Cyber Kill Chain
The Cyber Kill Chain is a cybersecurity framework, published by Lockheed Martin, that breaks an intrusion on a computer network into stages and maps defensive courses of action to each stage.
The attacker performs reconnaissance, intrudes through the security perimeter, exploits vulnerabilities, gains and escalates privileges, moves laterally to reach more valuable targets, attempts to obfuscate their activity, and finally exfiltrates data from the organization.
The courses-of-action matrix below pairs each stage with the controls available at each layer (Detect, Deny, Disrupt, Degrade, Deceive, Contain).

Stage 1, Reconnaissance: Intruder picks a target, researches it, and looks for vulnerabilities.
  Detect: Web Analytics; Threat Intelligence; Network Intrusion Detection System
  Deny: Information Sharing Policy; Firewall Access Control Lists

Stage 2, Weaponization: Intruder develops malware designed to exploit the vulnerability.
  Detect: Threat Intelligence; Network Intrusion Detection System
  Deny: Network Intrusion Prevention System

Stage 3, Delivery: Intruder transmits the malware via a phishing email or another medium.
  Detect: Endpoint Malware Protection
  Deny: Change Management; Application Whitelisting; Proxy Filter; Host-Based Intrusion Prevention System
  Disrupt: Inline Anti-Virus
  Degrade: Queuing
  Contain: Router Access Control Lists; App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

Stage 4, Exploitation: The malware begins executing on the target system.
  Detect: Endpoint Malware Protection; Host-Based Intrusion Detection System
  Deny: Secure Password; Patch Management
  Disrupt: Data Execution Prevention
  Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

Stage 5, Installation: The malware installs a backdoor or other ingress accessible to the attacker.
  Detect: Security Information and Event Management (SIEM); Host-Based Intrusion Detection System
  Deny: Privilege Separation; Strong Passwords; Two-Factor Authentication
  Disrupt: Router Access Control Lists
  Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

Stage 6, Command and Control: The intruder gains persistent access to the victim's systems/network.
  Detect: Network Intrusion Detection System; Host-Based Intrusion Detection System
  Deny: Firewall Access Control Lists; Network Segmentation
  Disrupt: Host-Based Intrusion Prevention System
  Degrade: Tarpit
  Deceive: Domain Name System Redirect
  Contain: Trust Zones; Domain Name System Sinkholes

Stage 7, Actions on Objectives: Intruder initiates end goal actions, such as data theft, data corruption, or data destruction.
  Detect: Endpoint Malware Protection
  Deny: Data-at-Rest Encryption
  Disrupt: Endpoint Malware Protection
  Degrade: Quality of Service
  Deceive: Honeypot
  Contain: Incident Response

Stage 8, Exfiltration:
  Detect: Data Loss Prevention; Security Information and Event Management (SIEM)
  Deny: Egress Filtering
  Disrupt: Data Loss Prevention
  Contain: Firewall Access Control Lists
To apply the Cyber Kill Chain, Lockheed Martin provides the following layers of control implementation:
Detect: Determine when and how an attacker is performing recon against your organization or network.
Deny: Stop the attack from occurring by preventing information disclosure or unauthorized access.
Disrupt: Change or stop the flow of information or exfiltration of data to the attacker.
Degrade: Limit the effectiveness or efficiency of an attack.
Deceive: Interfere with an attack using misdirection or misinformation.
For our purposes, we’ll add one more layer:
Contain: Limit the scope of an attack to particular segments of your network or organization.
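The matrix and the six action layers are most useful when held as data, so that an organisation's deployed controls can be checked against every cell. The following Python script is an added example, not part of the original page or of Lockheed Martin's material: it transcribes the page's courses-of-action matrix (using abbreviations such as NIDS, HIPS, ACL and EMP for the longer control names), takes a constructed inventory of deployed controls, and reports per stage how many action layers are covered, which matrix cells have no deployed control, and, for an intrusion first noticed at a given stage, which earlier stages had no Detect control at all. The stage names and the DEPLOYED inventory are assumptions made for the example.

```python
"""Gap analysis over the Cyber Kill Chain courses-of-action matrix (added example)."""

# Kill chain stages in the page's row order. Rows 1-7 use the standard
# Lockheed Martin stage names; the last row is the page's separate
# exfiltration row (Data Loss Prevention / Egress Filtering). Assumed labels.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives",
          "Exfiltration"]

# Matrix transcribed from the page: stage -> action layer -> candidate controls.
# Abbreviations: NIDS/NIPS/HIDS/HIPS = network/host intrusion detection/prevention
# system, ACL = access control list, EMP = endpoint malware protection.
MATRIX = {
    "Reconnaissance": {
        "Detect": {"Web Analytics", "Threat Intelligence", "NIDS"},
        "Deny": {"Information Sharing Policy", "Firewall ACL"}},
    "Weaponization": {
        "Detect": {"Threat Intelligence", "NIDS"},
        "Deny": {"NIPS"}},
    "Delivery": {
        "Detect": {"EMP"},
        "Deny": {"Change Management", "Application Whitelisting", "Proxy Filter", "HIPS"},
        "Disrupt": {"Inline Anti-Virus"},
        "Degrade": {"Queuing"},
        "Contain": {"Router ACL", "App-aware Firewall", "Trust Zones", "Inter-zone NIDS"}},
    "Exploitation": {
        "Detect": {"EMP", "HIDS"},
        "Deny": {"Secure Password", "Patch Management"},
        "Disrupt": {"Data Execution Prevention"},
        "Contain": {"App-aware Firewall", "Trust Zones", "Inter-zone NIDS"}},
    "Installation": {
        "Detect": {"SIEM", "HIDS"},
        "Deny": {"Privilege Separation", "Strong Passwords", "Two-Factor Authentication"},
        "Disrupt": {"Router ACL"},
        "Contain": {"App-aware Firewall", "Trust Zones", "Inter-zone NIDS"}},
    "Command and Control": {
        "Detect": {"NIDS", "HIDS"},
        "Deny": {"Firewall ACL", "Network Segmentation"},
        "Disrupt": {"HIPS"},
        "Degrade": {"Tarpit"},
        "Deceive": {"DNS Redirect"},
        "Contain": {"Trust Zones", "DNS Sinkholes"}},
    "Actions on Objectives": {
        "Detect": {"EMP"},
        "Deny": {"Data-at-Rest Encryption"},
        "Disrupt": {"EMP"},
        "Degrade": {"Quality of Service"},
        "Deceive": {"Honeypot"},
        "Contain": {"Incident Response"}},
    "Exfiltration": {
        "Detect": {"Data Loss Prevention", "SIEM"},
        "Deny": {"Egress Filtering"},
        "Disrupt": {"Data Loss Prevention"},
        "Contain": {"Firewall ACL"}},
}

# Constructed inventory of controls an organisation has actually deployed.
DEPLOYED = frozenset({"Firewall ACL", "NIDS", "EMP", "Patch Management", "SIEM",
                      "Two-Factor Authentication", "Trust Zones", "Proxy Filter"})


def coverage(deployed=DEPLOYED):
    """stage -> action -> sorted list of matrix controls that are deployed."""
    return {stage: {action: sorted(controls & deployed)
                    for action, controls in layers.items()}
            for stage, layers in MATRIX.items()}


def gaps(deployed=DEPLOYED):
    """Cells where the matrix offers a control but nothing is deployed."""
    return [(stage, action)
            for stage, layers in coverage(deployed).items()
            for action, present in layers.items() if not present]


def depth(deployed=DEPLOYED):
    """Distinct action layers with at least one deployed control, per stage."""
    return {stage: sum(1 for present in layers.values() if present)
            for stage, layers in coverage(deployed).items()}


def earlier_detect_gaps(first_seen_at, deployed=DEPLOYED):
    """Earlier stages with no deployed Detect control: where an intrusion first
    noticed at `first_seen_at` had no chance of being seen sooner."""
    cov = coverage(deployed)
    return [s for s in STAGES[:STAGES.index(first_seen_at)]
            if not cov[s].get("Detect")]


if __name__ == "__main__":
    for stage, n in depth().items():
        print(f"{stage:22} action layers covered: {n}")
    for stage, action in gaps():
        print(f"gap: {stage} / {action}")
    print("no Detect control before C2:", earlier_detect_gaps("Command and Control"))
```

With the constructed inventory, every stage keeps at least one Detect control, so an intrusion first seen at Command and Control has no earlier blind spot, but fourteen cells of the matrix are empty, and Disrupt, Degrade and Deceive are almost entirely uncovered; that per-layer view, rather than a count of products, is what the matrix is meant to expose.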