Cybersecurity Kill Chain

Derived from military kill chain

describes the structure of an attack

7 phases or stages of a targetted attack

Break the kill chain is the defense

Each stage present opportunity to detect and react

Steps

1. Reconnaissance

Gather information on the target before the actual attack starts

Passive

Looking for publicly available information on the internet

also known as Footprinting

• Whois : checking the public database

  whois google.com

• Nslookup: querying the DNS

• Cencys

  • https://censys.io

• Shodan

  • https://www.secureworks.com/resources/vd-technical-testing-part-3

• Social Media

• Dumpster Diving

Active

Interaction with the target

• Technical

  • Vulnerabilities scanning

  • Fingerprinting: nmap

  • Web Application Scanning

• Non Technical

  • Physical Interaction

  • Social Media

2. Weaponization

• Passive this step happens at the attacker side, without contact with the victim.

• The attacker uses an exploit and creates a malicious payload to send to the victim

• Examples:

  • Unicorn (Python tool) https://github.com/trustedsec/unicorn

  • Metasploit https://www.offensive-security.com/metasploit-unleashed/

3. Delivery

• The attacker sends the malicious payload to the victim

  • Open Services (e.g. FTP)

  • Social Engineering (e.g. EMAIL)

  • Physical (USB)

• Social Engineering Toolkit https://www.trustedsec.com/tools/the-social-engineer-toolkit-set/

4. Exploitation

Exploitation weaknesses in your security

Execute their scripted code (weapon from step 2) onto the victim environment.

5. Installation

Now comfortably beyond your security systems

Malicious file can begin installing malware onto your environment

Example: install Netcat

6. Command and Control (C2)

• The attacker creates a command and control channel

  • RAT, Remote server

  • IRC protocol

  • Twitter account

  • Meterpreter https://www.computerweekly.com/tip/Metasploit-tutorial-part-2-Using-meterpreter

• Continue to operate his internal assets remotely.

7. Actions on Objectives

• The attacker performs the steps to achieve his actual goals inside the victim's network

• Takes months, and thousands of small steps, in order to achieve

• Payment histories, login data, account information, or other sensitive data. They could freeze your data and ransom it back to you.

• Netcat http://netcat.sourceforge.net/

• https://www.hackingtutorials.org/networking/hacking-with-netcat-part-1-the-basics/

Defense in Depth

Defense action

• Detect

• Deny

• Disrupt

• Degrade

• Deceive

• Contain

Defense action Matrix

	Recon	Weaponize	Delivery
Detect
Deny

The Unified Kill Chain

Uniting and extending Lockheed Martin's Kill Chain and MITRE's Att&CK framework

18 Attack Phases

https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-WhitePap er-Intel-Driven-Defense.pdf

Unified Kill Chain