Kill Chain in Cyber Defense?

Pandula Pallewatta
UCSC ISACA Student Group
6 min read · Jul 11, 2021
Digital Representation of Cyber Kill Chain

What is Cyber Kill Chain?

The Cyber Kill Chain is a framework from Lockheed Martin’s Intelligence Driven Defense model. It defines a sequence of steps that follow the progression of a cyberattack from reconnaissance through to data exfiltration or other actions on the target. Mapping observed activity onto these steps helps defenders understand and disrupt ransomware, security breaches, and advanced persistent threats (APTs).

In this article, we’ll go over what the cyber kill chain is and how it works.

The kill chain began as a military targeting concept: find the target, prepare, and strike. Lockheed Martin adapted it to computer intrusions in 2011. The model has evolved since then, so that insider threats, social engineering, sophisticated ransomware, and new attack techniques are better anticipated and recognized.

8 Phases of the Cyber Kill Chain

Lockheed Martin’s original Cyber Kill Chain has seven phases (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives). The walkthrough below uses an eight-phase variant that breaks the later stages out into privilege escalation, lateral movement, obfuscation, denial of service, and exfiltration. Either way the purpose is the same: to give greater visibility into an attack and help an analyst understand the adversary’s tactics, techniques, and procedures from initial reconnaissance through to exfiltration.


How the Cyber Kill Chain Works

The eight-step variant used here breaks an external cyber attack into the following stages:

1) Reconnaissance

Every heist begins with casing the location, and the same logic applies to a cyber heist: information gathering is the first stage of an attack. During reconnaissance, an attacker collects information that may reveal vulnerabilities and weak spots. Firewalls, intrusion prevention systems, other perimeter security, and even employees’ social media accounts are identified and examined. Reconnaissance tools scan the organization’s network for exposed ports and services that may be exploitable.

2) Weaponization / Intrusion

In this phase, the intruder builds a malware weapon, such as a virus or worm, tailored to the target’s weaknesses. Depending on the target and the attacker’s intent, this malware may exploit previously unknown flaws (zero-day exploits) or a combination of already known flaws.

3) Exploitation

The malicious code is triggered and its program code exploits the target’s vulnerability or vulnerabilities.

Put simply, the exploitation stage abuses the system. Attackers now have access to it and can install malicious tools, manipulate security certificates, and create new script files.

4) Privilege Escalation

The malware opens an entry point for the attacker, often referred to as a backdoor, and the attacker then works to gain higher privileges. Brute-force attacks, exploiting weak or reused passwords, and exploiting zero-day vulnerabilities are common privilege escalation methods. Once elevated, attackers change Group Policy (GPO) security settings, configuration files, and permissions, and attempt to extract credentials.

5) Lateral Movement

Once attackers have a foothold on one system, they move laterally to other systems and accounts to gain more leverage: higher permissions, more data, or access to more systems.

6) Obfuscation / Anti-forensics

I can explain this phase with a small scenario. In a heist, the crew sets the security cameras to loop footage of an empty elevator so nobody sees what is happening behind the scenes. Cyber attackers do the same thing: they hide their presence and cover their tracks to evade discovery and to impede the eventual investigation. This may include deleting files and metadata, overwriting timestamps with fake values (time stomping), and planting misleading information.

7) Denial of Service

Disruption of normal access for users and systems, often to keep the attack from being noticed or investigated. To exaggerate the heist analogy:

The phone lines are jammed and the power is cut. Here attackers target the network and data infrastructure so that legitimate users cannot get what they need. A denial-of-service (DoS) attack interrupts and suspends access, potentially crashing systems and flooding services.

8) Exfiltration

Once the attacker has persistent access, they can finally act on their objectives: encrypting data for ransom, exfiltrating it, or destroying it.

The Takeaway of Cyber Kill Chain in Security


The model is frequently criticized for focusing on perimeter security and for being oriented toward malware-based intrusions. Paired with sophisticated analytics and predictive modelling, however, the cyber kill chain becomes a valuable tool for data protection.

The kill chain is laid out as above to indicate how far a breach has progressed. Detecting attacks at each stage requires purpose-built instrumentation; Varonis, for example, ships out-of-the-box threat models aimed at each stage of the chain.

Modern Cyberattacks: Focusing on Privilege & Vulnerabilities

According to Forrester Research, privileged credentials are involved in around 80% of today’s security breaches. In 2017 BeyondTrust published an updated cyber-attack chain model, along with recommendations for breaking an attack at each stage, to highlight the role of privilege in modern attacks.

Here are the major components of the BeyondTrust cyber-attack chain, along with techniques for countering the attack at each stage.

1) Step One: Perimeter Exploitation

These are the attacker’s first attempts to gain access to an organization’s systems and data:

  • Exploiting known software and hardware vulnerabilities
  • Using social engineering and phishing to obtain passwords and other login credentials

At this point, there are a few options for dismantling or containing an attack:

  • Identify and fix vulnerabilities. Several security studies find unpatched vulnerabilities to be a major cause of breaches. Addressing this requires a comprehensive vulnerability management program, including vulnerability scanning and patch management.

2) Step Two: Privilege Hijacking and Escalation

In this step an attacker attempts to escalate privileges and gain access to additional privileged accounts and passwords.

At this point, there are a few options for dismantling or containing an attack:

  • Avoid shared accounts and password sharing. When accounts and passwords are shared, lateral movement and account hijacking become significantly easier. Organizations can use privileged password management systems to enforce password security best practices and to discover and eliminate shared accounts and default passwords.
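As an added example (not code from the article or from BeyondTrust’s product), the following Python audit shows two of those practices against a constructed account store: it finds accounts still set to a known default password by verifying each candidate against the stored PBKDF2 hash, and it refuses to set a password that another account already uses. The account records, the default-password list, and the iteration count are assumptions for illustration.

```python
"""Audit a constructed account store for default and shared passwords.

Added example; not code from the article or from any PAM product. The
account records, default-password list and iteration count are assumed.
"""
import hashlib
import hmac
import os

# Assumed defaults; a real audit would take these from vendor docs and
# a breach wordlist. Kept short so the example runs quickly.
DEFAULT_PASSWORDS = ["admin", "password", "Welcome1", "changeme"]
ITERATIONS = 50_000  # assumed; production should use a much higher count


def make_record(username, password, salt=None):
    """Store PBKDF2-HMAC-SHA256(password, per-account salt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": username, "salt": salt, "hash": digest}


def verify(record, candidate):
    """Constant-time comparison of a candidate against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def build_sample_accounts():
    """Constructed records; not real credentials."""
    return [
        make_record("admin", "admin"),                   # vendor default left in place
        make_record("svc_backup", "Welcome1"),           # common default
        make_record("dba", "Corr3ct-Horse-Battery"),
        make_record("alice", "Corr3ct-Horse-Battery"),   # same password as dba
    ]


def find_default_passwords(records, defaults=DEFAULT_PASSWORDS):
    """Map of account -> default password for every account still using one."""
    findings = {}
    for rec in records:
        hit = next((pw for pw in defaults if verify(rec, pw)), None)
        if hit is not None:
            findings[rec["user"]] = hit
    return findings


def accounts_using(records, candidate, exclude_user=None):
    """Accounts whose stored hash verifies against `candidate`.

    Because every record has its own salt, shared passwords cannot be found
    by comparing hashes; the check has to run when a plaintext is available,
    i.e. at password-set time.
    """
    return sorted(r["user"] for r in records
                  if r["user"] != exclude_user and verify(r, candidate))


def set_password(records, username, new_password):
    """Reject known defaults and passwords already used by another account."""
    if new_password in DEFAULT_PASSWORDS:
        raise ValueError("default password rejected")
    if accounts_using(records, new_password, exclude_user=username):
        raise ValueError("password already in use by another account")
    for i, rec in enumerate(records):
        if rec["user"] == username:
            records[i] = make_record(username, new_password)
            return records[i]
    raise KeyError(username)


if __name__ == "__main__":
    accounts = build_sample_accounts()
    print("default passwords:", find_default_passwords(accounts))
    print("sharing 'Corr3ct-Horse-Battery':",
          accounts_using(accounts, "Corr3ct-Horse-Battery"))
```

The design choice worth noting is that the sharing check is a gate on password changes rather than a scan of the store: with per-account salts the store itself cannot tell you which accounts share a secret, so the only reliable place to catch it is the moment a plaintext is presented.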

3) Step Three: Lateral Movement and Exfiltration

Here the attacker moves through the environment by acquiring further privileges and privileged accounts and exploiting other flaws, zigzagging across the network, user accounts, data, and systems as needed to accomplish their objectives.

At this point, there are a few options for dismantling or containing an attack:

  • Correlate and analyze user and asset activity to detect in-progress threats. Privileged access management (PAM) and vulnerability management (VM) should be fully integrated with this analysis. The more comprehensive your threat and behavioral analytics, the more likely you are to outmanoeuvre attackers and halt breaches in their tracks by adjusting security measures (such as removing rights or access).
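As an added example serving both the per-stage instrumentation mentioned earlier (the Varonis threat models) and the activity correlation in step three, the Python below tags constructed log events with the kill-chain phase they resemble: a port-scan rule for reconnaissance, an admin-group addition for privilege escalation, one account reaching many hosts in a short window for lateral movement, an audit-log clearing for anti-forensics, a request flood for denial of service, and a large outbound transfer to an address outside the organization’s ranges for exfiltration. This is not the article’s, Varonis’s or BeyondTrust’s code; the event schema, thresholds, internal address ranges, and sample log are assumptions.

```python
"""Map constructed log events onto kill-chain phases.

Added example; not code from the article, Varonis or BeyondTrust. The event
schema, thresholds, internal ranges and sample log are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumed; real values depend on the environment).
SCAN_PORTS, SCAN_WINDOW = 20, timedelta(seconds=60)      # distinct ports per source
LATERAL_HOSTS, LATERAL_WINDOW = 5, timedelta(minutes=5)  # network logons per account
FLOOD_REQUESTS, FLOOD_WINDOW = 100, timedelta(seconds=10)
EXFIL_BYTES = 1_000_000_000                              # outbound bytes in one flow
ADMIN_GROUPS = {"administrators", "domain admins"}
INTERNAL_NETS = [ipaddress.ip_network(n)                 # assumed org ranges
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_sample_log():
    """Constructed events as (timestamp, event_type, fields); not real data."""
    t0 = datetime(2021, 7, 11, 9, 0, 0)
    log = []
    for i in range(30):  # one external source probing 30 ports in 30 seconds
        log.append((t0 + timedelta(seconds=i), "fw_deny",
                    {"src": "203.0.113.7", "dst": "10.0.0.5", "dport": 1 + i}))
    log.append((t0 + timedelta(minutes=1), "logon",  # benign interactive logon
                {"user": "alice", "host": "ws01", "logon_type": 2}))
    log.append((t0 + timedelta(minutes=8), "group_add",
                {"user": "svc_backup", "group": "Administrators", "host": "ws01"}))
    for i, host in enumerate(["ws01", "ws02", "ws03", "fs01", "db01", "dc01"]):
        log.append((t0 + timedelta(minutes=10, seconds=20 * i), "logon",
                    {"user": "svc_backup", "host": host, "logon_type": 3}))
    log.append((t0 + timedelta(minutes=15), "log_cleared",
                {"user": "svc_backup", "host": "fs01"}))
    for i in range(150):  # request flood from a single address
        log.append((t0 + timedelta(minutes=18, milliseconds=50 * i), "http_request",
                    {"src": "198.51.100.77", "path": "/login"}))
    log.append((t0 + timedelta(minutes=20), "netflow",
                {"src": "10.0.0.5", "dst": "198.51.100.9", "bytes_out": 2_500_000_000}))
    return log


def keys_over_threshold(events, key_fn, value_fn, window, threshold):
    """Keys that accumulate >= threshold distinct values (or events, when
    value_fn is None) inside any sliding time window of the given length."""
    by_key = defaultdict(list)
    for ts, fields in events:
        by_key[key_fn(fields)].append((ts, value_fn(fields) if value_fn else ts))
    hits = set()
    for key, items in by_key.items():
        items.sort(key=lambda x: x[0])
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            if len({v for _, v in items[lo:hi + 1]}) >= threshold:
                hits.add(key)
                break
    return hits


def tag_phases(log):
    """Return {phase: sorted offending keys} for every phase a rule fired on."""
    def select(etype, pred=lambda f: True):
        return [(ts, f) for ts, e, f in log if e == etype and pred(f)]

    phases = defaultdict(set)
    for src in keys_over_threshold(select("fw_deny"), lambda f: f["src"],
                                   lambda f: f["dport"], SCAN_WINDOW, SCAN_PORTS):
        phases["Reconnaissance"].add(src)
    for _, f in select("group_add", lambda f: f["group"].lower() in ADMIN_GROUPS):
        phases["Privilege Escalation"].add(f"{f['user']} -> {f['group']}")
    for user in keys_over_threshold(select("logon", lambda f: f["logon_type"] == 3),
                                    lambda f: f["user"], lambda f: f["host"],
                                    LATERAL_WINDOW, LATERAL_HOSTS):
        phases["Lateral Movement"].add(user)
    for _, f in select("log_cleared"):
        phases["Obfuscation / Anti-forensics"].add(f"{f['user']}@{f['host']}")
    for src in keys_over_threshold(select("http_request"), lambda f: f["src"],
                                   None, FLOOD_WINDOW, FLOOD_REQUESTS):
        phases["Denial of Service"].add(src)
    for _, f in select("netflow", lambda f: f["bytes_out"] >= EXFIL_BYTES
                       and not is_internal(f["dst"])):
        phases["Exfiltration"].add(f"{f['src']} -> {f['dst']}")
    return {phase: sorted(keys) for phase, keys in phases.items()}


if __name__ == "__main__":
    for phase, keys in tag_phases(build_sample_log()).items():
        print(f"{phase:30s} {', '.join(keys)}")
```

The point of keying every rule on an account or address is that the output lines up with the response the text recommends: the key that trips the lateral-movement or privilege-escalation rule is the one whose rights or sessions you revoke, and the same account surfacing in several phases (here, svc_backup) is the correlation signal that a single-event alert would miss.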

How Does Using the Cyber Kill Chain Model Help a Company’s Security?

My view is that while cyber kill chain models are not the only way to analyze attack vectors and security risks, they provide important frameworks for reducing cyber exposure. By implementing the right level of security controls at each stage, businesses improve their ability to prevent attacks, interrupt attacks in progress, and minimize the impact of breaches when they do occur.


