Thanks to Trevor Bakker, Cybersecurity Software Engineering Manager with Lockheed Martin and certified ethical hacker, who recently spoke with our recent graduates about the cyber kill chain. This post is derived from his presentation.
The idea of the kill chain began with the US military in the 1990s. The term kill chain represents finding a target, fix on or tracking the target, engaging the target, and doing an assessment after the fact. In 2006, Lockheed Martin applied the kill chain to cyber attacks to describe the stages a cyber adversary would use to attack a system.
The cyber kill chain framework consists of 7 stages:
- Command & Control
- Actions or Objectives
These stages are helpful in understanding the various stages of a cyberattack and it’s important to note that it’s not necessarily a linear process. Attackers may move back and forth between different stages or skip certain stages altogether.
Let’s dive into each of these stages.
Reconnaissance: Passive and Active
Passive reconnaissance is something many of us do on a regular basis - such as searching for contact information for a company. Maybe you’re looking for the hiring manager of a job you recently applied for or trying to find a person who can help you with a customer service issue. We’re searching readily available information on the web.
Active reconnaissance involves going deeper and peering into the back-end of the internet. This takes some knowledge on the commands to run to access the information. It’s not readily available on a website. When the internet was first launched, security wasn’t designed into it. We’ve simply bolted on security or designed new security protocols while still maintaining the old ones. Trevor describes this as “trying to change a tire on a moving car while not impacting the other three tires.” As a result, a lot of the back-end of the internet is not secure. With a few commands, you can peek behind the scenes and find things like a corporate email address. This, of course, can be used by ethical and bad hackers.
Of course, if it’s an email address you’re seeking, corporations love standardized email addresses. So you can try a few variations to see which one gets through without having to peek into the back-end of the internet.
Weaponization & Delivery
Weaponization and Delivery go hand in hand. Weaponization is all about the content attackers use to further their goal, such as collecting more information about an individual or organization or convincing someone to take action that benefits the attacker, such as installing malware. Delivery is how you send that content.
One of the main types of delivery is phishing. There are several types of phishing.
- Bulk Phishing - Reaching out to many people at once with the goal to engage some of them.
- Spear phishing - Targeting a specific individual.
- Whaling - Targeting an executive.
- Vishing - or voice phishing - Targeting individuals through a phone call.
- Smishing - or SMS/text phishing - Targeting individuals through text messages.
You can combine multiple types of phishing, such as Whaling by Vishing.
“The cyber kill chain helps you defend, but you can’t stop reconnaissance and weaponization.” Trevor Bakker
IT departments and security experts place a lot of emphasis on stopping delivery through things like spam filters in your email inbox or your cell phone carrier marking a call as “potential spam.”
Exploitation is all about taking advantage of a vulnerability. This could be a software vulnerability, like a security flaw that allows malware to get through, or a human vulnerability, such as a person not realizing an email is a phishing attempt.
If you’ve ever wanted to install a software update on your work computer only to be met with the warning that you do not have the necessary permissions, this is how companies prevent a cyber attack on your machine or the network.
Command & Control
Command & Control is the stage where an attacker connects the malware they installed on your system to their server, allowing them to remotely control your system. This step allows an attacker to funnel customer data from your server to their server.
Actions or Objectives
This is the attacker’s intended consequences, such as stealing data or disrupting business. While listed last in the cyber kill chain, the objective drives how the other stages are used.
How is the cyber kill chain useful?
Have you ever received an email that claims you owe money for computer repairs or a call allegedly from the local power company threatening to turn off your power unless you make a payment right now? With an understanding of how a cyber attack is executed and knowing the information that is publicly available about you, you can be better prepared for an attack and ward off phishing attempts.
While you can’t stop reconnaissance and weaponization, being cognizant will help you avoid getting tricked by an attacker and prevent exploitation, installation, and command and control.