WEBVTT

1
00:00:00.000 --> 00:00:01.230
<v Narrator>In this lesson,</v>

2
00:00:01.230 --> 00:00:04.230
we will learn about the Cyber Kill Chain.

3
00:00:04.230 --> 00:00:07.770
The Cyber Kill Chain is a threat modeling framework

4
00:00:07.770 --> 00:00:11.220
that breaks down the steps an attacker must go through

5
00:00:11.220 --> 00:00:13.230
to complete an attack.

6
00:00:13.230 --> 00:00:17.340
In this framework, each step must occur sequentially

7
00:00:17.340 --> 00:00:19.680
for an attack to be successful.

8
00:00:19.680 --> 00:00:23.490
In this way, the Cyber Kill Chain helps organizations

9
00:00:23.490 --> 00:00:27.390
understand and disrupt an adversary's attack,

10
00:00:27.390 --> 00:00:30.720
effectively breaking a link in the chain.

11
00:00:30.720 --> 00:00:34.170
The Cyber Kill Chain was developed by Lockheed Martin

12
00:00:34.170 --> 00:00:39.170
and consists of seven steps: reconnaissance, weaponization,

13
00:00:39.360 --> 00:00:43.350
delivery, exploitation, installation,

14
00:00:43.350 --> 00:00:47.130
command and control, and actions on objectives.

15
00:00:47.130 --> 00:00:50.460
Let's learn more about the Cyber Kill Chain.

16
00:00:50.460 --> 00:00:53.550
The Cyber Kill Chain is a threat modeling framework

17
00:00:53.550 --> 00:00:56.310
developed by Lockheed Martin to outline

18
00:00:56.310 --> 00:01:00.900
the steps attackers typically take during a cyber attack.

19
00:01:00.900 --> 00:01:04.590
Each step in the chain represents a necessary phase

20
00:01:04.590 --> 00:01:08.790
in the attack, and breaking any link in the chain disrupts

21
00:01:08.790 --> 00:01:12.780
the entire attack, forcing attackers to start over

22
00:01:12.780 --> 00:01:16.260
from the first phase with a new network attack

23
00:01:16.260 --> 00:01:18.180
and a new approach.

24
00:01:18.180 --> 00:01:22.980
The Cyber Kill Chain includes seven steps: reconnaissance,

25
00:01:22.980 --> 00:01:27.980
weaponization, delivery, exploitation, installation,

26
00:01:28.080 --> 00:01:31.830
command and control, and actions on objectives.

27
00:01:31.830 --> 00:01:34.590
By understanding each of these steps,

28
00:01:34.590 --> 00:01:38.010
defenders can better anticipate, detect,

29
00:01:38.010 --> 00:01:41.910
and block attacks before they reach their objectives.

30
00:01:41.910 --> 00:01:44.160
The first step, reconnaissance,

31
00:01:44.160 --> 00:01:48.300
is when attackers gather information about their target,

32
00:01:48.300 --> 00:01:52.500
typically using open source intelligence or OSINT,

33
00:01:52.500 --> 00:01:56.820
or by scanning systems to identify vulnerabilities.

34
00:01:56.820 --> 00:02:00.477
In this phase, attackers may use passive reconnaissance

35
00:02:00.477 --> 00:02:05.477
to collect information undetected, or active reconnaissance,

36
00:02:06.030 --> 00:02:09.000
using techniques like network scanning.

37
00:02:09.000 --> 00:02:11.580
At any rate, the goal of this stage

38
00:02:11.580 --> 00:02:14.490
is to identify potential weaknesses,

39
00:02:14.490 --> 00:02:17.430
allowing attackers to develop a strategy

40
00:02:17.430 --> 00:02:19.560
for exploiting the target.

41
00:02:19.560 --> 00:02:21.930
Step two is weaponization.

42
00:02:21.930 --> 00:02:25.200
This is where attackers create malicious payloads,

43
00:02:25.200 --> 00:02:29.820
or exploits customized to take advantage of vulnerabilities

44
00:02:29.820 --> 00:02:32.130
found during reconnaissance.

45
00:02:32.130 --> 00:02:35.490
With weaponization, attackers may combine malware

46
00:02:35.490 --> 00:02:38.880
with exploit code to maximize effectiveness

47
00:02:38.880 --> 00:02:42.300
and test it in a controlled environment of their own.

48
00:02:42.300 --> 00:02:46.200
This step is critical to an attacker because it determines

49
00:02:46.200 --> 00:02:50.400
whether the attack will succeed in compromising the target.

50
00:02:50.400 --> 00:02:54.060
After weaponization, attackers move to step three,

51
00:02:54.060 --> 00:02:55.680
the delivery phase.

