- Kill Chain Military model – F2T2EA
- Phases of Cyber Kill Chain system
- Final words – Will Kill Chain Tactics Work for Your Organization?
The term Kill Chain was originally a military concept describing the structure of a complete attack: identifying the target, dispatching forces to the area to attack it, making the decision and giving the order to attack, and finally destroying the target.
Conversely, if we have to stop an attack from taking place, the same kill chain methodology lets us identify when the enemy has taken step 1, so that we can take countermeasures and prepare for the battle or defensive action.
Applying the same idea to cyber or Internet security attacks gives us the term Cyber Kill Chain.
The Cyber Kill Chain was introduced by Lockheed Martin, an American global aerospace, defence, security and advanced technologies company. They took the term used by the military, applied it to the information security field and named it the Cyber Kill Chain. The model has seen some reception in the information security community, but acceptance is not universal: critics point to what they believe are fundamental flaws in the model.
Kill Chain Military model – F2T2EA
One military kill chain model is “F2T2EA – Find, Fix, Track, Target, Engage, Assess”, which includes the following phases:
- Find: Finding the target, i.e. where to attack.
- Fix: Fixing their location and preventing them from moving.
- Track: Keeping track of their location and movements.
- Target: Choosing suitable weapons and assets to use on the target to get the desired result.
- Engage: Time to engage in the attack, or as I say, “Fire in the Hole”, and disable the enemy.
- Assess: Time to gather information about the effects of the attack: survey the location and collect as much information and intelligence as possible.
From the defender's side, it is better to stop the attack as soon as possible so that as little information as possible gets away. The less information the attacker has, the lower the chance of a later attack; the more information the attacker has about us, the more likely they are to try to penetrate the system again.
The Cyber Kill Chain takes a similar approach, with successive stages of an attack and corresponding points at which an organization can identify and counter it in cyberspace. It describes both how an attack proceeds and how it can be prevented. It is an end-to-end chain of steps, and interrupting any one stage breaks the whole process. The stages of the Cyber Kill Chain mirror the military F2T2EA approach:
- Reconnaissance: The attacker looks for a way in, attempting to identify vulnerabilities in the target network.
- Weaponization: The intruder creates a malware weapon, such as a worm or virus, tailored to the vulnerabilities found.
- Delivery: Time to deliver the weapon to the target via email, a website or USB drives.
- Exploitation: The malware exploits the vulnerability and opens the way for the intruder to enter the network.
- Installation: The malware, now present on the target, installs an access point for the intruder, such as a backdoor.
- Command and Control: The intruder now has command over the compromised network.
- Actions on Objective: Depending on the intruder's goals, data can be exfiltrated, deleted, encrypted, breached or manipulated.
We have all heard about thefts and burglaries around us, and the cyber kill chain follows a similar process. First the thief finds a way to get into your home, then plans carefully, brings the weapon and tools needed to break the door, and finally leaves with the loot. Similarly, following the cyber kill chain, an attacker enters your network stealthily; to prevent this we need alarms in place at each stage to keep us informed about the attack.
It is really important to stop the attack at the beginning of the chain so that we save cost and time when cleaning up the mess. Once the attacker is inside our network, we may have to fix many machines and re-examine the whole system. Let us now look at the various stages of the cyber kill chain and see how they can help our organization.
Phases of Cyber Kill Chain system:
Reconnaissance: Viewing Your Network From the Outside
This is where intruders attempt to decide what is (and is not) a good target. They try to discover what they can learn about your assets and your network to decide whether attacking you is worth the effort. Usually they want a target that is poorly guarded and holds valuable information they can cash in on. Seen from the defender's side, this stage is about finding out what data an outsider can actually discover about your network and how it could be used against you.
Organizations frequently have more data accessible than they are aware of. Are your employees' names and contact details on the web? Such details are useful to an attacker looking for a way into your network.
This is an exceptionally tricky layer to control, but controlling it is very important to stop the cyber kill chain before it starts.
Weaponization, Delivery, Exploit, Installation: Attempting to Enter
These are the stages where the attacker prepares a war against your network and intrudes by every possible means, having already audited the network from the outside. They have the vulnerabilities in hand. Following the military F2T2EA approach, they now move a step ahead to attack the home network. The more information they gathered in step 1, the higher the risk of a successful social engineering attack: they can use spear-phishing to gain access to your network with the help of information found on employees' LinkedIn or Facebook pages. Once they are in your network, they audit the operating systems, software and applications running there, deliver the payload (malware or a virus) and then install it.
This is where up-to-date hardware and software come into the picture: are all our devices running up-to-date software? If there is a single Windows 98 machine on the premises connected to the internet, bingo! The intruder has found a way to install files on the network.
Email and web filtering can actually help prevent the attacker from delivering the payload to the network. The more security devices and software we have in our network, the better, and the easier it is to prevent the network from being exploited.
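As an added example of the delivery-stage filtering described above (this is illustrative code written for this page, not Lockheed Martin's or any vendor's product), the following Python gateway rule set blocks risky attachment types (including double extensions such as `label.pdf.exe`), quarantines mail from lookalike sender domains and mail whose links point at bare IP addresses, and delivers the rest. The sample messages, the domain `example.com`, the extension list and the thresholds are all assumptions constructed for the example.

```python
import re
from email.utils import parseaddr

# Our own mail domain (assumed value for the example).
OUR_DOMAIN = "example.com"

# Attachment extensions the gateway refuses outright (illustrative list).
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "docm", "xlsm", "pptm"}

# Matches a URL whose host is a bare IPv4 address instead of a hostname.
IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")

# Constructed sample messages standing in for what a mail gateway sees after
# parsing the headers and MIME parts; none of these addresses or domains are real.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "IT Helpdesk <helpdesk@example.com>",
     "attachments": ["policy.pdf"], "links": ["https://intranet.example.com/policy"]},
    {"id": "m2", "from": "CEO <ceo@example.com.lookalike.test>",
     "attachments": [], "links": ["http://203.0.113.5/login"]},
    {"id": "m3", "from": "Vendor <billing@vendor.test>",
     "attachments": ["invoice.docm"], "links": []},
    {"id": "m4", "from": "Courier <track@courier.test>",
     "attachments": ["label.pdf.exe"], "links": ["https://courier.test/track"]},
]


def attachment_findings(names):
    """Flag attachments by final extension; note double extensions like name.pdf.exe."""
    findings = []
    for name in names:
        parts = name.lower().split(".")
        ext = parts[-1] if len(parts) > 1 else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type .{ext}: {name}")
            if len(parts) > 2:
                findings.append(f"double extension disguises executable: {name}")
    return findings


def sender_findings(from_header):
    """Flag sender domains that merely start with our domain (lookalike domains)."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain != OUR_DOMAIN and domain.startswith(OUR_DOMAIN + "."):
        return [f"lookalike sender domain: {domain}"]
    return []


def link_findings(urls):
    """Flag links that point at a raw IP address rather than a hostname."""
    return [f"link to bare IP address: {url}" for url in urls if IP_URL.match(url)]


def evaluate(message):
    """Return (verdict, findings): block on attachment hits, quarantine on sender/link hits."""
    att = attachment_findings(message["attachments"])
    other = sender_findings(message["from"]) + link_findings(message["links"])
    if att:
        return "block", att + other
    if other:
        return "quarantine", other
    return "deliver", []


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, findings = evaluate(msg)
        print(msg["id"], verdict, findings)
```

The point of separating "block" from "quarantine" is that attachment rules are cheap and rarely wrong, while sender and link heuristics produce false positives and deserve a human look before mail is dropped. A real gateway would add attachment content inspection and sandboxing on top of these name-based checks.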
Command & Control: The Threat is Checking In
Now the threat is inside your network; it will contact the intruder and await instructions. Over this C&C channel the intruder may tell it to download additional components. All of this requires network traffic, so the question is: do we have a firewall that can alert us to every new program contacting the network?
At this point the threat has reached far behind enemy lines. We may now have to spend a lot of time, money and effort cleaning the affected machines, and we may need forensics help to determine the real damage. It is cheaper and faster if backups have been taken: affected machines can be quickly restored from backup so that the organization continues to work efficiently.
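To show what "alert us on every new program contacting the network" can look like in practice, here is an added example (written for this page, not code from the original article or from any firewall vendor) that runs two C&C detections over constructed egress log lines: a first-seen check that flags any (process, destination) pair not in an approved baseline, and a beaconing check that flags connections repeating at near-constant intervals. The log format, the hostnames, the processes, the baseline and the documentation-range addresses are all assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log lines in an assumed format; they are not
# the output of any real firewall. Addresses come from documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:00 host=ws-17 proc=outlook.exe dst=203.0.113.10:443
2024-05-01T09:00:05 host=ws-17 proc=chrome.exe dst=203.0.113.20:443
2024-05-01T09:01:00 host=ws-17 proc=svchost.exe dst=198.51.100.5:443
2024-05-01T09:02:00 host=ws-17 proc=svchost.exe dst=198.51.100.5:443
2024-05-01T09:03:00 host=ws-17 proc=svchost.exe dst=198.51.100.5:443
2024-05-01T09:04:00 host=ws-17 proc=svchost.exe dst=198.51.100.5:443
2024-05-01T09:05:00 host=ws-17 proc=svchost.exe dst=198.51.100.5:443
2024-05-01T09:05:12 host=ws-17 proc=updater.exe dst=203.0.113.30:8080
"""

# (process, destination) pairs already reviewed and approved (assumed baseline).
BASELINE = {
    ("outlook.exe", "203.0.113.10:443"),
    ("chrome.exe", "203.0.113.20:443"),
}


def parse_line(line):
    """Split one log line into (timestamp, host, process, destination)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["host"], fields["proc"], fields["dst"]


def first_seen_alerts(lines, baseline):
    """Alert once for every (process, destination) pair not in the baseline."""
    seen = set(baseline)
    alerts = []
    for line in lines:
        _, host, proc, dst = parse_line(line)
        if (proc, dst) not in seen:
            seen.add((proc, dst))
            alerts.append((host, proc, dst))
    return alerts


def beacon_alerts(lines, min_events=4, max_jitter=0.2):
    """Alert on (host, process, destination) tuples that connect at near-constant intervals.

    Jitter is the standard deviation of the gaps between connections divided by
    their mean; an implant polling its C&C server on a timer produces a very low value.
    """
    stamps = defaultdict(list)
    for line in lines:
        ts, host, proc, dst = parse_line(line)
        stamps[(host, proc, dst)].append(ts)
    alerts = []
    for key, times in stamps.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            alerts.append((key, round(mean)))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for alert in first_seen_alerts(lines, BASELINE):
        print("first-seen:", alert)
    for key, period in beacon_alerts(lines):
        print(f"beacon every ~{period}s:", key)
```

Both checks are triage signals rather than verdicts: browsers contact many destinations, so in practice they are baselined per process rather than per destination, and legitimate updaters also poll on timers. The value of the kill chain view is that a first-seen or beaconing alert at this stage still arrives before the "actions on objective" stage, while the damage is limited to the machines that have checked in.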
Actions: Time to Wreak Havoc
If the attacker has reached this level of the cyber kill chain, it is to steal your data or to use your machines for DDoS traffic. An intruder can also steal CPU cycles for other purposes. It is time to take the threat out of the network and limit the damage.
Final words – Will Kill Chain Tactics Work for Your Organization?
If there are no security or countermeasures in the network, fighting back against a kill chain attack is very difficult. We can take smaller measures and create network policies for dealing with malware events. We must hold formal and informal knowledge-sharing sessions with employees to make them aware of phishing and suspicious emails.
With each step taken, you will get more data about your network's condition, and the more data you have, the more likely you are to be able to recognize abnormal behaviour.