Cyber Kill Chain (CKC): attacker vs. defender view

The Cyber Kill Chain (CKC) is a seven-step framework, originally published by Lockheed Martin, that describes the stages an attacker moves through to carry out a cyberattack. The chain starts with gathering information about the target and ends with the attacker achieving their objective. Each step is a prerequisite for the next, so the chain doubles as a list of the attacker's intermediate goals; for the defender, breaking any one link is enough to disrupt the attack.

Two views of the Cyber Kill Chain (CKC)

In this Answer, we’ll discuss how the attacker works through the seven steps to conduct the attack and how the defender uses the same seven steps to safeguard the system.

The Cyber Kill Chain process

Let’s look at the attacker and defender’s aims and the steps they take to achieve them.

Attacker’s view

The attacker works through the steps in order; each step prepares the ground for the next, and the attack only succeeds if the whole chain is completed.

1- Reconnaissance: The attacker gathers information about the potential target, such as public contact information (email addresses, employee names), open ports, running services, and known vulnerabilities in those services. Open ports and running services are candidate entry points for malicious payloads (any script or program intended to cause harm to the target system). Reconnaissance is done with open-source intelligence (OSINT) techniques and with port and vulnerability scanners run against the target.

2- Weaponization: The attacker builds a malicious payload that exploits a vulnerability found during reconnaissance. The payload can be a virus, a worm, or a specially crafted script or exploit tailored to the specific vulnerability in the target system.

3- Delivery: The attacker transmits the payload crafted in the previous step to the target, most commonly by sending it to an email address identified during reconnaissance (a phishing email with a malicious attachment or link). Other delivery channels include compromised websites and removable media.

4- Exploitation: The delivered payload triggers the vulnerability identified earlier, for example when the victim opens the attachment, and the attacker's code runs on the target system. From this foothold the attacker tries to raise their privileges and looks for further vulnerabilities on the system and the surrounding network.

5- Installation: The executed payload installs a backdoor (malware that gives the attacker a remote connection to the system) or another persistence mechanism, so the attacker keeps access even if the original exploit can no longer be used, for example after a reboot.

6- Command and control: The implanted malware connects back to infrastructure the attacker controls, giving the attacker remote access to the target system. Through this channel the attacker issues commands and delivers further payloads to perform other malicious activities.

7- Actions on objectives: The attacker finally carries out the actual intent of the attack. This may include encrypting data for ransom, destroying it, or compressing and exfiltrating (leaking) it, or using the compromised system as a stepping stone to other systems. Reaching this stage may take months of patient work.

Defender’s view

A defender uses the same seven steps to decide where detection and prevention controls should sit, so that the attack can be interrupted as early as possible.

1- Reconnaissance: The defender looks for signs of information gathering against the system, such as port scans and vulnerability-scanner traffic in firewall and web server logs. From this activity the defender can collect indicators about the attacker, such as the source IP addresses used, and can reduce what the system exposes publicly.

2- Weaponization: This step happens entirely on the attacker's side, so the defender cannot observe it directly. The best the defender can do is shrink the pool of exploitable weaknesses: perform regular security audits (reviewing and monitoring the security posture of the system), patch known vulnerabilities, and keep anti-malware software up to date.

3- Delivery: At this point, the defender safeguards the entry points. This includes filtering email and scanning attachments, closing unused ports, stopping or patching vulnerable services, and running an intrusion detection system (IDS, a tool that inspects network or host activity for signs of intrusion) to flag delivery attempts.

4- Exploitation: The defender monitors the target system for privilege-escalation attempts and other suspicious or unusual activity, such as a document viewer spawning a command shell. Intrusion detection and prevention systems (tools that identify an intrusion and can take action to block it) and vulnerability scanners help identify exploitation, and prompt patching removes the vulnerabilities before they can be used.

5- Installation: The defender continuously watches the system for the installation of backdoors or other malware using endpoint detection and response (EDR) solutions (tools that record process, file, and registry activity on endpoints and flag anomalies such as new persistence entries or unexpected access attempts).

6- Command and control: The defender tries to identify unauthorized connections from internal hosts to remote servers. Network traffic analysis and anomaly detection tools (which monitor network activity and flag deviations from normal behavior, such as periodic beaconing to an unknown external address) help find such connections. Blocking the command-and-control channel cuts the attacker off and lets the defender regain control of the system.

7- Actions on objectives: If the attack has reached this stage, the defender is in incident response. The defender must contain the attack, stop the attacker's activity, minimize the damage, and recover the affected systems.
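The defender's steps above each translate into a concrete detection. The following is an added example, not part of the original Answer, that tags constructed log events (firewall, mail gateway, registry, and network flow records, all made up for this example) with the kill-chain stage they indicate: a port scan for reconnaissance, an executable mail attachment for delivery, a new autostart registry entry for installation, and evenly spaced outbound flows (beaconing) for command and control. The thresholds, field names, hostnames, and IP addresses are assumptions chosen for illustration.

```python
"""Tag constructed log events with the Cyber Kill Chain stage they indicate."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds: assumed values for this example, tune to your environment.
SCAN_PORT_THRESHOLD = 10                 # distinct ports from one source inside SCAN_WINDOW
SCAN_WINDOW = timedelta(minutes=5)
EXEC_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat")
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"   # HKCU/HKLM autostart keys (compared lowercase)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")
BEACON_MIN_FLOWS = 5
BEACON_MAX_CV = 0.2                      # max coefficient of variation of beacon gaps

# Constructed sample events (not real telemetry). Hostnames and addresses are made up;
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
T0 = datetime(2024, 5, 1, 9, 0, 0)
EVENTS = [
    # Reconnaissance: one external host probes 12 ports in 12 seconds
    *({"type": "fw", "ts": (T0 + timedelta(seconds=i)).isoformat(),
       "src": "203.0.113.7", "dport": p}
      for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 3389, 8080])),
    # Delivery: inbound mail with a double-extension executable attachment
    {"type": "mail", "ts": "2024-05-01T09:10:00", "from": "billing@example.net",
     "to": "alice@corp.example", "attachment": "Invoice_2024.pdf.exe"},
    # Installation: persistence through a new Run key pointing into the user profile
    {"type": "registry", "ts": "2024-05-01T09:12:30", "host": "WS-ALICE",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    # Command and control: one flow every 60 s to the same external address
    *({"type": "netflow", "ts": (T0 + timedelta(minutes=15, seconds=60 * k)).isoformat(),
       "host": "WS-ALICE", "dst": "198.51.100.23", "dport": 443} for k in range(10)),
    # Benign noise: a single outbound HTTPS flow from another host
    {"type": "netflow", "ts": "2024-05-01T09:16:07", "host": "WS-BOB",
     "dst": "198.51.100.80", "dport": 443},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_recon(events):
    """Flag a source that touches many distinct ports within SCAN_WINDOW of its first hit.
    Simplification: only the window anchored at the first event per source is checked."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "fw":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=_ts)
        ports = {e["dport"] for e in evs if _ts(e) - _ts(evs[0]) <= SCAN_WINDOW}
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append({"stage": "Reconnaissance", "src": src, "ports": len(ports)})
    return alerts


def detect_delivery(events):
    """Flag inbound mail whose attachment name ends in an executable extension."""
    return [{"stage": "Delivery", "to": e["to"], "attachment": e["attachment"]}
            for e in events
            if e["type"] == "mail" and e["attachment"].lower().endswith(EXEC_EXTENSIONS)]


def detect_installation(events):
    """Flag autostart registry entries that point into a user-writable directory."""
    alerts = []
    for e in events:
        if e["type"] != "registry":
            continue
        key, value = e["key"].lower(), e["value"].lower()
        if RUN_KEY_FRAGMENT in key and any(p in value for p in USER_WRITABLE):
            alerts.append({"stage": "Installation", "host": e["host"], "value": e["value"]})
    return alerts


def detect_c2(events):
    """Flag host->destination pairs whose flows are evenly spaced (beaconing)."""
    flows = defaultdict(list)
    for e in events:
        if e["type"] == "netflow":
            flows[(e["host"], e["dst"])].append(_ts(e))
    alerts = []
    for (host, dst), times in flows.items():
        if len(times) < BEACON_MIN_FLOWS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # A human browsing produces irregular gaps; an implant on a timer does not.
        if mean > 0 and statistics.pstdev(gaps) / mean <= BEACON_MAX_CV:
            alerts.append({"stage": "Command and control", "host": host,
                           "dst": dst, "period_s": round(mean)})
    return alerts


def detect(events):
    """Run all stage detectors and return the alerts in kill-chain order."""
    return (detect_recon(events) + detect_delivery(events)
            + detect_installation(events) + detect_c2(events))


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Each detector is independent, which mirrors the point of the defender's view: an alert at any single stage is enough to start pulling on the thread, and the earlier the stage, the less the attacker has achieved by the time the defender reacts.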

Test yourself

It’s time to test your comprehension of the above Answer. Match each action below to the actor who performs it.

Actions:
Run EDR on the system
Run anomaly detectors
Execute payloads
Find remote connections on system
Find email addresses
Establish remote connection

Actors:
Attacker
Defender


Copyright ©2024 Educative, Inc. All rights reserved