
Cerdant Blog

Considering the Cyber Kill Chain
Jason Palm, SR. Network Security Engineer, January 29, 2019

In 2011, computer scientists at Lockheed-Martin developed a model, known as the Cyber Kill Chain, to defend computer networks at different phases of an attack. At its core, the Cyber Kill Chain framework is meant to improve visibility into each stage of an attack in order to develop a better understanding of threat actor tactics. Models like these are useful for conceptualization and for planning defenses. Although they may not apply in all situations, they are worth taking some time to understand when evaluating your current cybersecurity posture.

Within the context of the Cyber Kill Chain, the goal would be to prevent an attack as early in the chain as possible. In some cases, you may have little ability to disrupt an attack. A typical layered approach to security will also come into play to defend attacks at various levels. At Cerdant, we work with several solutions that can be layered to prevent a multitude of different threats at various phases of the Cyber Kill Chain, such as SonicWall, Cylance, and Proofpoint.

Let’s take a brief look at each link in the chain and what we can consider at each stage as security practitioners:

1. Reconnaissance

Reconnaissance is where the attacker starts gathering information on a target. This information is often readily available OSINT (Open Source Intelligence). Although many people feel there is nothing that can be done defensively at this early stage, that is not entirely true. Organizations publish a wealth of knowledge freely without considering what intel they may also be offering to an attacker. Consider the types of information you publish to social media and sites like LinkedIn. Employees are also prime targets: obtaining the phone number for a key employee may yield an attacker valuable information via a simple phone call. Security awareness training can play a vital role in curbing some of the information an attacker may gain from social engineering attacks.

2. Weaponization

Weaponization typically involves the actual creation of the attack, based on information that was gathered during the reconnaissance phase. It is effortless these days to craft custom malware. Although there really is little that can be done to stop activity at this stage, we need to be mindful that new forms of cyber weapons are being developed at a rapidly increasing rate. Considering solutions geared towards stopping zero-day threats is highly recommended.

3. Delivery

Delivery is the actual transmission of the attack to the target victim. This can be achieved in some familiar ways that are still very successful: e-mail attachments, website distribution, or even USB drives are easy ways to deliver weaponized content. This is where we need to start considering how we layer our approaches, which would include defenses like e-mail filtering, content filtering, USB device control, etc.
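As an added illustration of the e-mail filtering mentioned above (example code written for this post, not a Cerdant or vendor product), the following Python script parses a message with the standard library and flags attachments whose extension is on a block list. The block list and the sample message are constructed for the example; the extensions chosen are assumptions to tune to your own environment.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions commonly used to deliver weaponized content.
# This is a constructed policy list for the example, not a complete one.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".pptm"}


def risky_attachments(raw_message: bytes) -> list:
    """Return the file names of attachments whose extension is on the block list.

    Only the last extension is checked, so a double extension such as
    'invoice.pdf.exe' is still caught by its real '.exe' suffix.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample(filename: str) -> bytes:
    """Construct a sample message with one attachment (test data, not a real e-mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    # Placeholder bytes stand in for the attachment body.
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("invoice.pdf", "invoice.docm", "invoice.pdf.exe"):
        print(name, "->", risky_attachments(build_sample(name)))
```

A real gateway would also inspect the declared MIME type and the file's magic bytes rather than trusting the file name alone; this example shows only the extension check so the logic stays readable.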

4. Exploitation

Exploitation happens after a successful delivery and involves detonation. A simple example of this would be a script-based attack embedded in a Word document that was delivered via e-mail. In such a case, an attacker who had not been stopped by e-mail defenses would simply need an end user to act, unknowingly “detonating the weapon” by opening the Word document attachment.

5. Installation

Installation, in many cases, is when actual malware is installed. In the case of a file-less attack, a script may instead load a malicious payload into memory. So we also need to be aware that new generations of exploits like these aren’t just installing file-based malware on systems.

6. Command & Control (C2)

Command & Control (C2) is where a compromised system is used to give an attacker persistent access to the target network. Having insight into the traffic flow of your network is critical in cases where C2 has been established. Ideally, a defense would be in place with the ability to detect traffic to known botnet IPs, for example.
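To make the "detect traffic to known botnet IPs" idea concrete, here is an added Python example (written for this post, not code from the original or from any vendor) that runs a small block list over firewall log lines. The block list uses documentation address ranges as placeholders rather than real indicators, and the log lines and their key=value format are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed block list of "known botnet" addresses and ranges.
# These are documentation/test prefixes used as placeholders, not real IoCs.
KNOWN_C2 = [ipaddress.ip_network(n) for n in ("198.51.100.7/32", "203.0.113.0/24")]

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
2019-01-29T10:00:01 action=allow src=10.0.0.12 dst=93.184.216.34 dport=443
2019-01-29T10:00:07 action=allow src=10.0.0.12 dst=198.51.100.7 dport=8080
2019-01-29T10:01:07 action=allow src=10.0.0.12 dst=198.51.100.7 dport=8080
2019-01-29T10:02:07 action=allow src=10.0.0.12 dst=198.51.100.7 dport=8080
2019-01-29T10:00:15 action=allow src=10.0.0.44 dst=203.0.113.200 dport=443
2019-01-29T10:00:20 action=deny src=10.0.0.44 dst=203.0.113.9 dport=22
"""

LINE_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def is_known_c2(ip: str) -> bool:
    """True if the address falls inside any block-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_C2)


def find_c2_traffic(log_text: str) -> Counter:
    """Count allowed connections from each internal host to each known C2 address.

    Denied connections are skipped: the firewall already stopped those, and the
    interesting signal for incident response is traffic that actually got through.
    Repeated hits from one host to one destination are a strong beaconing hint.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "allow":
            continue
        if is_known_c2(m["dst"]):
            hits[(m["src"], m["dst"])] += 1
    return hits


if __name__ == "__main__":
    for (src, dst), count in find_c2_traffic(SAMPLE_LOG).most_common():
        print(f"ALERT: {src} -> {dst} allowed {count} time(s) to a known C2 address")
```

In practice the block list would be fed from a threat intelligence feed and the matching done by the firewall or SIEM, but the logic is the same: every allowed outbound flow is checked against the list, and repeat hits per source host are surfaced first.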

7. Action on Objectives

Action on Objectives is the end goal for an attacker. This may involve data exfiltration, destruction, or ransomware encryption. If you’ve let an attack get to this point, you’re typically finding yourself moving into incident response mode. You’ll also want to limit the attack surface. For example, with proper access control you can limit what access a compromised system has to other resources, preventing an attacker from pivoting within the network.

So, how do your systems stack up against attackers within the context of the Cyber Kill Chain? If you’re looking to supplement your existing defenses, or would like to have them evaluated, feel free to contact us here at Cerdant. We have skilled experts that would be happy to talk with you about where you stand and how your security posture can be improved.
