Category
Incident Response
Level
Basics
Number
57
The Cyber Kill Chain is a model of the stages an attacker moves through during an intrusion. Mapping observed activity onto it shows how the attacker gained access and how far into the environment they have progressed, which is especially useful during the investigation phase of incident handling.
The Cyber Kill Chain comprises seven stages:
- Reconnaissance: Selecting a target and gathering information about it, passively (public sources, leaked data) and actively (scanning, probing).
- Weaponization: Pairing an exploit with a payload such as a backdoor into a deliverable form, built to evade the target's defenses.
- Delivery: Transmitting the weapon to the target, for example via phishing email, a malicious website or removable media.
- Exploitation: Triggering the exploit on the victim system so that the attacker's code runs.
- Installation: Installing malware or other tooling to keep a persistent foothold on the compromised system.
- Command and Control (C2): Establishing a channel through which the attacker remotely controls the compromised system.
- Actions on Objectives: Carrying out the actual goal, such as stealing data, moving laterally or deploying ransomware.
Attackers do not move through the chain in a single straight line: they repeat stages and often return to reconnaissance from inside the network once the first host is compromised. For defenders the goal is to detect and disrupt the attacker as early in the chain as possible, because every stage that is blocked denies the attacker everything that would have followed it.
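As an added illustration (not part of the original page), the script below lays a handful of constructed SOC alerts onto the seven stages and reports three things an incident handler wants to know: the deepest stage the attacker reached, where the attacker moved backwards in the chain (the "back and forth" described above), and which earlier-stage detections only raised an alert without blocking anything, i.e. the points where acting would have cut the chain short. The alert format, the rule names and the rule-to-stage mapping are assumptions for the example, not output of any real product.

```python
"""Map constructed alerts onto the Cyber Kill Chain and summarise an intrusion.
Added example for this page; the alert format, rule names and rule-to-stage
mapping below are assumptions, not real product output."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# The seven stages in kill-chain order; list position is used to compare
# how far along the chain an observed event sits.
KILL_CHAIN = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
]

# Hypothetical detection rule names and the stage each one evidences.
# In a real SOC this mapping lives in the detection rule's metadata.
RULE_TO_STAGE = {
    "port_scan": "Reconnaissance",
    "phishing_email": "Delivery",
    "office_macro_exec": "Exploitation",
    "new_scheduled_task": "Installation",
    "beacon_dns": "Command and Control",
    "internal_ldap_enum": "Reconnaissance",  # recon again, from inside
    "bulk_exfil": "Actions on Objectives",
}

# Constructed sample alerts: "<ISO timestamp> key=value ...", one per line.
SAMPLE_ALERTS = """\
2024-03-01T08:40:00Z host=FW01 rule=port_scan action=alert
2024-03-01T09:12:00Z host=MAIL01 rule=phishing_email action=alert
2024-03-01T09:20:00Z host=WS01 rule=office_macro_exec action=alert
2024-03-01T09:21:00Z host=WS01 rule=new_scheduled_task action=alert
2024-03-01T09:25:00Z host=WS01 rule=beacon_dns action=alert
2024-03-01T10:05:00Z host=WS01 rule=internal_ldap_enum action=alert
2024-03-01T11:30:00Z host=FS01 rule=bulk_exfil action=block
"""


@dataclass
class Alert:
    when: datetime
    host: str
    rule: str
    action: str  # "alert" (detected only) or "block" (detected and stopped)
    stage: str   # kill-chain stage, or "Unknown" for an unmapped rule

    @property
    def index(self) -> Optional[int]:
        # Position in the chain; None when the rule has no stage mapping.
        return KILL_CHAIN.index(self.stage) if self.stage in KILL_CHAIN else None


def parse_alert(line: str) -> Alert:
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rule = fields["rule"]
    return Alert(when, fields["host"], rule, fields.get("action", "alert"),
                 RULE_TO_STAGE.get(rule, "Unknown"))


def load_alerts(text: str) -> List[Alert]:
    """Parse non-empty lines and return the alerts in time order."""
    alerts = [parse_alert(line) for line in text.splitlines() if line.strip()]
    return sorted(alerts, key=lambda a: a.when)


def furthest_stage(alerts: List[Alert]) -> Optional[str]:
    """The deepest kill-chain stage for which there is evidence."""
    indices = [a.index for a in alerts if a.index is not None]
    return KILL_CHAIN[max(indices)] if indices else None


def regressions(alerts: List[Alert]) -> List[Alert]:
    """Alerts whose stage is earlier than the deepest stage seen before them:
    the attacker going 'back', e.g. recon run from a compromised host."""
    out, deepest = [], -1
    for a in sorted(alerts, key=lambda a: a.when):
        if a.index is None:
            continue
        if a.index < deepest:
            out.append(a)
        deepest = max(deepest, a.index)
    return out


def missed_opportunities(alerts: List[Alert]) -> List[Alert]:
    """Alert-only detections at stages before the furthest one reached: each
    was a point where blocking would have cut off everything that followed."""
    furthest = furthest_stage(alerts)
    if furthest is None:
        return []
    limit = KILL_CHAIN.index(furthest)
    return [a for a in alerts
            if a.action == "alert" and a.index is not None and a.index < limit]


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    print("furthest stage reached:", furthest_stage(alerts))
    for a in regressions(alerts):
        print(f"moved back in the chain: {a.when:%H:%M} {a.host} {a.rule} -> {a.stage}")
    for a in missed_opportunities(alerts):
        print(f"could have disrupted at {a.stage}: {a.when:%H:%M} {a.host} {a.rule}")
```

Run against the sample, the intrusion reaches Actions on Objectives, the only regression is the LDAP enumeration from WS01 (reconnaissance after compromise), and all six earlier alerts are listed as missed chances to stop the attacker: the exfiltration was blocked, but only after every preceding stage had already been allowed to complete.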
Summary:
- The Cyber Kill Chain maps an attacker's actions from start to finish.
- Attackers move back and forth within the Kill Chain, even after initial success.
- Early disruption in the Kill Chain can limit damage during an attack.
- Incident handling uses Kill Chain knowledge for effective preparation and response.