The cyber kill chain traces the different stages of a cyberattack, from the early reconnaissance stage to the exfiltration of data. The kill chain is a significant tool for understanding and combating ransomware, security breaches, and advanced persistent attacks. The kill chain method is derived from a military model and has evolved to better anticipate and recognize insider threats and other innovative attacks.
Attack and Kill Chain Models
The Cyber Talks webinar discusses two major frameworks, the first being the ATT&CK framework. It is defined by MITRE and is an adversary model for enterprises describing the actions an adversary may take to compromise and operate within an enterprise network. ATT&CK for Enterprise incorporates information on cyber adversaries gathered through MITRE research, as well as from other disciplines such as penetration testing and red teaming, to establish a body of knowledge characterizing the activities adversaries use against enterprise networks.
While there is significant research on initial exploitation and the use of perimeter defenses, there is a gap in central knowledge of the adversary process after initial access has been gained. ATT&CK for Enterprise focuses on the TTPs adversaries use to make decisions, expand access, and execute their objectives.
Cyber Kill Chain Framework –
The cyber kill chain is a series of steps that trace the stages of a cyberattack, from the early reconnaissance stage to the exfiltration of data. The kill chain helps us understand and combat major security breaches and advanced persistent threats. Varun mentions that the kill chain framework, as defined by Lockheed Martin, is a military model originally established to identify a target, prepare to attack it, engage it, and destroy it. Since its inception, the kill chain has evolved to better anticipate and recognize insider threats, social engineering, advanced ransomware, and innovative attacks.
There are several phases in the cyber kill chain, ranging from reconnaissance through to exfiltration, along with the common attack vectors that each phase addresses. Reconnaissance is the first stage, where attackers typically assess the situation from the outside in order to identify both targets and tactics for the attack. Using the information discovered in the reconnaissance phase, attackers are then able to get into your systems, often leveraging malware or security vulnerabilities. Exploitation is where malicious code is run on the compromised system. Privilege escalation is where attackers obtain more privileges on a system to gain access to more data and permissions. Finally, the exfiltration stage is where denial of service is carried out and data is taken out of the compromised system.
How CTI Enriches Penetration Testing –
In this part of the webinar, it is explained how global security standards are laid out. These standards emphasize the need for cyber threat intelligence and threat identification to inform an organization's overall cyber risk identification, assessment, and mitigation program. To successfully implement a risk-based information security program, an organization must be aware of general cybersecurity risks across all industries as well as the risks specific to its business sector and to the organization itself.
Furthermore, proposed revisions to multiple standards defined by different CERTs across the globe emphasize the need for a thorough and complete risk assessment that is informed by the possible vectors through which the security, confidentiality, and integrity of information could be threatened.
“The threat model is a formal process by which an organization identifies a specific cyber threat to an organization's information systems and sensitive information, which provides management insight regarding the defenses needed”, as defined by Varun Srivastava.
Even today, a threat modeling process involves comprehensive system, application, and network mapping, and data flow diagrams. He also mentioned the free tools available in the market for threat modeling. However, with the increasing number of large-scale data breaches and the evolving complexity of cybersecurity threats, many regulatory agencies and other industry-based standards have called for a need to go one step further and, using CTI, understand the techniques and procedures utilized by hackers. By using cyber threat intelligence and other threat-based models, organizations can gain insight into potential attack vectors through red teaming and penetration testing exercises, simulating each phase of a hypothetical attack against the organization's information system and determining the potential countermeasures that can be employed at each step of the kill chain.
Consequently, an organization can layer its defenses along each step in the kill chain to increase the probability of detecting or preventing the attack. This threat identification process requires greater detail on adversarial TTPs (tactics, techniques, and procedures). Varun explains that the MITRE ATT&CK framework collects and streamlines adversarial TTPs in specific detail and provides information on each technique and the protection and mitigation features that apply to it.
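To make the "layer defenses along each step" idea concrete, here is an added Python example (not from the webinar or the article) that checks a control inventory against the kill-chain phases listed above, reports phases with no control at all, and finds the earliest phase at which a given attack path would be detected. The control names and their phase mappings are constructed for illustration.

```python
"""Kill-chain coverage check. Added illustration; the control inventory
below is constructed and hypothetical, not a real organisation's."""

# Kill-chain phases in the order the article describes them.
KILL_CHAIN = ["reconnaissance", "intrusion", "exploitation",
              "privilege_escalation", "exfiltration"]

# Constructed sample inventory: each control covers one phase and is
# either a detective ("detect") or a preventive ("prevent") control.
CONTROLS = [
    {"name": "perimeter WAF",       "phase": "intrusion",    "kind": "prevent"},
    {"name": "email sandbox",       "phase": "intrusion",    "kind": "detect"},
    {"name": "EDR script blocking", "phase": "exploitation", "kind": "prevent"},
    {"name": "DLP egress monitor",  "phase": "exfiltration", "kind": "detect"},
]


def coverage(controls=CONTROLS, phases=KILL_CHAIN):
    """Return {phase: {"detect": [...], "prevent": [...]}} for every phase,
    including phases that have no control mapped to them."""
    cov = {p: {"detect": [], "prevent": []} for p in phases}
    for c in controls:
        if c["phase"] not in cov or c["kind"] not in ("detect", "prevent"):
            raise ValueError(f"bad control entry: {c}")
        cov[c["phase"]][c["kind"]].append(c["name"])
    return cov


def gaps(controls=CONTROLS, phases=KILL_CHAIN):
    """Phases with neither a detective nor a preventive control: these are
    the steps where an attack runs unopposed and unseen."""
    cov = coverage(controls, phases)
    return [p for p in phases if not cov[p]["detect"] and not cov[p]["prevent"]]


def earliest_detection(attack_path, controls=CONTROLS, phases=KILL_CHAIN):
    """Given the phases an adversary traverses, return the first phase (in
    kill-chain order) with a detective control, or None if the whole path
    would go unnoticed. Prevention is ignored here on purpose: a blocked
    step that nobody is alerted on still leaves the defender blind."""
    cov = coverage(controls, phases)
    for p in sorted(attack_path, key=phases.index):
        if cov[p]["detect"]:
            return p
    return None


if __name__ == "__main__":
    print("uncovered phases:", gaps())
    print("first detection:", earliest_detection(["exploitation", "exfiltration"]))
```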
The above figure refers to how CTI enriches penetration testing by providing situational awareness and reconnaissance information focused on the entity: threats around the organization, threats inside the organization, and anything happening on the social engineering side. CTI also provides threat profiles, in the form of detailed penetration testing reports, for any adversaries that might be targeting a particular entity. It also helps in simulating real-life cyber threat scenarios with the help of penetration testing information. Any enrichment of penetration testing test plans should also come from the CTI perspective, so that CTI can enrich the test plan before it is executed.
Evaluating the output with threat intelligence, contributing to strategic intelligence, and providing information to C-suite executives for decision making are other elements of CTI. These elements contribute greatly to more well-defined penetration testing, and in the end the reporting structure, as well as the information reflected in the report, becomes more enriched.
EC-Council is a world-recognized credentialing body offering various certification programs in the cybersecurity domain. The programs are job-oriented, as they are developed by industry experts. Beginning with C|EH, EC-Council has launched various cybersecurity programs suitable for freshers and experienced professionals alike. ECSA is another recognized penetration testing program that covers testing of modern IT infrastructure, application environments, and operating systems, including a dedicated module on drafting an effective penetration testing report.
EC-Council University conducts CyberTalks weekly with renowned cybersecurity experts who generously come forward to share their knowledge and experience with aspirants. This article is an abstract from the CyberTalk series by speaker Varun Srivastava. Varun is based in the UAE and has 12+ years of experience in cybersecurity. He currently heads the cyber threat intelligence function for Mubadala / Injazat Data Systems, which is based out of Abu Dhabi, UAE. In his webinar, he covers different aspects of intelligence-driven penetration testing. Watch the video now!
For the sake of convenience and to provide you with in-depth knowledge on the subject, we have created a series on this particular CyberTalk. You can visit these links to access the other two parts of the webinar @