Cyber Attack: Cyber Kill Chain Process Developed By Lockheed Martin


A botnet is a network of bots that an attacker controls as a group, in a coordinated fashion. A bot is a compromised machine that has been infected with malicious software, allowing the attacker to control the machine remotely and launch attacks from it. A botnet can be used to perform DDoS attacks, steal data, send spam, and give the attacker access to the device and its network connection. (1) Any system connected to the internet that provides TCP-based services is vulnerable to DDoS attacks. (2)

At the organizational level, we can protect our information and systems from cyber threats by executing mitigation strategies and by understanding and defending against each stage of the cyber kill chain.


The cyber kill chain was developed by Lockheed Martin and describes a cyber attack as seven stages, viewed from the perspective of network security.

The first stage is Reconnaissance. The attacker gathers and assesses technical and non-technical information on the target. The attacker may search for the online profiles of the organization's employees and begin interacting with them over internet channels, look for information systems with exploitable vulnerabilities, or estimate the potential return of the attack. (4) To counter this, the organization should patch its exploitable vulnerabilities regularly, restrict how much company data is exposed on the internet, and alert on abnormal browsing activity against its public-facing systems.

The second stage is Weaponization. The attacker builds malicious software tailored to the exploitable vulnerabilities they have found, in order to carry out the attack. We cannot prevent the attacker from creating malware, but we can provide cyber security education so that users know how to spot suspicious emails and stay vigilant in their internet activities. (5)

The third stage is Delivery. The attacker launches the attack through whatever medium fits the purpose: a phishing email, a USB drive, a link to a malicious website, and so on. At this stage, we can use mail filtering services and vendor controls to reduce the likelihood of phishing emails reaching users, and web proxy filtering to block access to malicious websites. (5) User education reinforces these technical controls.
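The kind of check a mail filter performs at the Delivery stage, as an added example for this page (not code from Lockheed Martin or any mail-filtering vendor): it parses an inbound message, flags attachments whose names carry a blocked or double extension, and flags links whose visible text names a different host than the one the href actually points to. The message it scans, the blocked-extension policy, and the domains (under .example and .test) are all constructed for the example.

```python
"""Delivery-stage mail screening: dangerous attachment names and deceptive links.
Added example; the message, the extension policy and the domains are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types an external sender should never deliver (assumed policy).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                      ".ps1", ".lnk", ".iso"}
# Document-like suffixes used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Something that looks like a hostname or URL inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def attachment_findings(msg: EmailMessage) -> list:
    """Flag blocked and double-extension attachment names."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) < 2:
            continue
        if "." + pieces[-1] in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
        if len(pieces) >= 3 and "." + pieces[-2] in DECOY_EXTENSIONS:
            findings.append(f"double extension: {name}")
    return findings


def link_findings(msg: EmailMessage) -> list:
    """Flag links whose visible text names a different host than the href."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        target = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if shown and shown.group(1).lower() != target:
            findings.append(f"link text shows {shown.group(1)} but points to {target}")
    return findings


def scan_raw_mail(raw: str) -> list:
    """Parse an RFC 5322 message and return every delivery-stage finding."""
    msg = email.message_from_string(raw, policy=policy.default)
    return attachment_findings(msg) + link_findings(msg)


def build_sample_mail(malicious: bool = True) -> str:
    """Constructed test message (not captured from any real campaign)."""
    msg = EmailMessage()
    msg["From"] = "accounts@portal.example.com"
    msg["To"] = "staff@corp.example.org"
    msg["Subject"] = "Invoice attached"
    if malicious:
        href, attachment_name = "http://portal.example.com.evil.test/login", "invoice.pdf.exe"
    else:
        href, attachment_name = "https://portal.example.com/login", "invoice.pdf"
    msg.set_content(
        "<html><body><p>Please review the invoice at "
        f'<a href="{href}">https://portal.example.com</a>.</p></body></html>',
        subtype="html")
    msg.add_attachment(b"MZ\x90\x00" if malicious else b"%PDF-1.4",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    for finding in scan_raw_mail(build_sample_mail()):
        print(finding)
```

These are the cheapest checks a filter can make, and a real service layers many more on top (sender authentication, URL reputation, attachment detonation). Even so, the double-extension and text-versus-href mismatches catch a large share of the commodity phishing that reaches users, which is exactly the traffic the Delivery-stage controls described above aim to stop.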

The fourth stage is Exploitation. This occurs when the victim opens the infected attachment or clicks the link, (5) and the malicious code runs on the targeted organizational information system. We need to make sure systems are patched and up to date and that real-time anti-virus and anti-malware protection is running. Sensitive organizational data should be stored in systems protected by multi-factor authentication to limit what a successful exploit can reach. (4)

The fifth stage is Installation. The malicious code installs itself on the targeted information system. Because the initial payload is often kept small to avoid detection, it may download additional software in order to become fully functional if network access is available. We can make it harder for the payload to install itself or fetch further components by restricting user access and limiting administrator rights.

The sixth stage is Command and Control, also known as C2. The attacker now has control of the compromised system and can use it to move deeper into the network, either to find the information they are after or to carry out destructive actions. The company can implement monitoring and alerting and employ analytics (such as UEBA) to distinguish normal from abnormal system usage behaviour. (5)
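One concrete form of the "normal versus abnormal" analytics mentioned above, as an added example for this page (not Lockheed Martin's or any UEBA product's code): an implant that checks in with its C2 server on a timer produces requests at very regular intervals, while a person browsing produces bursty, irregular traffic. The detector below groups web-proxy log lines by source address and destination host and flags pairs whose inter-request gaps have a low coefficient of variation. The log format, the addresses, the hostnames and the thresholds are all constructed for the example.

```python
"""Beaconing detection over web-proxy log lines. Added example; the log
format, hosts, addresses and thresholds are constructed, not taken from
any real deployment."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from urllib.parse import urlparse


def parse_line(line: str) -> tuple:
    """Constructed format: '<iso-timestamp> <src-ip> <method> <url> <status> <bytes>'."""
    ts, src, _method, url, _status, _size = line.split()
    return datetime.fromisoformat(ts), src, urlparse(url).hostname


def detect_beacons(lines, min_requests: int = 6, max_cv: float = 0.1) -> dict:
    """Return (src, host) pairs whose request timing is suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: a timer gives a small cv, a human gives a large one.
    """
    seen = defaultdict(list)
    for line in lines:
        when, src, host = parse_line(line)
        seen[(src, host)].append(when)
    suspects = {}
    for key, times in seen.items():
        if len(times) < min_requests:
            continue            # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue            # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            suspects[key] = {"count": len(times), "mean_interval": avg, "cv": cv}
    return suspects


def build_sample_log() -> list:
    """Constructed log: one beaconing implant and one person reading the news."""
    start = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    lines = []

    def add(src, host, gaps_seconds):
        t = start
        for gap in gaps_seconds:
            t += timedelta(seconds=gap)
            lines.append(f"{t.isoformat()} {src} GET http://{host}/ 200 512")

    # Implant checking in about every 60 s with a little jitter.
    add("10.1.2.3", "update.example.net", [0, 60, 59, 61, 60, 62, 58, 60])
    # Same workstation, human browsing: bursty and irregular.
    add("10.1.2.3", "news.example.com", [0, 5, 120, 17, 400, 3])
    return lines


if __name__ == "__main__":
    for (src, host), info in detect_beacons(build_sample_log()).items():
        print(f"{src} -> {host}: {info['count']} requests, "
              f"mean {info['mean_interval']:.0f}s, cv {info['cv']:.3f}")
```

Real implants add randomised jitter and sleep periods precisely to defeat this signal, so the thresholds have to be tuned against the organisation's own traffic and the result treated as one indicator among several (a destination no other host talks to, traffic outside working hours, near-constant response sizes) rather than as proof of compromise on its own.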

The last stage is Actions on Objectives. Here the attacker pursues the ultimate goal of the attack: data exfiltration, complete system destruction, unauthorised data encryption, or a combination of these. We can limit data loss by backing up data regularly to a separate storage system. We can also use data loss prevention (DLP) technologies to stop data from being transferred out of the organization, together with measures such as turning off remote desktop connections and blocking access to malicious sites that might be used to carry the data out. (5)
