The term “Kill Chain” was introduced by the military to describe the steps used to attack a target. Later, in 2011, Lockheed Martin published a paper that defined the concept of the “Cyber Kill Chain.” Reportedly, the paper was prepared with the help of the Computer Security and Incident Response Team (CSIRT). Like the military Kill Chain, the Cyber Kill Chain consists of the steps that cybercriminals follow in cyber-attacks. Once a SOC team or security professionals clearly understand each step of the Cyber Kill Chain, they can prevent, detect, and/or stop a cyber-attack at each of these stages. According to SANS Security Awareness, the Cyber Kill Chain model involves the following 7 steps:
Cybersecurity threats are evolving faster and becoming more sophisticated than the defensive enhancements organizations are making. Under such circumstances, it is essential to understand the real behavior of cybersecurity threats and the threat intelligence about them: for example, how a cyber-attack executes, what steps are involved, and what the consequences are. To describe this behavior, the Cyber Kill Chain introduces the steps listed in the above section. At each step, SOC teams apply security controls to prevent and detect the cyber-attack before it infiltrates the corporate network and inflicts damage.
SBS Cybersecurity describes how security tools can be deployed at each stage of the Cyber Kill Chain. Below are some details:
Reconnaissance: At this stage, to detect an attack, a SOC team can use web analytics, threat intelligence, and a network Intrusion Detection System (IDS). To deny the attack, they can establish an information-sharing policy, a firewall, and access control lists.
Weaponization: To detect an attack, a SOC team uses endpoint malware protection. To deny the attack, a Network Intrusion Prevention System (IPS) is used.
Delivery: To detect an attack, a SOC team employs endpoint malware protection, while several security controls are deployed to deny the attack, such as change management, a host-based Intrusion Prevention System (IPS), a proxy filter, and application whitelisting. An inline antivirus program is also used to disrupt the attack. Queuing is used to degrade the attack, and the attack is contained through router access control lists, an app-aware firewall, trust zones, and an inter-zone Network Intrusion Detection System (IDS).
Exploitation: To detect an attack, a SOC team uses endpoint malware protection and a host-based Intrusion Detection System (IDS). To deny an attack, patch management and secure passwords are used. The attack can be contained through an app-aware firewall, trust zones, and an inter-zone Network Intrusion Detection System (IDS).
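The Reconnaissance entry above names "web analytics" as a detection control without showing what such analytics look like in practice. The following is an added example, not code from the page or from SBS Cybersecurity: a small detector that reads web server access logs in the common combined format and flags a client whose requests in a short window touch many distinct paths with a high error ratio, the typical footprint of directory or vulnerability scanning. The log lines, the client addresses (RFC 5737 documentation ranges), the user-agent string, the window length and the thresholds are all constructed assumptions for this example; a real deployment would tune them to the site's normal traffic.

```python
"""Flag likely reconnaissance (web scanning) in web server access logs.

Added example for the Reconnaissance stage of the Cyber Kill Chain.
Thresholds, sample log lines and the finding format are this example's
own assumptions, not a standard and not from the page.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (documentation IP ranges); not real traffic.
# 203.0.113.7 browses normally; 198.51.100.23 probes many non-existent paths in two seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /about.html HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "ExampleScanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /login/ HTTP/1.1" 404 153 "-" "ExampleScanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /config/ HTTP/1.1" 404 153 "-" "ExampleScanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "ExampleScanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "GET /test/ HTTP/1.1" 404 153 "-" "ExampleScanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleScanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "GET /contact.html HTTP/1.1" 200 1510 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skip rather than crash the detector on odd lines
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "path": m["path"],
        "status": int(m["status"]),
        "agent": m["agent"],
    }


def detect_recon(log_text, window_seconds=60, min_distinct_paths=5, min_error_ratio=0.5):
    """Return one finding per client whose requests in some sliding window look like scanning.

    A window qualifies when it covers at least min_distinct_paths different paths and at
    least min_error_ratio of its responses are 4xx/5xx. The largest qualifying window
    per client is reported so the finding reflects the whole burst.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        best = None
        start = 0
        for end in range(len(recs)):
            # advance the window start until it lies within window_seconds of recs[end]
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            distinct = {r["path"] for r in window}
            errors = sum(1 for r in window if r["status"] >= 400)
            if len(distinct) >= min_distinct_paths and errors / len(window) >= min_error_ratio:
                if best is None or len(window) > best["requests"]:
                    best = {
                        "stage": "Reconnaissance",
                        "client": ip,
                        "requests": len(window),
                        "distinct_paths": len(distinct),
                        "error_ratio": round(errors / len(window), 2),
                        "agents": sorted({r["agent"] for r in window}),
                    }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_recon(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the detector reports a single finding for 198.51.100.23 (6 requests, 6 distinct paths, error ratio 0.83) and stays silent on the ordinary browsing client. A finding like this is the "detect" column of the Reconnaissance row; feeding the client address into the firewall or access control list the text names is the matching "deny" action.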