The Cyber Kill Chain is a traditional security model that describes an old-school scenario:
an external attacker who takes a series of steps to penetrate a network and steal your data. The model breaks the attack down into those steps to help organizations prepare for each one.
However, it is still remarkably successful in describing threats and attack vectors that organizations face today.
Here we will look at what the Cyber Kill Chain is, what its phases are, and which security controls can be applied at each phase.
What Is the Cyber Kill Chain and How Does It Work?
The Cyber Kill Chain (CKC) is a classic cybersecurity model, originally published by Lockheed Martin, that was developed in response to real computer security incidents.
This model describes an attack by an external attacker trying to gain access to data or assets within the security perimeter.
The attacker breaches the security perimeter, exploits vulnerabilities, obtains and escalates privileges, moves laterally to reach more valuable targets, attempts to obfuscate their activity, and finally exfiltrates data from the organization.
Each stage is related to a certain type of activity in a cyberattack, regardless of whether it is an internal or external attack.
Since Lockheed Martin published the original model in 2011, various versions of the “Cyber Kill Chain” have been released.
The Lockheed Martin model remains the reference version and is the most informative in how it accounts for the human element behind each step; the eight-phase variant described below extends it to spell out post-intrusion activity such as privilege escalation, lateral movement, and covering of tracks.
Every common attack vector, whether phishing, brute force, or the latest strain of malware, produces activity somewhere in the cyber kill chain.
8 Phases/Stages of the Cyber Kill Chain
Each phase of the kill chain is an opportunity to stop an attack in progress: with the right tools to detect and recognize the behavior characteristic of each stage, you can better defend against a system or data breach.
1. Reconnaissance – During this stage, the attacker gathers information about the target organization, for example by using automated scanners to find vulnerabilities and weak spots that could allow penetration. On the defender’s side, this is where port scans, vulnerability-scanner signatures, and unusual DNS or web-crawling activity from a single source become visible.
2. Intrusion – Attackers attempt to enter the security perimeter, often by planting malware on a system to establish a foothold. Malware can be delivered through a social-engineering email, a compromised system or account, an “open door” such as an exposed port or insecure endpoint, or an internal accomplice.
3. Exploitation – Attackers look for additional vulnerabilities or weak points to exploit within the organization’s systems. For example, from the outside an attacker may have no access to the organization’s databases, but after the intrusion they may discover that a database runs an outdated version exposed to a well-known vulnerability.
4. Privilege escalation – The attacker’s goal is to gain privileges on additional systems or accounts. Attackers may attempt brute-force attacks, search for insecure credential stores, sniff unencrypted network traffic for credentials, or change the permissions of accounts they have already compromised.
5. Lateral movement – Attackers connect to additional systems in search of the organization’s most valuable assets. They move from one system to another to reach privileged accounts, confidential data, or critical assets. Lateral movement is a coordinated effort that can span multiple user accounts and IT systems.
6. Obfuscation – The attacker tries to cover their tracks. They may delete or modify logs, falsify timestamps, tamper with security systems, and take other steps to conceal the earlier stages of the kill chain and make it appear that confidential data or systems were never touched. Forwarding logs to a separate, write-once collector as they are generated is the standard control here, since logs that have already left the host cannot be cleaned up afterwards.
7. Denial of Service – Attackers attempt to disrupt the organization’s operations. Typically the goal is to draw the attention of security and operations staff and create a distraction that lets the attackers pursue their real objective, data exfiltration.
8. Exfiltration – An advanced attacker finally “makes it home”, getting hold of the organization’s most confidential data. The attackers find a mechanism, typically some kind of protocol tunnel (DNS and HTTPS are common carriers because they are rarely blocked outbound), to copy the data out of the organization, then sell it, use it for further attacks (for example, personal customer data or payment details), or release it publicly to harm the organization.
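The phases above are only useful to a defender if each one maps to something observable. The following script is an added example, not code from the original article: a small rule-based detector that reads a few constructed log lines and tags the kill-chain stage each pattern suggests (port sweep for reconnaissance, repeated login failures for privilege escalation, a burst of admin-protocol sessions for lateral movement, a cleared log for obfuscation, an over-long DNS label for a tunnel in the exfiltration stage). The log format, field names, thresholds, and the assumption that 10.0.0.0/8 is the internal range are all illustrative assumptions, not any product’s real schema.

```python
"""Added example: tag constructed log events with the Cyber Kill Chain stage
they suggest. Log format, field names, thresholds and the internal-range
assumption are illustrative, not a real product's schema."""
from collections import defaultdict
import re

# Constructed sample telemetry (not captured from a real system).
# Format: "<ts> <sensor> <event> key=value ...".
SAMPLE_LOG = """\
10:00:01 fw conn src=203.0.113.7 dst=10.0.0.5 dport=21
10:00:01 fw conn src=203.0.113.7 dst=10.0.0.5 dport=22
10:00:01 fw conn src=203.0.113.7 dst=10.0.0.5 dport=23
10:00:02 fw conn src=203.0.113.7 dst=10.0.0.5 dport=25
10:00:02 fw conn src=203.0.113.7 dst=10.0.0.5 dport=80
10:00:02 fw conn src=203.0.113.7 dst=10.0.0.5 dport=443
10:00:03 fw conn src=203.0.113.7 dst=10.0.0.5 dport=3306
10:00:03 fw conn src=203.0.113.7 dst=10.0.0.5 dport=8080
10:00:30 fw conn src=198.51.100.9 dst=10.0.0.5 dport=443
10:05:10 auth login_failed src=10.0.0.5 user=admin
10:05:11 auth login_failed src=10.0.0.5 user=admin
10:05:12 auth login_failed src=10.0.0.5 user=admin
10:05:13 auth login_failed src=10.0.0.5 user=admin
10:05:14 auth login_failed src=10.0.0.5 user=admin
10:05:20 auth login_ok src=10.0.0.5 user=admin
10:12:01 auth remote_login src=10.0.0.5 dst=10.0.0.6 user=admin proto=smb
10:12:40 auth remote_login src=10.0.0.5 dst=10.0.0.7 user=admin proto=rdp
10:13:15 auth remote_login src=10.0.0.5 dst=10.0.0.8 user=admin proto=ssh
10:20:00 host log_cleared host=10.0.0.8 user=admin log=auth.log
10:25:00 dns dns_query src=10.0.0.8 qname=www.example.com
10:25:01 dns dns_query src=10.0.0.8 qname=4d7a9f0c2b1e8a3f6d5c7b9a1e2f3c4d5e6f7a8b9c0d1e2f3a4b5c6d.t.example.net
"""

PORT_SCAN_THRESHOLD = 8    # distinct ports one source tries on one host
BRUTE_FORCE_THRESHOLD = 5  # failed logins for one account from one source
LATERAL_THRESHOLD = 3      # distinct internal hosts one internal source logs into
DNS_LABEL_LIMIT = 40       # first-label length typical of DNS-tunnel payloads
ADMIN_PROTOCOLS = {"smb", "rdp", "ssh", "winrm"}


def is_internal(ip):
    """Assumption for the example: the internal range is 10.0.0.0/8."""
    return ip.startswith("10.")


def parse(line):
    """Split one constructed log line into a dict of its fields."""
    ts, sensor, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": ts, "sensor": sensor, "event": event, **fields}


def classify(log_text):
    """Return a sorted list of (stage, description) findings.

    Each rule is the observable left by one phase of the chain: the first
    three aggregate across events, the last two fire on a single event.
    """
    ports = defaultdict(set)     # (src, dst) -> destination ports tried
    failures = defaultdict(int)  # (src, user) -> failed-login count
    hops = defaultdict(set)      # src -> internal hosts reached over admin protocols
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        if e["event"] == "conn":
            ports[(e["src"], e["dst"])].add(e["dport"])
        elif e["event"] == "login_failed":
            failures[(e["src"], e["user"])] += 1
        elif (e["event"] == "remote_login" and e.get("proto") in ADMIN_PROTOCOLS
              and is_internal(e["src"]) and is_internal(e["dst"])):
            hops[e["src"]].add(e["dst"])
        elif e["event"] == "log_cleared":
            findings.append(("obfuscation",
                             f"{e['host']}: {e['log']} cleared by {e['user']}"))
        elif e["event"] == "dns_query":
            label = e["qname"].split(".")[0]
            # A long, encoded-looking first label is how data rides out in a DNS tunnel.
            if len(label) >= DNS_LABEL_LIMIT and re.fullmatch(r"[0-9a-z]+", label):
                zone = ".".join(e["qname"].split(".")[1:])
                findings.append(("exfiltration",
                                 f"possible DNS tunnel from {e['src']} to zone {zone}"))
    for (src, dst), seen in ports.items():
        if len(seen) >= PORT_SCAN_THRESHOLD:
            findings.append(("reconnaissance", f"{src} probed {len(seen)} ports on {dst}"))
    for (src, user), n in failures.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append(("privilege escalation",
                             f"{n} failed logins for {user!r} from {src}"))
    for src, hosts in hops.items():
        if len(hosts) >= LATERAL_THRESHOLD:
            findings.append(("lateral movement",
                             f"{src} opened admin sessions to {len(hosts)} hosts"))
    return sorted(findings)


if __name__ == "__main__":
    for stage, detail in classify(SAMPLE_LOG):
        print(f"[{stage:<20}] {detail}")
```

Run on the constructed log, the script reports one finding per stage from reconnaissance through exfiltration, while the single benign connection from 198.51.100.9 and the lookup of www.example.com produce nothing. Real detections would add time windows to each counter and tune the thresholds per environment; the point here is that every phase leaves a trace a defender can alert on before the chain completes.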
The cyber kill chain, with all of its stages, is a go-to model that cybersecurity experts follow to protect businesses from ruthless threats.