From the course: Ethical Hacking: Introduction to Ethical Hacking

Understanding the cyber kill chain

- [Instructor] The Cyber Kill Chain is a model that outlines the sequence of steps taken by a malicious actor from reconnaissance through the attack stage. In this segment, we'll review the model along with the tactics, techniques, and procedures used by the malicious actor during each phase. I'm here at Lockheed Martin, where we can learn more about the Cyber Kill Chain. Let's start by talking about a particularly dangerous threat called an advanced persistent threat. And I'll scroll down. This threat occurs when a malicious actor gains access to a network and remains undetected for weeks, months, and even years. Lockheed developed the Cyber Kill Chain with the idea that if we identify threats early enough, this will reduce the possibility of an advanced persistent threat. And down below we see the image of the Cyber Kill Chain, and I'll open it in a new tab. Here we can see the seven steps of the Cyber Kill Chain. Each step is related to some type of threat that can exist either inside or outside of the organization. In each step, there are tactics, techniques, and procedures, which are methods and approaches used by the attackers at each stage of the kill chain. Now, let's go into each step in more detail.

Step one is reconnaissance. Now, this is all about gathering information. The malicious actor is researching security vulnerabilities on your system, and they're looking around to see the data stores, meaning: what data do you have? Where is the data located? Who can access the data? Can I go anywhere else, for example, up or down the supply chain, and what can I gather? Some of the things I want may include email addresses and other information about the network, such as where the DNS servers are.

Step two is weaponization. Now, after reconnaissance is complete, the malicious actors are aware of the weak spots in the organization. The malicious actors then devise a plan to get inside the network, such as using polymorphic malware that cripples a network or installs a backdoor on the system.

Step three is delivery. Once the malicious actor knows how they will disrupt the network, the next step is to craft a plan to deliver the attack, using methods such as a phishing email designed to get the victim to click on a link, redirecting them to a webpage, or using a software update.

Step four is exploitation. Now that the payload is on the network, the malicious actors set up to make their move by exploiting a vulnerability. They could exploit the following: missing input validation, lack of sufficient logging, not closing the database connection, or using obsolete or deprecated methods.

Step five is installation. In this phase, the malicious actor installs the malware. During this phase, the attacker may create a backdoor or install a rootkit to ensure that they can regain access to the system. In addition, the attacker may attempt to obtain higher-level privileges to gain access to more sensitive data or to control critical system functions.

Step six is command and control. The malicious actor has gained access to the system. The command and control server will then issue instructions.

Step seven is actions on objectives. At this point, the malicious actor will achieve their ultimate goal. That could include data theft or modification, or encrypting the data and holding the data hostage.

The Cyber Kill Chain is a model that helps us understand some of the methodology that could be used by a malicious actor. The goal is to stop an attack before the attacker reaches their final objective. Now, let's test your knowledge. Discuss the Cyber Kill Chain along with the tactics, techniques, and procedures used by the malicious actor during each phase. You can record your answer on the challenge worksheet.
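The segment's point that the model exists so defenders can detect an intrusion early, before actions on objectives, can be turned into a small defender-side exercise: map alerts to the seven phases and see how deep the chain got before anything fired. The following Python is an added example, not part of the course or of Lockheed Martin's material; the detection rule names and their phase mapping are hypothetical, and the sample alerts are constructed.

```python
# The seven phases in chain order, as described in the segment.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
# Weaponization happens on the attacker's side; no alert on our network is
# expected for it, so it is excluded from the detection-gap calculation.
UNOBSERVABLE = {"weaponization"}

# Hypothetical mapping from detection rule names to the phase they indicate;
# a real deployment would derive this from its own detection content.
ALERT_PHASE = {
    "dns_zone_transfer_attempt": "reconnaissance",
    "phishing_link_click": "delivery",
    "input_validation_bypass": "exploitation",
    "rootkit_driver_loaded": "installation",
    "beacon_to_known_c2": "command_and_control",
    "bulk_file_encryption": "actions_on_objectives",
}

def kill_chain_report(alerts):
    """Summarise how far an intrusion progressed and where detection was silent.

    alerts: iterable of (timestamp, host, rule_name) tuples.  Returns the phases
    observed in chain order, the earliest and deepest phase, the observable
    phases before the deepest one that raised no alert (detection gaps), and
    rule names that map to no phase."""
    observed, unmapped = set(), set()
    for _ts, _host, name in alerts:
        phase = ALERT_PHASE.get(name)
        if phase is None:
            unmapped.add(name)
        else:
            observed.add(phase)
    ordered = [p for p in PHASES if p in observed]
    gaps = []
    if ordered:
        before_deepest = PHASES[:PHASES.index(ordered[-1])]
        gaps = [p for p in before_deepest
                if p not in observed and p not in UNOBSERVABLE]
    return {"observed": ordered,
            "earliest": ordered[0] if ordered else None,
            "deepest": ordered[-1] if ordered else None,
            "gaps": gaps, "unmapped": sorted(unmapped)}

# Constructed sample alerts for one workstation (not real telemetry).
SAMPLE_ALERTS = [
    ("2024-03-01T09:02:11Z", "ws-17", "phishing_link_click"),
    ("2024-03-01T09:04:40Z", "ws-17", "input_validation_bypass"),
    ("2024-03-01T09:20:05Z", "ws-17", "beacon_to_known_c2"),
    ("2024-03-01T09:21:00Z", "ws-17", "unsigned_binary_executed"),
]
```

The phases listed under `gaps` are the ones the intrusion must have passed through without any rule firing, which is where the model says to invest so the next intrusion is caught earlier in the chain.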
