The Cyber Kill Chain is a widely used methodology in the broad field of cyber security. It is an intelligence-driven defense model built by Lockheed Martin, the global security and aerospace company, with the aim of identifying and preventing cyber intrusions. Since its release, the Cyber Kill Chain has evolved considerably and has helped in predicting and identifying threats and in detecting other attack techniques such as advanced malware and social engineering.
The Cyber Kill Chain model lays out the successive stages of a cyber-attack, identifies weaknesses, and helps security teams stop an attack at any stage of the chain. The concept is borrowed from the military kill chain: identifying a target, dispatching forces to it, deciding on and ordering the attack, and finally destroying the target.
The 7 stages of the Cyber Kill Chain methodology are as follows:
Stage 1: Reconnaissance
In the first stage, the attackers select their target(s) and then carry out detailed research on them to pin down vulnerabilities that can be exploited. The attacker gathers the information needed about the target and plans how to attack it; this includes collecting email addresses and other relevant details. For this purpose the attackers use automated scanners, probing firewalls, intrusion prevention systems, web security systems and similar defences to find an entry point for the attack.
Stage 2: Weaponization
In this stage the intruder builds a malware weapon, such as a virus or worm, designed to exploit the vulnerabilities of the selected target. What the malware does depends on the target and on the attacker's goal: it may exploit new, unknown vulnerabilities (so-called zero-day exploits), or it may target a combination of several known vulnerabilities. The attackers build the malware around the security weaknesses they have found and around the purpose of their attack. This step also includes shielding the weapon from detection by the security systems the target organization is likely to have in use.
Stage 3: Delivery
In this stage the created weapon is delivered to the target. To do this, the attackers can use many different mediums, such as e-mail attachments, removable disks, links, advertisements, websites, etc. Because the weaponized malware has to cross into the organization here, delivery is one of the most important stages at which security teams can stop the attack.
Stage 4: Exploitation
Generally, vulnerabilities in an application or the operating system are targeted through means such as scripting, dynamic data exchange, event or meeting scheduling, etc. The delivered malware then starts acting on the target: its malicious code is activated to exploit the vulnerabilities identified and selected earlier. The code is transported into and executed on the organization's computer systems, and the breach takes place. From this point the attackers can abuse the organization's systems by installing tools, running scripts, and overriding or modifying security and authentication controls.
Stage 5: Installation
In this stage the malware installs an entry point for the attacker, also known as a backdoor or a remote access trojan. Even at this stage the attack can be stopped by security systems such as HIPS (Host-based Intrusion Prevention System), AIDE (Advanced Intrusion Detection Environment), etc.
Stage 6: Command and Control
Here the attacker gains access to the network or the system through the malware and takes control of the organization's network and systems. Having reached the systems they want, the attackers move on to further attacks, harvesting credentials and changing permissions to gain command over them.
Stage 7: Actions on Objective
Once the attackers have persistent access, they finally act to achieve their goals, such as encrypting data for ransom, exfiltrating data, or destroying it. In the exfiltration case the data is drawn out of the network or system by the attackers; the purpose is to collect, encrypt, and retrieve private and sensitive information from the organization.
The following layers of control can be applied across the stages above:
Detection: Finding out about attempts to intrude into the organization.
Denial: Stopping attacks while they are occurring.
Disruption: Interfering with the attacker's data communication or contact and stopping it at that point.
Degradation: Reducing or limiting the impact and effect of the attacks.
Deception: Misleading the attackers by directing them towards false information or in a false direction.
Containment: Restraining and restricting the reach of the attack so that the rest of the organization can be protected.
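As an added illustration of how the seven stages and the control layers fit together (this is example code written for this page, not Lockheed Martin's own tooling), the following Python script maps constructed log events onto kill-chain stages, reports the furthest stage an intrusion has reached, and looks up illustrative controls for that stage; the log format, regex patterns and control names are all assumptions.

```python
import re
from collections import Counter
# The seven stages in chain order, as described above.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objective"]

# Hypothetical patterns for a plain-text log (assumption). Weaponization happens
# on the attacker's side, so defenders usually see no log evidence of it.
PATTERNS = [
    (re.compile(r"portscan|scanner", re.I), "Reconnaissance"),
    (re.compile(r"attachment .*\.(exe|js|docm)\b", re.I), "Delivery"),
    (re.compile(r"macro|exploit|shellcode", re.I), "Exploitation"),
    (re.compile(r"run key|new service|scheduled task", re.I), "Installation"),
    (re.compile(r"beacon|dns tunnel", re.I), "Command and Control"),
    (re.compile(r"exfil|mass encrypt", re.I), "Actions on Objective"),
]

# Illustrative controls per stage, keyed by the control layers listed above.
COURSES = {
    "Reconnaissance": {"detect": "web analytics", "deny": "firewall ACL", "deceive": "honeypot"},
    "Delivery": {"detect": "mail gateway", "deny": "attachment filter"},
    "Exploitation": {"detect": "HIDS", "deny": "patching", "disrupt": "DEP"},
    "Installation": {"detect": "HIPS/AIDE", "deny": "allow-listing", "contain": "isolation"},
    "Command and Control": {"detect": "NetFlow", "deny": "egress filter", "disrupt": "DNS sinkhole"},
    "Actions on Objective": {"detect": "DLP", "deny": "least privilege", "contain": "segmentation"},
}

def classify(line):
    """Return the kill-chain stage a log line indicates, or None if it matches nothing."""
    for pattern, stage in PATTERNS:
        if pattern.search(line):
            return stage
    return None

def triage(lines):
    """Count events per stage and report the furthest stage reached plus its controls."""
    counts = Counter(s for s in map(classify, lines) if s)
    furthest = max(counts, key=STAGES.index) if counts else None
    return {"counts": dict(counts), "furthest": furthest,
            "course_of_action": COURSES.get(furthest, {})}

# Constructed sample events, not real logs (TEST-NET address, .example domain).
SAMPLE = [
    "fw: portscan from 203.0.113.9 blocked",
    "mail: attachment invoice.docm delivered to alice",
    "edr: office macro spawned powershell",
    "edr: run key added for updater.exe",
    "proxy: periodic beacon to cdn-update.example",
]
```

Running `triage(SAMPLE)` shows the intrusion has reached Command and Control, so the denial and disruption controls for that stage (egress filtering, sinkholing) are the ones to apply first.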