Security professionals use models to map the stages of cybersecurity attacks. The Cyber Kill Chain is a process developed by Lockheed Martin that outlines several key steps threat analysts can use to identify key points in an attack where the chain can be broken to prevent a breach.
WatchGuard threat analyst, Marc Laliberte, has developed a modified version based on this model that can strengthen the process for preventing cyberattacks. Marc’s Cyber Kill Chain removes the weaponization stage and adds a “lateral movement” step just after the command and control stage. Why? Marc’s latest column on Dark Reading covers this in detail:
“Attackers usually compromise the most vulnerable system first instead of going directly to their end objective. After compromising an easy target behind the network perimeter, attackers will move laterally though the network to their actual objective. Weaponization is a step for the attacker, but not something you can defend against, so I don’t include it in the model. Lateral movement, however, can be detected and prevented by internal network segregation firewalls.”
Building on The Lockheed Martin Cyber Kill Chain:
1 – Reconnaissance: Attackers gather information on their target.
2 – Weaponization: Attackers develop their attack payload.
2 – Delivery: Attackers launch their intrusion.
3 – Exploitation: Attackers compromise their target.
4 – Installation: Attackers gain persistence on their target.
5 – Command and control: Attackers issue commands to their payload.
6 – Lateral movement: Attackers move laterally through the network to their objective.
7 – Actions on objectives: Attackers complete their end goal.
Although each attack is different, and some won’t match up perfectly with kill chain models, using one can help to identify vulnerabilities in the network perimeter and improve breach defenses. For more on this topic and to explore a practical example of Marc’s modified Cyber Kill Chain against a real-world JavaScript drive-by download attack, read the full article on Dark Reading: