Tracing Cyberattacks: Understanding the Cyber Kill Chain Model
The cybersecurity landscape is constantly evolving, and understanding the dynamics of a targeted cyberattack is crucial for defenders. Two prominent models help us grasp the phases of a malware attack and identify potential points for intervention: the Cyber Kill Chain and the MITRE ATT&CK framework.
The Cyber Kill Chain, developed by Lockheed Martin, breaks a malware attack down into the stages at which defenders can identify and stop it. The model consists of seven stages: Reconnaissance, Weaponization, Delivery, Exploit, Installation, Command and Control, and Actions.
Reconnaissance is the initial stage where criminals gather information about potential targets to decide whether they are worth attacking. This stage can be mitigated by maintaining strong security practices and keeping sensitive data protected.
Weaponization, Delivery, Exploit, and Installation are stages where criminals use the information they have gathered to craft a tool to attack their chosen target and put it to malicious use. For instance, the 2017 Equifax breach was traced back to a vulnerability in the Apache Struts web server software, highlighting the risk of web application attacks.
Once a threat is in a network, it may await instructions or download additional components in the Command and Control stage. An intrusion detection system set to alert on all new programs contacting the network can help detect Command and Control traffic.
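The "alert on new programs contacting the network" rule described above, as an added illustration that is not part of the original article: a small detector that reads constructed outbound-connection log lines, compares each process against a per-host baseline of programs already known to use the network, and raises one Command and Control alert per previously unseen (host, process) pair. The log format, the baseline and all addresses are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample telemetry (not real data); addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:01 host=ws-17 proc=chrome.exe dst=198.51.100.20:443
2024-05-01T09:00:05 host=ws-17 proc=outlook.exe dst=198.51.100.35:443
2024-05-01T09:01:12 host=ws-17 proc=chrome.exe dst=198.51.100.41:443
2024-05-01T09:02:40 host=ws-17 proc=svchost.exe dst=192.0.2.5:445
2024-05-01T09:03:09 host=ws-17 proc=update_helper.exe dst=203.0.113.9:8443
2024-05-01T09:03:15 host=ws-17 proc=update_helper.exe dst=203.0.113.9:8443
2024-05-01T09:04:00 host=ws-22 proc=outlook.exe dst=198.51.100.35:443
2024-05-01T09:04:30 host=ws-22 proc=chrome.exe dst=198.51.100.20:443
"""

# Assumed baseline: programs already observed using the network, learned per host.
BASELINE = {
    "ws-17": {"chrome.exe", "outlook.exe", "svchost.exe"},
    "ws-22": {"outlook.exe"},
}

@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    destination: str
    first_seen: str
    stage: str = "Command and Control"   # kill chain stage this rule targets

def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into (timestamp, host, process, destination)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, fields["host"], fields["proc"], fields["dst"]

def detect_new_network_programs(log_text, baseline):
    """Return one Alert per (host, process) that is absent from the host's baseline,
    recording the first connection seen; repeats of the same pair are suppressed."""
    seen, alerts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dst = parse_line(line)
        if proc in baseline.get(host, set()) or (host, proc) in seen:
            continue
        seen.add((host, proc))
        alerts.append(Alert(host, proc, dst, ts))
    return alerts

def run_sample():
    return detect_new_network_programs(SAMPLE_LOG, BASELINE)
```

Note that chrome.exe is baselined on ws-17 but not on ws-22, so the same program is benign on one host and alert-worthy on another; the baseline has to be maintained per host or the rule floods analysts with noise.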
The MITRE ATT&CK framework, developed by MITRE, is a leading contender for a more flexible, comprehensive way of thinking about cyberattacks. It catalogues actual attack techniques tied to each step in the kill chain, making it a valuable tool for defenders.
However, recent history shows that attackers do not always follow the traditional cyber kill chain. They skip steps, add steps, and backtrack, so defenders must stay vigilant and adaptable.
Attacks can have various monetization goals, taking forms such as ad fraud, spam, ransom, selling data, or renting out hijacked infrastructure to other criminals. The ultimate goal is to convert stolen assets, such as payment card information, into cash.
In conclusion, understanding the Cyber Kill Chain and the MITRE ATT&CK framework can help organisations identify and mitigate potential threats more effectively. By focusing on early detection and intervention, the cost and time required for cleanup can be significantly reduced. However, defenders must also remain adaptable, as attackers continue to evolve their tactics.