What is the Cyber Kill Chain? (My first interview question of my career)

Akash Venky
4 min read · Jan 18, 2024

The Cyber Kill Chain framework is part of the Intelligence Driven Defense model for the identification and prevention of cyber intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective. Stopping adversaries at any stage breaks the chain of attack! Adversaries must progress completely through all phases to succeed.

Put another way, the cyber kill chain is a series of steps that trace the stages of a cyberattack from early reconnaissance to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent threats (APTs).

How the Cyber Kill Chain Works

There are several core stages in the cyber kill chain. They range from reconnaissance (often the first stage in a malware attack) through lateral movement (moving laterally through the network to get access to more data) to actions on objectives (getting the data out). All of the common attack vectors, whether phishing, brute force or the latest strain of malware, trigger activity somewhere on the cyber kill chain.

What are the 7 Stages of the Cyber Kill Chain?

  1. Reconnaissance (first stage in a malware attack)
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. C2 — Command and Control
  7. Actions on Objectives

1. Reconnaissance (Observation Stage)

Reconnaissance, the first stage (also called the observation stage), may include identifying potential targets, finding their vulnerabilities, discovering which third parties are connected to them, and exploring existing entry points as well as finding new ones. Reconnaissance can be either active or passive.

2. Weaponization (Creating your hacking weapon)

By the weaponization stage the attacker has discovered all the necessary information about potential targets, such as their vulnerabilities. Here the attacker creates the attack vector, malware or tool to be used against an identified target.

For example, cybercriminals may make minor modifications to an existing ransomware variant to create a new Cyber Kill Chain tool.

3. Delivery (Attacking Phase)

In the delivery stage, the intruder launches the attack. Cyberweapons and other Cyber Kill Chain tools are used to infiltrate a target's network and reach its users. The attack may involve sending phishing emails containing malware attachments, with subject lines that prompt users to click through. The attack can also take the form of breaking into a victim's network by exploiting a hardware or software vulnerability to infiltrate it.

4. Exploitation

In the exploitation step of the Cyber Kill Chain, attackers take advantage of the vulnerabilities they discovered in previous stages to continue the attack on a target's network and achieve their objectives. In this process, cybercriminals often move laterally across a network to reach their multiple targets.

5. Installation (Control take over)

After cybercriminals have exploited their target's vulnerabilities to gain access to a network, they begin the installation stage of the Cyber Kill Chain. Here they attempt to install malware, other attack tools, information-leaking tools or scripts onto the target network in order to take control of its systems and pull out valuable data. Attackers usually use Trojan horses, backdoors, or command-line interfaces for this step.

6. Command and Control

In the C2 stage of the Cyber Kill Chain, cybercriminals communicate with the malware they’ve installed onto a target’s network to instruct cyberweapons or tools to carry out their objectives.

For example, the attacker runs commands on the tool that has been implanted in the victim's network and pulls data out. The attacker can also run malicious commands that leave the victim's network idle (unusable).

7. Actions on Objectives

After cybercriminals have developed malicious tools, installed them onto a target's network, and taken control of that network, they begin the final stage of the Cyber Kill Chain: carrying out their cyberattack objectives.

While cybercriminals’ objectives vary depending on the type of cyberattack, some examples include weaponizing a botnet to interrupt services with a Distributed Denial of Service (DDoS) attack, distributing malware to steal sensitive data from a target organization, and using ransomware as a cyber extortion tool.

The one flaw of, or thing missing from, the Cyber Kill Chain is that it fails to identify insider threats.

Role of the Cyber Kill Chain in Cybersecurity

The Cyber Kill Chain plays an important role in helping companies define their cybersecurity strategy. As part of this model, companies must adopt services and solutions that allow them to:

  • Detect attackers within each stage of the threat lifecycle with threat intelligence techniques
  • Prevent access from unauthorised users
  • Stop sensitive data from being shared, saved, altered, exfiltrated or encrypted by unauthorised users
  • Detect and stop the attacker's lateral movement within the network
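Those four points boil down to having telemetry for every stage and acting on it as early as possible. The script below is an added example written for this post (it is not from the article or from Lockheed Martin's material): it maps constructed alert records onto the seven stages, reports how far an intrusion got, which stage a control broke the chain at, and which earlier stages produced no evidence even though the attacker must have passed through them. The telemetry category names, hosts and timestamps are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# The seven stages, in the order an intrusion must progress through them.
STAGES = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
]

# Which telemetry category evidences which stage. The category names are
# assumed for this example, not a real product's schema. Weaponization happens
# on the attacker's side, so there is normally no defender telemetry for it.
CATEGORY_TO_STAGE = {
    "port_scan": "Reconnaissance",
    "phishing_email": "Delivery",
    "exploit_attempt": "Exploitation",
    "lateral_movement": "Exploitation",
    "new_persistence": "Installation",
    "beacon": "Command and Control",
    "data_exfiltration": "Actions on Objectives",
}


@dataclass(frozen=True)
class Alert:
    time: str       # constructed timestamp
    host: str       # constructed host name
    category: str   # a key of CATEGORY_TO_STAGE, or an unmapped category
    blocked: bool   # True when a control stopped the activity


def stage_of(alert: Alert) -> Optional[str]:
    """Kill-chain stage for an alert, or None if its category is unmapped."""
    return CATEGORY_TO_STAGE.get(alert.category)


def group_by_stage(alerts):
    grouped = defaultdict(list)
    for alert in alerts:
        stage = stage_of(alert)
        if stage is not None:          # unmapped telemetry is ignored
            grouped[stage].append(alert)
    return grouped


def furthest_stage(alerts) -> Optional[str]:
    """Latest stage with any evidence (by stage order, not by timestamp)."""
    grouped = group_by_stage(alerts)
    reached = [s for s in STAGES if s in grouped]
    return reached[-1] if reached else None


def chain_broken_at(alerts) -> Optional[str]:
    """Earliest stage where a control blocked the activity; None if never blocked."""
    grouped = group_by_stage(alerts)
    for stage in STAGES:
        if any(a.blocked for a in grouped.get(stage, [])):
            return stage
    return None


def missed_stages(alerts):
    """Stages before the furthest one that produced no evidence: the attacker
    necessarily passed through them, but the defender saw nothing there."""
    furthest = furthest_stage(alerts)
    if furthest is None:
        return []
    grouped = group_by_stage(alerts)
    return [s for s in STAGES[:STAGES.index(furthest)] if s not in grouped]


def uninstrumented_stages():
    """Stages that no telemetry category maps to at all (coverage gaps)."""
    covered = set(CATEGORY_TO_STAGE.values())
    return [s for s in STAGES if s not in covered]


def summarize(alerts):
    return {
        "furthest_stage": furthest_stage(alerts),
        "chain_broken_at": chain_broken_at(alerts),
        "missed_stages": missed_stages(alerts),
        "uninstrumented_stages": uninstrumented_stages(),
    }


# Constructed scenario A: the phishing mail got through, persistence was
# installed, and the web proxy finally blocked the C2 beacon.
INTRUSION_A = [
    Alert("2024-01-18T08:02:00Z", "fw-edge", "port_scan", blocked=False),
    Alert("2024-01-18T09:15:00Z", "ws-17", "phishing_email", blocked=False),
    Alert("2024-01-18T09:16:30Z", "ws-17", "dns_query", blocked=False),  # unmapped
    Alert("2024-01-18T09:17:00Z", "ws-17", "exploit_attempt", blocked=False),
    Alert("2024-01-18T09:18:00Z", "ws-17", "new_persistence", blocked=False),
    Alert("2024-01-18T09:20:00Z", "ws-17", "beacon", blocked=True),
]

# Constructed scenario B: the mail gateway quarantined the phishing email, so
# the chain broke at Delivery and nothing later ever happened.
INTRUSION_B = [
    Alert("2024-01-18T11:00:00Z", "mailgw", "phishing_email", blocked=True),
]

if __name__ == "__main__":
    for name, alerts in (("A", INTRUSION_A), ("B", INTRUSION_B)):
        print(name, summarize(alerts))
```

Scenario A shows the point of the framework: five stages were observed, but the chain was only broken at Command and Control, and the missed-stages list tells you that nothing was seen at Weaponization (which is expected, since it happens off your network). Scenario B shows the same intrusion broken at Delivery, with Reconnaissance having gone unobserved. Stage order, not alert timestamp, drives every result, which is what makes the output stable when logs arrive out of order.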

Additional Reference:

https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Suggestions are most welcome.

Please write to Akash.venky091@gmail.com. You can also follow me here for more updates on security and ethical hacking at Akash Venky, or contact me at https://www.linkedin.com/in/akash-h-c-4a4090a7/