52
00:02:55.680 --> 00:02:57.210
In the delivery phase,

53
00:02:57.210 --> 00:03:01.380
attackers send the payload they created during weaponization

54
00:03:01.380 --> 00:03:04.770
to the target, often through a phishing email,

55
00:03:04.770 --> 00:03:09.480
a compromised website, or an infected USB device.

56
00:03:09.480 --> 00:03:13.020
Delivery is the first step where the attacker directly

57
00:03:13.020 --> 00:03:15.960
and maliciously interacts with the target.

58
00:03:15.960 --> 00:03:20.250
So it's often disguised to avoid raising suspicions,

59
00:03:20.250 --> 00:03:23.640
and bypass email or download filters.

60
00:03:23.640 --> 00:03:25.620
Once the payload is delivered,

61
00:03:25.620 --> 00:03:28.920
step four, exploitation, occurs.

62
00:03:28.920 --> 00:03:31.620
Exploitation is when the payload executes

63
00:03:31.620 --> 00:03:33.360
on the target system,

64
00:03:33.360 --> 00:03:36.360
taking advantage of a discovered vulnerability

65
00:03:36.360 --> 00:03:37.800
to gain access.

66
00:03:37.800 --> 00:03:41.220
For example, if a victim clicks a malicious link

67
00:03:41.220 --> 00:03:43.560
or opens a harmful attachment,

68
00:03:43.560 --> 00:03:46.920
the exploitation begins as the code in the link

69
00:03:46.920 --> 00:03:50.010
or attachment triggers on the device,

70
00:03:50.010 --> 00:03:53.340
allowing the attacker to access the system.

71
00:03:53.340 --> 00:03:55.950
The fifth step is installation,

72
00:03:55.950 --> 00:03:59.400
where malware establishes itself on the system,

73
00:03:59.400 --> 00:04:01.710
typically by creating a backdoor,

74
00:04:01.710 --> 00:04:06.030
or persistence mechanism to ensure continued access.

75
00:04:06.030 --> 00:04:10.050
Attackers often embed additional tools during this phase

76
00:04:10.050 --> 00:04:13.650
to help evade detection or make it more challenging

77
00:04:13.650 --> 00:04:16.470
to remove their malware from the system.

78
00:04:16.470 --> 00:04:20.670
Following installation, step six, the command and control

79
00:04:20.670 --> 00:04:24.390
or C2 phase connects the attacker's system

80
00:04:24.390 --> 00:04:26.370
with the compromised target,

81
00:04:26.370 --> 00:04:28.560
allowing remote control.

82
00:04:28.560 --> 00:04:32.520
Through C2, the attacker can issue instructions,

83
00:04:32.520 --> 00:04:36.240
move within the network or exfiltrate data.

84
00:04:36.240 --> 00:04:39.360
This communication channel is often encrypted

85
00:04:39.360 --> 00:04:42.030
or concealed to evade detection

86
00:04:42.030 --> 00:04:44.790
by security monitoring tools.

87
00:04:44.790 --> 00:04:48.270
Finally, actions on objectives occur in step seven

88
00:04:48.270 --> 00:04:50.040
of the Cyber Kill Chain.

89
00:04:50.040 --> 00:04:52.560
Actions on objectives are when attackers

90
00:04:52.560 --> 00:04:56.670
achieve their original goal, such as stealing data,

91
00:04:56.670 --> 00:05:01.020
deploying ransomware, or sabotaging operations.

92
00:05:01.020 --> 00:05:03.480
The results of this phase vary based

93
00:05:03.480 --> 00:05:05.490
on the attacker's motivations

94
00:05:05.490 --> 00:05:08.190
and could involve data exfiltration,

95
00:05:08.190 --> 00:05:10.860
financial gain, espionage,

96
00:05:10.860 --> 00:05:13.740
or damaging the target's infrastructure.

97
00:05:13.740 --> 00:05:17.760
So to see how the Cyber Kill Chain can help defenders,

98
00:05:17.760 --> 00:05:19.650
let's consider an example.

99
00:05:19.650 --> 00:05:22.890
Suppose an organization notices that employees

100
00:05:22.890 --> 00:05:25.800
are receiving strange emails with attachments,

101
00:05:25.800 --> 00:05:29.400
which could signal an attack at the delivery stage.

102
00:05:29.400 --> 00:05:31.830
By identifying this pattern early,

103
00:05:31.830 --> 00:05:35.190
the security team can immediately block the sender,

104
00:05:35.190 --> 00:05:39.000
set up additional email filters and alert employees

105
00:05:39.000 --> 00:05:41.640
to be cautious of similar emails.

106
00:05:41.640 --> 00:05:44.640
Stopping the attack at this step prevents

107
00:05:44.640 --> 00:05:46.920
the malware from executing,

108
00:05:46.920 --> 00:05:50.640
thereby blocking the exploitation, installation,

109
00:05:50.640 --> 00:05:53.220
and later stages of the attack.

