Use the Cyber Kill Chain Model to Spot and Stop Hackers

In the military, a kill chain refers to a specific sequence of events leading up to an attack. The kill chain starts with identifying a target and then progresses through additional steps, such as getting a fix on the target’s location and tracking the target’s movement. This basic concept has been adapted to cyber attacks in what is sometimes referred to as a cyber kill chain model.

It's worth noting that every cyber attack is different because attackers have their own way of doing things and because each target is unique. Even so, the cyber kill chain model can be used to identify and look out for the steps criminals take in most cyber attacks.

1. Reconnaissance

The first step in the cyber kill chain model is reconnaissance. Reconnaissance is based on the idea that attackers need to know something about the target prior to launching the attack. Now, obviously, this concept does not apply to random attacks, but if attackers are specifically targeting a particular organization, they will need a point of entry. Only reconnaissance will reveal the best point of entry for an attacker to use.

2. Intrusion

The second step in the cyber kill chain model is intrusion. Intrusion is exactly what it sounds like: This is the step where attackers make it into the network that they wish to attack. Intrusion can be performed in any number of different ways. Attackers might use malware to gain entry into the network or stolen credentials and a VPN, among many other types of methods.

3. Exploitation

Step number three is exploitation. The idea behind exploitation is that just because attackers have gained entry into a network, it doesn’t mean that they can actually do anything. The exploitation process involves figuring out what vulnerabilities exist and can be exploited within the victim’s network.

4. Privilege Escalation

The fourth step in the cyber kill chain model is privilege escalation. In some cases, it is possible that attackers might be able to accomplish their objectives simply by discovering and exploiting a vulnerability within a system that they want to attack. More often, however, attackers will need to gain some additional permissions to be able to accomplish their objectives. This is where privilege escalation comes into play.

There are any number of different ways in which privilege escalation can be accomplished. If an attacker has managed to break into a desktop computer, for example, the attacker might use the system’s security accounts manager to gain access to the accounts of anyone who has previously logged onto that particular system. The goal is to figure out if any of those accounts have permissions that go beyond what the attacker already has.

5. Lateral Movement

Step number five in the process is lateral movement. Suppose that an attacker has compromised a desktop within the target organization. Let’s also suppose that the attacker was able to harvest an account from the desktop that gave the attacker elevated permissions, but not sufficient permissions to accomplish the final objective. The next step in the process is to use those credentials to log on to other desktops, with the goal of finding a system that had been logged into with administrative credentials. Those credentials could then be harvested, allowing the attacker to move toward his or her ultimate objective.

6. Anti-Forensics

The sixth step in the process is anti-forensics. All good attackers know it is only a matter of time before an organization's cybersecurity staff realizes that something is amiss. Attackers therefore need to do something to cover their tracks. The nature of this activity varies widely, but it can involve anything from deleting audit logs to engaging in very obvious activity that has nothing to do with their end objective. This can help misdirect the cybersecurity staff so that they are looking for one type of exploit, while the attacker is actually doing something else.

7. Denial of Service

Step seven in the cyber kill chain model is denial of service. This step isn’t a part of every cyber attack, but it does happen. In the denial of service phase of the attack, attackers shut down any resources that could potentially be used to halt the attack. For example, attackers might shut down monitoring software, or they might change the domain admin password. The goal in this phase of the attack is simply to make it difficult for the organization’s IT staff to take corrective action.

8. Exfiltration

The eighth and final stage of the attack is exfiltration. This is the stage where the attacker collects data from compromised systems and then moves that data out of the organization.

Bottom Line

It is critically important to understand the cyber kill chain model because each step in the kill chain represents an opportunity for an organization’s IT team to detect and block an impending attack. If, for example, the IT team stops an attack at the intrusion phase, then the attacker would never make it to the exploitation phase. Similarly, if the IT team stops an attack at the exploitation phase, they can prevent privilege escalation.

Cyber security experts have long urged enterprise IT to take a defense-in-depth approach to cybersecurity. The goal is to rely on a wide variety of security mechanisms rather than depending on one thing to halt all attacks. Organizations should consider adopting tools and other security mechanisms specifically targeted toward each step in the cybersecurity kill chain model. Remember, each step in the kill chain is an opportunity to stop attackers in their tracks.