Cyber Kill Chain

The Cyber Kill Chain is a framework from Lockheed Martin that models an intrusion as a chain of seven phases, so that defenders can map detection and mitigation controls to each phase and break the chain before the attacker reaches their objective.

Overview

The attacker performs reconnaissance, breaches the security perimeter, exploits vulnerabilities, gains and escalates privileges, moves laterally to reach more valuable targets, attempts to obfuscate their activity, and finally exfiltrates data from the organization. The seven phases below model that sequence; for each phase, the Courses of Action matrix lists the controls that can detect it or interrupt it.

Reconnaissance: Intruder picks a target, researches it, and looks for vulnerabilities

  • Detect: Web Analytics; Threat Intelligence; Network Intrusion Detection System

  • Deny: Information Sharing Policy; Firewall Access Control Lists

Weaponization: Intruder builds malware (an exploit coupled with a payload) designed to exploit the vulnerability

  • Detect: Threat Intelligence; Network Intrusion Detection System

  • Deny: Network Intrusion Prevention System

Delivery: Intruder transmits the malware via a phishing email or another medium

  • Detect: Endpoint Malware Protection

  • Deny: Change Management; Application Whitelisting; Proxy Filter; Host-Based Intrusion Prevention System

  • Disrupt: Inline Anti-Virus

  • Degrade: Queuing

  • Contain: Router Access Control Lists; App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

Exploitation: The exploit triggers and the malware begins executing on the target system

  • Detect: Endpoint Malware Protection; Host-Based Intrusion Detection System

  • Deny: Secure Password; Patch Management

  • Disrupt: Data Execution Prevention

  • Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

Installation: The malware installs a backdoor or other ingress accessible to the attacker

  • Detect: Security Information and Event Management (SIEM); Host-Based Intrusion Detection System

  • Deny: Privilege Separation; Strong Passwords; Two-Factor Authentication

  • Disrupt: Router Access Control Lists

  • Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

Command and Control (C2): The implant opens a channel to attacker-controlled infrastructure, giving the intruder persistent remote access to the victim’s systems/network

  • Detect: Network Intrusion Detection System; Host-Based Intrusion Detection System

  • Deny: Firewall Access Control Lists; Network Segmentation

  • Disrupt: Host-Based Intrusion Prevention System

  • Degrade: Tarpit

  • Deceive: Domain Name System Redirect

  • Contain: Trust Zones; Domain Name System Sinkholes

Actions on Objectives: Intruder carries out end-goal actions, such as data theft, data corruption, or data destruction

  • Detect: Endpoint Malware Protection; Data Loss Prevention; Security Information and Event Management (SIEM)

  • Deny: Data-at-Rest Encryption; Egress Filtering

  • Disrupt: Endpoint Malware Protection; Data Loss Prevention

  • Degrade: Quality of Service

  • Deceive: Honeypot

  • Contain: Incident Response; Firewall Access Control Lists

Miscellaneous

(Figure: an example of indicators matched across the Cyber Kill Chain phases)

Courses of Action Matrix

(Figure: security controls you can use to stop the Kill Chain; the per-phase lists above are the text form of this matrix)

To apply the Cyber Kill Chain, Lockheed Martin’s Courses of Action matrix pairs each phase with controls at the following layers:

  • Detect: Determine when and how an attacker is acting against your organization or network, at any phase of the chain, not only during reconnaissance.

  • Deny: Stop the attack from occurring by preventing information disclosure or unauthorized access.

  • Disrupt: Change or stop the flow of information or exfiltration of data to the attacker.

  • Degrade: Limit the effectiveness or efficiency of an attack.

  • Deceive: Interfere with an attack using misdirection or misinformation.

For our purposes, we’ll add one more layer (Lockheed Martin’s original matrix lists Destroy as a sixth action, which most defenders cannot exercise):

  • Contain: Limit the scope of an attack to particular segments of your network or organization.
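To make the matrix concrete, here is an added example (not from the original page, and not Lockheed Martin’s tooling) that reconstructs an intrusion from a handful of constructed log lines: each indicator is mapped to a phase, the earliest phase with a sighting is found, and the controls at that phase are reported as the place the chain could have been broken. The log format, hostnames, domains, detection patterns and the subset of controls are all assumptions made for the illustration.

```python
"""Kill-chain analysis over constructed log lines.

Added example, not from the original page. Phase and control names follow the
Courses of Action matrix above; the log formats, hostnames, domains and
detection rules are invented for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# The seven phases, in chain order.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# A subset of the matrix above: controls that would stop the intrusion at a
# given phase, keyed by layer.
COURSES_OF_ACTION: Dict[str, Dict[str, List[str]]] = {
    "Delivery": {"Deny": ["Proxy Filter"], "Disrupt": ["Inline Anti-Virus"]},
    "Exploitation": {"Deny": ["Patch Management"], "Disrupt": ["Data Execution Prevention"]},
    "Installation": {"Deny": ["Privilege Separation"], "Detect": ["Host-Based Intrusion Detection System"]},
    "Command and Control": {"Deceive": ["Domain Name System Redirect"], "Contain": ["Domain Name System Sinkholes"]},
    "Actions on Objectives": {"Deny": ["Egress Filtering"], "Disrupt": ["Data Loss Prevention"]},
}

# Detection rules (phase, pattern) for the constructed log format below:
# "<timestamp> <source> key=value ...". First matching rule wins.
RULES: List[Tuple[str, re.Pattern]] = [
    ("Delivery", re.compile(r"\bproxy\b.*\bGET \S+\.(docm|xlsm|hta|iso)\b")),
    ("Exploitation", re.compile(r"\bedr\b.*parent=(WINWORD|EXCEL|OUTLOOK)\.EXE child=(cmd|powershell|wscript)\.exe")),
    ("Installation", re.compile(r"\bedr\b.*event=(schtask_create|run_key_set|service_install)\b")),
    ("Command and Control", re.compile(r"\bdns\b.*verdict=known_c2\b")),
    ("Actions on Objectives", re.compile(r"\bfw\b.*dir=out\b.*bytes=\d{8,}\b")),
]

# Constructed sample: one workstation compromised via a macro document.
# The scheduled-task creation was never logged, so Installation is invisible.
SAMPLE_LOGS = [
    "2024-05-01T09:12:03Z proxy src=10.0.5.23 GET http://files.example.test/invoice.docm status=200",
    "2024-05-01T09:13:41Z edr host=WS-023 parent=WINWORD.EXE child=powershell.exe cmdline=-nop -w hidden",
    "2024-05-01T09:14:10Z dns src=10.0.5.23 query=cdn-update.example.test type=A verdict=known_c2",
    "2024-05-01T11:02:00Z fw src=10.0.5.23 dst=203.0.113.9 dir=out bytes=73400320 proto=tcp/443",
    "2024-05-01T11:05:00Z proxy src=10.0.5.40 GET http://intranet.example.test/index.html status=200",
]


def classify(line: str) -> Optional[str]:
    """Return the kill-chain phase an event indicates, or None if benign/unknown."""
    for phase, pattern in RULES:
        if pattern.search(line):
            return phase
    return None


def analyze(lines: List[str]) -> Dict[str, object]:
    """Reconstruct the chain from indicators and decide where it could have been broken.

    Returns the timeline of sightings, the phases observed in chain order, the
    earliest observed phase, the phases before it (no visibility at all), the
    phases between first and last sighting with no indicator (a logging gap),
    and the controls at the earliest phase that would have stopped the chain.
    """
    timeline = []
    for line in lines:
        phase = classify(line)
        if phase:
            timeline.append((line.split(" ", 1)[0], phase))
    observed = [p for p in PHASES if any(p == t[1] for t in timeline)]
    earliest = observed[0] if observed else None
    missed_before = PHASES[:PHASES.index(earliest)] if earliest else list(PHASES)
    gaps: List[str] = []
    if observed:
        lo, hi = PHASES.index(observed[0]), PHASES.index(observed[-1])
        gaps = [p for p in PHASES[lo:hi + 1] if p not in observed]
    return {
        "timeline": timeline,
        "observed": observed,
        "earliest": earliest,
        "missed_before": missed_before,
        "gaps": gaps,
        "stop_here": COURSES_OF_ACTION.get(earliest, {}) if earliest else {},
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for ts, phase in result["timeline"]:
        print(f"{ts}  {phase}")
    print("earliest detected phase:", result["earliest"])
    print("no visibility before it:", ", ".join(result["missed_before"]))
    print("logging gaps in the chain:", ", ".join(result["gaps"]) or "none")
    for layer, controls in result["stop_here"].items():
        print(f"  {layer}: {', '.join(controls)}")
```

Run it as a script to print the timeline. Phases between the first and last sighting that produced no indicator (Installation here) show where logging is missing; phases before the first sighting show where the defender had no visibility at all. The point of the model is to push the first detection, and the control that breaks the chain, as far left as possible: in this sample a proxy filter or inline anti-virus at Delivery would have ended the intrusion before any host was touched.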
