How does a cyber kill chain work?
The kill chain breaks an attack into stages, so that defenders can tell how far an intrusion has progressed and which controls should have caught it. User behavior analytics (UBA) adds behavioral context at every stage of the kill chain – and helps detect and stop an attack in progress before the damage is done.
Reconnaissance. In every heist, you’ve got to scope the joint first. The same principle applies in a cyber-heist: reconnaissance is the preliminary step of an attack, the information-gathering mission. During reconnaissance, an attacker looks for information that might reveal vulnerabilities and weak points in the target. Firewalls, intrusion prevention systems, perimeter security – these days, even employees’ social media accounts – get identified and investigated. Reconnaissance tools scan corporate networks for open services, points of entry and vulnerabilities to be exploited.
Intrusion. Once you’ve got the intel, it’s time to break in. Intrusion is when the attack becomes active: malware – including ransomware, spyware, and adware – is sent to the system to gain entry. This is the delivery phase: the payload might arrive by phishing email, through a compromised website, or over that really great coffee shop down the street with free, attacker-friendly Wi-Fi. Intrusion is the point of entry for an attack, the moment the attackers get inside.
Exploitation. You’re inside the door, and the perimeter is breached. The exploitation stage of the attack…well, exploits the system, for lack of a better term. Attackers can now run code on the host, install additional tools, tamper with security certificates and drop new scripts for nefarious purposes.
Privilege Escalation. What’s the point of getting in the building if you’re stuck in the lobby? Attackers use privilege escalation to get elevated access to resources. They’ll modify Group Policy (GPO) security settings and configuration files, change permissions, and try to dump credentials.
Lateral Movement. You’ve got the run of the place, but you still need to find the vault. Attackers move from system to system – lateral movement – to gain more access and find more assets. It’s also an advanced data discovery mission: attackers seek out critical data and sensitive information, admin access and email servers – often using the same resources as IT and leveraging built-in tools like PowerShell, so their activity blends in with normal administration – and position themselves to do the most damage.
Obfuscation (anti-forensics). Put the security cameras on a loop and show an empty elevator so nobody sees what’s happening behind the scenes. Cyber-attackers do the same thing: they conceal their presence and mask their activity to avoid detection and thwart the inevitable investigation. This might mean wiping files, logs and metadata, overwriting file timestamps with false values (timestomping) and planting misleading information, or modifying critical records so that it looks like the data was never touched.
Denial of Service. Jam the phone lines and shut down the power grid. Here the attackers target the network and data infrastructure so that legitimate users can’t get what they need. A denial of service (DoS) attack disrupts or suspends access, for example by flooding services with traffic or crashing systems outright.
Exfiltration. Always have an exit strategy. The attackers get the data: they copy, transfer, or move sensitive data to a location they control, where they do with it what they will. Ransom it, sell it on eBay, send it to BuzzFeed. It can take days to get all of the data out, but once it’s out, it’s in their control.
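To make the defender’s side of the chain concrete, here is an added example (not code from the original article, and not any vendor’s UBA product) that runs four behavioral detections over a constructed batch of events and labels each hit with the kill chain stage it belongs to: a port scan (Reconnaissance), one account performing network logons to many hosts in a short window (Lateral Movement), a file whose $STANDARD_INFORMATION modified time is older than its $FILE_NAME modified time (Obfuscation, a common timestomping heuristic that is not proof on its own), and egress volume far above a user’s baseline (Exfiltration). The event shapes, thresholds, baseline figures and sample data are all assumptions chosen for illustration.

```python
"""Map constructed security events onto cyber kill chain stages.

Added example, not from the original article. Event shapes, thresholds
and the sample data below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed base timestamp

# Constructed sample events: a port scan, a spray of network logons from
# one account, a timestomped file and one large outbound transfer.
EVENTS = (
    # Reconnaissance: one external source probes 25 ports on one host.
    [{"ts": T0 + timedelta(seconds=i), "type": "conn",
      "src": "203.0.113.7", "dst": "10.0.0.5", "dport": p}
     for i, p in enumerate(range(20, 45))]
    # Lateral movement: svc_backup logs on over the network (type 3) to
    # four different hosts within two minutes.
    + [{"ts": T0 + timedelta(minutes=30, seconds=i * 40), "type": "logon",
        "user": "svc_backup", "host": h, "logon_type": 3}
       for i, h in enumerate(["FS01", "FS02", "DC01", "HR-PC7"])]
    # Obfuscation: $STANDARD_INFORMATION modified time pushed back to 2019,
    # while $FILE_NAME (which user-mode APIs cannot set) keeps the real time.
    + [{"ts": T0 + timedelta(hours=1), "type": "mft",
        "path": r"C:\Windows\Temp\svc.dll",
        "si_modified": datetime(2019, 5, 1, 12, 0),
        "fn_modified": T0 + timedelta(hours=1)}]
    # Exfiltration: 2 GB leaves the network under one account in an hour.
    + [{"ts": T0 + timedelta(hours=2), "type": "egress",
        "user": "svc_backup", "dst": "198.51.100.9", "bytes": 2_000_000_000}]
)

# Constructed per-user baseline of normal hourly egress, in bytes.
EGRESS_BASELINE = {"svc_backup": 50_000_000}


def detect_recon(events, port_threshold=20):
    """Flag a source that touches >= port_threshold distinct ports on one host."""
    ports = defaultdict(set)
    for e in events:
        if e["type"] == "conn":
            ports[(e["src"], e["dst"])].add(e["dport"])
    return [("Reconnaissance", f"{src}->{dst}")
            for (src, dst), p in ports.items() if len(p) >= port_threshold]


def detect_lateral(events, host_threshold=3, window=timedelta(minutes=10)):
    """Flag an account with network logons to >= host_threshold hosts in a window."""
    logons = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e["logon_type"] == 3:
            logons[e["user"]].append((e["ts"], e["host"]))
    alerts = []
    for user, items in logons.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # sliding window from each logon
            hosts = {h for ts, h in items[i:] if ts - start <= window}
            if len(hosts) >= host_threshold:
                alerts.append(("Lateral Movement", user))
                break
    return alerts


def detect_timestomp(events):
    """Flag files whose $SI modified time is older than their $FN modified time.

    Heuristic only: tools like SetFileTime rewrite $SI but not $FN, so this
    ordering is suspicious, though it deserves a look rather than a verdict."""
    return [("Obfuscation", e["path"]) for e in events
            if e["type"] == "mft" and e["si_modified"] < e["fn_modified"]]


def detect_exfil(events, baseline, factor=5, window=timedelta(hours=1)):
    """Flag a user whose egress within a window exceeds factor x their baseline.

    A user with no baseline entry gets a limit of 0, so any egress is flagged."""
    egress = defaultdict(list)
    for e in events:
        if e["type"] == "egress":
            egress[e["user"]].append((e["ts"], e["bytes"]))
    alerts = []
    for user, items in egress.items():
        items.sort()
        limit = factor * baseline.get(user, 0)
        for i, (start, _) in enumerate(items):
            total = sum(b for ts, b in items[i:] if ts - start <= window)
            if total > limit:
                alerts.append(("Exfiltration", user))
                break
    return alerts


def kill_chain_alerts(events, baseline=EGRESS_BASELINE):
    """Run every detector and order the alerts as the kill chain lists its stages."""
    order = ["Reconnaissance", "Intrusion", "Exploitation", "Privilege Escalation",
             "Lateral Movement", "Obfuscation", "Denial of Service", "Exfiltration"]
    alerts = (detect_recon(events) + detect_lateral(events)
              + detect_timestomp(events) + detect_exfil(events, baseline))
    return sorted(alerts, key=lambda a: order.index(a[0]))


if __name__ == "__main__":
    for stage, subject in kill_chain_alerts(EVENTS):
        print(f"{stage:20s} {subject}")
```

Each detector keys on behavior rather than on a known-bad signature, which is the point of UBA: none of the four sample events is malicious in isolation, but a scan followed by one service account fanning out across hosts, a backdated DLL and a 2 GB upload tell the kill chain story in order. In practice the thresholds would come from per-environment baselines, and the timestomp check would be one input to triage, not an alert on its own.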
I found this an interesting article about the kill chain; to read more, check the link below.