The Cyber Kill Chain explained – along with some 2020 examples


The Cyber Kill Chain framework is known to just about everybody who works hands-on in the information security industry. I must admit, before my transition into the infosec realm from a government job, I had a very vague idea of what it was and how it was relevant.

If you are thinking about a career in incident response, cyber intelligence or information security, or even in more general areas like data protection and privacy, the Cyber Kill Chain is probably one of the first concepts you should get familiar with.

The Cyber Kill Chain is a model that describes and explains various stages of a cyber attack. It was developed by Lockheed Martin.

The idea behind it is to identify, itemise and prevent hostile cyber activity such as a network intrusion. The model lays out the steps a cyber adversary must complete in order to achieve their objectives, and therefore the points at which defenders can detect and break the chain.

source: www.lockheedmartin.com

The 7 steps of The Cyber Kill Chain

Step 1: RECONNAISSANCE – typically an open source intelligence (OSINT) style activity, which involves gathering email addresses and publicly available information about the target company’s staff members: their position in the company, area of expertise, online presence, interests, participation in conferences and training events, and so on.

The reconnaissance step focuses not only on establishing who has access to a system, but also on mapping out the target’s infrastructure, the type of security tools used, software, devices and the overall security posture of the target. Reconnaissance can be passive (OSINT and research) or active (gaining unauthorised access to any of the target’s digital resources).

Example: A highly targeted reconnaissance campaign against one or several entities that began with the harvesting of email addresses. Among the targets were the Gates Foundation and the WHO.

source: Washington Post

Step 2: WEAPONIZATION – this means pairing an exploit with a backdoor, together with a mechanism for conducting the attack. A typical example of a weaponized device or service is a botnet, which consists of hundreds or thousands of infected machines that can be controlled by a hacker.

One very common tactic used by cyber attackers is weaponizing PDF or MS Word / Excel attachments in emails, crafted carefully to look like official and legitimate documents. Compromised domains can also be weaponized to host malicious software. Another weaponization method targets software that has security vulnerabilities (for instance with a zero-day exploit), which can then serve as a gateway to deliver malware to a target system.

Example: Weaponization of vulnerable Zyxel devices by the Mirai botnet.

source: Krebs on Security

Step 3: DELIVERY – this is the process of delivering the weaponized content to the target’s digital environment. The delivery can happen in a number of ways: from the victim opening a malicious attachment, to a drive-by download of malware from a malicious domain.

The delivery method can be adversary-controlled (direct action by a bad actor, such as hacking into infrastructure to plant the malware) or adversary-released, for example sending a malicious email that delivers the malicious software to the target.

Example: Multiple cases of systems being infected by malware delivered as a malicious attachment in a fake COVID-19 update email.

source: CNBC

Step 4: EXPLOITATION – this stage takes place after the attacker gains initial access to the target’s system through a vulnerability. The bad actor will now exploit the security flaws. The host system is typically compromised during this step, usually by a type of malware called a dropper (which allows the hacker to remotely execute commands within the target’s environment) or a downloader (which fetches additional malware from another online location).

Once some presence is established within the victim’s network, the attacker can proceed to download more tools, attempt to intercept login credentials or obtain hash values of passwords used in the environment, or escalate privileges to carry out more malicious actions within the system.

Example: Cyber attackers were able to exploit unknown vulnerabilities and gained initial access to the systems of a medical research company, but they were repelled.

source: Computer Weekly
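A dropper launched from a malicious attachment leaves a recognisable footprint in process-creation telemetry: an Office application spawning a shell or script interpreter. The following is an added example (not from the article or any real incident) of detection logic run over a constructed, Sysmon-style process log; the hostnames, paths and command lines are invented, and the encoded PowerShell argument is a placeholder.

```python
"""Flag Office applications that spawn a shell or script host, the typical
trace of a dropper started by a weaponized attachment (Kill Chain step 4).
Added example with constructed log data; nothing here is from a real case."""
import csv
import ntpath
from io import StringIO

# Constructed process-creation log, Sysmon-like fields flattened to CSV.
SAMPLE_LOG = """\
timestamp,host,parent_image,image,command_line
2020-04-01T09:12:03Z,WS01,C:\\Windows\\explorer.exe,C:\\Program Files\\Microsoft Office\\WINWORD.EXE,"WINWORD.EXE /n invoice.doc"
2020-04-01T09:12:41Z,WS01,C:\\Program Files\\Microsoft Office\\WINWORD.EXE,C:\\Windows\\System32\\cmd.exe,"cmd.exe /c powershell -enc BASE64_PLACEHOLDER"
2020-04-01T09:12:42Z,WS01,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,"powershell -enc BASE64_PLACEHOLDER"
2020-04-01T09:15:10Z,WS02,C:\\Windows\\explorer.exe,C:\\Program Files\\Microsoft Office\\EXCEL.EXE,"EXCEL.EXE budget.xlsx"
2020-04-01T09:20:00Z,WS02,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,"cmd.exe"
"""

# Parents that should almost never start an interpreter on a workstation.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children commonly abused as a first-stage dropper or downloader.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def parse_events(text):
    """Parse the CSV log; ntpath handles the Windows paths on any platform."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["parent_name"] = ntpath.basename(row["parent_image"]).lower()
        row["image_name"] = ntpath.basename(row["image"]).lower()
        events.append(row)
    return events


def find_office_droppers(events):
    """Return one alert per Office -> script host spawn.

    A second indicator is attached when the command line carries an encoded
    PowerShell argument, so the alert can be prioritised over a plain spawn.
    """
    alerts = []
    for ev in events:
        if ev["parent_name"] in OFFICE_APPS and ev["image_name"] in SCRIPT_HOSTS:
            indicators = ["office-spawned-script-host"]
            if "-enc" in ev["command_line"].lower():
                indicators.append("encoded-command")
            alerts.append({"timestamp": ev["timestamp"], "host": ev["host"],
                           "parent": ev["parent_name"], "child": ev["image_name"],
                           "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in find_office_droppers(parse_events(SAMPLE_LOG)):
        print(alert)
```

Only the WINWORD.EXE to cmd.exe spawn on WS01 is flagged; the cmd.exe started from explorer.exe on WS02 is ordinary user activity and stays quiet. The parent/child allow-list approach is deliberately narrow: it trades coverage for a very low false-positive rate, which is what you want for an alert that should page someone.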

Step 5: INSTALLATION – this step is the installation of the malicious software and its taking up residence within the target infrastructure. The primary purpose of the installation stage is to establish a firm presence within the target network and bypass security controls while maintaining internal access.

Example: How an APT group installed malware and maintained presence within the network for months.

source: Security Boulevard

Step 6: COMMAND AND CONTROL – once the malware installs on the system, it will seek to establish a connection back to the command and control server (C2). The malicious actor can now operate within the target environment and pivot or crawl laterally through the network. The command and control channel is usually manual and requires the hacker to interact with the malware from the C2 server in order to carry out desired activities.

Example: Analysis of the Qbot C2 server activity and its communications with compromised hosts.

source: Varonis
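Because the C2 channel described above is driven by the malware calling home on a schedule, one of the most reliable network-side detections for this step is looking for connections with unusually regular timing. The following is an added example (not from the article, nor from the Varonis analysis) that runs a simple beaconing check over a constructed connection log; the hosts and destination addresses are invented and the thresholds are assumptions you would tune to your own environment.

```python
"""Spot periodic outbound connections (C2 beaconing, Kill Chain step 6) by
measuring how regular the gaps between connections to one destination are.
Added example with constructed data; addresses are documentation ranges."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: timestamp, source host, destination:port.
SAMPLE_CONNECTIONS = """\
2020-05-02T10:00:00Z WS01 203.0.113.10:443
2020-05-02T10:00:30Z WS01 203.0.113.10:443
2020-05-02T10:01:01Z WS01 203.0.113.10:443
2020-05-02T10:01:30Z WS01 203.0.113.10:443
2020-05-02T10:02:00Z WS01 203.0.113.10:443
2020-05-02T10:02:31Z WS01 203.0.113.10:443
2020-05-02T10:00:05Z WS01 198.51.100.7:443
2020-05-02T10:00:07Z WS01 198.51.100.7:443
2020-05-02T10:00:52Z WS01 198.51.100.7:443
2020-05-02T10:04:00Z WS01 198.51.100.7:443
2020-05-02T10:09:13Z WS01 198.51.100.7:443
2020-05-02T10:00:10Z WS02 203.0.113.10:443
2020-05-02T10:03:00Z WS02 203.0.113.10:443
"""


def parse_connections(text):
    """Yield (timestamp, source host, destination) from the constructed log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst


def beacon_candidates(text, min_connections=5, max_cv=0.15):
    """Return (src, dst) pairs whose inter-connection intervals are regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the intervals; a small value means a near-constant period. Using a ratio
    rather than exact equality tolerates the jitter most implants add.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_connections(text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # all connections at the same instant; not a beacon
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "connections": len(stamps),
                             "mean_interval": avg, "cv": cv})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_CONNECTIONS):
        print(finding)
```

In the sample data only WS01 talking to 203.0.113.10 every 30 seconds or so is reported; the bursty, human-looking traffic to 198.51.100.7 has a coefficient of variation well above the threshold, and WS02 has too few connections to judge. In practice you would run this per day over proxy or NetFlow data and suppress known-good destinations (update servers, telemetry endpoints) that also beacon legitimately.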

Step 7: ACTIONS ON OBJECTIVES – this final step varies and depends a lot on what malicious software was deployed against the victim and what the hacker wants to achieve while maintaining presence within the compromised system. Obviously, the longer the bad actor maintains their presence, the greater the potential damage.

This is the final step, when intruders take specific actions to achieve their original objectives to the detriment of the victim. Objectives can vary, from data exfiltration and espionage, through ransomware-enabled extortion, to full destruction or temporary disruption of the network.

Example: No examples here, go do your own research 🙂
