Module 6 - The Cyber Kill Chain & Diamond Model Flashcards
The Cyber Kill Chain
- Developed by Lockheed Martin to combat cyber intrusions.
- Consists of seven sequential steps.
- Aids in understanding threat actor techniques and procedures.
- Early detection and prevention are essential to minimize damage.
- If the attacker is stopped at any stage, the attack is thwarted.
- Completion of Step 7 is necessary for threat actors to succeed.
The 7 Steps of the Cyber Kill Chain
- Reconnaissance
- Weaponisation
- Delivery
- Exploitation
- Installation
- Command & Control
- Actions on Objectives
Reconnaissance
Reconnaissance is when the threat actor performs research, gathers intelligence, and selects targets. This will inform the threat actor if the attack is worth performing.
Weaponisation
The goal of this step is to use the information from reconnaissance to develop a weapon against specific targeted systems or individuals in the organization. To develop this weapon, the designer will use the vulnerabilities of the assets that were discovered and build them into a tool that can be deployed.
Delivery
During this step, the weapon is transmitted to the target using a delivery vector. This may be through the use of a website, removable USB media, or an email attachment. If the weapon is not delivered, the attack will be unsuccessful.
Exploitation
After the weapon has been delivered, the threat actor uses it to break the vulnerability and gain control of the target. The most common exploit targets are applications, operating system vulnerabilities, and users. The attacker must use an exploit that gains the effect they desire.
Installation
This step is where the threat actor establishes a back door into the system to allow for continued access to the target. To preserve this backdoor, it is important that remote access does not alert cybersecurity analysts or users. The access method must survive through antimalware scans and rebooting of the computer to be effective.
Command and Control
In this step, the goal is to establish command and control (CnC or C2) with the target system. Compromised hosts usually beacon out of the network to a controller on the internet. This is because most malware requires manual interaction in order to exfiltrate data from the network. CnC channels are used by the threat actor to issue commands to the software that they installed on the target.
Actions on Objectives
The final step of the Cyber Kill Chain describes the threat actor achieving their original objective. This may be data theft, performing a DDoS attack, or using the compromised network to create and send spam or mine Bitcoin. At this point the threat actor is deeply rooted in the systems of the organization, hiding their moves and covering their tracks. It is extremely difficult to remove the threat actor from the network.
Diamond Model
The Diamond Model of Intrusion Analysis is made up of four parts and represents a security incident or event. In the Diamond Model, an event is a time-bound activity that is restricted to a specific step in which an adversary uses a capability over infrastructure to attack a victim to achieve a specific result.
The four core features of an intrusion event are:
- adversary
- capability
- infrastructure
- victim
Adversary
These are the parties responsible for the intrusion.
Capability
This is a tool or technique that the adversary uses to attack the victim.
Infrastructure
This is the network path or paths that the adversaries use to establish and maintain command and control over their capabilities.
Victim
This is the target of the attack. However, a victim might be the target initially and then used as part of the infrastructure to launch other attacks.
Meta-features of the Diamond Model
- Timestamp
- Phase
- Result
- Direction
- Methodology
- Resources