1-What Is The Cyber Kill Chain?

The cyber kill chain is a model created by Lockheed Martin that describes the typical stages of a cyber attack: reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objectives. It is used to identify vulnerabilities and stop attacks at each stage. Examples of common attacks at each stage include spearphishing emails, privilege escalation through access tokens, lateral movement using SSH hijacking, and exfiltrating data by encrypting and compressing it. Security controls like firewalls, intrusion detection/prevention systems, and endpoint protection can detect, deny, disrupt, or contain threats at different stages to prevent the kill chain from being completed.

Uploaded by Mohamed Toubene

Cyber kill chain

1- What is the cyber kill chain?

The cyber kill chain is a cybersecurity model created by Lockheed Martin that traces the
stages of a cyber-attack, identifies the vulnerabilities used at each stage, and helps security
teams stop the attack at every stage of the chain.

The kill chain model describes an attack by an external attacker attempting to gain access
to data or assets inside the security perimeter. The attacker performs reconnaissance,
intrusion through the security perimeter, exploitation of vulnerabilities, gaining and
escalating privileges, lateral movement to reach more valuable targets, and finally attempts
to obfuscate their activity.

The kill chain model mainly describes an advanced persistent threat (APT), a sophisticated
attacker waging an organized attack campaign against a specific company.

2- Example attacks of the cyber kill chain:

Example attacks in the intrusion stage:

• External remote services

• Spearphishing attachments

• Supply chain compromise

Example attacks in the exploitation stage:

• PowerShell

• Local job scheduling

• Scripting

• Dynamic data exchange

Example attacks in the privilege escalation stage:

• Access token manipulation

• Path interception

• Sudo attack

• Process injection

Example attacks in the lateral movement stage:

• SSH hijacking

• Internal spear phishing

• Shared webroot

• Windows remote management

Example attacks in the obfuscation stage:

• Binary padding

• Code signing

• File deletion

• Hidden users

• Process hollowing

Example attacks in the DoS stage:

• Endpoint denial of service

• Network denial of service

• Resource hijacking

• Service stop

• System shutdown

Example attacks in the exfiltration stage:

• Data compressed

• Data encrypted

• Exfiltration over alternative protocol

• Exfiltration over a physical medium

• Scheduled transfer

3- What security controls can you use to stop the kill chain at each stage?

• Reconnaissance

Detect: Web Analytics; Threat Intelligence; Network Intrusion Detection System

Deny: Information Sharing Policy; Firewall Access Control Lists

• Weaponization

Detect: Threat Intelligence; Network Intrusion Detection System

Deny: Network Intrusion Prevention System

• Delivery

Detect: Endpoint Malware Protection

Deny: Change Management; Application Whitelisting; Proxy Filter; Host-Based Intrusion Prevention System

Disrupt: Inline Anti-Virus

Degrade: Queuing

Contain: Router Access Control Lists; App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

• Exploitation

Detect: Endpoint Malware Protection; Host-Based Intrusion Detection System

Deny: Secure Password; Patch Management

Disrupt: Data Execution Prevention

Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

• Installation

Detect: Security Information and Event Management (SIEM); Host-Based Intrusion Detection System

Deny: Privilege Separation; Strong Passwords; Two-Factor Authentication

Disrupt: Router Access Control Lists

Contain: App-aware Firewall; Trust Zones; Inter-zone Network Intrusion Detection System

• Command & Control

Detect: Network Intrusion Detection System; Host-Based Intrusion Detection System

Deny: Firewall Access Control Lists; Network Segmentation

Disrupt: Host-Based Intrusion Prevention System

Degrade: Tarpit

Deceive: Domain Name System Redirect

Contain: Trust Zones; Domain Name System Sinkholes

• Actions on Objectives

Detect: Endpoint Malware Protection

Deny: Data-at-Rest Encryption

Disrupt: Endpoint Malware Protection

Degrade: Quality of Service

Deceive: Honeypot

Contain: Incident Response
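As an added example (not part of the original notes), the course-of-action matrix above encoded in Python with a check of which kill-chain stages a given control inventory leaves without any control, or without a detective control; the control names are transcribed from the list above with NIDS/NIPS/HIDS/HIPS/ACL abbreviated, and the deployed inventory is constructed for illustration.

```python
# Course-of-action matrix transcribed from this page (NIDS/NIPS/HIDS/HIPS/ACL
# abbreviated) plus a coverage-gap check over a constructed control inventory.
ROWS = """\
Reconnaissance|Detect|Web Analytics; Threat Intelligence; NIDS
Reconnaissance|Deny|Information Sharing Policy; Firewall ACL
Weaponization|Detect|Threat Intelligence; NIDS
Weaponization|Deny|NIPS
Delivery|Detect|Endpoint Malware Protection
Delivery|Deny|Change Management; Application Whitelisting; Proxy Filter; HIPS
Delivery|Disrupt|Inline Anti-Virus
Delivery|Degrade|Queuing
Delivery|Contain|Router ACL; App-aware Firewall; Trust Zones; Inter-zone NIDS
Exploitation|Detect|Endpoint Malware Protection; HIDS
Exploitation|Deny|Secure Password; Patch Management
Exploitation|Disrupt|Data Execution Prevention
Exploitation|Contain|App-aware Firewall; Trust Zones; Inter-zone NIDS
Installation|Detect|SIEM; HIDS
Installation|Deny|Privilege Separation; Strong Passwords; Two-Factor Authentication
Installation|Disrupt|Router ACL
Installation|Contain|App-aware Firewall; Trust Zones; Inter-zone NIDS
Command & Control|Detect|NIDS; HIDS
Command & Control|Deny|Firewall ACL; Network Segmentation
Command & Control|Disrupt|HIPS
Command & Control|Degrade|Tarpit
Command & Control|Deceive|DNS Redirect
Command & Control|Contain|Trust Zones; DNS Sinkhole
Actions on Objectives|Detect|Endpoint Malware Protection
Actions on Objectives|Deny|Data-at-Rest Encryption
Actions on Objectives|Disrupt|Endpoint Malware Protection
Actions on Objectives|Degrade|Quality of Service
Actions on Objectives|Deceive|Honeypot
Actions on Objectives|Contain|Incident Response
"""
MATRIX = {}  # stage -> action -> set of controls, in kill-chain order
for _line in ROWS.splitlines():
    _s, _a, _c = _line.split("|")
    MATRIX.setdefault(_s, {})[_a] = set(_c.split("; "))

def coverage(deployed):
    """Per stage, the action types (Detect, Deny, ...) the deployed controls give."""
    return {s: sorted(a for a, c in cells.items() if c & set(deployed))
            for s, cells in MATRIX.items()}

def gaps(deployed):
    """Stages with no deployed control at all, and stages lacking a Detect control."""
    cov = coverage(deployed)
    return ([s for s, a in cov.items() if not a],
            [s for s, a in cov.items() if "Detect" not in a])
# Constructed inventory: perimeter filtering plus endpoint protection only.
DEPLOYED = {"Firewall ACL", "NIPS", "Endpoint Malware Protection", "Patch Management"}
```

With this inventory the Installation stage has no control at all, and four of the seven stages have no detective control, which is the kind of gap the matrix is meant to expose.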
