Cyber kill-chain:
Lockheed Martin’s kill chain is part of the intelligence-driven defence model for identifying and preventing cyber intrusion activity; Cyber kill chain methods help us understand adversary’s tactics, tools and technics, and procedures. The model identifies the steps that adversaries need to accomplish to achieve their goal
Lockheed martin’s kill chain model was designed in seven steps:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions on objective
- Reconnaissance: –
Adversaries research the target, and research finding helps adversaries choose the target and methods to go to the next stage. Sometimes adversaries drop their target if it is not viable unless the goal is to exploit a specific target supported by a nation-state.
- Research findings involve employee details such as email, published event photos, and attendee details.
- Publicly released documents, press releases, awards, and contracts.
- Find infrastructure details, such as servers and applications used in the organization.
“If the defender can identify the reconnaissance by using web visitor analytics such as spikes on website/application view, and login attempts. Such findings may provide an advantage for defenders to mitigate the issues in the early stages by increasing/monitoring closely specific areas.”
2. Weaponization:-
In This stage, adversaries create, modify, or source off malware to exploit the target. Based on the findings weaponization techniques might vary to deliver a payload to exploit and create a backdoor for command and control.
Example word- file-based exploit:
Integrate the malware with a word file and send it to the victim. When the victim opens the file malware, runs the malicious file, establishes the connection, and exploits the system as per the code design
“It is important for the defender to understand how the malware is designed and capable the malicious file to detect, monitor and remediate.” Information gathering such as files and logs for analysis of malware
3. Delivery:
At this stage, the adversary delivers the malware to the target using various ways such as malicious email, using portable storage, social media, and compromised websites.
4. Exploitation:
Adversaries must exploit the vulnerability to gain access. The vulnerability may be in software, hardware, or human.
Adversaries initiate exploits server-based, and victims have triggered exploits from malicious links and files.
5. Installation:
Once exploitation occurs, malware or other attack vectors will be loaded on the victim’s network/systems. After successful installation, an attacker may be able to gain system control.
6. Command and Control:
An attacker can control the system using installed malware and move laterally the in the network to gain more specific access towards the goal, creating various access for the future.
7. Action on Objective:
Attackers carry out the intended goal, such as data extraction, decrypting the data for ransomware, and so on.
Conclusion:
Cyber kill chain provides the advantage of breaking the chain on any one of the seven steps if the defender breaks the one step means adversaries are not able to exploit, once you know the adversary’s goal it may be easy to focus on defense around the specific assets. Also helps to protect against future attacks. Adapt a faster approach to tackle advanced persistent threats and monitor and improve processes from incidents.