• Leveraging channels such as web traffic, email communication, and DNS messages
• Applying privilege escalation techniques
• Hiding the evidence of compromise using techniques such as encryption
COMMAND AND CONTROL

This stage is the defender’s last best chance to block the operation: by blocking the
command and control channel. If adversaries can’t issue commands, defenders can
prevent impact.
Typically, compromised hosts must beacon outbound to an Internet-facing controller server to
establish a command and control (C2) channel. APT malware in particular requires manual
interaction rather than conducting activity automatically.
Once the C2 channel is established, intruders effectively have “hands on the keyboard”
access inside the target environment. Keep in mind that malware is rarely fully automated;
ordinarily this command channel is operated manually.
ACTIONS ON OBJECTIVE

The adversary controls the victim’s system from a remote location and finally
accomplishes the intended goals. The adversary gains access to confidential data,
disrupts the services or network, or destroys the operational capability of the target by
gaining access to their network and compromising more systems. Also, the adversary
may use this as a launching point to perform another attack.
SECURITY CONTROLS YOU CAN USE TO STOP THE KILL CHAIN
HOW TO DEFEND AGAINST RECONNAISSANCE

Security through obscurity is a common tactic where attractive targets are cloaked,
disguised or otherwise set up to reveal as little desirable information as possible. The
same principle applies here to potential victims. Encourage users to make social media
accounts private, to vet potential friends/contacts and to eliminate as much public data
about themselves as possible to reduce potential attack surfaces. Never put
confidential or private information on public company websites.
HOW TO DEFEND AGAINST WEAPONIZATION

You can't prevent the bad guys from creating malware, but you can make
your users aware that malware can be targeted towards them or their
interests, by conducting security education to ensure they know how to spot
suspicious emails and adopt a conservative security mindset.
HOW TO DEFEND AGAINST DELIVERY

User education must go hand-in-hand with proper security controls. Utilize mail
filtering services and vendor controls such as Microsoft Group Policy to disable email
hyperlinks to reduce the likelihood of phishing emails ever reaching your users. Set up
alerts to notify IT staff of blocked attempts so they can keep track of the frequency of
such efforts.
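The alerting described above is worth automating: a burst of blocked lures from one sender domain to many employees tells IT staff the organization is being targeted even though every message was stopped. As an added example (not part of the original presentation), the following Python script does that over mail-gateway log lines. The log format, sender domains and thresholds are constructed assumptions; real gateways use their own formats, which parse_line() would be adapted to.

```python
"""Track blocked phishing attempts at the mail gateway and alert on campaigns.

Added example, not part of the original presentation. The gateway log format
is a constructed one: '<timestamp> from=<sender> to=<recipient> verdict=<VERDICT>'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> verdict=(?P<verdict>\w+)$"
)

# Constructed sample log: one lure sent to six employees in ten minutes (a campaign),
# one legitimate newsletter that was allowed, and one blocked spam message.
SAMPLE_LOG = """\
2024-03-04T08:01:10 from=<hr@payroll-updates.example> to=<alice@corp.example> verdict=BLOCKED_PHISH
2024-03-04T08:02:45 from=<hr@payroll-updates.example> to=<bob@corp.example> verdict=BLOCKED_PHISH
2024-03-04T08:04:02 from=<hr@payroll-updates.example> to=<carol@corp.example> verdict=BLOCKED_PHISH
2024-03-04T08:06:30 from=<hr@payroll-updates.example> to=<dave@corp.example> verdict=BLOCKED_PHISH
2024-03-04T08:08:11 from=<hr@payroll-updates.example> to=<erin@corp.example> verdict=BLOCKED_PHISH
2024-03-04T08:10:59 from=<hr@payroll-updates.example> to=<frank@corp.example> verdict=BLOCKED_PHISH
2024-03-04T08:30:00 from=<news@vendor.example> to=<bob@corp.example> verdict=ALLOWED
2024-03-04T09:15:00 from=<deals@spam.example> to=<carol@corp.example> verdict=BLOCKED_SPAM
"""


def parse_line(line):
    """Parse one constructed gateway log line into (timestamp, sender, recipient, verdict)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return datetime.fromisoformat(m["ts"]), m["sender"], m["rcpt"], m["verdict"]


def blocked_by_sender_domain(log_text, verdict_prefix="BLOCKED_PHISH"):
    """Group blocked phishing verdicts by the sending domain."""
    groups = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, sender, rcpt, verdict = parse_line(line)
        if verdict.startswith(verdict_prefix):
            domain = sender.rsplit("@", 1)[-1].lower()
            groups[domain].append((ts, rcpt))
    return groups


def campaign_alerts(log_text, min_recipients=5, window=timedelta(hours=1)):
    """Return (domain, messages, distinct_recipients) for sender domains whose
    blocked lures reached at least min_recipients distinct employees within
    one sliding window."""
    alerts = []
    for domain, hits in blocked_by_sender_domain(log_text).items():
        hits.sort()
        start = 0
        best = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({r for _, r in hits[start:end + 1]}))
        if best >= min_recipients:
            alerts.append((domain, len(hits), best))
    return alerts


if __name__ == "__main__":
    for domain, n, rcpts in campaign_alerts(SAMPLE_LOG):
        print(f"ALERT: {n} blocked lures from {domain} reached {rcpts} distinct recipients")
```

Counting distinct recipients rather than raw message volume separates a targeted campaign from a single user who keeps receiving the same junk. The single blocked spam message and the allowed newsletter never enter the alert path.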
HOW TO DEFEND AGAINST EXPLOITATION

Anti-malware software which is routinely updated is a key element here as it will
block infected attachments. Web proxy filtering is also important as it will block
access to malicious websites. Of course, users working on mobile devices with data
plans won't be subject to web proxy filtering, so it's especially important to warn users
not to click on suspicious links from a mobile device outside the company's network,
and to deploy anti-malware solutions to any device used for company business,
whether employee or company-owned.
HOW TO DEFEND AGAINST INSTALLATION

At this stage any security controls have clearly failed to prevent the
malware from reaching the device, either because they weren't updated,
they were somehow bypassed or disabled or there aren't current signatures
available to identify a new threat.
HOW TO DEFEND AGAINST COMMAND AND CONTROL

"Some kill chain activity is extremely difficult for a human to detect and confirm it's
indeed a threat," said Christian. Monitoring and alerting and employing analytics (such
as UEBA) can once again help identify normal vs. abnormal behavior. Tying this in
with unified security controls provides a veritable trail to follow which can pinpoint
what happened here.
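One concrete piece of the "normal vs. abnormal" analytics mentioned above is beacon detection: as the Command and Control section notes, a compromised host typically checks in with its controller on a timer, and timer-driven connections have far more regular intervals than human browsing. As an added example (not part of the original presentation), the following Python script computes that regularity from connection logs. The log format, addresses and thresholds are constructed assumptions.

```python
"""Flag periodic outbound beaconing in proxy or firewall connection logs.

Added example, not part of the original presentation. The log format is a
constructed one: '<timestamp> <src_ip> <dst_ip>'. Addresses are placeholders
from documentation ranges.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 5, 6, 9, 0, 0)


def _lines(src, dst, gaps_seconds):
    """Build constructed log lines for one (src, dst) pair from a list of gaps."""
    t = BASE
    out = [f"{t.isoformat()} {src} {dst}"]
    for g in gaps_seconds:
        t += timedelta(seconds=g)
        out.append(f"{t.isoformat()} {src} {dst}")
    return out


# Constructed sample: an implant checking in roughly every five minutes with a
# little jitter, and a user's browser talking to a site at irregular times.
SAMPLE_LOG = "\n".join(
    _lines("10.0.0.23", "198.51.100.44", [301, 297, 304, 297, 301, 303, 294, 303, 302])
    + _lines("10.0.0.9", "203.0.113.80", [5, 120, 2, 900, 30, 60, 1800, 3, 7])
)


def find_beacons(log_text, min_connections=8, max_cv=0.1):
    """Return {(src, dst): mean_interval_seconds} for pairs whose connection
    intervals are numerous and nearly constant. The coefficient of variation
    (stdev / mean) is small for a timer-driven beacon and large for
    human-driven traffic."""
    stamps = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst = line.split()
        stamps[(src, dst)].append(datetime.fromisoformat(ts))

    beacons = {}
    for pair, times in stamps.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            beacons[pair] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate: {src} -> {dst} every ~{interval}s")
```

A low coefficient of variation is a signal, not a verdict: software update checks and monitoring agents beacon too, so the hit is enriched with destination reputation and process information before anyone acts on it. Implants that add heavy random jitter or sleep for hours will not trip this simple check, which is why the page's point about tying analytics to unified security controls matters.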
HOW TO DEFEND AGAINST ACTIONS ON OBJECTIVE

This is the end stage of the game, so the best possible chance of seizing
victory from the jaws of defeat is to utilize data loss prevention (DLP)
technologies to prevent data from being transmitted out of the
organization.
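A DLP rule is, at its core, content inspection of outbound traffic with enough validation to keep false positives tolerable. As an added example (not part of the original presentation), the following Python script implements one such rule for payment card numbers: it matches candidate digit strings and then applies the Luhn checksum, so a 16-digit invoice number is not blocked. The sample messages are constructed; 4111 1111 1111 1111 is a widely published test card number, not a real account.

```python
"""Content inspection for outbound mail, in the style of a DLP rule.

Added example, not part of the original presentation. Detects payment card
numbers and validates them with the Luhn checksum so that invoice or order
numbers of the same length are not flagged.
"""
import re

# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_outbound(text: str):
    """Return a list of (kind, masked_value) findings for a message body."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(("payment_card", mask(digits)))
    return findings


def dlp_decision(text: str) -> str:
    """Block the message if any sensitive finding is present, otherwise allow it."""
    return "BLOCK" if scan_outbound(text) else "ALLOW"


# Constructed messages: one leaks a card number, one only contains an invoice
# number that happens to be 16 digits long but fails the Luhn check.
LEAK = "Hi, please charge 4111 1111 1111 1111, exp 12/29, for the order."
INVOICE = "Attached is invoice 4111111111111112 for last month's services."

if __name__ == "__main__":
    for body in (LEAK, INVOICE):
        print(dlp_decision(body), scan_outbound(body))
```

The Luhn check removes roughly nine in ten random digit strings of the right length, which is what makes a pattern this broad usable in production; a full DLP policy adds further detectors (national ID formats, document fingerprints, classification labels) on the same scan-then-decide skeleton.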
CONCLUSION
Threat Intelligence Platforms are an emerging technology that help an organization to
consume and then act on cyber intelligence. Rather than relying solely on external
intelligence, a TIP can also enable an organization to transition to producing their own
actionable intelligence. This is a more reliable, sustainable, and cost-effective model for
the long-term defenses of an organization. Properly employing a TIP can enhance an
organization’s cyber maturity and improve resiliency against advanced adversaries through
the adoption of an Intelligence Driven Defense approach to computer network defense.
This can mean the difference between a reactive and vulnerable security state and a
proactive, or even predictive, computer network defense posture that is capable of
identifying and stopping current attacks, and preventing future attacks.
