In this article, we are going to understand Cyber Kill Chain by looking at the attacker’s and defender’s perspectives. In this way, it will be easier to remember and understand. We are also going to discuss if the Cyber Kill Chain is outdated?
What is Cyber Kill Chain?
Cyber Kill Chain (CKC) is a framework developed by lockheedmartin is an intelligence defense-driven model for identification and prevention of cyber intrusions activity. Basically, Cyber Kill Chain is a series of steps that can trace most of the cyber attacks. The CKC framework can help IT, security teams, to understand even advanced attacks like combat ransomware, Security Breaches, and advanced persistence threats (APTs).
As you can see in the above image there are a total of 7 steps in the Cyber Kill Chain framework. The seven steps of the Cyber Kill Chain enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques, and procedures.
In the next section, we are going to discuss all these 7 Steps with Attacker’s and Defender’s Perspectives.
Cyber Kill Chain Steps
Attacker/intruder Chooses their target and will conduct research on the target. They conduct research for finding Vulnerabilities in the system or organization. Attackers also create tactics to attack specific vulnerabilities. Recon includes steps like scanning the network for open ports, performing OSINT researches, etc.
In this step, the defender will receive precursors like the IP address of the attacker because of the port scanning.
In this step, the Attacker creates malware or worm, or virus to exploit the vulnerability of the target. The malware weapon can exploit any known or unknown vulnerabilities (Zero-Day Attacks). Most of the time attacker creates their own backdoor instead of using some prebuilt program to exploit the system.
This step is really hard to detect by defenders because it’s not happening in their organization. So, the only thing they can do is to deploy anti-virus, system hardening, etc.
In this step, the attacker delivers the malware weapon to the target from any medium. The attacker can create a spear-phishing email to deliver the weapon to the target, or they can use a USB stick to deliver it, or any medium.
In this step, Defenders should employ all the email defenses and attachment sandboxing
In this step, malware created by the attacker starts to take action. the main motive of this step for attackers is to exploit the system to get higher privileges. So, most of the time attackers try to exploit vulnerabilities like code execution.
The defenders can prepare for this step by implementing security policies, hardening the system, performing vulnerabilities management, and try to solve all the vulnerabilities.
In this step, The malware created by the attacker creates a backdoor or access point which only the attacker can use. With this, they try to stay persistent and keep a foothold in the infected system.
The defenders can deploy EDR ( Endpoint Detection and Response) to check for any malicious presence and remove it.
6. Command and Control (C2)
In this step, the attacker finally gets full command over the system. The malware gives access and command to the attacker.
If the attack reaches this step, this is the last chance for stopping the attack for the defender by stopping the command execution anyhow.
7. Actions on Objectives
In this step, The attacker has full and persistent access to the system. Now they can finally fulfill their purposes like ransomware, or data exfiltration, or data destruction. They can complete any objectives they have.
In this step, the defender has to take quick actions to prevent further damage.
Is Cyber Kill Chain Outdated?
Cyber attacks tactics are constantly changing with time and sometimes this model doesn’t show how the attack has taken place. There are some more reasons why researcher thinks it is outdated like Cyber Kill Chain don’t provide any information about insider threats.
To tackle this problem MITRE combined its ATT&CK framework with the CKC framework to make a Unified Kill Chain (UKC) which solves most of the problems with the cyber kill chain. UKC can also be used exactly the same as Cyber Kill Chain to work with Cyber Attacks.
For more blogs like this please visit our blog page