Cyber Kill Chain

What is the Cyber Kill Chain in Cybersecurity?

Adapted from a military targeting model by Lockheed Martin in 2011, the cyber kill chain is a step-by-step model of an intrusion, used to understand a cyberattack with the goal of identifying and stopping malicious activity at each stage.

Also called the cyber attack lifecycle, the cyber kill chain can help organizations gain a deeper understanding of the events leading up to a cyberattack and the points at which they can prevent, detect, or intercept attackers in the future.

Although the original cyber kill chain model contained only seven steps, cybersecurity experts expanded the kill chain to include eight phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objective, and monetization.

Organizations most often apply the cyber kill chain to multi-stage intrusions, including ransomware campaigns, data breaches, and advanced persistent threats (APTs).

How the Cyber Kill Chain Works

The term “cyber kill chain” was adapted from the military kill chain, which breaks an engagement into a pattern of identifiable stages: identifying a target, dispatching forces to it, deciding on and ordering an attack, and destroying the target. Breaking an attack into stages this way is useful both for planning an attack and for defending against one.

In cybersecurity, the cyber kill chain is a model outlining the phases common to most cyberattacks. Using the cyber kill chain, organizations can trace the stages of an attack to better anticipate and prevent similar threats in the future.

Each stage of the cyber kill chain is related to a specific type of activity in a cyberattack (regardless of whether it’s an internal or external attack).

How Does the Cyber Kill Chain Protect Against Attacks?

The cyber kill chain is not a security control in itself: it’s a framework that lets security teams anticipate how attackers will act so they can stop them as early as possible, or intercept them if an attack is already under way.

The cyber kill chain maps the typical path an attacker takes so cybersecurity teams can recognize the early stages of common cyberattacks. Kill chain simulations (red team or tabletop exercises that walk through each phase) give security teams firsthand experience in dealing with a threat, and evaluating the response to each simulated phase helps organizations identify and remediate security gaps.

It can guide strategy, training, and tool selection by revealing which parts of a security strategy may or may not need updating, such as employee training, endpoint security software, or VPNs.

Cyber Kill Chain Steps

Computer scientists at Lockheed Martin may have been the first to take this concept and apply it to information security, but the cyber kill chain continues to evolve with the changing nature of cyber threats.

At the core of the cyber kill chain is the notion that cyberattacks often occur in phases and they can be disrupted through controls established at each phase.

  1. Reconnaissance

In the reconnaissance phase (sometimes called the observation phase), attackers identify targets and plan the attack. This stage typically includes researching the target organization and its people, enumerating exposed systems and services, identifying vulnerabilities, and looking for potential entry points. The more information an attacker gathers during this phase, the more targeted and successful the attack can be.

  2. Weaponization

At this stage, attackers build the payload that will be used in the attack. This typically means pairing an exploit for a vulnerability identified during reconnaissance with remote access malware, ransomware, a virus, or a worm.

During the weaponization phase, attackers may also obfuscate or pack the payload to reduce the likelihood that it is detected by the security solutions the target has in place.

  3. Delivery

Attackers then transmit the payload to the target through a medium such as a phishing email with a malicious attachment or link, a compromised or malicious website, or removable media. Whatever the intended outcome, this is the stage at which the attacker first directly engages the target, and often the first stage at which a defender can observe the attack.

  4. Exploitation

Next, the payload executes on the target’s system, either by exploiting a vulnerability in an application or the operating system or by tricking a user into running it (for example, enabling macros in a document). Having gained code execution inside the perimeter, attackers can install tools, run scripts, or modify security settings and certificates. Common execution techniques include scripting, Dynamic Data Exchange (DDE) in Office documents, and local job scheduling.

  5. Installation

Immediately following exploitation, the installation phase is when the attacker’s malware is installed on the target’s systems so that access persists across reboots. During this stage, attackers commonly create back doors and additional persistence mechanisms so they can continue to access the network even if the original point of entry is identified and closed.

  6. Command and Control

During the command and control (C2) phase, the installed malware connects back to infrastructure the attacker controls, giving the attacker a remote channel to control compromised devices or identities within the target’s network. Threat actors may also move laterally during this phase to reach additional systems and establish redundant points of entry, so that losing one foothold does not end the intrusion.

  7. Actions on Objective

In the final phase of Lockheed Martin’s cyber kill chain, attackers carry out their original objective, whether that is data theft and exfiltration, destruction, or encryption of data for ransom.

The above steps are taken directly from Lockheed Martin’s cyber kill chain, which was originally developed in 2011. Since then, cybersecurity experts have expanded on the seven phases to include an eighth: monetization.

  8. Monetization

During the monetization phase, attackers focus on deriving income from the successful attack, whether through some form of ransom or selling sensitive information on the dark web.
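The practical value of the eight phases is the gap analysis they enable after a simulation: an attacker who reached phase N must have passed through every earlier phase, so each earlier phase with no alert is a point where the chain could have been broken sooner. The script below is an added example written for this page, not code from the original article or from SentinelOne or Lockheed Martin. It classifies constructed log lines into phases with illustrative regex rules (the patterns, host names, timestamps and the simulated ransomware timeline are all assumptions for the example) and reports the earliest phase at which the attack was visible and the observable phases that produced no telemetry. Weaponization is excluded from the gap calculation because it happens on the attacker’s own infrastructure.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The eight phases above, in chain order.
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objective",
    "monetization",
]

# Weaponization happens on the attacker's own infrastructure, so a defender
# almost never has telemetry for it; it is excluded from the gap calculation.
UNOBSERVABLE = {"weaponization"}

# Illustrative classification rules (regex -> phase).  These patterns are
# assumptions made for this example, not any product's detection content.
RULES = [
    (r"port ?scan|zone transfer|failed logins from", "reconnaissance"),
    (r"attachment=\S+\.(docm|xlsm|iso|lnk)\b", "delivery"),
    (r"(winword|excel)\.exe spawned (powershell|cmd|wscript|mshta)\.exe", "exploitation"),
    (r"run key (added|set)|scheduled task created|service installed", "installation"),
    (r"beacon|periodic outbound|dns tunnel", "command_and_control"),
    (r"large outbound transfer|shadow copies deleted|mass file rename", "actions_on_objective"),
    (r"ransom note|payment portal", "monetization"),
]
COMPILED = [(re.compile(pattern, re.I), phase) for pattern, phase in RULES]


@dataclass
class Event:
    ts: str
    host: str
    message: str
    phase: Optional[str]


def classify(message: str) -> Optional[str]:
    """Map one log message to a kill-chain phase; None if no rule matches."""
    for rx, phase in COMPILED:
        if rx.search(message):
            return phase
    return None


def parse(lines):
    """Parse 'timestamp host message' lines into Events, classifying each."""
    events = []
    for raw in lines:
        ts, host, message = raw.split(" ", 2)
        events.append(Event(ts, host, message, classify(message)))
    return events


def analyze(lines):
    """Return (observed phases in chain order, earliest observed phase, gaps).

    The kill-chain assumption is that an attacker who reached phase N passed
    through every earlier phase.  Any earlier phase with no classified event
    (and that a defender could in principle see) is therefore a detection gap:
    a point where the chain could have been broken sooner but was not.
    """
    seen = {e.phase for e in parse(lines) if e.phase}
    observed = [p for p in PHASES if p in seen]
    if not observed:
        return [], None, []
    deepest = PHASES.index(observed[-1])
    gaps = [p for p in PHASES[:deepest]
            if p not in seen and p not in UNOBSERVABLE]
    return observed, observed[0], gaps


# Constructed timeline from a hypothetical ransomware simulation (not real data).
SAMPLE_LOGS = [
    "2024-05-01T08:02:11Z mail01 attachment=invoice_0423.docm sender=billing@supplier.test",
    "2024-05-01T08:05:40Z ws-17 winword.exe spawned powershell.exe -enc JABjAD0AMQA=",
    "2024-05-01T08:05:52Z ws-17 run key added HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "2024-05-01T08:06:30Z fw01 periodic outbound 443 to 203.0.113.20 every 60s from ws-17",
    "2024-05-01T09:12:03Z ws-17 user logged on interactively",
    "2024-05-03T02:14:05Z fs01 shadow copies deleted via vssadmin",
    "2024-05-03T02:20:00Z fs01 mass file rename to *.locked across 48000 files",
]

if __name__ == "__main__":
    observed, earliest, gaps = analyze(SAMPLE_LOGS)
    print("phases observed:   ", observed)
    print("earliest intercept:", earliest)
    print("detection gaps:    ", gaps)
```

On the constructed timeline the earliest intercept point is delivery (the macro-enabled attachment), and reconnaissance is reported as a gap: nothing in the telemetry shows the attacker scanning or researching the target. Whether that gap is worth closing is a judgement call, since external reconnaissance is often passive, but the report forces the team to make that call consciously rather than by omission.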

Since its inception, the cyber kill chain has evolved to better anticipate and understand modern cyber threats. It has also been adopted by data security organizations and professionals to help define the stages of an attack.

Source:https://www.sentinelone.com/cybersecurity-101/cyber-kill-chain/#:~:text=Although%20the%20original%20cyber%20kill,actions%20on%20objective%2C%20and%20monetization.
