The term ‘kill chain’ originated in the military as a concept to outline and define each stage of an attack. It has found its way into cybersecurity as well as a means to understand the structure of a cyber attack and disrupt it. There are seven defined phases of the kill chain with each phase having a specific utility to the attacker.
For enterprises waging a relentless war against cyber attackers, it is essential to understand each stage of the kill chain to make guided interventions when required and block the attack. In 2013, Lockheed Martin, the global American military giant, used this model to stop a SecurID attack.
Here are the seven phases that comprise the kill chain:
Phase 1: Reconnaissance
This phase involves both, passive and active reconnaissance on the part of the attacker. Identification of a vulnerable target is the most important objective of this phase and in pursuit of the objective, attackers will try and gather as much data and knowledge they can on their targets. This is a preparation phase before the launching of a cyber attack.
Phase 2: Weaponization
Once the Reconnaissance phase is complete, the attacker will move on to the next phase which is Weaponization. In this phase, the attacker will decide on the best type of tool they have at their disposal to carry out their attack on the target. This decision will be based on the findings of the Reconnaissance phase. The attacker could use methods like a Distributed Denial of Service (DDoS) attack, a botnet attack or malware to attack unpatched systems.
Phase 3: Delivery
The Delivery phase involves the attacker to deliver the attack through a malicious payload. This payload can be delivered through a variety of means: a phishing email, a drive-by-download attack or spear phishing.
Phase 4: Exploitation
At the Exploitation phase, the attacker exploits the vulnerability that has been discovered to carry out their attack. The targeted system is typically compromised and the attack enters the system. At this stage, the attacker has already gained a foothold and may try to make further intrusions by installing other malware.
Phase 5: Installation
After the Exploitation phase, the Installation phase involves the malicious software being installed and multiplying inside the breached system. Users may unknowingly install and spread the malware on their systems by taking actions such as sending infected emails to other users. The breaches may multiply across the affected network.
Phase 6: Command & Control
At this stage, the attacker is in full control. After successfully gaining entry and breaching an enterprise’s defenses, the malware can be fully commanded and controlled by the attacker who can use it for any malicious purposes. This can include sending back confidential information, passwords, emails or anything else the attacker seeks.
Phase 7: Action on Objectives
This is the seventh and the final stage of a cyber attack. This phase is defined as the ‘Action on Objectives’ phase and refers to the final actions which an attacker takes on conducting a successful attack. An attack could have various goals – to extract a ransom through a ransomware attack, to sell data on the Dark Web or to leak confidential information to a rival enterprise.
It is important for enterprises to understand and remain prepared for each phase of a cyber attack. As outlined above, every phase is different and requires the corresponding action.
Seqrite’s solutions enable better protection at every stage and ensure enterprises stay secure against cyber attacks.