Using Cyber Kill Chain for Threat Intelligence

Using Cyber Kill Chain for Threat Intelligence

by rootsun
September 17, 2020

To block the attack vector, you need to know how an attacker thinks. The same idea applies to organizations that want to prevent cybercrimes. The consequences of a cyber attack can be devastating in terms of brand reputation and the organization’s invaluable assets, that’s why catching the intruder in an early stage is life-saving.

The world is dealing with ever-changing sophisticated digital techniques, and attackers leverage this development for their own attacks. Organizations use different security models to provide them with an understanding of the methods that cyber attackers use so that they can protect their IT ecosystem. One of the most used models is the Cyber Kill Chain.

What is the Cyber Kill Chain?

The Cyber Kill Chain is a very well known framework, developed by Lockheed Martin as part of the Intelligence Driven Defense model. It was derived from a military model and is extremely useful for identifying and preventing attacks.

It is a very informative model of stages an attacker usually practices to penetrate a network, maintain persistency, and complete a successful attack in the targeted organization. It includes even the earliest stage of an attack – reconnaissance.

Using the cyber kill chain steps, organizations can prevent and combat different external attacks, ranging from ransomware, data breaches, phishing, APT attacks, denial-of-service, and more.

Similarly, threat intelligence in its core is finished intelligence to help organizations understand emerging threats, This information is used to prevent possible attacks. So, using the cyber kill chain to understand which threat intelligence sources you need to focus on, is essential in the technology era. The beauty of using a cyber kill chain for threat intelligence is that no matter what stage you catch the attacker, you can always find a way to break the chain and “kill” the attack. You only need the right intelligence, and the ability to leverage it for your interests.

The 7 stages of a cyberattack

The cyber kill chain breaks down into 7 main stages. Each stage describes the activity that the attacker performs to reach its goal.

Stage 1: Reconnaissance

Find the target and research it.

In the first stage, the attacker selects a target that fits its needs, then starts researching it. The research is done in an outside-in approach. The IT system, the structure of the organization, vulnerabilities in their system, are of most helpful findings for an attacker. The more they know – the better for them.

Stage 2: Weaponization

Develop malware for exploitation.

This is when the attacker prepares a remote access malware -a deliverable payload- fit to take advantage of the vulnerabilities discovered during recon. This malware is usually delivered via a phishing email.

Stage 3: Delivery

Malware is ready, time for transmission.

In this stage, the malicious payload is ready to be sent to the targeted network. Some of the most used ways are via malicious websites, phishing emails, or a USB.

Stage 4: Exploitation

Execute the malware.

When the malware is transmitted to the victim’s system, it usually targets a vulnerability in any asset, but it can also auto-execute the code.

Stage 5: Installation

Create a backdoor.

In this stage, the attacker tries to find additional vulnerabilities to create additional access points to the victim’s system and deletes metadata, modifies critical information, and wipes all traces of activity to remain persistent in the system.

Stage 6: Command & Control

Persistent access.

The attacker creates a connection to the outside, now that it has the full ability to manage the malware installed into the victim’s system. Establishing a command & control (C2) channel gives the attacker full access to the system, and they can perform all kinds of attacks initially intended.

Stage 7: Action on Objectives

Hands on keyboard.

This is the last stage of the cyber kill chain. Now that the attacker has a hands-on keyboard, it can perform its goal: steal data, delete data, perform denial-of-service attacks, etc.

Leverage the Cyber Kill Chain

Knowing in which step the attacker is, helps security teams layer security controls, and prevent possible cyberattacks. Understanding the Cyber Kill Chain, and strengthening that knowledge with the right Threat Intelligence gives organizations a powerful threat prevention ability.

During the recon stage, the attacker uses an outside-in approach to research, and tries to find assets that you have forgotten about, or are not aware of. Organizations need to get a holistic view of their infrastructure so that they know what to protect. However, that is not always enough – and that’s where Threat Intelligence comes to play.

Knowing new vulnerabilities is essential because this way you know what the attacker could target.

Attacks usually exploit zero-day vulnerabilities or a few vulnerabilities at once to get access to the system. However, each APT group has its own tactics, techniques, and procedures (TTPs) they perform to attack. Different APT groups target different industries and knowing your possible attacker, and its TTPs is essential for proper threat prevention. APT groups constantly develop new TTPs, so constantly following these changes is important as well.

Educating the staff not to fall prey to phishing emails and malicious websites is one way to protect the organization. However, using threat intelligence to identify newly registered phishing domains is another way to prevent intrusions. The security teams can feed phishing information to the system and prevent any access to those domains through the network of the organization.

SOCRadar’s ThreatFusion

The threat intelligence capabilities that SOCRadar offers through ThreatFusion provide deeper context and insight into existing and emerging threats. ThreatFusion allows organizations to understand the Tactics Techniques, and Procedures of state-sponsored APT groups – they can track APT group activities and get notified, simply by subscribing to the group.

Organizations can also follow vulnerability trends and prioritize their patches. And with the API-ready feeds, they can integrate threat intelligence into their existing security products to prevent cyber attacks at an early stage, by blocking their payload delivery to your networks.

Discover SOCRadar® Community Edition for free

With SOCRadar® Community Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.