Cyber attacks don’t just happen overnight. While a few malicious actors occasionally stumble upon opportunities that make a breach easier, a typical cyber attack follows a sequence of steps.
You’d agree with me that to defend against these attacks, cybersecurity professionals need to understand how they are carried out: the entire process attackers usually follow, which reveals their thinking and operational patterns.
By uncovering these processes, which vary with the exact type of attack and its objective, professionals in both defensive and offensive security have been able to track down malicious actors and their work more effectively.
The information about attack processes gathered over time from different cybersecurity sources and communities has been compiled into what is now called the Cyber Kill Chain (CKC), and this is what I’ll be covering here.
The Cyber Kill Chain
The Cyber Kill Chain is a 7-step model that shows cybersecurity professionals the flow an attack takes from planning to completion.
Now, this isn’t a perfect chain or flow, as you may have guessed by now. Just like a flowchart used in programming logic, parts of it sometimes have to be revisited if the need arises.
Enough of this, let’s get to see what this flow is, shall we?
Recon → Weaponization → Delivery → Exploitation → Installation → C2 → Action
This model, like quite a number of models and terms used in cybersecurity, was adopted from the military method of analyzing an enemy attack in order to prevent it, using a kill chain.
Recon
Recon, or reconnaissance, is the first stage, where the attacker gathers information about their target. It involves using Open Source Intelligence (OSINT) and sometimes physically going out to collect information about the target. Depending on the scope, they might even use spies to collect as much information as they need from their target.
Using this information, they build a profile of their target and an attack method, which leads them to the weaponization step.
What can security professionals do?
Understanding the recon strategies attackers are likely to use helps cybersecurity professionals assist organizations and individuals in making it difficult for attackers to gather intelligence about them that can be weaponized.
Weaponization
After the attacker has gathered sufficient information about their target, they devise a method to launch the attack. The weaponization tactic they employ depends on the kind of target they have and on their end goal.
For instance, it is at this phase that they decide what kind of malware they are going to use. If the target is an entity whose data they can benefit from exfiltrating, they might decide to develop spyware or a keylogger.
What can security professionals do?
The weaponization stage helps cybersecurity professionals understand what kinds of attack vectors attackers typically employ in different scenarios.
Delivery
After the attack vector has been weaponized, a means has to be devised to get it into the target’s environment. Attackers do this using different tactics like tailgating, phishing, social engineering, etc.
What can security professionals do?
By understanding the ways malware can get into an organization’s network or systems, defensive controls can be set up to prevent these attacks from happening. Identity and Access Management is a cybersecurity practice that is implemented with the delivery stage in mind. For instance, a turnstile (physical access control) can be set up at the entrance of a building to prevent tailgating.
Exploit
If they eventually find their way into the target’s network, they begin to exploit vulnerabilities in it. The initial vector is usually used to run this, granting them lateral access across the victim’s network and systems and further compromising the victim’s security.
What can security professionals do?
Endpoint detection, malicious-traffic monitoring and incident response are methods security professionals use to curtail the effects of a breach that has found its way into an organization's network or systems. This is where baselines are necessary. With a known baseline, security professionals can be alerted as soon as an anomaly is detected on the network or systems.
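To make the baseline idea concrete, here is an added example (not code from the original post): a constructed baseline of which hosts each account normally authenticates to is compared against constructed authentication log lines. Logins to hosts outside the baseline, logins outside working hours, and one account reaching several new hosts in quick succession each produce a finding. All hostnames, usernames, addresses and thresholds are made up for the illustration.

```python
"""Baseline-driven anomaly detection over authentication log lines.

Added example (not from the original post): constructed log lines and a
constructed baseline show how a known baseline turns raw events into
alerts for new-host logins, off-hours activity and rapid fan-out.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a syslog-like key=value format (not real data).
LOG_LINES = [
    "2024-03-04T09:02:11 host=fileserver01 user=alice src=10.0.1.20 result=success",
    "2024-03-04T09:15:42 host=fileserver01 user=bob src=10.0.1.21 result=success",
    "2024-03-04T10:01:05 host=hr-db user=carol src=10.0.2.10 result=success",
    "2024-03-04T10:07:33 host=hr-db user=carol src=10.0.2.10 result=failure",
    "2024-03-04T23:40:07 host=hr-db user=alice src=10.0.1.20 result=success",
    "2024-03-04T23:41:30 host=payroll user=alice src=10.0.1.20 result=success",
    "2024-03-04T23:42:12 host=dc01 user=alice src=10.0.1.20 result=success",
    "2024-03-04T23:43:50 host=backup01 user=alice src=10.0.1.20 result=success",
]

# Constructed baseline: the hosts each account is normally seen authenticating to.
# An account missing from the baseline is treated as having no known hosts.
BASELINE_HOSTS = {
    "alice": {"fileserver01"},
    "bob": {"fileserver01"},
    "carol": {"hr-db"},
}
WORK_HOURS = range(7, 20)   # logins expected between 07:00 and 19:59
FANOUT_THRESHOLD = 3        # distinct unexpected hosts from one account in a batch

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_anomalies(lines, baseline=BASELINE_HOSTS,
                     work_hours=WORK_HOURS, fanout=FANOUT_THRESHOLD):
    """Compare successful logins against the baseline and return findings.

    Each finding is a tuple (kind, user, host_or_hosts, timestamp).
    """
    findings = []
    unexpected_hosts = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        # Only successful authentications count as access; failures would
        # be handled by a separate brute-force rule.
        if event is None or event["result"] != "success":
            continue
        user, host, ts = event["user"], event["host"], event["ts"]
        if host not in baseline.get(user, set()):
            unexpected_hosts[user].add(host)
            findings.append(("new_host", user, host, ts.isoformat()))
        if ts.hour not in work_hours:
            findings.append(("off_hours", user, host, ts.isoformat()))
    # Many first-time hosts from one account in a short batch is a common
    # lateral-movement signature.
    for user, hosts in unexpected_hosts.items():
        if len(hosts) >= fanout:
            findings.append(("possible_lateral_movement", user,
                             ",".join(sorted(hosts)), ""))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(LOG_LINES):
        print(finding)
```

Run against the constructed lines, bob and carol stay quiet because their activity matches the baseline, while alice generates nine findings, including a single possible_lateral_movement finding listing the four hosts she reached for the first time. The value of the baseline is that the rule never has to know what an attack looks like, only what normal looks like.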
Install
Many times, after exploiting a system or network, malicious actors install backdoors to grant themselves persistent access even after their initial access has been detected and blocked. This can be deadly, as a backdoor mimics legitimate access, sometimes fooling the security measures set up to block it.
What can security professionals do?
The installation of backdoors can be checked by thorough forensics and regular penetration testing to identify possible hidden breaches in a network.
Command & Control (C2)
In a large-scale attack, attackers can set up a command and control server to help them remotely carry out further, more sophisticated attacks on their victim. They can deploy botnets, direct them at specific areas and wreak serious havoc on their victim while distracting security professionals.
What can security professionals do?
Just like the methods employed to curtail the installation of backdoors, security professionals can check further for signs of a deeper breach, which can indicate that a C2 channel is in place.
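One concrete sign of a C2 channel is a host that contacts the same destination at near-constant intervals. The added example below (not code from the original post) groups constructed flow records by source and destination and flags pairs whose inter-arrival gaps have a low coefficient of variation. The hostnames, the documentation-range address 198.51.100.23 and the thresholds are all constructed for the illustration.

```python
"""Spotting beacon-like periodic outbound connections in flow logs.

Added example (not from the original post): constructed flow records stand in
for proxy or NetFlow data. A compromised host checking in with a C2 server
tends to connect to the same destination at near-constant intervals, so a
low coefficient of variation across many inter-arrival gaps is a useful
signal to review.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed records (timestamp, source host, destination); not real traffic.
# 198.51.100.23 is from a documentation address range and stands in for an
# unknown external destination.
FLOWS = [
    ("2024-03-05T08:00:00", "ws-17", "updates.example-vendor.test"),
    ("2024-03-05T08:00:00", "ws-17", "198.51.100.23"),
    ("2024-03-05T08:05:01", "ws-17", "198.51.100.23"),
    ("2024-03-05T08:09:58", "ws-17", "198.51.100.23"),
    ("2024-03-05T08:15:02", "ws-17", "198.51.100.23"),
    ("2024-03-05T08:20:00", "ws-17", "198.51.100.23"),
    ("2024-03-05T08:24:59", "ws-17", "198.51.100.23"),
    ("2024-03-05T08:03:10", "ws-17", "intranet.corp.test"),
    ("2024-03-05T08:17:44", "ws-17", "intranet.corp.test"),
    ("2024-03-05T08:41:03", "ws-17", "intranet.corp.test"),
    ("2024-03-05T09:02:30", "ws-17", "intranet.corp.test"),
    ("2024-03-05T09:03:00", "ws-17", "intranet.corp.test"),
    ("2024-03-05T09:50:12", "ws-17", "intranet.corp.test"),
]


def intervals_seconds(timestamps):
    """Return the gaps, in seconds, between consecutive sorted timestamps."""
    ordered = sorted(datetime.fromisoformat(t) for t in timestamps)
    return [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]


def find_beacons(flows, min_connections=5, max_cv=0.1):
    """Group flows by (src, dst) and flag pairs whose gaps are near-constant.

    Returns a list of dicts with the pair, connection count, mean interval
    and coefficient of variation (stdev / mean) of the inter-arrival gaps.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        gaps = intervals_seconds(stamps)
        avg = mean(gaps)
        if avg <= 0:
            # Identical timestamps (burst traffic), not a periodic beacon.
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "count": len(stamps),
                            "mean_interval": avg, "cv": cv})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(FLOWS):
        print(f"{b['src']} -> {b['dst']}: {b['count']} connections, "
              f"every ~{b['mean_interval']:.0f}s (cv={b['cv']:.3f})")
```

On the constructed data only the roughly five-minute check-ins to 198.51.100.23 are flagged; the irregular intranet traffic and the single vendor update connection are not. The thresholds need tuning per environment: legitimate software also polls on a schedule, so a hit is a lead for an analyst to review alongside the destination's reputation and the process that opened the connection, not a verdict on its own.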
Action
While many attackers stop after they gain initial access, some continue until a specific objective is achieved. At this stage, recovery becomes hard, and such an attack can have serious consequences for the victim.
What can security professionals do?
If the response is swift and accurate, the attackers can be stopped before they carry out their main objective.
Conclusion
The Cyber Kill Chain, unlike the MITRE ATT&CK framework, is very flexible: attacks may not always follow its flow to completion, but a good understanding of this chain is needed to actually defend against these attackers.
Once an exploit has been found, security professionals should not relent until there is high certainty that the attack has been fully dealt with; that way, the damage caused by attacks doesn’t escalate into something grave.