Cyber Kill Chain

What is a Cyber Kill Chain?


The cyber kill chain is a cyber security model created by Lockheed Martin that traces the
stages of a cyber-attack, identifies vulnerabilities, and helps security teams stop an attack at
every stage of the chain.
The term "kill chain" is adopted from the military, which uses it to describe the structure of an
attack: identifying a target, dispatch, decision, order, and finally, destruction of the target.

How does the Cyber Kill Chain Work?

The cyber kill chain consists of 7 distinct steps:

1. Reconnaissance

The attacker collects data about the target and decides on the tactics for the attack. This
includes harvesting email addresses and gathering other information about the organization.
Intruders use automated scanners to find points of vulnerability in the system. This includes
scanning firewalls, intrusion prevention systems, etc., to find a point of entry for the attack.

2. Weaponization

Attackers develop malware by leveraging security vulnerabilities. Attackers engineer
malware based on their needs and the intention of the attack. This process also involves
attackers trying to reduce the chances of getting detected by the security solutions that the
organization has in place.

3. Delivery

The attacker delivers the weaponized malware via a phishing email or some other medium.
The most common delivery vectors for weaponized payloads are websites, removable disks,
and emails. This is the most important stage at which security teams can stop the attack.


4. Exploitation

The malicious code is delivered into the organization's system and the perimeter is breached.
The attackers now get the opportunity to exploit the organization's systems by installing tools,
running scripts, and modifying security certificates.
Most often, vulnerabilities in an application or the operating system are targeted. Examples of
exploitation techniques include scripting, dynamic data exchange, and local job scheduling.

5. Installation

The malware installs a backdoor or remote access trojan that gives the intruder persistent
access. This is another important stage where the attack can be stopped using systems such
as HIPS (Host-based Intrusion Prevention System).

6. Command and Control

The attacker gains control over the organization's systems and network. Attackers gain
access to privileged accounts, attempt brute force attacks, search for credentials, and change
permissions to take over control.

7. Actions on Objective

The attacker finally extracts the data from the system. The objective involves gathering,
encrypting, and extracting confidential information from the organization’s environment.
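The value of the model for a defender is that each stage has its own observable signals, and a control that blocks one stage prevents everything after it. The following Python script is an added example, not code from the original post or from Lockheed Martin's framework: it maps constructed alert events from hypothetical detector names (assumed, not from any real product) onto the seven stages, reports how far each host's attack progressed, and identifies the stage at which a control broke the chain.

```python
"""Map constructed security alerts onto the seven Cyber Kill Chain stages.

Added example. Detector names and sample events are constructed for
illustration and do not correspond to any real product's telemetry.
"""
from dataclasses import dataclass

# Stage order exactly as listed in the post.
STAGES = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objective",
]

# Hypothetical detector name -> kill chain stage it evidences.
# Weaponization happens on the attacker's side, so there is normally no
# detector for it inside the victim's environment.
DETECTOR_TO_STAGE = {
    "port_scan": "Reconnaissance",
    "email_harvest": "Reconnaissance",
    "phishing_attachment": "Delivery",
    "malicious_url_click": "Delivery",
    "macro_executed": "Exploitation",
    "suspicious_script": "Exploitation",
    "new_persistence_service": "Installation",
    "beacon_traffic": "Command and Control",
    "bruteforce_logon": "Command and Control",
    "large_outbound_transfer": "Actions on Objective",
}


@dataclass
class Event:
    ts: int          # constructed ordering value (seconds)
    host: str        # host the alert was raised on
    detector: str    # hypothetical detector name
    blocked: bool = False  # True if a control (e.g. HIPS) stopped the action


# Constructed sample alerts. ws-17 is stopped by a HIPS block at
# Installation; ws-22 runs the whole chain to data theft.
SAMPLE_EVENTS = [
    Event(100, "ws-17", "port_scan"),
    Event(200, "ws-17", "phishing_attachment"),
    Event(260, "ws-17", "macro_executed"),
    Event(300, "ws-17", "new_persistence_service", blocked=True),
    Event(210, "ws-22", "phishing_attachment"),
    Event(270, "ws-22", "macro_executed"),
    Event(310, "ws-22", "new_persistence_service"),
    Event(900, "ws-22", "beacon_traffic"),
    Event(4000, "ws-22", "large_outbound_transfer"),
    Event(5000, "ws-22", "unknown_detector"),  # unmapped, ignored
]


def stage_of(detector: str):
    """Return the kill chain stage a detector maps to, or None if unmapped."""
    return DETECTOR_TO_STAGE.get(detector)


def per_host_progress(events):
    """Stages each host reached, in chain order, counting only unblocked events."""
    reached = {}
    for ev in sorted(events, key=lambda e: e.ts):
        stage = stage_of(ev.detector)
        if stage is None or ev.blocked:
            continue
        reached.setdefault(ev.host, set()).add(stage)
    return {host: [s for s in STAGES if s in seen] for host, seen in reached.items()}


def furthest_stage(events, host):
    """Deepest stage the attack on `host` actually reached, or None."""
    stages = per_host_progress(events).get(host, [])
    return stages[-1] if stages else None


def chain_broken_at(events, host):
    """Stage at which a control blocked the attack on `host`, or None.

    The chain counts as broken only if no later stage was observed after
    the block; otherwise the attacker found another path and the block
    did not stop the intrusion.
    """
    blocked = [e for e in events
               if e.host == host and e.blocked and stage_of(e.detector)]
    if not blocked:
        return None
    block_stage = stage_of(min(blocked, key=lambda e: e.ts).detector)
    furthest = furthest_stage(events, host)
    if furthest is None or STAGES.index(furthest) < STAGES.index(block_stage):
        return block_stage
    return None


if __name__ == "__main__":
    for host, stages in per_host_progress(SAMPLE_EVENTS).items():
        print(f"{host}: reached {' -> '.join(stages)}")
        print(f"  chain broken at: {chain_broken_at(SAMPLE_EVENTS, host)}")
```

Running the script shows ws-17 stopping at Exploitation because the Installation attempt was blocked, while ws-22 reaches Actions on Objective with no block at all; the host whose chain was broken earliest is the one where the defensive control did its job.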

Here’s how simulating a cyber kill chain can protect against cyber security attacks:

1. Simulate Cyber security Attacks

Real cyber security attacks can be simulated across all vectors to find vulnerabilities and threats.
This includes simulating cyber-attacks through email gateways, web gateways, web application
firewalls, and more.

2. Evaluate the Controls to Identify Security Gaps

This involves evaluating simulations and identifying the areas of risk. Simulation platforms give
you a detailed risk score and report around every vector.

3. Remediate and Fix the Cyber security Gaps

The next step is to fix the security gaps identified in the previous step. This may include steps
like installing patches and changing configurations to reduce the number of threats and
vulnerabilities in the organization's systems.
