What Exactly is the Cyber Kill Chain?

Joe Hale
3 min read · Nov 3, 2017

A sophisticated intruder targeting your home doesn’t act without preparation. They don’t just walk up to your door, try the knob, and open it if it turns. They plan, prepare, practice, and then act. It is the same for networks.

The Cyber Kill Chain is a disciplined approach to taking action on your network. Notice I didn’t say “accessing” but “action.” The Kill Chain describes the steps an attacker follows to be able to take some action against some target. The action could be observation, exfiltration of data, or something physical, like turning off the power.

Understanding the Cyber Kill Chain is only a piece of understanding how to protect your networks.

Step 1: Reconnaissance

The attacker is doing their research. They are identifying external-facing resources like servers. They are looking at press releases and finding any other publicly available information that will help them in their planning.

The defender is paying attention: looking at server logs and combing through their analytics. They continually understand what routine looks like on their network. They are building tools and trip-wires to detect changes or intrusions.

Step 2: Weaponization

The attacker is staging their tools to launch the attack against your network. They may build proprietary tools, or they may use a pre-packaged or existing tool; the latter is most likely. They are packaging the malware with an exploit they researched in step one.

The defender is conducting their preparation. They are looking at malware artifacts and analyzing how they work. They are building a detection system that can recognize these signatures and are watching their own systems for them. They are identifying the types of malware that different adversaries use.

Step 3: Delivery

The attacker executes their mission. They send the malware through email, on a memory stick, on a CD, or perhaps directly to a server.

The defender is prepared at this point because they understand the malware and exploits in use, or because they are watching for the signatures coming through the network and their tools are ready to block or identify the exploit.

Step 4: Exploitation

The attacker must exploit a vulnerability, either through a user clicking on a link or downloading a file. They may trigger a vulnerability on a server or exploit a zero-day vulnerability.

The defender must prevent exploits either by technical means or by user training. They can scan their systems regularly for vulnerabilities, patch when vendors release fixes, or conduct user training.

Step 5: Installation

The attacker installs their backdoor tools on the vulnerable system to maintain access even if the system’s vulnerability is patched. They may make the tool appear as if it’s part of the original installation. They may add services that run automatically and erase their tracks.

The defender continues to log system events and recognize when a change to the routine happens. They’ll install Host Intrusion Prevention Systems (HIPS) to prevent an attack deeper in the network. They’ll observe abnormal file creations.

Step 6: Command & Control (C2)

The attacker executes a command to open a two-way communication channel with the exploited system. They now have control over the target.

The defender implements a series of protections to stop an attack at this level. They may require certain protocols to execute commands. They may block known C2 infrastructure based on their research, or they may use proxies to prevent communication to unknown or non-allowed IP destinations.
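As an added example of the proxy-side controls described above (example code written for this page, not from the article), here is a Python script that evaluates constructed outbound proxy log entries against a destination allow-list and a known-C2 block-list, and then looks for fixed-interval beaconing among the connections. The addresses, the "known C2" entry, the log format and the jitter threshold are all assumptions.

```python
# Added example: outbound proxy policy plus beacon detection.
# Policy data and log lines are constructed for this example; addresses come
# from the RFC 5737 documentation ranges and the "known C2" entry is a
# placeholder standing in for the team's own research.
import statistics
from collections import defaultdict
from datetime import datetime

ALLOWED_DESTINATIONS = {"203.0.113.10", "203.0.113.11"}   # assumed allow-list
KNOWN_C2 = {"198.51.100.200"}                             # placeholder block-list

# Constructed proxy log: timestamp, internal source, destination, port.
PROXY_LOG = """\
2017-11-03T10:00:00 10.0.0.5 203.0.113.10 443
2017-11-03T10:00:30 10.0.0.8 198.51.100.200 443
2017-11-03T10:00:42 10.0.0.5 203.0.113.10 443
2017-11-03T10:01:00 10.0.0.8 192.0.2.77 8443
2017-11-03T10:01:17 10.0.0.5 203.0.113.11 443
2017-11-03T10:02:00 10.0.0.8 192.0.2.77 8443
2017-11-03T10:03:00 10.0.0.8 192.0.2.77 8443
2017-11-03T10:03:15 10.0.0.5 203.0.113.10 443
2017-11-03T10:04:00 10.0.0.8 192.0.2.77 8443
2017-11-03T10:05:00 10.0.0.8 192.0.2.77 8443
2017-11-03T10:07:09 10.0.0.5 203.0.113.10 443
"""


def parse_proxy_log(text):
    """Yield (timestamp, src, dst, port) for each log line."""
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def decide(dst):
    """Policy order: explicit block-list first, then allow-list, default deny.
    Default deny is what stops traffic to destinations nobody has vetted yet."""
    if dst in KNOWN_C2:
        return "BLOCK_KNOWN_C2"
    if dst in ALLOWED_DESTINATIONS:
        return "ALLOW"
    return "DENY_UNLISTED"


def classify(text):
    """Apply the policy to every connection and return (src, dst, decision)."""
    return [(src, dst, decide(dst)) for _, src, dst, _ in parse_proxy_log(text)]


def beacon_candidates(text, min_connections=4, max_jitter_s=5.0):
    """Group connections by (src, dst, port) and report the groups whose
    inter-arrival times are almost constant: the regular heartbeat of an
    implant polling its controller. Thresholds are assumed starting values."""
    groups = defaultdict(list)
    for ts, src, dst, port in parse_proxy_log(text):
        groups[(src, dst, port)].append(ts)
    found = {}
    for key, times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            found[key] = round(statistics.mean(gaps))   # mean interval in seconds
    return found


if __name__ == "__main__":
    for src, dst, decision in classify(PROXY_LOG):
        print(f"{src} -> {dst}: {decision}")
    for (src, dst, port), interval in beacon_candidates(PROXY_LOG).items():
        print(f"beacon-like traffic {src} -> {dst}:{port} every ~{interval}s")
```

The first pass is the proxy doing its job: the one connection to the known C2 address is blocked outright, and the repeated connections to 192.0.2.77 are denied simply because nobody allow-listed that destination. The second pass is the analyst's follow-up: even if those connections had slipped through, a host contacting the same destination every 60 seconds with no jitter stands out against the irregular timing of the legitimate user on 10.0.0.5.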

Step 7: Action on Objectives

The attacker now has access. They will now execute the intended mission. They may exfiltrate data, steal user credentials, overwrite data, destroy systems, or start their internal network reconnaissance.

The defender must get the intruder out of their network as fast as possible at this point. They must detect the intruder and block their access. They’ll use various techniques including packet analysis, log file analysis, and review of user credential usage. They’ll need to triage the systems and conduct a damage assessment. They also need to open lines of communication with stakeholders inside and outside the company.

Mitigation is Key

At any point along the Kill Chain, a team can mitigate the attacker and should be prepared to do so at each link. To assume that you can prevent an attack at the very first level is folly. If you aren’t prepared to act at each link, then you will likely fall victim to a persistent threat.

This article is not an exhaustive review of the Cyber Kill Chain but an overview. There is a lot more to learn and understand, especially mitigation tools and techniques.

I’ll publish more on the topic and dive deeper.

Joe Hale
Senior Technical Program Manager with 14 years of experience managing progressively complex projects of all sizes and types, location agnostic.