The Cyber Kill Chain and the stages

Akshay Prasad
4 min read · Dec 28, 2022


“Kill chain” is a military concept that describes the structure of an attack: identifying the target, dispatching forces to it, launching the attack, and destroying the target. Conversely, “breaking” an opponent’s kill chain is a defensive or proactive strategy.

Stage 1: Reconnaissance

In this stage, the adversary tries to gather as much information as possible by investigating flaws in the network, vulnerabilities that can be exploited, et cetera.

For example:

  • The attacker might learn user names and user IDs.
  • The software running on the system and the corresponding programs.

Stage 2: Weaponisation

The weaponisation stage of the cyber kill chain involves developing a backdoor and a penetration plan, using the information gathered during reconnaissance, so that the backdoor can be delivered successfully.

Example:

  • Malware: A system or network is infected with malicious software to carry out tasks the owner does not want done. Examples include worms, viruses, et cetera.
  • DDoS: A distributed denial of service attack, where the system is hit continuously with large volumes of traffic until it becomes unavailable (system breakdown).

Stage 3: Delivery

Attackers/adversaries then use a medium such as phishing emails or network or system hacking to deliver the attack vector to their target. This is the point where the attacker formally launches an attack against a target, regardless of the kind of attack they intend to carry out.

Example:

  • Email attachments
  • Phishing attempts (to deliver the malware)
  • Abusing open ports and exploiting them
  • Drive-by downloads (more details): the adversary loads malicious advertisements in the browser.

Stage 4: Exploitation

Once the cyber weapon has been shipped, the exploit is executed with the goal of silently installing and running the payload.

Only outdated systems will be affected by the exploit, which is likely to go undetected by firewalls and antivirus software.

Example:

  • Old operating systems where updates are not installed/patched.
    An example list can be found here.

Stage 5: Installation

Sometimes this stage is also known as the privilege escalation phase. The adversary installs the malware that was delivered to the system in order to gain control of the system, or of a particular account.

Examples:

  • Installing backdoors: A backdoor is a type of malware that circumvents standard authentication procedures to gain access to a system. As a result, resources within an application, such as databases and file servers, become accessible remotely, giving offenders the ability to execute commands on the system and update the malware from afar.
  • Trojan horse: A Trojan horse is a form of malware that installs itself on a computer by impersonating a trustworthy application. The delivery technique typically involves the attacker hiding malicious code in legitimate software and using social engineering (e.g. phishing) in an effort to gain access to users’ systems.

Stage 6: Command and Control (C&C)

In my opinion every cyber attack must include the C&C server, which transmits remote, secret instructions to compromised computers. It serves as the location for exfiltrating the data as well. The design of C&C networks has advanced significantly over time as a result of the rapid development of defense mechanisms like antivirus software, firewalls, intrusion detection systems, etc.

This phase also covers attacks such as ransomware and DNS hijacking, et cetera. The main way of preventing it is probably to apply DNS filtering tools (example tools are here).

Important: During this phase the attacker makes this traffic look genuine (so that alerts on it are dismissed as false positives), as it often consists of encrypted data/communication, et cetera.

Stage 7: Action/Act

Action is the means by which the intruder achieves their main aim.
The attacker’s ultimate objective could be anything from demanding a ransom from you in return for file decryption to stealing customer data from the network. Data-loss prevention tools can halt exfiltration in the latter case before the data leaves your network. In other attacks, endpoint agent software is able to spot activity that differs from predefined baselines and alert IT.
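The two defensive checks mentioned here and in Stage 6 (spotting machine-like C&C beaconing that is dressed up as normal traffic, and flagging outbound volume that departs from a host’s baseline) as an added example; this is not code from the original post. The connection log, host names, domains and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log: (timestamp_seconds, src_host, dst_domain, bytes_out).
# pc-17 contacts one domain every 60 s (beacon-like); pc-22 pushes a large upload.
SAMPLE_LOG = [
    (0, "pc-17", "cdn.example-legit.test", 1200),
    (3, "pc-17", "mail.example-legit.test", 800),
    (60, "pc-17", "update.sus-domain.test", 300),
    (120, "pc-17", "update.sus-domain.test", 310),
    (180, "pc-17", "update.sus-domain.test", 295),
    (240, "pc-17", "update.sus-domain.test", 305),
    (300, "pc-17", "update.sus-domain.test", 300),
    (45, "pc-22", "files.example-legit.test", 2_000_000),
    (50, "pc-22", "files.example-legit.test", 3_500_000),
    (700, "pc-17", "cdn.example-legit.test", 900),
]

# Constructed per-host baseline of normal outbound bytes for the same window.
BASELINE_BYTES = {"pc-17": 50_000, "pc-22": 500_000}


def beacon_candidates(log, min_hits=4, max_cv=0.2):
    """Flag (host, domain) pairs whose connection intervals are suspiciously regular.

    Humans browse irregularly; implants check in on a timer. A low coefficient of
    variation (stdev / mean) of the gaps between connections is the tell.
    """
    stamps = defaultdict(list)
    for ts, host, domain, _ in log:
        stamps[(host, domain)].append(ts)
    flagged = []
    for key, times in stamps.items():
        if len(times) < min_hits:          # too few samples to judge regularity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            flagged.append(key)
    return flagged


def exfil_candidates(log, baseline, factor=3):
    """Flag hosts whose total outbound bytes exceed `factor` times their baseline.

    Hosts missing from the baseline get a baseline of 0, so any traffic flags them.
    """
    totals = defaultdict(int)
    for _, host, _, nbytes in log:
        totals[host] += nbytes
    return [h for h, total in totals.items() if total > factor * baseline.get(h, 0)]
```

Run `beacon_candidates(SAMPLE_LOG)` and `exfil_candidates(SAMPLE_LOG, BASELINE_BYTES)` on the constructed log to see the beaconing pair and the over-volume host reported.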

For example, files locked by ransomware.

Conclusion:

The article’s main goal was to explain the various steps in the cyber kill chain and the strategies adversaries use to infiltrate systems and accomplish their objectives. We are quickly moving toward an extremely digitalized world, so it is crucial to be careful with our networks and to understand how we can be taken advantage of.

Concluding with the following tip:

“Passwords are like underwear. Don’t let people see it, change it very often, and you shouldn’t share it with strangers.” ~ Chris Pirillo

Written by Akshay Prasad

I am a cyber security enthusiast and an experienced SOC Analyst who helps organisations contain and mitigate threats.
