The 7 Steps of Cyber Kill Chain

Introduction

The Cyber Kill Chain framework was developed by Lockheed Martin. It is an intelligence-driven defense model for identifying, detecting, and preventing cyber intrusion activity by understanding the adversary tactics and techniques during the complete intrusion cycle. There are seven steps of the Cyber Kill Chain.

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on Objectives

 

Reconnaissance

Reconnaissance is the beginning stage of the cyber kill chain. The adversaries, in this planning phase, collect information about the target by using different techniques. This information gathering helps the adversaries profile the target and helps understand which vulnerability will lead them to meet their objectives. Following are some reconnaissance techniques:

• Information gathering via social networking platforms
• Social engineering
• Information gathering via search engines
• Email address harvesting
• Network scanning
• WHOIS searches / DNS queries

 

For security teams, it is very difficult to identify and detect reconnaissance. Adversaries can collect enough information about the target without any active connection. However, to discover internet-facing servers, open ports, running services, and other required information, adversaries need to build an active connection with the target. If security teams identify reconnaissance activity, it can help them reveal the intent and subsequent actions. Organizations should have a strict policy regarding information disclosure on public and social forums. Security teams should monitor and timely respond if any confidential or even relevant information which can be misused by adversaries is posted publically. Following are some behaviors the security team should monitor to identify reconnaissance activities:

• Website visitor’s log
• Internal scanning activities
• Port scanning on public-facing servers
• Vulnerability scanning on public-facing servers

 

Weaponization

After the collection of sufficient information about the target, adversaries prepare the operation in the Weaponization phase. Weaponization may include preparing an exploit for an identified target’s vulnerability or the development of a malicious payload. Following are some preparation techniques used by adversaries to weaponize themselves:

• Preparing a weaponizer or obtaining one from private channels
• Preparing decoy documents (file-based exploits) for victims
• Command and Control (C2) implantation
• Compilation of backdoor

Security defenders cannot detect weaponization as the payload is not yet delivered. However, it is an essential phase for defenders; they can keep their security controls harden against advanced tactics and techniques of malware. Mostly, security teams conduct malware analysis and reverse engineering, which helps them identify different techniques of malware development and dropping techniques. In this way, security teams prepare the most durable and resilient defense. Following are some blue team techniques to counter:

• Conducting malware analysis for trending malware
• Building detection rules for weaponizers
• Intelligence collection about new campaigns, IoCs
• Correlation of artifacts with APT campaigns

 

Delivery

After all the preparation and weaponization, in the delivery phase, adversaries launch the attack by conveying the malware or weaponized payload prepared specially for the target. Following are some common methodologies of launching an attack:

• Phishing emails
• Malware on a USB stick
• Direct exploitation of web servers
• Via compromised websites

This is a very important phase for security defenders to identify, detect, and block the delivery operation. Security teams monitor incoming and outgoing traffic, analyze delivery mediums, and monitor public-facing servers to detect and block delivery. Following are some actions for security teams to detect delivery of malware:

• Monitoring Emails Campaigns
• Leverage weaponizer artifacts to detect new malicious payloads at the point of entry
• Monitoring suspicious networks communications
• Monitoring alerts, detections on security controls
• Building signature-based detection rules

 

Exploitation

Exploitation is the phase in which an adversary gains access to the victim. In order to gain access, the adversary needs to exploit a vulnerability. As the adversary already has probably collected the information about the vulnerabilities in the reconnaissance phase and has already been prepared in the weaponization, the adversary can exploit the victim by using any of the following techniques:

• Exploiting any software, hardware, or human vulnerability
• Using exploit code
• Exploiting operating system vulnerability
• Exploiting application vulnerability
• Victim triggered exploitation via phishing email
• Click Jacking

To counter the exploitation phase, security teams should not only follow the traditional security measures, but they also need to understand new tactics and techniques as well as harden assets to prevent exploitation. Following are some key measures for security defenders to counter exploitation:

• User awareness training
• Phishing drill exercises for employees
• Periodic Vulnerability assessment
• Penetration testing
• Endpoint Hardening
• Secure coding
• Network Hardening

 

Installation

After successful exploitation, the adversary moves next to the installation phase. It establishes persistency at the victim either by installing a backdoor or opening a connection from the victim towards C2. This way, the adversary can maintain access for lateral movements. Following are some ways of maintaining the access activities:

• Installation of web shell
• Installation of backdoor
• Adding auto run keys

Security defenders use different security controls such as HIPS, EDR, AV engines to detect block installation of backdoors. Security teams should monitor the following to detect installations:

• Suspicious application using administrator privileges
• Endpoint process auditing
• Suspicious file creations
• Registry changes
• Auto run keys
• Security Control alerts

 

Command and Control

In Command and Control (C2) phase, the adversary opens a two-way communication or command channel with its C2 server. This C2 server is owned and managed by the adversary to send commands to the infected hosts. Adversaries can alter queries and commands to remotely manipulate the victim. Following are some characteristics of C2 channels:

• Victim opens two-way communication channel towards C2
• Mostly, the C2 channel is on the web, DNS, or email
• Encoded commands are queried by C2

For security defenders, this is the last chance in this kill chain to detect and block the attack by blocking the C2 channel. If the C2 channel is blocked immediately, an adversary cannot issue commands to the victim. Following are some techniques for security teams to defend against C2 communication:

• Collect and block C2 IoC via Threat Intelligence or Malware analysis
• Require proxies for all types of traffic (HTTP, DNS)
• DNS Sink Holing and Name Server Poisoning
• Monitoring network sessions

 

Actions on Objectives

At this stage, the adversary has a victim with persistent access connected with the C2 server. Now adversary can accomplish the objectives. What will the adversary do? That depends on his intent. At this stage, the adversary has the CKC7 access. Following are some different intents or possible next action of adversaries in this phase:

• Collection of credentials from infected machines
• Privilege Escalation
• Lateral movement in the network
• Data exfiltration
• Data corruption
• Data modification
• Destruction

At this stage, Security defenders must detect the adversary as earliest as possible. Any delay in detection at this stage can cause a severe impact. Security teams should be well-prepared and ready to respond in this stage to lower the impact. Following are some preparations for security defenders:

• Immediate incident response playbooks
• Incident readiness
• Incident response team with SMEs
• Communication and incident escalation point of contacts

 

Conclusion

This framework helps to identify and enhance the visibility into a cyber-attack. It also helps blue teams in understanding the tactics of APT’s. To know more about the process of Cyber Kill Chain, our new and improved, Certified Ethical Hacker V11 covers all the information you need about Ethical Hacking and Cyber security. Order today and get FLAT 19% OFF!