Cyber Kill Chain

Adarsha J K
2 min read · Sep 11, 2024


An attacker must complete all seven stages below to carry out a successful attack; a defender only has to break one or more of those stages for the kill chain to fail.

  1. Reconnaissance - Gathering information about the target. Passive reconnaissance uses public sources such as Google, social media and WHOIS records; active reconnaissance touches the target directly with tools such as Nmap, port scanning or a vulnerability scanner. How to protect: limit the information published about the organisation and its staff (including on social media), disable unused ports and services, use firewalls, deploy honeypots, and block unsolicited inbound traffic.
  2. Weaponization - Finding or building the exploit that will take advantage of the weakness found, using tools such as Metasploit, Exploit-DB and social engineering toolkits. How to defend: patch management and the security basics, such as antivirus, IPS, email security and audit logging.
  3. Delivery - Choosing the avenue by which the weapon reaches the victim: a malicious website, social media, email, user-supplied input or USB drives. Protection: user awareness training, web filtering, DNS filtering, simulated phishing campaigns, IDS/IPS, and SPF and DKIM so that mail from forged sender domains can be rejected.
  4. Exploitation - The weapon has been delivered and executed. If the attacker reaches this step, prevention has failed and the attacker now holds the trigger; examples are SQL injection, buffer overflows and JavaScript hijacking in the browser. Detection is limited here, but data execution prevention (DEP), anti-exploit tooling and sandboxing raise the cost of a working exploit.
  5. Installation - A payload injected after the exploit gives the attacker persistent, higher-privilege access to the victim machine, for example Meterpreter, remote access tools (RATs), registry changes or PowerShell commands. At this point the best response is to isolate the machine.
  6. Command and Control - The compromised machine calls back to infrastructure the attacker controls. The remaining options are to contain the host and cut off that channel: micro-segmentation and network segmentation, next-generation firewalls (NGFWs), DNS redirection (sinkholing) and application control.
  7. Action on Objective - The machine is fully under the attacker's control and they pursue their goal: financial gain, political or nation-state aims, lateral movement to other systems, or exfiltration of data.
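As an added example (not part of the original post), the Python script below shows how a defender might spot three of the stages above in ordinary connection logs: a port sweep (reconnaissance), a periodic call-home (command and control) and a large outbound transfer (action on objectives). The log format, the 10.0.0.0/8 "internal" range, the thresholds and the sample traffic are all assumptions chosen for illustration; the IP addresses are RFC 5737 documentation ranges.

```python
"""Map connection-log anomalies to kill-chain stages.

Added example, not from the original post. Log format, internal range,
thresholds and sample traffic are assumptions chosen for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def parse_log(text: str) -> list[Conn]:
    """Parse '<ISO-8601 ts> <src> <dst> <dport> <bytes_out>' lines (assumed format), time-ordered."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return sorted(conns, key=lambda c: c.ts)


def detect_port_scans(conns, window=timedelta(seconds=60), min_ports=20):
    """Reconnaissance: one source touching >= min_ports distinct ports on one host inside `window`."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)
    hits = set()
    for pair, evs in by_pair.items():
        lo = 0
        for hi in range(len(evs)):  # sliding window over time-ordered events
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            if len({e.dport for e in evs[lo:hi + 1]}) >= min_ports:
                hits.add(pair)
                break
    return hits


def detect_beacons(conns, min_connections=6, max_jitter=0.1):
    """Command and control: an internal host calling one external service at a near-constant
    interval. Jitter is stddev/mean of the gaps; implants add some randomness, so allow a little."""
    by_flow = defaultdict(list)
    for c in conns:
        if is_internal(c.src) and not is_internal(c.dst):
            by_flow[(c.src, c.dst, c.dport)].append(c.ts)
    hits = set()
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.add(flow)
    return hits


def detect_exfiltration(conns, threshold_bytes=10_000_000):
    """Action on objectives: unusually large outbound volume from one internal host to one destination."""
    totals = defaultdict(int)
    for c in conns:
        if is_internal(c.src) and not is_internal(c.dst):
            totals[(c.src, c.dst)] += c.bytes_out
    return {pair for pair, total in totals.items() if total >= threshold_bytes}


def triage(conns):
    """Group findings by the kill-chain stage they indicate."""
    return {
        "Reconnaissance": detect_port_scans(conns),
        "Command and Control": detect_beacons(conns),
        "Action on Objective": detect_exfiltration(conns),
    }


def build_sample_log() -> str:
    """Constructed traffic for the demo, not a real capture."""
    t0 = datetime(2024, 9, 11, 10, 0, 0)

    def at(secs):
        return (t0 + timedelta(seconds=secs)).isoformat()

    lines = ["# ts src dst dport bytes_out"]
    # Reconnaissance: external host sweeps 25 ports on a server, one per second
    lines += [f"{at(i)} 203.0.113.7 10.0.0.5 {20 + i} 60" for i in range(25)]
    # Command and control: implant checks in every 300 s with a few seconds of jitter
    lines += [f"{at(300 * i + j)} 10.0.0.23 198.51.100.9 443 512"
              for i, j in enumerate([0, 3, -2, 5, -4, 1, 2, -3])]
    # Action on objectives: the same host pushes 40 MB out to the same destination
    lines.append(f"{at(2500)} 10.0.0.23 198.51.100.9 8443 40000000")
    # Benign: a workstation browsing at irregular intervals, never flagged
    lines += [f"{at(s)} 10.0.0.15 192.0.2.10 443 2048" for s in (10, 57, 250, 265, 900, 2300, 2310)]
    return "\n".join(lines)


if __name__ == "__main__":
    for stage, findings in triage(parse_log(build_sample_log())).items():
        print(f"{stage}: {sorted(findings) or 'nothing flagged'}")
```

Any one of these detections is enough to break the chain, which is the point of the model. In practice the thresholds must be tuned to the environment, and the beacon check alone will miss implants that randomise their interval widely, which is why it is paired with the scan and volume checks rather than relied on by itself.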

According to an IBM study, the average time an attacker remains inside a victim's environment before being detected is 191 days.


I aim to contribute to creating secure and resilient systems in an increasingly connected world.