How to Deal With the Cyber Kill Chain

How to Deal With the Cyber Kill Chain

How to Deal With the Cyber Kill ChainHow to Deal With the Cyber Kill Chain

Many cyber-security teams have turned to a well-understood military concept, the kill chain, which details how adversaries structure their attacks.

Reconnaissance: Gather information to enable attacks on assetsReconnaissance: Gather information to enable attacks on assets

Monitor threat intelligence on known actors when communications indicate possible recon attempts from those acting against your assets.
Set alerts and immediately act on any stolen credentials, personally identifiable information and confidential company information that becomes available on the internet.

Weaponization: Coupling exploit with backdoor into deliverable payloadWeaponization: Coupling exploit with backdoor into deliverable payload

Monitor and gain visibility into actor-based threat intelligence feeds that provide insight into Trusted Third Parties and malware Indicators of Compromise that may target your business or assets.
Capture and analyze any network traffic payloads for malware indicators.

Delivery: Deliver malicious payload to the victim via email, internet or USBDelivery: Deliver malicious payload to the victim via email, internet or USB

Ensure all ingress and egress network connections have inline inspection based on signature and non-signature mechanisms, including within encrypted payloads.
Ensure inline inspection has full Layer 7 inspection, not just network layer.

Exploitation: Exploiting a vulnerability to execute codeExploitation: Exploiting a vulnerability to execute code

Integrate threat intelligence to understand potential threats and vulnerabilities.
Automate the detection of vulnerabilities within owned assets and network infrastructure to ensure quick detection of attacks.
Automate vulnerability to signature creation within network inspection capabilities to ensure quick detection of network-based vulnerability attacks.

Installation: Installing malware on the assetInstallation: Installing malware on the asset

Deploy an endpoint protection system (EPS) to provide inspection of all pre-installation of applications.
Connect the EPS to a threat intelligence system with up-to-date malware hash information.

Command and Control (C2): Command channel for remote manipulationCommand and Control (C2): Command channel for remote manipulation

Gather and monitor threat intelligence feeds that identify all known C2 servers worldwide.
Use your threat intelligence platform to select and prioritize which systems to protect.
Connect the threat intelligence to your threat mitigation gateways to automate protection against C2 communications.
Ensure investigation and analysis of internal lateral movement of communications after infection so that other infected hosts are found.

Privileged Operations, Resource Access and ExfiltrationPrivileged Operations, Resource Access and Exfiltration

To counter attacker’s steps inside the network:
Monitor internal network flow data and analyze to your asset ownership/compromise indicator intelligence.
Ensure your threat mitigation gateway is informed with up-to-date threat intelligence about known data exfiltration sites.
Inspect network traffic for unauthorized egress of corporate data.

Karen A. Frenkel
Karen A. Frenkel
Karen A. Frenkel is a contributor to CIO Insight. She covers cybersecurity topics such as digital transformation, vulnerabilities, phishing, malware, and information governance.

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.

Latest Articles