What is the Cyber Security Kill Chain?

Like any form of traditional warfare, the most successful cyber attacks start with lots of information gathering. Reconnaissance is the first step in the cyber security kill chain and utilizes many different techniques, tools, and commonly used web browsing features including:

• Search engines
• Web archives
• Public cloud services
• Domain name registrie
• WHOIS command
• Packet sniffers (Wireshark, tcpdump, WinDump, etc.)
• Network mapping (nmap)
• DIG command
• Ping
• Port scanners (Zenmap, TCP Port Scanner, etc.)

There is a wide range of tools and techniques used by hackers to gather information about their targets, each of which exposes different bits of data that can be used to find doors into your applications, networks, and databases which are increasingly becoming cloud based. It’s important that you secure your sensitive data behind cloud-based SASE defenses, encryption and secure web pages in order to prevent attackers from stumbling on compromising information while browsing through your publicly-accessible assets, including apps and cloud services.

Once an attacker has gathered enough information about their target, they’ll choose one or several attack vectors to begin their intrusion into your space. An attack vector is a means for a hacker to gain unauthorized access to your systems and information. Attack vectors range from basic to highly technical, but the thing to keep in mind is that, for hackers, targets are often chosen by assessing cost vs. ROI.

Everything from processing power to time-to-value is a factor that attackers take into account Typical hackers will flow like water to the path of least resistance, which is why it is so important to consider all possible entry points along the attack surface (all of the total points in which you are susceptible to an attack) and harden your security accordingly.

The most common attack vectors include:

• Weak or stolen credentials
• Remote access services (RDP, SSH, VPNs)
• Careless employees
• Insider attackers
• Poor or no encryption
• System misconfiguration
• Trust relationships between devices/systems
• Phishing (social engineering)
• Denial of service attacks
• Man-in-the-middle attacks (MITM)
• Trojans
• SQL injection attacks
• And many others

Remember: a hacker only needs one attack vector to be successful. Therefore, your security is only as strong as its weakest point and it’s up to you to discover where those potential attack vectors are. Ransomware attacks continue to exploit remote access services to gain entry, make lateral movements, detect sensitive data for exfiltration, all before encrypting and making ransom requests.

So typically once an attacker is in, their next move is to find different ways to move laterally throughout your network or cloud resources and escalate their access privileges so their attack will gather the most valuable information, and they’ll stay undetected for as long as possible. Preventing this kind of behavior requires adopting “Zero Trust” principles, which, when applied to security and networking architecture, consistently demands reaffirmation of identity as users move from area to area within networks or applications.

Reports: Netskope Threat Labs Reports

Now that a hacker has gained access to your systems, they’ll have the freedom they need to deliver the payload of whatever they have in store for you (malware, ransomware, spyware, etc.). They’ll set up programs for all kinds of attacks, whether immediate, time-delayed or triggered by a certain action (logic bomb attack). Sometimes these attacks are a one-time move and other times hackers will establish a remote connection to your network that is constantly monitored and managed.

Malware detection with Next Gen SWGs to TLS decrypt and inspect web and cloud traffic are key components for preventing the delivery of these types of payloads. Increasingly attacks are cloud delivered with 68% of malware using cloud delivery versus web delivery. Running inline threat scanning services for web and cloud traffic along with accounting for the status of all endpoint devices is crucial in ensuring your company is not infected with any malicious software.

Once the attacker’s intended payload is delivered, the exploitation of a system begins, depending on the type of attack. As mentioned before, some attacks are delayed and others are dependent on a specific action taken by the target, known as a logic bomb. These programs sometimes include obfuscation features in order to hide their activity and origin in order to prevent detection.

Once the executable program is triggered, the hacker will be able to begin the attack as planned, which leads us to the next few steps, encompassing different types of exploitations.

If a hacker sees the opportunity for future attacks, their next move is to install a backdoor for consistent access to the target’s systems. This way they can move in and out of the target’s network without running the risk of detection by reentering through other attack vectors. These kinds of backdoors can be established through rootkits and weak credentials, and so long as their behavior doesn’t throw up any red flags to a security team (such as unusual login times or large data movements), these intrusions can be hard to detect. SASE architecture is uniting security defenses to collect rich metadata on users, devices, apps, data, activity and other attributes to aid investigations and enhance anomaly detection.

Now that the programs and backdoors are installed, an attacker will take control of systems and execute whatever attack they have in store for you. Any actions taken here are solely for the purpose of maintaining control of their situation with the target, which can take all kinds of forms, such as planting ransomware, spyware, or other means for exfiltrating data in the future.

Unfortunately, once you learn of an intrusion and exfiltration, it is probably too late—the hackers have control of your system. That’s why it’s important to have safeguards that monitor and evaluate data movements for any suspicious activity. A machine is far more likely to detect and prevent malicious behavior faster than any network administrator.

White Paper: Protecting Data Using Machine Learning

Everything has led to this. This is the continuous execution stage where an attacker takes action on their target and may encrypt your data for ransom, exfiltrate your data for monetary gain, bring down your network via denial of service, or monitor your system behaviors for any other openings via spyware, to name just a few potential outcomes. Espionage and monitoring are leading actions in this last kill chain step where attackers keep a low profile and persist.

This is where real-time monitoring of data movement and suspicious behavior detection is crucial because attackers will move as quickly as possible to achieve their goals. There is never enough time to react to every possible anomaly within a large corporate structure so your role in prevention must be proactive instead of reactive.