Lockheed Martin derived the structure of the kill chain from a military model, originally set up to define, plan to strike, engage, and destroy the target. The kill chain has developed since its inception to better predict and understand insider attacks, social engineering, advanced malware and disruptive assaults. The purpose of the model is to describe the stages an adversary must go through to conduct an attack, so that security teams can stop the attack at each stage.
The kill chain model describes an attack by an external attacker attempting to gain access to data or assets inside the security perimeter. The attacker performs reconnaissance, intrudes through the security perimeter, exploits vulnerabilities, gains and escalates privileges, moves laterally to reach more valuable targets, attempts to obfuscate their activity, and finally exfiltrates data from the organization.
Lockheed Martin’s cyber kill chain breaks down an externally originating cyber-attack into 7 distinct steps. Each stage corresponds to a certain type of activity in a cyber-attack, regardless of whether it is an internal or external attack:
Reconnaissance
At the reconnaissance stage, the attacker gathers information about the target organization. They can use
automated scanners to find vulnerabilities and weak points that may allow penetration. Attackers will try to
identify and investigate security systems that are in place, such as firewalls, intrusion prevention systems and
authentication mechanisms.
Types of reconnaissance:
Passive reconnaissance
Passive reconnaissance is an attempt to gain information about targeted computers and networks
without actively engaging with the systems.
Active reconnaissance
In active reconnaissance, by contrast, the attacker engages with the target system, typically conducting a port scan to find any open ports.
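The port scan mentioned above is the most visible trace that active reconnaissance leaves on the defender's side. The following Python script is an added example, not code from the original article or from Lockheed Martin: it parses constructed firewall log lines (the line format and the addresses are assumptions, not a real product's format) and flags any source that touches an unusually large number of distinct ports on one destination inside a short sliding time window, which is how a detection rule for this stage is commonly built.

```python
"""Added example: detecting active reconnaissance (port scanning) in firewall logs."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from any real device).
# Assumed format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=203.0.113.7 dst=192.0.2.10 dport=22 action=deny
2024-05-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=23 action=deny
2024-05-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=80 action=allow
2024-05-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=443 action=allow
2024-05-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=445 action=deny
2024-05-01T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=3389 action=deny
2024-05-01T10:00:05 src=198.51.100.4 dst=192.0.2.10 dport=443 action=allow
2024-05-01T10:30:00 src=198.51.100.4 dst=192.0.2.10 dport=443 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_port_scans(log_text, window_seconds=60, min_ports=5):
    """Return one alert per (src, dst) pair that touched at least `min_ports`
    distinct destination ports within any `window_seconds`-long sliding window.

    Both allowed and denied connections count: a scanner learns from each.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        in_window = Counter()  # port -> number of events currently inside the window
        start = 0
        peak = 0
        for ts, port in evs:
            in_window[port] += 1
            # Slide the window start forward until every event inside it is
            # no older than `window` relative to the current event.
            while ts - evs[start][0] > window:
                old_port = evs[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            alerts.append({
                "src": src,
                "dst": dst,
                "distinct_ports": peak,
                "first_seen": evs[0][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(f"possible port scan: {alert}")
```

On the sample data the script reports 203.0.113.7 for touching six distinct ports on 192.0.2.10 within three seconds, while the repeat visitor on port 443 stays quiet. The window and port thresholds are tuning assumptions; raise them for noisy segments such as vulnerability-scanner subnets, and lower them for hosts that should never see inbound probes.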
Weaponization
During weaponization, the threat actor develops malware specifically crafted for the vulnerabilities discovered during the reconnaissance phase of the cyber kill chain. Based on the intelligence gathered in that phase, the attacker tailors their toolset to the specific requirements of the target network.
Delivery
The third stage of the cyber kill chain is delivery, in which the intruder transmits the malware via a phishing email, the web, a USB device or another medium.
Exploitation
At the exploitation stage, attackers seek additional vulnerabilities or weak points they can exploit inside the organization’s systems. For example, from the outside the attacker may have no access to an organization’s databases, but after the intrusion they can see that a database runs an old version and is exposed to a well-known vulnerability.
Examples: PowerShell, Local job scheduling, Scripting, Dynamic data exchange
Installation
At this stage, the installation of a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment. Installing malware on the asset requires end-user participation, by unknowingly enabling the malicious code. Taking action at this point can be considered critical.
Command and Control
Command and control is the sixth phase of the cyber kill chain. Command and control, also known as C2, is when the attacker has put their management and communication APT code in place on the target network. This software allows the attacker to fully manage the APT code in the environment and to move deeper into the network, exfiltrate data and conduct destruction or denial-of-service operations.
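Because C2 software has to keep talking to its operator, its traffic often shows up in outbound logs as connections to one destination repeating at near-regular intervals. The Python script below is an added example, not code from the original article: it works over constructed proxy log lines (format, hostnames and addresses are assumptions) and flags internal hosts whose outbound connections to a single destination are so evenly spaced that the coefficient of variation of the intervals falls under a threshold. The regular-interval heuristic is a common detection approach, not something the article itself prescribes.

```python
"""Added example: flagging possible command-and-control beaconing in outbound proxy logs."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines for this example (not from any real system).
# Assumed format: "<ISO timestamp> src=<internal ip> host=<destination host> bytes=<n>"
SAMPLE_PROXY_LOG = """\
2024-05-01T12:00:00 src=10.0.0.5 host=cdn-sync.example bytes=512
2024-05-01T12:00:00 src=10.0.0.9 host=docs.example bytes=40211
2024-05-01T12:00:40 src=10.0.0.9 host=docs.example bytes=1200
2024-05-01T12:05:01 src=10.0.0.5 host=cdn-sync.example bytes=498
2024-05-01T12:07:15 src=10.0.0.9 host=docs.example bytes=98000
2024-05-01T12:10:00 src=10.0.0.5 host=cdn-sync.example bytes=515
2024-05-01T12:14:59 src=10.0.0.5 host=cdn-sync.example bytes=502
2024-05-01T12:20:02 src=10.0.0.5 host=cdn-sync.example bytes=509
2024-05-01T12:25:00 src=10.0.0.5 host=cdn-sync.example bytes=511
2024-05-01T12:30:00 src=10.0.0.9 host=docs.example bytes=300
2024-05-01T12:31:05 src=10.0.0.9 host=docs.example bytes=7700
"""

PROXY_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_proxy_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "host": m["host"],
        "bytes": int(m["bytes"]),
    }


def detect_beacons(log_text, min_connections=5, max_cv=0.10):
    """Return one alert per (src, host) pair with at least `min_connections`
    connections whose inter-connection intervals have a coefficient of
    variation (stdev / mean) no larger than `max_cv`.

    A low CV means the connections are evenly spaced, which is what a
    timer-driven beacon produces and what interactive browsing does not.
    """
    times_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_proxy_line(line)
        if ev:
            times_by_pair[(ev["src"], ev["host"])].append(ev["ts"])

    alerts = []
    for (src, host), times in times_by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [
            (later - earlier).total_seconds() for earlier, later in zip(times, times[1:])
        ]
        if len(intervals) < 2:
            continue  # stdev needs at least two intervals
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue  # everything in the same second is a burst, not a beacon
        cv = statistics.stdev(intervals) / mean
        if cv <= max_cv:
            alerts.append({
                "src": src,
                "host": host,
                "connections": len(times),
                "mean_interval_s": round(mean, 1),
                "interval_cv": round(cv, 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_beacons(SAMPLE_PROXY_LOG):
        print(f"possible beacon: {alert}")
```

On the sample data, 10.0.0.5 is flagged for six connections to cdn-sync.example spaced almost exactly five minutes apart, while the irregular browsing from 10.0.0.9 is not. Legitimate software updaters and monitoring agents also beacon on timers, so treat a hit as a triage lead to enrich with destination reputation and process context rather than as proof of compromise.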
Actions on Objective
The intruder initiates end-goal actions, such as data theft, data corruption, or data destruction.
It is recommended that an organization implement a defense-in-depth strategy that protects the organization's people, processes, and technology in a holistic and layered fashion. Some defense-in-depth areas include:
• Implementation of an enterprise-wide information security program with leadership backing and authority
• Effective user training and awareness related to email-borne threats (phishing)
• Strong cyber hygiene practices throughout the organization
Copyright @SecurWires. Designed & Developed By MindScript