Performing pro-active and frequent IT audits will help to secure your IT environment but it is by no means foolproof. It is still possible for your organisation to be the victim of a security breach no matter how strict your security controls are. Therefore, it is important to consider multiple approaches when formulating your security plan. One such approach is the cyber kill chain. In this blog, we will discuss the cyber kill chain and how using it in the right way can benefit your organisation.
What is the cyber kill chain?
The cyber kill chain was originally a military concept but has since been adopted by the global aerospace, defense and security giant Lockheed Martin to describe the stages of a cyber security attack. The idea of the model is to get organizations to view the attack from the point of view of the attacker. Theoretically this enables organizations to better prepare their response to these security risks.
The cyber kill chain model consists of six stages, with each stage representing a particular goal of the attack.
Phases of Cyber-kill chain and their prevention
- Reconnaissance
At this level attackers are evaluating the weaknesses in your IT infrastructure to see where they should target. Attackers often target areas that are relatively unguarded and contain valuable data.
Prevention: Organizations should make sure that their websites do not display too much information regarding their company or employees. Educating employees about the dangers of oversharing information on social media can also be beneficial. You can also enhance security through monitoring IPS and firewall logs and sandboxing technology alerts.
- Weaponisation
After defining the target, attackers may create a malicious payload to send to their victim. They may do this by utilizing any inside information they have been able to gather in the reconnaissance stage. For example, by using an employee’s LinkedIn information, an attacker may be able to access internal resources through spear-phishing. Even basic information regarding the software your company uses, including OS version and type, can increase the probability of an attacker installing something malicious inside your network.
Prevention: There’s no real way to prevent attackers from creating malicious payloads. However, you can mitigate the risks of these payloads being successful. This will be discussed in the next point.
- Delivery and Exploitation
Attackers may send malicious payloads to their victims in several ways, the most common being through email. Simply being careless can lead to the attacker gaining access and causing untold damage within your organisation.
Prevention: To mitigate the risks associated with the delivery phase, organizations should make sure that their anti-virus software is up-to-date. This should help stop most cases of delivery reaching the end user. Another way of helping to prevent this stage is through educating users on the dangers of phishing emails and downloading untrustworthy applications.
- Installation
In this phase, the attacker will attempt to install the malware on the infected computer to maintain the connection and keep it under their control. This way an attacker can easily access the corporation’s private assets.
Prevention: The best defense here is to prevent the running of unknown files. Incorporate the use of whitelisting to turn off auto-run. With whitelisting, only approved software is installed and any new software needs to be approved before they are added to the whitelist.
- Command & Control
Once malware has entered your system, its next task will be to await instructions. It may download additional components or contact a botmaster in a Command & Control (C&C) channel. In both these cases it will require network traffic.
Prevention: As network traffic is a prerequisite here, the first task is to make sure that your firewall is set to alert on all new programs contacting the network. You can use forensics to determine what data has been stolen or interfered with. To access your data again, your affected machine will either need to be cleaned or re-imaged. Having back-up data can make this task less time consuming and less costly.
- Action
An attacker may steal information, perform DDOS traffic or spew spam depending on what his/her goal is inside the network. This is an unpredictable attack process that could potentially take months and be performed in thousands of small steps. There is a chance that the threat may have migrated from one machine to several in your network. It is difficult at this point to calculate the exact damage done by the attacker.
Prevention: To prevent the data exfiltration process, organizations should have a means of responding to unauthorized data flows. You can also incorporate the use of Data Loss Prevention (DLP) techniques to mitigate the action process.
An easy way to integrate cyber kill chain preventative measures
Integrating cyber kill chain preventive measures into your overall security plan is no easy task. However, having an automated auditing solution, like LepideAuditor Suite, installed in your system can lighten the task load. This solution that will implement a layered security to lessen the likelihood that threats will slip through unobserved. It will audit your environment at continuously, providing you details on all changes taking place in your network.
The more information you have about your system, the more likely you are to identify irregular behavior.