Monday, April 30, 2018

Cyber kill chain - Oh what a fancy thing it is!

Let's say I manage a network. One of my systems was publicly accessible and someone has managed to exploit a vulnerability in it using the MS17-010 (EternalBlue) exploit. As the network manager, I can see some egress traffic on my SMB port and have now found that my system is communicating with an external IP address (possibly someone's Command and Control server).

The question is: what do I do now?
Should I call the incident response team that does not even exist? Should I shut down the whole network? Should I start reading my organizational policy to figure out what I am supposed to do, or should I start to cry, since the attacker could be planning to drop WannaCry or the like into the network?

That's exactly when you would need a Cyber Kill Chain.

So, what exactly is it?

The Cyber Kill Chain is basically a framework, part of the intelligence-driven defense model, for identifying and preventing cyber intrusion activity. It is also commonly referred to as the cyber attack lifecycle, since it describes the stages an intrusion goes through and where each stage can be detected and stopped. The model itself, the Cyber Kill Chain framework, was developed by Lockheed Martin and is commonly used for the identification and prevention of cyber intrusions.

Should I even care about the Cyber Kill Chain?
If you are an organization or individual that maintains and manages the flow of data in and out of a network... in short, ya; sorta!

Let's get back to the thrill, an inside view of an attack:

Usually, an attack starts with passive recon, then active recon, and then the real attack happens: the attacker expands the attack surface, exploits it, moves into the post-exploitation phase, creates a backdoor, exfiltrates the data and clears their tracks. Lockheed Martin defines these phases as Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.

Source: Lockheed Martin

Back to the imaginary network that I manage: as the next steps, the attacker creates a new backdoor and is now scanning the internal network for lateral movement. The attacker gets access to my internal database server or the like, exfiltrates the data, tries to clean up the traces and walks away, their need fulfilled for now, since they already have a backdoor which they can come back to at any time they want.

This is just a simple idea of what could happen here; there could be hundreds or maybe thousands of possibilities for what the attacker might be doing or wanting to do, depending on what information the organization/individual holds and on the motive of the attacker.

In some cases, with sophisticated attackers as in APT attacks, the attackers do not follow these steps; they sometimes skip steps or add their own, making the visible attack just a diversion, and finding the real attacker's activity becomes like looking for a needle in a haystack. For example, a DDoS attack could be used by attackers as a diversionary manoeuvre, creating an immense number of events in the logs and making the actual event harder to find.

The Cyber Kill Chain helps by suggesting preventive measures for each of these stages. To break the chain: if there is an event or anything that seems suspicious, start digging into it. If you feel that a genuine attack is happening, triage the incident. Figure out how the attacker got inside the system, or how the attacker is trying to get in. To stop possible future damage, gather the forensic investigation / incident report and work out how to stop this type of attack in future. There are certain technologies that help in killing the attack chain, like antispam, web filtering, intrusion prevention and detection, antivirus, SIEM, DBAM, next generation firewalls, data loss prevention and others.
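As an added example (not part of the original post), here is a small Python script that does the "start digging" step on sample flow records: it parses constructed firewall-style flow lines and maps the SMB activity from the scenario above to the kill chain stage it fits. The internal network ranges, the flow line format and the three-target threshold for calling something lateral movement are assumptions for the demo.

```python
import ipaddress
from collections import defaultdict

# Networks I treat as "inside" (assumption for this demo); anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SMB_PORT = 445
SCAN_THRESHOLD = 3  # distinct internal SMB targets from one host before I call it lateral movement

# Constructed flow records, not captured from any real network:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <direction>"
SAMPLE_FLOWS = """\
2018-04-30T10:01:12 10.0.0.5 203.0.113.50 443 out
2018-04-30T10:02:40 203.0.113.7 10.0.0.5 445 in
2018-04-30T10:03:05 10.0.0.5 203.0.113.7 445 out
2018-04-30T10:03:09 10.0.0.5 10.0.0.9 445 out
2018-04-30T10:03:10 10.0.0.5 10.0.0.10 445 out
2018-04-30T10:03:11 10.0.0.5 10.0.0.11 445 out
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Turn the whitespace-separated flow lines into (ts, src, dst, dport, direction) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, direction = line.split()
        flows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), direction))
    return flows

def map_to_kill_chain(flows):
    """Return (timestamp, stage, detail) findings for SMB flows that match a kill chain stage."""
    findings = []
    smb_targets = defaultdict(set)  # internal source host -> internal SMB hosts it has touched
    for ts, src, dst, dport, direction in flows:
        if dport != SMB_PORT:
            continue
        if direction == "in" and not is_internal(src):
            # Exposed SMB service reached from outside: the Delivery/Exploitation step
            findings.append((ts, "Exploitation", f"inbound SMB from {src} to {dst}"))
        elif direction == "out" and not is_internal(dst):
            # Egress SMB to an external host: the Command and Control step from the scenario
            findings.append((ts, "Command and Control", f"outbound SMB from {src} to {dst}"))
        elif is_internal(src) and is_internal(dst):
            smb_targets[src].add(dst)
            if len(smb_targets[src]) == SCAN_THRESHOLD:
                # One host fanning out over SMB inside the network: lateral movement
                findings.append((ts, "Actions on Objectives", f"{src} touched {SCAN_THRESHOLD} internal SMB hosts"))
    return findings
```

Running `map_to_kill_chain(parse_flows(SAMPLE_FLOWS))` on the sample gives one finding per stage in the order the scenario describes; the HTTPS flow produces nothing.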

Again, my question to you: should you care about the kill chain?
You may say: I do not own any information, I do not have any data as such, or I do not have anything at all. So why should I care?

In most cases, the attackers might not even be interested in large-scale data or high-profile servers. Small compromised resources can be used to commit advertising fraud, spread misleading information/news or send out spam, extort the company for ransom or sell whatever data they have acquired on the black market, or even rent out the hijacked infrastructure to other criminals, for example selling these servers for ransomware-as-a-service, DDoS-as-a-service and the like.

The goal here is not just to know the 'Cyber Kill Chain'. You know it, great! What are you waiting for? Implement it: follow the kill chain model and gotta catch them all!

PS: To stop an attack, you need to think like an attacker.

A little bird once told me, "Know the enemy and know yourself."