Content Weapons Primer: Cyber Kill Chain


I would like to start off by providing some perspective. I am not a cyber security professional. I do know plenty and have great respect for the herculean efforts that go into the jobs of those who truly take an active role in the protection of digital systems. I think that, like a lot of specializations, we have buzzwords and our own jargon that lose people (non-practitioners) when we speak this language. For instance, I came across “Cyber Kill Chain” and was very interested in that concept. So this is a high-level article about this practice in the field of Cyber Defense.

Simply put, a cyber kill chain is a series of steps that helps you understand and combat advanced persistent threats (APTs), security breaches, and ransomware.

The cyber kill chain is based on a military model that was originally created to identify a target, prepare to attack it, engage it, and destroy it.

Like all kinds of technologies, the cyber kill chain has been evolving. It is now better than ever not only at fighting these attacks but also at anticipating and recognizing novel attacks, advanced ransomware, social engineering, and even insider threats.

How The Cyber Kill Chain Works

As mentioned above, the cyber kill chain combines multiple steps that allow you to prevent and combat many different types of attacks.

The key thing to understand is that each stage corresponds to a specific activity in a cyber attack, whether the attack is external or internal.

The Stages Of A Cyber Kill Chain

#1: Reconnaissance:

This is also known as the observation stage. This is when the attacker gathers all the information he can find about vulnerabilities and weak points in the system. Reconnaissance tools can scan entire networks to detect vulnerabilities and points of entry that could be exploited.

#2: Intrusion:

Once the attacker has identified vulnerabilities, he can break in. This is the stage when the attack becomes active. It may include sending malware such as adware, spyware, or ransomware to the system so the attacker can get in. The attacker may rely on a compromised website, a phishing email, or any other method.

For more information on similar concepts and strategies:

Content Weapons the book #contentweapons by Michael Stattelman

Learn how to lead “Next Practices” initiatives like this in Meta Leadership also by Michael Stattelman

#3: Exploitation:

This is the stage of the attack itself. Here the attacker exploits the vulnerabilities he found and can install additional tools, create new script files, and even modify security certificates.

#4: Privilege Escalation:

Privilege escalation is what attackers need in order to reach higher levels in the hierarchy, such as acting as an administrator. They use a wide range of techniques, such as exploiting zero-day vulnerabilities, preying on weak passwords, and even brute-force attacks.

At this stage, attackers can change permissions, modify configuration files, alter GPO security settings, and even try to extract credentials.

#5: Lateral Movement:

During this stage, attackers move laterally from one system to another to find more assets and gain more access. This is when they look for crucial data or information with restricted access.

#6: Obfuscation (Anti-Forensics):

To be successful, an attacker needs to distract defenders or cover his tracks. So attackers mask their presence and their activity to ensure no one notices they were there. This may include modifying critical information so it looks like it was never touched, overwriting data with misleading information and false timestamps, and wiping metadata and files.

#7: Denial Of Service:

A denial of service attack, also known as a DoS attack, suspends or disrupts access and can also flood services and crash systems. It is the attacker's way of keeping the attack from being tracked, blocked, or even monitored.

#8: Exfiltration:

The last stage of the cyber kill chain is when the attacker gets out of the compromised system without being detected. During this stage, the attacker copies or transfers the data to a location he controls. He may eventually send it to WikiLeaks or sell it on eBay.
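From a defender's point of view, the value of the chain is that alerts from different stages on the same host add up to one intrusion rather than separate noise. As an added example (not code from the original article), the Python below maps constructed alert records onto the eight stages above and flags hosts that have progressed through several of them; the alert category names, hostnames, and timestamps are assumptions.

```python
from collections import defaultdict

# The eight stages, in the order the article lists them.
STAGES = ["Reconnaissance", "Intrusion", "Exploitation", "Privilege Escalation",
          "Lateral Movement", "Obfuscation", "Denial of Service", "Exfiltration"]

# Hypothetical alert categories mapped to stages (an assumption; a real
# SOC maps its own detection names here).
CATEGORY_TO_STAGE = {
    "port_scan": "Reconnaissance",
    "phishing_click": "Intrusion",
    "malware_dropped": "Exploitation",
    "new_local_admin": "Privilege Escalation",
    "remote_logon_burst": "Lateral Movement",
    "event_log_cleared": "Obfuscation",
    "service_flood": "Denial of Service",
    "large_outbound_transfer": "Exfiltration",
}

# Constructed sample alerts: (timestamp, host, category).
SAMPLE_ALERTS = [
    ("2024-01-01T08:00", "ws-12", "port_scan"),
    ("2024-01-01T08:15", "ws-12", "phishing_click"),
    ("2024-01-01T09:02", "ws-12", "new_local_admin"),
    ("2024-01-01T09:40", "ws-12", "remote_logon_burst"),
    ("2024-01-01T10:05", "ws-12", "event_log_cleared"),
    ("2024-01-01T10:30", "ws-12", "large_outbound_transfer"),
    ("2024-01-01T08:05", "srv-01", "port_scan"),
    ("2024-01-01T11:00", "srv-01", "unmapped_category"),
]

def stages_by_host(alerts):
    """Return {host: set of stages observed}; unmapped categories are skipped."""
    seen = defaultdict(set)
    for _ts, host, category in alerts:
        stage = CATEGORY_TO_STAGE.get(category)
        if stage is not None:
            seen[host].add(stage)
    return dict(seen)

def triage(alerts, escalate_at=3):
    """Per host: deepest stage reached, distinct stages seen, escalate flag."""
    # A host seen at several distinct stages is a chained intrusion, not noise.
    report = {}
    for host, stages in stages_by_host(alerts).items():
        deepest = max(stages, key=STAGES.index)
        report[host] = {"deepest": deepest, "stages_seen": len(stages),
                        "escalate": len(stages) >= escalate_at}
    return report
```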

#metaleadership

#contentweapons
