Cyber kill chain
The Cyber Kill Chain was developed by Lockheed Martin to describe cyber attacks. It consists of several successive phases, each describing the attacker penetrating deeper into the target.
Phase 1: Reconnaissance
The attacker has chosen an organization as a target and begins collecting information about the victim. From public sources he tries to learn about the company structure, its data networks and its business contacts, e.g. suppliers. A targeted evaluation of photos of the company published on various websites can also reveal details of the existing infrastructure. Targeted probing can likewise identify remote-access points to certain hardware, e.g. webmail and virtual private network (VPN) connections.
Phase 2: Finding the right attack method
The goal of this phase is to find out more about the software used. Popular methods are:
- Spear phishing
Spear phishing can also trigger other functionality. With the help of a prepared Microsoft Office document, Office can be made to fetch a file from a server via the Server Message Block (SMB) protocol. The request must authenticate itself to that server, which exposes the user's password hash; this hash can then be used to recover the password in clear text. The attacker can now authenticate himself within the company. This vulnerability is particularly problematic if single sign-on authentication is in use.
- Watering hole attack (water-holing)
Here, for example, websites that lie outside the target organization but are frequented by its employees are attacked and taken over, so that manipulated pages can then be used to gain access to the infrastructure of the target organization. The manipulation can also take place at subcontractors: documents are manipulated there and then sent to the actual target by employees of the subcontractor, who are unaware of the manipulation.
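The spear-phishing technique above relies on a workstation opening an outbound SMB connection to a server outside the company. A defender can look for exactly that in perimeter firewall logs. The following is an added example, not code from the original article or from Lockheed Martin; it assumes a simple constructed log format ("timestamp action src=ip:port dst=ip:port proto=tcp") and flags internal hosts that connect, or try to connect, to SMB ports on non-internal addresses.

```python
"""Flag outbound SMB connections from internal hosts to external addresses.

Added example (not part of the original article). The log format is an
assumption: "<timestamp> <allow|deny> src=<ip>:<port> dst=<ip>:<port> proto=<proto>".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# SMB over TCP (445) and NetBIOS session service (139). A document that points
# at an external SMB share makes the workstation connect outbound on these.
SMB_PORTS = {445, 139}

# Explicit RFC 1918 / loopback / link-local list. We avoid ipaddress.is_private
# because it also treats the documentation ranges used in the sample below
# (203.0.113.0/24, 198.51.100.0/24) as private, which would hide the hits.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    action: str  # "allow" or "deny"; a deny is still worth a look, it shows the attempt


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the INTERNAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(lines: List[str]) -> List[Finding]:
    """Return every internal -> external TCP connection to an SMB port."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        dport = int(m["dport"])
        if m["proto"].lower() != "tcp" or dport not in SMB_PORTS:
            continue
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            findings.append(Finding(m["ts"], m["src"], m["dst"], dport, m["action"]))
    return findings


# Constructed sample log lines (not real traffic). Line 2 and 3 are the case
# described in the article: a workstation reaching out to SMB on the internet.
SAMPLE_LOG = [
    "2024-03-01T09:12:01Z allow src=10.0.5.23:51234 dst=10.0.1.10:445 proto=tcp",
    "2024-03-01T09:12:07Z allow src=10.0.5.23:51240 dst=203.0.113.45:445 proto=tcp",
    "2024-03-01T09:12:09Z deny src=10.0.5.23:51241 dst=203.0.113.45:139 proto=tcp",
    "2024-03-01T09:13:00Z allow src=10.0.5.23:51250 dst=198.51.100.7:443 proto=tcp",
    "not a firewall line",
]

if __name__ == "__main__":
    for f in find_outbound_smb(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.dport} ({f.action})")
```

Run on the sample, the function reports the two connections to 203.0.113.45 and ignores the internal file server and the HTTPS connection. Blocking TCP 445 and 139 at the perimeter is the usual mitigation; the "deny" line shows why the logs are still worth reviewing after the block is in place, since the attempt itself indicates a document that tried to reach out.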
Phase 3: Targeted Attack
Once enough information about the target organization has been gathered, more targeted attacks can follow:
- Emails, USB sticks etc. with manipulated content induce the victim to reveal detailed information, e.g. user names and passwords.
Phase 4: Bridgehead
Once enough information has been gathered, a bridgehead in the form of a backdoor can be installed: by exploiting the identified vulnerability, a program that enables external access is placed on the system.
Phase 5: Takeover
After the successful installation of a backdoor, it can be used to take over the target by creating administrator accounts and other measures. From this point the attacker is firmly established; he can go on to create further accounts and thus take over the target company.
Criticism
The model is criticized for focusing too much on malware and on the procedure in the event of a system intrusion. As a result, it neither reflects the real effort required of the attacker nor alternative attack routes. Attacks from within by the company's own employees are also not taken into account; in response to this, the Internal Kill Chain was developed. Moreover, only the organization's own immediate environment is considered; an examination of the wider (digital) surroundings is omitted.
Furthermore, the model says nothing about how to react to such a cyber attack. Analysis according to the Cyber Kill Chain makes it possible to produce structured reports; for these to have an effect, however, a broader strategic consideration is required.
Sources
- Cyber kill chain basics application and development at security-insider.de
- Cyber kill chain at Lockheed Martin (eng.)
- Deconstructing The Cyber-Kill-Chain at darkreading.com (eng.)
- us-cert.gov, TA18-074A : Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
References
- ^ Scott Jasper, Strategic Cyber Deterrence: The Active Cyber Defense Option, p. 120