What is The Cyber Kill Chain?
Written by Joseph Poppy on 21/08/2019
In brief, here’s Bulletproof MD Oliver Pinson-Roxburgh giving a quick rundown of the cyber kill chain.
Stage One: Reconnaissance
The first step in the kill chain is reconnaissance. This can involve a variety of different things, the most common of which is scanning. Lots and lots of scanning. The majority of this is automated and you’ll find there are a vast number of scanning bots crawling the digital realms in search of fresh prey to ogle. Anything exposed to the internet will be subject to merciless scanning, the purpose of which is to uncover any known vulnerabilities, misconfigurations or outdated bits of software.
You’ll be surprised how quick these scanners are to descend on an asset. We were feeling delightfully devilish one morning at Bulletproof and set up a poorly configured server hosting a simple web page that said ‘Hackers, do your worst!’ (or rather it said something along those lines with ruder words). By later that same morning, we had over 11,000 log files, the majority of which involved scanning activity.
Just look at this spike of scanning activity below. A steady trickle shoots up to a veritable spike:
However, there are other aspects to reconnaissance, such as a simple Google search of the business. There’s a lot a hacker can learn from online sources, such as extra domains associated with the business, office locations, staff names and email addresses (which can be used in phishing or brute forcing), staff ID designs (from pictures) and more. The first step can be the most important. If you can detect or prepare for this type of activity, your cyber defences will be stronger for it.
A good place to start would be to get regular penetration tests. Seeing as these scans tend to be looking out for weaknesses or vulnerabilities, it’s probably best you find them first. Then, you can patch them up and sleep easy at night.
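The scanning described above leaves a very recognisable trace in web server logs: one source requesting many paths that do not exist in a short space of time. This added example (not Bulletproof's own code) flags such sources in standard Apache/nginx "combined" format access logs; the log layout, the thresholds and the sample log lines are all assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Standard Apache/nginx "combined" access log layout (assumed log source).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the fields we need as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def flag_scanners(lines, window_s=60, min_requests=20, min_404_ratio=0.5):
    """Flag sources that, within any window_s-second span, send at least min_requests
    requests of which at least min_404_ratio are 404s. Returns {ip: (count, ratio)}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append((rec["ts"], rec["status"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside window_s seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            span = events[start:end + 1]
            ratio = sum(1 for _, status in span if status == 404) / len(span)
            if len(span) >= min_requests and ratio >= min_404_ratio:
                flagged[ip] = (len(span), round(ratio, 2))
                break
    return flagged

# Constructed sample (not real data): one visitor browsing normally and one
# automated source requesting 25 non-existent paths within 25 seconds.
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Aug/2019:09:00:{s:02d} +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    for s in (0, 15, 45)
] + [
    f'198.51.100.5 - - [21/Aug/2019:09:01:{s:02d} +0000] "GET /probe-{s:02d} HTTP/1.1" 404 0 "-" "python-requests/2.22"'
    for s in range(25)
]
```

Running `flag_scanners(SAMPLE_LOG)` flags only the probing source; tune the thresholds against a baseline of your own normal traffic before alerting on them.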
Stage Four: Exploitation
The fourth stage of the cyber kill chain is exploitation and it’s where weaknesses within your system are exploited. Hackers can now start attempting to escalate privileges, make modifications or start dropping extra components.
If your monitoring services are tuned correctly, they should be going nuts at this point. With so much happening within your environment, there should be enough log activity to let you know something’s not quite right. If you’ve got the right service from the right vendor configured in the right way, then you should also be able to stop the malicious activity in its tracks. As for getting the right service, we have put together a handy SIEM buyer’s guide to help businesses make this decision.
Stage Five: Installation
If the hacker has managed to get to this stage unimpeded, then you’re probably in trouble. As the name suggests, installation is the phase in which the malicious packages are actually installed. Often, such as in the case of ransomware, this can be instigated by a curious employee. Upon seeing a strange file on the system (a dropper), they might decide to run it just to see what it is before immediately regretting the decision as ransomware starts eating through every file it sees.
This can also happen earlier if the delivery method is a phishing email. All it takes is a member of staff to open that attachment and the hacker has a foothold. Whilst you can isolate a specific computer and take it offline to limit the damage, you have to be quick.
Mapping your defences against the cyber kill chain will hopefully mean attacks won’t get to this stage. But if the worst should happen, installations should definitely raise alerts, particularly if you weren’t expecting them. Spotting any activity such as this should allow you to act quickly to limit the damage. It’s also worth noting that offline backups are almost essential in these modern times. Ransomware can really cripple a business and even those who make the mistake of paying for their files to be decrypted often find they don’t get everything back as it was. If you’re correctly and regularly backing up, you can restore your shared network files back to a previous un-ransomwared point.