Cyber Kill Chain

It is a cybersecurity framework that offers a method to deal with the intrusions on a computer network.

Overview

The attacker performs reconnaissance, intrusion of the security perimeter, exploitation of vulnerabilities, gaining and escalating privileges, lateral movement to gain access to more valuable targets, attempts to obfuscate their activity, and finally exfiltrate data from the organization.

➖ Reconnaissance

Intruder picks a target, researches it, and looks for vulnerabilities

Reconnaissance

• Detect: Web Analytics; Threat Intelligence; Network Intrusion Detection System

• Deny: Information Sharing Policy; Firewall Access Control Lists

➖Weaponization

Intruder develops malware designed to exploit the vulnerability

Weaponization

• Detect: Threat Intelligence; Network Intrusion Detection System

• Deny: Network Intrusion Prevention System

➖Delivery

Intruder transmits the malware via a phishing email or another medium

Delivery

• Detect: Endpoint Malware Protection

• Deny: Change Management; Application Whitelisting; Proxy Filter; Host-Based Intrusion Prevention System

• Disrupt: Inline Anti-Virus

• Degrade: Queuing

• Contain: Router Access Control Lists; App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

➖Exploitation

The malware begins executing on the target system

Exploitation

Exploitation-Cont...

• Detect: Endpoint Malware Protection; Host-Based Intrusion Detection System

• Deny: Secure Password; Patch Management

• Disrupt: Data Execution Prevention

• Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

➖Installation

The malware installs a backdoor or other ingress accessible to the attacker

Installation

• Detect: Security Information and Event Management (SIEM); Host-Based Intrusion Detection System

• Deny: Privilege Seperation; Strong Passwords; Two-Factor Authentication

• Disrupt: Router Access Control Lists

• Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

➖Command and Control

The intruder gains persistent access to the victim’s systems/network

C2

• Detect: Network Intrusion Detection System; Host-Based Intrusion Detection System

• Deny: Firewall Access Control Lists; Network Segmentation

• Disrupt: Host-Based Intrusion Prevention System

• Degrade: Tarpit

• Deceive: Domain Name System Redirect

• Contain: Trust Zones; Domain Name System Sinkholes

➖Actions on Objective

Intruder initiates end goal actions, such as data theft, data corruption, or data destruction

Actions On Objectives

• Detect: Endpoint Malware Protection

• Deny: Data-at-Rest Encryption

• Disrupt: Endpoint Malware Protection

• Degrade: Quality of Service

• Deceive: Honeypot

• Contain: Incident Response

➖Exfiltration

• Detect: Data Loss Prevention; Security Information and Event Management (SIEM)

• Deny: Egress Filtering

• Disrupt: Data Loss Prevention

• Contain: Firewall Access Control Lists

➖➖➖➖➖➖➖-❌- ➖➖➖➖➖➖➖

Miscellaneous

An example of indicators matched in CKC

Courses of Action Matrix

Courses of action Matrix

Security controls you can use to stop the Kill Chain

To apply the Cyber Kill Chain, Lockheed Martin provides the following layers of control implementation:

• Detect: Determine when and how an attacker is performing recon against your organization or network.

• Deny: Stop the attack from occurring by preventing information disclosure or unauthorized access.

• Disrupt: Change or stop the flow of information or exfiltration of data to the attacker.

• Degrade: Limit the effectiveness or efficiency of an attack.

• Deceive: Interfere with an attack using misdirection or misinformation.

For our purposes, we’ll add one more layer:

• Contain: Limit the scope of an attack to particular segments of your network or organization.

Reference

Click Here