Building a Kill Chain to Boost Your IT Security

[vc_row][vc_column][vc_column_text]When hackers try to penetrate your databases and IT infrastructure (or perpetrate any other cybercrime), they often plan a sequence of steps to get what they want. Individual steps may seem innocent or meaningless.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_single_image image=”5632″ img_size=”full” alignment=”center” image_hovers=”false” lazy_loading=”true”][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]Linked one to the other, however, they are the stepping stones that take the hackers to their target. Lockheed Corporation coined the term “kill chain” to describe this sequence.

Once you know kill chains exist and see how cybercriminals plan them, you can get ahead of the curve by following kill chains yourself and breaking the links in as many places as possible. Here’s an example.

Social engineering is a common tactic of attackers. Phishing emails are often effective for this. Here are kill chain steps and possible blocking moves (in parentheses like this) for a phishing email attack supposedly bringing information about “New Employee Stock Option Rules”.

  • The phishing mail with a malicious link arrives at your company’s email server (use anti-spam detection to isolate the email for treatment).
  • The phishing mail escapes detection and is forwarded to the relevant user’s mailbox.
  • The user opens the email and clicks on the link (run awareness campaigns to get employees to be cautious or avoid clicking on such links).
  • The click opens a website page with a download of a file called “New Employee Stock Option Rules” – but which in fact is an “exe” file (block connections to suspicious URLs).
  • The user downloads the file (block the file by recognizing its type or its signature via antivirus software).
  • The user double-clicks to open the file, which installs malware that opens a connection to a remote machine (detect suspicious IP address and block the connection).
  • The attacker uses this connection to enter the user’s PC.
  • The attacker exfiltrates files and data including account credentials to enterprise servers (use system logs to detect unusual events, possibly also using user and entity behaviour analytics).

Of course, there are many kill chains possible. However, blocking and protective measures often work on different kill chain variants. The more kill chains you can map out and block, the safer your enterprise will be.