What is the Cyber Kill Chain®?
- What is the Cyber Kill Chain?
- What are the 7 Cyber Kill Chain steps?
- Cyber Kill Chain vs. MITRE ATT&CK®: What's the difference?
- Challenges
What is the Cyber Kill Chain?
Originally developed by Lockheed Martin, the Cyber Kill Chain model outlines every step taken by an adversary to successfully infiltrate a network and carry out a cyberattack. It is a widely accepted framework in the cybersecurity industry for comprehending how adversaries might target an organization's network.
The Cyber Kill Chain also assists IT security teams in developing defense strategies and techniques to prevent or thwart attacks during different stages. It is extremely beneficial to security professionals since it makes it easier to implement strong remediation measures and critical security procedures, strengthening the security of organizations.
The main objective of the Cyber Kill Chain framework is to enhance organizations' defenses against advanced persistent threats (APTs), which are sophisticated, multi-stage cyberattacks. To reach the attacker's goal, these attacks typically combine malware, ransomware, Trojans, spoofing, and social engineering techniques.
What are the 7 Cyber Kill Chain steps?
- Reconnaissance: Harvesting email addresses, conference information, etc.
- Weaponization: Coupling an exploit with a backdoor into a deliverable payload.
- Delivery: Delivering the weaponized bundle to the victim via email, web, USB, etc.
- Exploitation: Exploiting a vulnerability to execute code on the victim's system.
- Installation: Installing malware on the asset.
- Command & control (C2): Command channel for remote manipulation of the victim.
- Actions on objectives: With "hands on keyboard" access, intruders accomplish their original goals.
Command & control (C2)
The C2 stage is when the adversary communicates with the compromised system or network. After installing the programs and backdoors, the adversary takes control of the system and launches whatever attack they have planned.
Actions taken at this stage serve one purpose: keeping control over the compromised target. This can take many forms, including planting ransomware or other malware, or staging the tools used for later data exfiltration.
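Because the C2 stage depends on the implant talking back to the adversary, it is one of the phases where a defender can disrupt the chain. The following added example (not from the original page or from Lockheed Martin) shows one common detection approach: scanning outbound proxy log lines for client/destination pairs that connect at suspiciously regular intervals, the "beaconing" pattern typical of C2 channels. The log format, hostnames, IP addresses and thresholds are all constructed for illustration.

```python
"""Beaconing (C2) detection over constructed proxy log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log; each line is "<timestamp> <client_ip> <destination> <bytes>".
# One host polls the same destination roughly every 60 seconds; another browses irregularly.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 updates.example.net 512
2024-05-01T10:00:03 10.0.0.5 cdn.example.com 80211
2024-05-01T10:01:00 10.0.0.5 updates.example.net 514
2024-05-01T10:01:41 10.0.0.7 mail.example.com 2040
2024-05-01T10:02:00 10.0.0.5 updates.example.net 511
2024-05-01T10:02:59 10.0.0.5 updates.example.net 513
2024-05-01T10:04:00 10.0.0.5 updates.example.net 512
2024-05-01T10:05:00 10.0.0.5 updates.example.net 515
2024-05-01T10:07:12 10.0.0.7 mail.example.com 3302
2024-05-01T10:15:30 10.0.0.7 mail.example.com 1890
2024-05-01T10:30:02 10.0.0.7 mail.example.com 4400
"""


def parse_log(text):
    """Yield (timestamp, client, destination, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], size


def find_beacons(text, min_events=5, max_jitter=0.2):
    """Return {(client, destination): (mean_interval_seconds, jitter)} for pairs whose
    connection intervals are regular enough to suggest a C2 beacon.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: near 0 means clockwork-regular traffic. Thresholds
    are constructed defaults; tune them against your own baseline."""
    times = defaultdict(list)
    for ts, client, dest, _ in parse_log(text):
        times[(client, dest)].append(ts)

    findings = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:  # too few observations to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing to measure
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings[pair] = (round(avg, 1), round(jitter, 3))
    return findings


if __name__ == "__main__":
    for (client, dest), (avg, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {client} -> {dest} every ~{avg}s (jitter {jitter})")
```

On the constructed log this flags only `10.0.0.5 -> updates.example.net` (six connections about 60 seconds apart); the mail traffic from `10.0.0.7` is both too sparse and too irregular to match. In practice a hit like this is a lead, not a verdict: legitimate software updaters also poll on a schedule, so the destination's reputation, the client's role and the bytes transferred per connection decide whether it is escalated.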
Cyber Kill Chain vs. MITRE ATT&CK®: What's the difference?
The Cyber Kill Chain and the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework are both cybersecurity models for understanding and dealing with cyberthreats. Although both strive to help organizations identify and protect against these attacks, their emphasis and actual applications differ.
The Cyber Kill Chain focuses on outlining the phases of a cyberattack, offering a strategic overview to comprehend and disrupt attacks at various stages. In contrast, MITRE ATT&CK serves as a knowledge base detailing the tactics, techniques, and procedures of adversaries across different attack stages.
While the Cyber Kill Chain delves into the overall life cycle of an attack, MITRE ATT&CK provides an intricate, technical perspective on the specific methods adversaries employ. MITRE ATT&CK allows organizations to bolster their defenses and detection capabilities by aligning them with real-world attack patterns.
In conclusion, while both the Cyber Kill Chain and the MITRE ATT&CK architecture are useful tools for analyzing and responding to cyberthreats, their approaches and focuses differ. The Cyber Kill Chain focuses on attack stages, whereas the MITRE ATT&CK framework classifies threats based on the techniques and tactics of attackers.
Challenges
Despite the Cyber Kill Chain model being a widely accepted framework, experts have pointed out a few drawbacks. A couple of challenges of the framework are as follows:
- Failing to identify insider threats: It's important to highlight that the model is incapable of recognizing insider threats or unauthorized access through remote means. This limitation arises because such threats don't involve malicious software or payloads. Given that the Cyber Kill Chain model is specifically designed for detecting and preventing malware, it proves ineffective in such scenarios. The range of network-impacting threats that fall outside the Cyber Kill Chain's effectiveness is extensive.
- Failing to be flexible: Adversaries need not adhere to the Cyber Kill Chain playbook in a linear or sequential manner. They always have the option to skip, rearrange, or revisit stages.