Cyber Kill Chain
What is Cyber Kill Chain?
The CKC is the classical model developed by Lockheed Martin. The purpose of this model is to better understand the stages an attacker must go through to conduct an attack, and also helps the security teams to stop an attack at each stage. It also helps to identify to what extent the organization is compromised. It also helps to understand the strategies used by cybercriminals and how to defend against them.
Phases of Kill Chain:
There are seven phases of CKC model which are described below:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Action on objective
Reconnaissance:
In this phase the attacker tries to find out as much information as possible about the target like contact information and IT infrastructure of the target. There are two types of reconnaissance:
Passive: Looking for publicly available information on the internet like using google, social media, whois, NSlookup, Shodan and dumpster diving.
Active: gather information by interacting with the target. Active scanning can be technical and non- technical.
Technichal: In technical we mostly use scanning techniques like vulnerability scanning, fingerprinting, port scanning and web application scanning.
Non-Technichal: In non-technical we mostly talk directly like physical interaction or using social media.
Defend against passive scanning:
- Limit Public information (Job Posting, LinkedIn etc)
- Social Media Acceptable Use
- Modify Server error messages
Defend against active scanning:
- Disable unused ports
- Configure honeypots
- Implement Firewalls
- IPS
Weaponization:
After getting the information about the target now the attacker can create the exploit using the known information. Tools used for the weaponization are Metasploit, exploit-db, veil framework, social engineering toolkit(set) and many others depending upon the use case. We can not control this but we can minimize the from happening.
Defend:
- Patch Management
- Disable browser plugins
- Deploy AV to end points
- Email Security like anti spam
- Audit Logs
- Multi factor authentication
Delivery:
When the attacker is done with creating the payload then he/she will send the payload to the target. Attackers can use the websites, social media, emails, USB and other means depending upon the use case to deliver the weapon.
Defend:
- User awareness trainings
- Email Security like DKIM and SPF
- IPS/IDS
- Website filtering (prevent from accessing bad websites)
- Disable USB
Exploitation:
After successful delivery of the payload. Attackers will execute the payload to gain access to teh target using different techniques like SQL injection, buffer overflow etc.
Defend:
- Data Execution Prevention.
- Least privileges.
- Application Whitelisting.
- OS & Application Hardening.
Installation:
After the successful exploiting the vulnerabilities attacker would gain persistent access by modifying configuration like installs additional tools for privilege escalation.
Defend:
- Configure EDR
Command and Control:
After attempting the above steps successfully the target system is now completely under control of the attacker. Attacker controls the target remotely. There are many different approaches that attackers may use to establish an outbound connection. Attackers may use HTTP, HTTPS or even DNS to send and receive data to the victim machine.
Defend:
- Network segmentation
- NGFW (have the feature no C&C feature)
- Apply ACLs to the services like SSH and FTP ,netcat ,RDP
Action on Objective:
At last the attacker would execute the desired action or goal. Goal may be identity theft, intellectual property theft. Once the attacker reaches this phase, they have succeeded in their attack.
Defend:
- Implement DLP (Data Loss Prevention)
- UBA (User Behavior Analysis)
Comments
Post a Comment