Writing assignment: Please prepare a paper that explains the following:

1) What is the cyber kill chain model, and how can it help security professionals learn about the different phases of an attack?

2) Describe each of the kill chain phases in detail. For each phase, give an example of an attack associated with it and the kinds of security control that can be implemented to address it.
Cyber Kill Chain Model
The Cyber Kill Chain Model
The cyber kill chain model, popularised by Lockheed Martin, adapts the military's "kill chain" concept, which describes the sequence of steps an adversary must complete to attack a target, to the steps cyber attackers take in present-day intrusions. The premise is that, by understanding each of the attacker's steps, security professionals can detect and stop the intrusion at any one of them. The more places at which an attacker can be intercepted, the better the chance of denying them their objective, or of forcing them to make so much noise in their attempts that they become easy to detect. The aim is to stop the attack as close to the start of the chain as possible (Korolov & Myers, 2018): the earlier an intrusion is halted, the less information the attacker has gathered, whereas an intrusion halted only at a late stage may already have yielded information that the same or another attacker can reuse to complete a later attack.
Cybersecurity threats can evolve faster than the defences of the organisations they target, and they keep growing more complex. Under those conditions it is essential to understand the actual behaviour of the threat and the threat intelligence around it ("How cyber kill chain can be useful for a SOC team? (Part 1)", 2020). The cyber kill chain gives security professionals a way to reason about that behaviour stage by stage. At each stage the analyst establishes the current state of the threat and what must already have happened in the earlier stages, and can then pair preventive controls, which stop further progression, with detective controls, which reveal the activity before the attack is fully established in the network. In the first stage, reconnaissance, security professionals rely on mechanisms such as web analytics, threat intelligence and intrusion detection systems to spot the probing; prevention at this point involves an information-sharing policy, firewalls and access control lists ("How cyber kill chain can be useful for a SOC team? (Part 1)", 2020). In the following stage, an attack can be detected with endpoint malware protection and denied with network intrusion prevention systems. The fact that the appropriate mechanisms differ from stage to stage shows that a cyber threat progresses over time; security professionals therefore need to identify the stage a threat has reached so that the right controls are applied to it.
Phases Within The Cyber Kill Chain Model
The first step in the model is reconnaissance, in which the attacker collects information about the target before launching the attack (Spitzner, 2019). Here the attacker probes for a weakness, such as exposed login credentials or details that would make a phishing email convincing. The ways an attacker can gather information are almost endless: open sources on the internet such as LinkedIn profiles, phone calls to employees, or dumpster diving. At this stage, security professionals who understand that they are a target will work to limit the information the organisation shares publicly. Sensitive information should be shared only behind authentication, and disposal of documents and media needs to be handled carefully (Spitzner, 2019). Because the attacker has so many options for collecting information, security professionals also need to train users to be vigilant and to report suspicious activity, such as odd phone calls that seem to be probing for information.
The second stage is weaponization, in which the attacker has still not interacted with the target but builds the attack. The attacker couples an exploit for a vulnerability identified during reconnaissance with malware to form a deliverable payload, for instance a new strain of self-replicating malware that spreads via USB drive. Since there is no contact with the target at this stage, security awareness neutralises little of the threat here, except in the rare case where the attacker conducts limited testing against the target (Spitzner, 2019). The practical defences are technical, such as endpoint malware protection that can catch the payload once it arrives.
The third phase is delivery, in which the weapon is transmitted to the target. A typical example is a malicious link or attachment carried in a legitimate-looking email (Korolov & Myers, 2018). People play a critical role at this point, because a user who recognises the email and does not click the link or open the attachment stops the attack before it starts; the workforce is therefore the first line of defence against many delivery attempts. The organisation still needs technical controls that filter such attacks out of its email and network traffic, but a vigilant workforce significantly reduces the attack surface.
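As an added example that is not part of the original essay, the following Python script shows the kind of delivery-stage link filter the paragraph above refers to. It parses the anchors of an HTML email body and flags two classic phishing patterns: visible link text that looks like a URL but points to a different host, and a host that imitates a trusted brand. The sample email body, the trusted-domain list and the homoglyph table are constructed assumptions for the illustration.

```python
"""Delivery-stage filter: flag suspicious links in an HTML email body.

Added illustration; the sample email, TRUSTED_DOMAINS and the homoglyph map are
constructed assumptions, not data from any real mail system.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands the organisation expects to see linked in legitimate mail.
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com"}

# Assumption: a few digit-for-letter substitutions attackers use in look-alike names.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL; a bare 'www.x.com/...' is treated as http://www.x.com/..."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def is_lookalike(host, trusted=TRUSTED_DOMAINS):
    """True if host imitates a trusted domain without being it or one of its subdomains."""
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return False
    normalised = host.translate(HOMOGLYPHS)
    return any(domain.split(".")[0] in normalised for domain in trusted)


def analyze_email(html):
    """Return a list of (reason, href) findings for the anchors in an HTML body."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        href_host = host_of(href)
        if looks_like_url(text) and host_of(text) != href_host:
            findings.append(("text-href-mismatch", href))
        if is_lookalike(href_host):
            findings.append(("lookalike-domain", href))
    return findings


# Constructed sample: one link lies about its destination, one uses a digit-for-letter
# look-alike, and one is a genuine link to the trusted domain.
SAMPLE_EMAIL = """<html><body>
<p>Your account needs verification.</p>
<a href="https://paypal.com.account-verify.example.net/login">https://www.paypal.com/login</a>
<a href="https://paypa1-secure.com/update">Update your details</a>
<a href="https://www.paypal.com/help">Help centre</a>
</body></html>"""

if __name__ == "__main__":
    for reason, href in analyze_email(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

The first anchor trips both checks (the visible text names www.paypal.com while the href goes to example.net, and the host embeds the brand as a leading label), the second trips only the look-alike check, and the genuine link to www.paypal.com passes. A production filter would add URL reputation and sandboxing, but these two heuristics alone catch a large share of commodity phishing.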
The fourth phase is exploitation, in which the weapon is detonated: for example, the user opens the malicious attachment and the exploit triggers a vulnerability in the application, or clicks the link and enters login credentials into a fake page, and the attacker gains a point of access to the system (Spitzner, 2019). The attack can be detected with endpoint malware protection and a host-based intrusion detection system. It is denied through patch management and the use of strong passwords, and application-aware firewalls, trust zones and network intrusion detection systems help contain it.
The fifth phase is installation, in which the malware installs itself on the targeted system or network and establishes persistence. The malware gives the attacker an ongoing point of access, commonly called a backdoor. From here the attacker can install further tools, modify security certificates, create script files or look for additional vulnerabilities to exploit. Defensive measures at this stage include keeping systems updated, using anti-virus software, deploying a host-based intrusion detection system that alerts on or blocks typical installation patterns, and running vulnerability scans continuously.
The next step is lateral movement, in which the attacker moves from the initial foothold to other accounts and systems in order to gain higher privileges and reach more information. This is done by exploiting weak passwords, brute-force attacks, extracting credentials from compromised hosts, and targeting vulnerabilities in other systems (Velimirovic, 2021). Lateral movement is not a separate phase in Lockheed Martin's original seven-step model, which treats it as part of the final actions-on-objectives phase and places command and control before it; it is listed as its own phase here, following Velimirovic (2021). Measures against it include zero-trust security to limit the reach of a compromised account or program, network segmentation to isolate individual systems, eliminating shared accounts, and enforcing password security best practices (Velimirovic, 2021).
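As an added example that is not part of the original essay, the following Python script implements detection logic for the two lateral-movement behaviours described above, run over a handful of constructed authentication log lines. It raises an alert when one source address fails to log on to several distinct hosts within a short window (brute force or password spraying) and when one account logs on successfully to several distinct hosts within a short window (credentials reused from a compromised host). The log line format, the ten-minute window and the threshold of three hosts are assumptions chosen for the illustration.

```python
"""Lateral-movement detection over authentication logs (added illustration).

The log line format, window and threshold are assumptions; the sample lines
below are constructed, not taken from a real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ISO timestamp> host=<host> event=<type> user=<user> src=<ip>"
LINE_RE = re.compile(
    r"^(\S+) host=(\S+) event=(logon_success|logon_failure) user=(\S+) src=(\S+)$"
)


def parse_auth_log(lines):
    """Return (timestamp, host, event, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, host, event, user, src = match.groups()
        events.append((datetime.fromisoformat(ts), host, event, user, src))
    return events


def fan_out(events, key_fn, event_type, window, threshold):
    """Map key -> set of hosts for keys whose `event_type` events reach at least
    `threshold` distinct hosts inside some interval of length `window`."""
    by_key = defaultdict(list)
    for event in events:
        if event[2] == event_type:
            by_key[key_fn(event)].append((event[0], event[1]))
    alerts = {}
    for key, items in by_key.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            hosts = {host for ts, host in items[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                alerts[key] = hosts
                break
    return alerts


def detect_lateral_movement(lines, window=timedelta(minutes=10), threshold=3):
    events = parse_auth_log(lines)
    return {
        # one source failing against many hosts: brute force / password spraying
        "spray_sources": fan_out(events, lambda e: e[4], "logon_failure", window, threshold),
        # one account succeeding on many hosts: reused or stolen credentials
        "hopping_accounts": fan_out(events, lambda e: e[3], "logon_success", window, threshold),
    }


# Constructed sample: svc_backup from 10.0.0.23 fails on three hosts, then succeeds
# on three; bob's single failure followed by a success is ordinary behaviour.
SAMPLE_AUTH_LOG = """
2024-03-01T09:00:00 host=ws01 event=logon_failure user=svc_backup src=10.0.0.23
2024-03-01T09:00:02 host=ws02 event=logon_failure user=svc_backup src=10.0.0.23
2024-03-01T09:00:04 host=fs01 event=logon_failure user=svc_backup src=10.0.0.23
2024-03-01T09:00:06 host=fs01 event=logon_success user=svc_backup src=10.0.0.23
2024-03-01T09:03:00 host=dc01 event=logon_success user=svc_backup src=10.0.0.23
2024-03-01T09:04:00 host=ws07 event=logon_success user=svc_backup src=10.0.0.23
2024-03-01T09:05:00 host=ws03 event=logon_failure user=bob src=10.0.0.41
2024-03-01T09:30:00 host=ws03 event=logon_success user=bob src=10.0.0.41
"""

if __name__ == "__main__":
    for kind, hits in detect_lateral_movement(SAMPLE_AUTH_LOG.splitlines()).items():
        for key, hosts in hits.items():
            print(f"{kind}: {key} -> {sorted(hosts)}")
```

The same fan-out routine serves both rules because both are the same shape of question (how many distinct hosts did one key touch in a short time), which is also why zero trust and segmentation are the right preventive counterparts: they cap the number of hosts any one credential can reach, so the fan-out never grows large enough to matter.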
The seventh phase is command and control. Once the system has been compromised and infected, the malware calls out to the attacker's command and control infrastructure so that the attacker can direct it. The attacker obtains this channel through a beacon over an outbound path such as HTTP or HTTPS, which blends in with regular traffic (Velimirovic, 2021). If the goal is data exfiltration, the attacker bundles the targeted data and stages it in a part of the network with little or no activity. Defensive measures include identifying command and control infrastructure during malware analysis, requiring all outbound traffic, regardless of protocol, to pass through proxies, scanning for threats continuously, and configuring intrusion detection systems to alert when a new program starts contacting the network.
Finally comes the execution phase, called actions on objectives in the original model, in which the attacker carries out the activities that achieve the goal of the intrusion. Common objectives include encrypting, exfiltrating or destroying data. Attackers also cover their tracks: clearing logs, deleting files and metadata, overwriting information with false timestamps, and modifying sensitive information so that it looks normal even while the attack is under way (Velimirovic, 2021). Defensive measures include an incident response playbook that sets out a precise communication plan and how to assess damage once an attack has occurred, tools that detect signs of ongoing data exfiltration, and an immediate analyst response to every alert.

References
How cyber kill chain can be useful for a SOC team? (Part 1). (2020). Logsign. Retrieved from https://www.logsign.com/blog/how-cyber-kill-chain-can-be-useful-for-a-soc-team/
Korolov, M., & Myers, L. (2018). What is the cyber kill chain? Why it's not always the right approach to cyber attacks. CSO Online. Retrieved from https://www.csoonline.com/article/2134037/strategic-planning-erm-the-practicality-of-the-cyber-kill-chain-approach-to-security.html
Spitzner, L. (2019, January 1). Applying security awareness to the cyber kill chain. SANS Institute. Retrieved from https://www.sans.org/blog/applying-security-awareness-to-the-cyber-kill-chain/
Velimirovic, A. (2021, February 10). What is a cyber kill chain and how it works (stages and examples). phoenixNAP. Retrieved from https://phoenixnap.com/blog/cyber-kill-chain
