In this era of computers, cyberspace (the internet) has become a perilous place, as a multitude of cyber-attacks wreak havoc across all sorts of industries. We do have various security setups like honeypots, network intrusion detectors, etc. But how do we stop an attack that spans years? Most of the security measures we have do not consider the psychological perspective of an attack, that is, how the adversary thinks and proceeds in stages. The various detectors can tell us that we are being attacked, but they don't tell us what to do next. How do we stop this ongoing attack?
The cyber kill chain is a method that deals with these questions. It is an efficient and effective way of illustrating how an adversary can attack the target organization. This model helps organizations understand the various possible threats at every stage of an attack and the necessary countermeasures to defend against such attacks. The cyber kill chain divides the attack into phases and helps to organize the workforce in times of emergency.
HISTORY
Kill chain is a military concept describing the structure of an attack that is to be carried out. It is a process of dividing the attack into phases so that resources can be properly organized and allocated. The concept was first applied to cyberspace by researchers at Lockheed Martin in 2011. Currently, there are many customized cyber kill chains for different industries, based on the characteristics of their cyberspace.
CYBER KILL CHAIN
- Reconnaissance: At this phase, the attacker gathers information about the target, like email addresses, vulnerable endpoints, network blocks, IP addresses, etc., to probe for weak points before actually attacking. The information obtained in this phase is used extensively throughout the chain, and the attacker may revisit this phase whenever information is lacking.
- Weaponization: At this phase, the attacker analyzes the collected data to choose techniques and create malware tailored to exploit vulnerabilities in the chosen system. This phase uses the footprinting information obtained in the previous phase, such as the OS in use, the patch level, etc.
- Delivery: At this phase, with the weapon already created, the attacker decides upon the point of entry as well as the medium used to transmit the malware. This choice is mostly based on the programs the organization uses natively and on which programs the victim is likely to open, information that can be found through social engineering techniques. This is a key stage for measuring the effectiveness of the defence strategies implemented by the target organization, based on whether or not the attacker's intrusion attempt is blocked.
- Exploitation: At this phase, the attacker begins executing the malware. This step is also delicate for the attacker, who takes care not to be flagged as abnormal by the security controls.
- Installation: At this phase, after successful execution, the attacker installs further malicious software to maintain access inside the network, using encryption to stay undetected for as long as possible. After installation, the attacker gains the capability to spread the infection to other end systems in the network.
- Command & Control: At this phase, the attacker creates a command and control channel, which establishes persistent access between the victim's system and the attacker's server so that they can communicate and pass data back and forth. This sets the stage for the final objective.
- Actions on Objectives: At this stage, the attacker starts to make moves towards the final goal, whether it be exfiltration, ransom, disruption, etc. The attacker may also use the compromised system as a launching point for other attacks.
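The practical use of the phases above is to map each alert a defender receives onto the chain and see how far an intrusion has progressed and where earlier phases produced no signal. The following Python is an added illustration, not code from the original post or from Lockheed Martin: the detector event names, the event-to-phase mapping and the alert feed are constructed for the example, and the phase names are the ones listed above.

```python
"""Kill-chain progression tracker over a constructed alert feed (added example).

Each alert from a detector is tagged with the kill-chain phase it evidences. Per
host we compute the furthest phase reached and the earlier phases for which no
detector fired, i.e. the coverage gaps where a blocking control or more
visibility is needed. Event names and the mapping below are assumptions made
for this example, not a standard taxonomy.
"""
from collections import defaultdict
from dataclasses import dataclass

PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
]
PHASE_INDEX = {name: i for i, name in enumerate(PHASES)}

# Detector event type -> phase it evidences (assumed mapping for the example).
EVENT_PHASE = {
    "port_scan": "Reconnaissance",
    "phishing_email": "Delivery",
    "macro_spawned_shell": "Exploitation",
    "new_service_installed": "Installation",
    "beacon_to_rare_domain": "Command & Control",
    "bulk_outbound_transfer": "Actions on Objectives",
}


@dataclass(frozen=True)
class Alert:
    ts: int      # seconds since epoch (constructed values below)
    host: str
    event: str


def phase_of(alert):
    """Return the kill-chain phase an alert evidences, or None if unmapped."""
    return EVENT_PHASE.get(alert.event)


def progression(alerts):
    """Per host: furthest phase reached and the earlier phases with no alert.

    Returns {host: (furthest_phase, [silent earlier phases])}. Weaponization is
    skipped when listing silent phases: it happens on the attacker's side, so
    no defender sensor can observe it.
    """
    seen = defaultdict(set)
    for a in alerts:
        p = phase_of(a)
        if p is not None:
            seen[a.host].add(PHASE_INDEX[p])
    result = {}
    for host, idxs in seen.items():
        furthest = max(idxs)
        silent = [PHASES[i] for i in range(furthest)
                  if i not in idxs and PHASES[i] != "Weaponization"]
        result[host] = (PHASES[furthest], silent)
    return result


def earliest_intervention(alerts):
    """Phase evidenced by the earliest alert in the feed, by timestamp.

    Breaking the chain at the earliest evidenced phase is the cheapest
    intervention, since every later phase depends on it.
    """
    mapped = [(a.ts, phase_of(a)) for a in alerts if phase_of(a) is not None]
    if not mapped:
        return None
    return min(mapped)[1]


# Constructed sample feed: ws-17 was caught at Exploitation, while ws-42 reached
# exfiltration without Reconnaissance, Delivery or Exploitation ever alerting.
SAMPLE_ALERTS = [
    Alert(1000, "ws-17", "port_scan"),
    Alert(1300, "ws-17", "phishing_email"),
    Alert(1400, "ws-17", "macro_spawned_shell"),
    Alert(2000, "ws-42", "new_service_installed"),
    Alert(2600, "ws-42", "beacon_to_rare_domain"),
    Alert(3000, "ws-42", "bulk_outbound_transfer"),
]

if __name__ == "__main__":
    for host, (furthest, silent) in progression(SAMPLE_ALERTS).items():
        print(f"{host}: reached {furthest}; no signal for {silent or 'nothing'}")
    print("earliest evidenced phase:", earliest_intervention(SAMPLE_ALERTS))
```

Running the block reports that ws-42 advanced through three phases without any detector firing, which is exactly the kind of gap the chain model is meant to expose: the countermeasure to add is one that detects or blocks at the earliest silent phase, because everything after it depends on that step succeeding.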