This model describes a common cycle that attackers follow to compromise an organisation. Understanding it helps an organisation choose the right security programs to protect, detect, identify, respond and recover when it is compromised.
By being aware of the kill chain model, one can understand the attacker's methodology, check for vulnerabilities in the organisation, and adjust the security architecture and processes accordingly by implementing methods to prevent, detect and correct the risks at each stage of the kill chain. The model breaks an attack into seven phases, giving the organisation seven opportunities to stop a breach before it succeeds. This supports an effective defence in depth.
The seven steps:
1. Reconnaissance: In this stage the attackers decide what to attack and which target is worthwhile by researching publicly available information about the organisation's resources and network.
2. Weaponization: In this stage the attacker devises a tool, based on the information gathered, to attack the chosen target. The more information they have, the greater the impact of the attack. Some forms of attack include web application exploitation, off-the-shelf or custom malware, compound document vulnerabilities and watering hole attacks.
3. Delivery: The attacker sends the malicious payload to the victim by email or other means; email is only one of many intrusion methods the attacker can use.
4. Exploitation: The actual execution of the exploit happens in this stage.
5. Installation: The attacker installs malware or an application on the victim system that allows communication with external parties. Installation is a single point in time within a much more elaborate attack that can take months to carry out, and it gives the attacker the "dwell time" needed to achieve their goals.
6. Command and control: The attacker creates a command and control channel in order to continue controlling and operating the internal assets they have gained access to. This channel can be built over DNS, Internet Control Message Protocol (ICMP), websites or social networks.
7. Action on Targets: Now that the attacker has access to the target, they exploit it, once or many times, until they are detected, and can readily achieve the objective of the attack.
This model suggests that instead of focusing on defending the organisation's perimeter alone, the company should recognise the stages of an attack and incorporate controls at each stage to protect itself from attacks.
Gartner provides some steps to be taken by the organization:
1. Identify assets and the controls in place to protect them.
2. Do a vulnerability assessment, find out what is in your network, and prioritise patching as needed.
3. Check the current controls regularly and keep updating them as needed.
4. Identify any access gaps.
5. Automate multiple security processes and use analytical tools to identify opportunities for fraud.
6. Determine the resources required to be better aligned against your adversaries.