To be secure in cyberspace, an organization needs a proper security strategy that protects sensitive data from exposure and prevents damage to its brand image. Security professionals follow several models to actively find out whether malicious activity is happening against the organization at any given time. This article explains how to use the "Cyber Kill Chain" to find malicious activity and spot which stage an attack has reached.
What is the Cyber Kill Chain?
The cyber kill chain is a model that describes the series of steps an attacker needs to follow to carry out a cyber-attack. By following the cyber kill chain methodology, security professionals can identify malicious attacks and determine which stage they have reached.
The cyber kill chain consists of 7 phases that cover all the steps of a cyber-attack.
The 7 stages/phases of the Cyber Kill Chain methodology are:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions on Objectives
Reconnaissance
This is the initial step an attacker follows: they perform reconnaissance to collect information about the target. Attackers gather as much information about the target as possible in order to find a weak entry point or any sensitive information that may be useful. They look for publicly available information on the organization, network information, system or application information, and organizational details of the target.
Weaponization
In this phase the attacker develops the exploit or malware by analyzing the information collected in the previous stage. Attackers rely on system vulnerabilities, insecure configurations, or a vulnerable employee to perform the exploitation.
Delivery
In this phase the attacker delivers the exploit through a selected medium, which can be an email attachment, a malicious link on a website, a vulnerable web application, or a USB drive. This is the most important phase for defenders, because the attack can still be stopped early here.
Exploitation
Once the exploit is delivered, the exploitation happens in this stage. If the exploitation succeeds, the attacker gains the privileges needed to damage the system, install tools, or run malicious scripts.
Installation
In this phase the attacker installs a backdoor or remote access trojan on the target system to maintain access to the target network for an extended period.
Command and Control
The attacker creates a C2 (command and control) channel, which enables them to control the breached server as they intend. Through this channel attackers are also able to exfiltrate important data from the victim.
Actions on Objectives
This is the final stage, in which the attacker accomplishes the intended goal. That goal can be extracting sensitive data from the system, disrupting services or the network, or destroying the operational capability of the target by gaining access to its network and compromising more systems.
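As an added example (not part of the original article), the following Python script maps constructed alert lines to kill chain phases and, for each host, reports the furthest stage reached plus the earlier observable phases for which no alert exists, which point to detection gaps. The detection rule names and the alert line format are assumptions made for this example.

```python
import re
from collections import defaultdict
# Ordered phases of the cyber kill chain, earliest to latest.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
# Weaponization happens on the attacker's side, so no alert is expected for it.
NOT_OBSERVABLE = {"Weaponization"}

# Hypothetical detection rule names mapped to the phase they evidence (assumed).
RULE_TO_PHASE = {
    "port_scan": "Reconnaissance",
    "phishing_attachment": "Delivery",
    "exploit_attempt": "Exploitation",
    "new_persistence_service": "Installation",
    "beacon_traffic": "Command and Control",
    "bulk_data_egress": "Actions on Objectives",
}

# Constructed sample alerts, one per line: "<timestamp> host=<name> rule=<rule>".
SAMPLE_ALERTS = """\
2024-01-10T09:01:00 host=ws-17 rule=phishing_attachment
2024-01-10T09:05:12 host=ws-17 rule=exploit_attempt
2024-01-10T09:06:40 host=ws-17 rule=beacon_traffic
2024-01-10T10:30:00 host=db-02 rule=bulk_data_egress
2024-01-10T11:00:00 host=ws-04 rule=port_scan
2024-01-10T11:02:00 host=ws-04 rule=unknown_rule
this line is malformed and must be skipped
"""
ALERT_RE = re.compile(r"^\S+ host=(?P<host>\S+) rule=(?P<rule>\S+)$")

def parse_alerts(text):
    """Yield (host, phase) for each well-formed alert whose rule maps to a phase."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m and m.group("rule") in RULE_TO_PHASE:
            yield m.group("host"), RULE_TO_PHASE[m.group("rule")]

def stage_report(text):
    """Per host: furthest phase reached, plus earlier observable phases with no
    alert. A late-phase hit means earlier phases happened unseen: detection gaps."""
    seen = defaultdict(set)
    for host, phase in parse_alerts(text):
        seen[host].add(PHASES.index(phase))
    report = {}
    for host, idxs in seen.items():
        furthest = max(idxs)
        gaps = [PHASES[i] for i in range(furthest)
                if i not in idxs and PHASES[i] not in NOT_OBSERVABLE]
        report[host] = {"stage": PHASES[furthest], "gaps": gaps}
    return report
```

Running `stage_report(SAMPLE_ALERTS)` shows db-02 already at Actions on Objectives with no alert for any earlier phase, which is the case that deserves the most urgent investigation and coverage review.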