110
00:05:53.220 --> 00:05:55.980
However, attacks aren't always discovered

111
00:05:55.980 --> 00:05:57.690
in the early stages.

112
00:05:57.690 --> 00:06:02.160
So even if attackers reach the command and control phase,

113
00:06:02.160 --> 00:06:05.550
defenders still have options to disrupt the attack.

114
00:06:05.550 --> 00:06:08.700
For instance, by monitoring network traffic

115
00:06:08.700 --> 00:06:12.120
for suspicious connections to unfamiliar servers,

116
00:06:12.120 --> 00:06:15.300
defenders may discover C2 activity

117
00:06:15.300 --> 00:06:17.370
and block the connections.

118
00:06:17.370 --> 00:06:20.700
Disconnecting the C2 channel prevents the attacker

119
00:06:20.700 --> 00:06:22.830
from issuing further commands

120
00:06:22.830 --> 00:06:25.170
and accessing critical systems.

121
00:06:25.170 --> 00:06:29.010
This swift response cuts off the attacker's control,

122
00:06:29.010 --> 00:06:32.790
stopping attackers from achieving their end objectives.

123
00:06:32.790 --> 00:06:37.410
Now, the Cyber Kill Chain aligns well with the six Ds

124
00:06:37.410 --> 00:06:42.360
of defense: detect, deny, disrupt, degrade,

125
00:06:42.360 --> 00:06:44.850
deceive, and destroy.

126
00:06:44.850 --> 00:06:48.690
For example, detecting and denying a phishing attack

127
00:06:48.690 --> 00:06:51.330
disrupts an attack in its early stages,

128
00:06:51.330 --> 00:06:53.940
ideally before exploitation.

129
00:06:53.940 --> 00:06:57.300
Next, if attackers attempt data theft,

130
00:06:57.300 --> 00:07:01.470
defenders could deploy a honeypot to deceive the attacker,

131
00:07:01.470 --> 00:07:05.430
wasting their time and resources on a decoy system.

132
00:07:05.430 --> 00:07:08.490
Alternatively, degrading network speeds

133
00:07:08.490 --> 00:07:12.240
to critical systems will make data exfiltration efforts

134
00:07:12.240 --> 00:07:14.760
time consuming and inefficient,

135
00:07:14.760 --> 00:07:17.370
buying defenders additional time

136
00:07:17.370 --> 00:07:20.640
to implement more robust blocking mechanisms.

137
00:07:20.640 --> 00:07:22.980
In the end, each action taken

138
00:07:22.980 --> 00:07:27.750
within the Cyber Kill Chain framework maximizes the chances

139
00:07:27.750 --> 00:07:30.690
of preventing a successful attack.

140
00:07:30.690 --> 00:07:33.930
So remember, the Cyber Kill Chain

141
00:07:33.930 --> 00:07:37.320
is a threat modeling framework originally developed

142
00:07:37.320 --> 00:07:38.820
by Lockheed Martin.

143
00:07:38.820 --> 00:07:42.480
It breaks down the phases attackers typically follow

144
00:07:42.480 --> 00:07:44.940
to carry out a cyber attack.

145
00:07:44.940 --> 00:07:48.990
Each step in the chain represents a necessary phase

146
00:07:48.990 --> 00:07:50.280
in an attack.

147
00:07:50.280 --> 00:07:54.420
So if defenders can stop an attack at any point,

148
00:07:54.420 --> 00:07:58.680
it breaks the chain and forces attackers to start over.

149
00:07:58.680 --> 00:08:02.730
The seven steps in the Cyber Kill Chain are reconnaissance,

150
00:08:02.730 --> 00:08:07.650
weaponization, delivery, exploitation, installation,

151
00:08:07.650 --> 00:08:11.550
command and control, and actions on objectives.

152
00:08:11.550 --> 00:08:15.450
By understanding and monitoring each of these steps,

153
00:08:15.450 --> 00:08:19.110
defenders can anticipate and disrupt attacks

154
00:08:19.110 --> 00:08:22.020
before they reach their final goals.

155
00:08:22.020 --> 00:08:25.740
So the Cyber Kill Chain helps defenders see

156
00:08:25.740 --> 00:08:28.110
where they can stop an attack,

157
00:08:28.110 --> 00:08:31.740
whether by detecting suspicious activity early,

158
00:08:31.740 --> 00:08:35.160
or blocking communications at later stages.

159
00:08:35.160 --> 00:08:37.980
This approach allows security teams

160
00:08:37.980 --> 00:08:41.070
to create a structured defensive strategy,

161
00:08:41.070 --> 00:08:43.230
taking a decisive action

162
00:08:43.230 --> 00:08:48.230
and safeguarding systems against multi-step cyber threats.

