The Cyber Kill Chain (CKC) is a seven-step framework used in cybersecurity to describe the steps an attacker takes to successfully execute a cyberattack. The chain starts with gathering information about the target system and ends with the attacker achieving their objective. Each step is an actionable objective for the attacker, and completing the steps in order against the target system is what makes the attack succeed.
In this Answer, we’ll discuss how the attacker works along the seven steps to conduct the attack and how the defender moves along the seven steps to safeguard the system.
Let’s look at the attacker and defender’s aims and the steps they take to achieve them.
An attacker aims to understand the exploitation steps to successfully attack the target system.
1- Reconnaissance: The attackers set out to gather information about their potential target. They gain information like public contact information, vulnerabilities, open ports, and running services in the system. The open ports and running services can serve as the entry points for
2- Weaponization: The attacker creates a malicious payload to exploit the vulnerability of the target system. Malicious payloads include viruses, worms, or a specially crafted script that exploits the vulnerability within the target system.
3- Delivery: The attacker delivers the malicious payload crafted in the previous step to the target system, using the email address identified in the reconnaissance phase.
4- Exploitation: The attacker exploits the vulnerabilities identified in the earlier stages of the CKC. The attacker tries to obtain the highest privileges possible and looks for further vulnerabilities in the system.
5- Installation: The attacker now executes the malicious payload delivered to it via email. The malicious payload creates an access point or a
6- Command and control: The attacker now establishes a remote connection with the target system and has full access to it. The attacker can now deliver additional malicious payloads to the system to carry out further malicious activity.
7- Actions on the objective: The attacker finally carries out the actual intent of the cyberattack. The intent can include data encryption, destruction, leakage, and compression. The attacker may spend months gaining access to the system before executing the attack.
A defender aims to understand the steps of exploitation to devise a security solution for the system.
1- Reconnaissance: The defenders try to gain information about suspicious activity on the target system. The defender then tries to retrieve data about the attacker, like its IP address, from the activity performed on the target system.
2- Weaponization: This process only occurs on the attacker’s side, so it is difficult for the defender to do anything. However, a good practice would be to perform regular
3- Delivery: At this point, the defender safeguards its entry points. It includes securing emails, checking attachments, closing unused entry points, and stopping the vulnerable services running on the system. Defenders may also use
4- Exploitation: The defender must monitor the target system for all the privilege requests and all the suspicious and unusual activities on the system. The defender uses
5- Installation: The defender continuously monitors the target system for installation and uses
6- Command and control: The defender tries to identify unauthorized connections to a remote server. The use of
7- Actions on the objective: This is now the post-attack step. The defender must take the necessary steps to stop the attack and minimize the damage from the attack.
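The defender steps above describe monitoring privilege requests (Exploitation) and spotting unauthorized connections to a remote server (Command and control), and then mapping what was found back onto the chain. The script below is an added example written for this Answer, not code from the original page: it runs two simple detections over a few constructed log lines and reports the furthest CKC stage for which there is evidence. The log format, the allowlist, and the thresholds (three failed privilege requests within 60 seconds, four connections at a near-constant interval) are assumptions chosen for illustration.

```python
"""Added example: stage-tagged detections over constructed log lines, mapped
back to the Cyber Kill Chain. The log format, allowlist and thresholds are
assumptions for illustration, not a real product's rules."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry). Net lines are deliberately
# out of order to show that parse() sorts by timestamp.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth user=bob sudo: command=/usr/bin/ls result=fail
2024-05-01T10:00:03 auth user=bob sudo: command=/usr/bin/cat result=fail
2024-05-01T10:00:05 auth user=bob sudo: command=/bin/bash result=fail
2024-05-01T10:00:09 auth user=bob sudo: command=/bin/bash result=success
2024-05-01T10:05:00 net src=10.0.0.5 dst=203.0.113.7:443 proto=tcp
2024-05-01T10:20:00 net src=10.0.0.5 dst=203.0.113.7:443 proto=tcp
2024-05-01T10:10:00 net src=10.0.0.5 dst=203.0.113.7:443 proto=tcp
2024-05-01T10:15:00 net src=10.0.0.5 dst=203.0.113.7:443 proto=tcp
2024-05-01T10:07:13 net src=10.0.0.5 dst=192.0.2.10:443 proto=tcp
2024-05-01T10:31:44 net src=10.0.0.5 dst=192.0.2.10:443 proto=tcp
"""

# Assumed allowlist of known-good destinations (e.g. an internal update server).
ALLOWLIST = {"192.0.2.10"}

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and control", "Actions on the objective"]


def parse(log_text):
    """Turn '<ts> <source> key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in log_text.splitlines():
        ts, source, rest = line.split(maxsplit=2)
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append({"ts": datetime.fromisoformat(ts), "source": source, **fields})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_privilege_abuse(events, max_fail=3, window_s=60):
    """Stage 4 (Exploitation): repeated failed privilege requests by one user,
    followed by a success. Returns (timestamp, user) pairs."""
    hits = []
    fails = defaultdict(list)
    for ev in events:
        if ev["source"] != "auth" or "result" not in ev:
            continue
        user = ev["user"]
        if ev["result"] == "fail":
            fails[user].append(ev["ts"])
            # Keep only failures inside the sliding window.
            fails[user] = [t for t in fails[user]
                           if (ev["ts"] - t).total_seconds() <= window_s]
        elif ev["result"] == "success" and len(fails[user]) >= max_fail:
            hits.append((ev["ts"].isoformat(), user))
            fails[user].clear()
    return hits


def detect_beaconing(events, min_count=4, max_jitter=0.1):
    """Stage 6 (Command and control): connections from one host to a
    non-allowlisted destination at a near-constant interval (beaconing).
    Returns (src, dst, mean interval in seconds) tuples."""
    conns = defaultdict(list)
    for ev in events:
        if ev["source"] != "net":
            continue
        dst_ip = ev["dst"].rsplit(":", 1)[0]
        if dst_ip in ALLOWLIST:
            continue
        conns[(ev["src"], dst_ip)].append(ev["ts"])
    hits = []
    for (src, dst), times in conns.items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        spread = (sum((g - mean) ** 2 for g in gaps) / len(gaps)) ** 0.5
        # Low relative jitter means a machine, not a person, is timing the calls.
        if mean > 0 and spread / mean <= max_jitter:
            hits.append((src, dst, round(mean)))
    return hits


def furthest_stage(events):
    """Map the detections onto the CKC and return the furthest stage reached."""
    reached = []
    if detect_privilege_abuse(events):
        reached.append("Exploitation")
    if detect_beaconing(events):
        reached.append("Command and control")
    if not reached:
        return None
    return max(reached, key=KILL_CHAIN.index)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("Privilege abuse:", detect_privilege_abuse(evs))
    print("Beaconing:", detect_beaconing(evs))
    print("Furthest stage with evidence:", furthest_stage(evs))
```

On the constructed input, the three failed sudo requests followed by a success flag the Exploitation stage, and the four evenly spaced connections to the non-allowlisted host flag Command and control, so the furthest stage reported is "Command and control"; the connections to the allowlisted host are ignored. Reporting the furthest stage is the point of mapping detections onto the chain: it tells the defender how late in the attack they are intervening.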
It’s time to test your comprehension of the above Answer. Match each action below to the actor who performs it.
Actors: Attacker, Defender
Actions:
1- Run EDR on the system
2- Run anomaly detectors
3- Execute payloads
4- Find remote connections on system
5- Find email addresses
6- Establish remote connection