What is Cyber Kill Chain?

If you are not familiar with the concept of a kill chain as used in military operations, the name of the framework may sound a little weird. Historically, the kill chain has been a military concept describing the structure of an attack. It starts with the identification of a target, continues with dispatching resources to the target and with someone deciding to attack and giving the order, and it ends with the destruction of the target. Military personnel attempt to break an opponent’s kill chain, for example by disrupting its communication methods. The Air Force describes its targeting cycle in six stages: Find, Fix, Track, Target, Engage, and Assess. There are also desired-impact classifications such as Fire-Kill (killing the target’s ability to attack your assets) or Catastrophic Kill (destroying the target completely so that the enemy cannot repair it). Lockheed Martin (a defense company that produces fighter jets) identified an intrusion kill chain with the following elements, performed in order from start to finish:

  1. Reconnaissance. This includes researching, identifying, and selecting targets.
  2. Weaponization. Malware, such as a remote access Trojan (RAT), is embedded within a deliverable payload, such as an infected Microsoft Office document.
  3. Delivery. The payload is transmitted to the target. Malware is often delivered as an attachment within a phishing email.
  4. Exploitation. After the weapon is delivered, it activates and triggers the exploit. Exploits often target an application or operating system vulnerability.
  5. Installation. The exploit will often install a remote access Trojan or a backdoor on the attacked system. This allows the attacker to maintain persistence inside the exploited environment.
  6. Command and Control (C2). Infected systems often send out a beacon to an Internet-based server. This establishes the C2 channel, giving attackers full access to the infected system.
  7. Actions on Objectives. At this point, attackers can begin taking action to achieve their ultimate goals. It could be installing ransomware or collecting, encrypting, and extracting data from the infected environment.

Their point was that “understanding the intrusion kill chain makes it a little easier to identify ways to disrupt it.”

The kill chain can also be used as a management tool to help continuously improve network defense. Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network, and the cyber kill chain model has seen some adoption in the information security community. A very common way of using the cyber kill chain in an enterprise security environment is as a framework for answering how an attack played out: dissecting each step for what the adversary did and why it worked can provide a wealth of understanding of the attack, the actor, and what should be done afterwards. It also does a great job of explaining an attack to C-level executives. Since it originates from a military concept, the kill chain is most commonly applied to nation-state activity.
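As an added example (not from the original post or from Lockheed Martin), the script below shows the "dissect each step" usage described above in code: constructed detection alerts are mapped onto the seven phases, then the reconstructed chain is used to report how far the intrusion progressed, which earlier phases produced no detection, and the earliest phase at which a control could have broken the chain. The alert category names, hosts and timestamps are all assumptions made up for the example.

```python
"""Reconstruct a kill chain from detection alerts (defender-side analysis)."""
from collections import defaultdict
from datetime import datetime

# The seven phases of the Lockheed Martin intrusion kill chain, in order.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Hypothetical alert categories (assumed names) mapped to the phase they evidence.
CATEGORY_TO_PHASE = {
    "port_scan": "Reconnaissance",
    "phishing_attachment": "Delivery",
    "office_macro_exec": "Exploitation",
    "new_persistence_key": "Installation",
    "beacon_to_unknown_host": "Command and Control",
    "large_outbound_transfer": "Actions on Objectives",
}

# Constructed sample alerts as (timestamp, category, host); not real data.
SAMPLE_ALERTS = [
    ("2024-03-01T09:12:00", "phishing_attachment", "ws-17"),
    ("2024-03-01T09:15:30", "office_macro_exec", "ws-17"),
    ("2024-03-01T09:16:05", "new_persistence_key", "ws-17"),
    ("2024-03-01T09:16:40", "beacon_to_unknown_host", "ws-17"),
    ("2024-02-27T22:40:00", "port_scan", "ws-17"),  # arrived out of order
]

def reconstruct_chain(alerts, mapping=CATEGORY_TO_PHASE):
    """Return {phase: sorted timestamps} for every phase with evidence, in phase order."""
    seen = defaultdict(list)
    for ts, category, _host in alerts:
        phase = mapping.get(category)  # unknown categories are ignored
        if phase is not None:
            seen[phase].append(datetime.fromisoformat(ts))
    return {p: sorted(seen[p]) for p in PHASES if p in seen}

def deepest_phase(chain):
    """The furthest phase the adversary is known to have reached, or None."""
    reached = [p for p in PHASES if p in chain]
    return reached[-1] if reached else None

def coverage_gaps(chain):
    """Phases before the deepest one with no detection: where visibility was missing."""
    deepest = deepest_phase(chain)
    if deepest is None:
        return []
    return [p for p in PHASES[:PHASES.index(deepest)] if p not in chain]

def earliest_break_point(chain):
    """First phase with evidence: the earliest point a control could have cut the chain."""
    return next((p for p in PHASES if p in chain), None)
```

Note that Weaponization shows up as a gap for almost any intrusion, since it happens on the adversary's side and is rarely observable; a gap in Delivery or Exploitation, by contrast, points at a missing control.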

References:
https://www.cisecurity.org/insights/spotlight/ei-isac-cybersecurity-spotlight-cyber-kill-chain
SYO 6021 Darril Gibson
https://www.darkreading.com/attacks-breaches/leveraging-the-kill-chain-for-awesome
