Cyber Kill Chain

Sourabhprixitshankhyan
4 min read · Mar 25, 2022

“The best way to protect from a hacker is to think like a hacker.”

Information Security professionals have, over the years, developed technical methodologies to enhance the functions within a security program, such as threat hunting for detection and response.

The Cyber Kill Chain is a 7-stage process, or approach, for tracing the stages of a cyber attack from the early reconnaissance stage to the exfiltration of data.

Lockheed Martin Cyber Kill Chain

The Lockheed Martin Cyber Kill Chain is derived from the military model, i.e. “Identify the target, prepare to attack, engage with the target and destroy.”

Reconnaissance-:

It is the first and by far the most important aspect of the model. It is the step in which we try to gain as much information about our target as possible, and the step on which you should spend your time. Reconnaissance is mainly done in two phases:

→ Passive

Passive reconnaissance is the type of reconnaissance in which we try to find valuable information that is publicly available over the internet, also known as foot-printing. There are several tools and websites available, and the most used ones are listed below.

  • Whatweb
  • Nslookup
  • Censys
  • Shodan
  • Crunchbase
  • Wappalyzer

Just for example, if we take yahoo.com, we can look at the results from Shodan and Whatweb.

Here we get pretty comprehensive information about yahoo.com.

→ Active

This involves direct interaction with the target while searching for vulnerabilities, which we also call finger-printing and web-app scanning.

The most commonly used tools for active reconnaissance are:

  • Nmap
  • Burp Suite

For example, the open ports listed by nmap on my local machine:

nmap scan

As we can see in the example above, we are able to see various open ports like 22 (ssh), 8080 (http), etc.
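The defender's view of the same stage, as an added example that is not part of the original post: a small Python detector that reads connection logs and flags a source that touches many distinct ports on one host within a short window, which is what the nmap scan above looks like from the target's side. The log lines are constructed, and the threshold and window length are assumptions.

```python
"""Flag the reconnaissance stage in connection logs: one source touching
many distinct ports on one host in a short window (the log-side view of
the nmap scan above). Constructed example; threshold/window are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed firewall-style log lines: "<timestamp> src=... dst=... dport=... action=..."
SAMPLE_LOG = """\
2022-03-25T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=22 action=allow
2022-03-25T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=80 action=allow
2022-03-25T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=443 action=deny
2022-03-25T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=8080 action=allow
2022-03-25T10:00:03 src=10.0.0.5 dst=10.0.0.20 dport=3306 action=deny
2022-03-25T10:00:03 src=10.0.0.5 dst=10.0.0.20 dport=5432 action=deny
2022-03-25T10:00:04 src=10.0.0.5 dst=10.0.0.20 dport=6379 action=deny
2022-03-25T10:00:04 src=10.0.0.5 dst=10.0.0.20 dport=445 action=deny
2022-03-25T10:00:06 src=10.0.0.7 dst=10.0.0.20 dport=443 action=allow
2022-03-25T10:05:00 src=10.0.0.7 dst=10.0.0.20 dport=22 action=allow
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), fields["src"], fields["dst"], int(fields["dport"])

def find_port_scans(log_text, min_ports=8, window_seconds=60):
    """Return {(src, dst): sorted ports} for pairs that hit >= min_ports
    distinct ports inside any window_seconds span (sliding window)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            events[(src, dst)].append((ts, port))
    hits = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits in window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports)
                break
    return hits

if __name__ == "__main__":
    print(find_port_scans(SAMPLE_LOG))
```

The second host (10.0.0.7) touches only two ports five minutes apart, so it stays below the threshold; lowering `min_ports` without widening the window still does not flag it.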

Weaponization-:

It is the 2nd stage of the cyber kill chain, the step where the attacker analyses the information gathered during “reconnaissance”, picks an exploit and creates the malicious code to send to the user (the delivery method). It can be a file attached to an email, a URL redirect, social engineering methods and techniques, a reverse-TCP/bind shell and much more. The most commonly used tool for payload binding is the “Metasploit Framework”, and a quite handy one is “Unicorn (https://github.com/trustedsec/unicorn)”.

Metasploit Framework

Delivery-:

The goal is to send the malicious code or payload to the victim by means of a website, an email attachment or email phishing, or furthermore by exploiting a hardware flaw in the network or by USB devices.

Exploitation-:

Once the attacker is able to deliver the payload, the intruder will try to gain internal system information and escalate their permission level while looking for more data, by using techniques like brute-force attacks, credential extraction, privilege escalation and many other methods.

Installation-:

In this phase the attacker tries to install malware or a backdoor on the organization's assets, getting persistent access to the target whenever they want. They may try to modify or alter security certificates and look for more severe vulnerabilities.

(The simple idea is to execute their scripted code on the victim machine and stay stealthy.)

Command And Control-:

In this phase the attacker or threat actor gains control over the organization's network, furthermore gaining access to the privileged user accounts in the network and changing permissions to take over control.

Action On Objectives-:

Once the attacker has fully compromised the system or organization, the intruder takes action to achieve their goals, ranging from data destruction all the way to encrypting data for “ransomware”.

Based on these stages, the following layers of control implementation are provided:

→ Detect — Determine the attempts to penetrate the organization.

→ Deny — Stop the attacks while they are happening.

→ Disrupt — Intervene in the data communication done by the attacker and stop it.

→ Degrade — Limit the effectiveness of a cyber attack to minimize its ill effects.

→ Deceive — Mislead the attacker by providing them with misinformation or misdirecting them.

→ Contain — Contain and limit the scope of the attack so that it is restricted to only some part of the organization.

Conclusion-:

→ Through simulation of the cyber kill chain we will be able to identify the security gaps in the network.

→ Leaving cybersecurity vulnerabilities open for security attacks is one of the most common mistakes made by organizations today. Continuous security validation across the cyber kill chain can help companies to identify, prevent, stop, and prepare for any such attacks.
