Cyber Kill Chain
Presented by:
Vivek Kumar Chauhan
Harsh Gupta
Index
• What is Cyber Kill Chain?
• Stages of Cyber Kill Chain
• Attacks based on each step of the Cyber Kill Chain
• Correlation rules for a SIEM at each stage of the Cyber Kill Chain
• Recommendations for each stage of the Cyber Kill Chain
• How the Cyber Kill Chain relates to the MITRE ATT&CK framework
What is Cyber Kill Chain?
• The Cyber Kill Chain is a framework used in cybersecurity to describe the stages of a cyberattack. It was developed by Lockheed Martin and is widely used by cybersecurity professionals to understand, prevent, and respond to cyber threats.
• The Cyber Kill Chain framework is part of Lockheed Martin's Intelligence Driven Defense model for the identification and prevention of cyber intrusion activity.
Stages of Cyber Kill Chain
The Cyber Kill Chain consists of the following stages:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and control
7. Actions on objective
Attacks based on each step of the Cyber Kill Chain
• Reconnaissance: In this stage, attackers gather information about the target system or organization. Examples of attacks at this stage include: Phishing, Social engineering.
• Weaponization: In this stage, attackers create a malicious payload, such as a virus or Trojan horse, and prepare to deliver it to the target. Examples of attacks at this stage include: Malware, Exploit kits.
• Delivery: In this stage, attackers deliver the weaponized payload to the target. Examples of attacks at this stage include: Email attacks, Drive-by downloads.
• Exploitation: In this stage, attackers take advantage of vulnerabilities in the target system or network to gain access and establish a foothold in the system. Examples of attacks at this stage include: SQL injection, Remote code execution.
• Installation: In this stage, attackers install malware or other tools to maintain access and control over the compromised system. Examples of attacks at this stage include: Backdoors, Rootkits.
• Command and control: In this stage, attackers establish a command-and-control (C&C) channel to communicate with the compromised system and issue commands. Examples of attacks at this stage include: Botnets, Remote access trojans (RATs).
• Actions on objective: In this stage, attackers achieve their ultimate goal, such as stealing data, disrupting operations, or causing damage to the system. Examples of attacks at this stage include: Data theft, Ransomware.
Correlation rules for a SIEM at each stage of the Cyber Kill Chain
• Reconnaissance:
  • Alert when a large number of DNS queries are made for domains that are not typically accessed by users within the organization.
  • Alert when an IP address from a known malicious actor or country accesses the organization's external-facing systems.
• Weaponization:
  • Alert when an email attachment contains a known malware signature or hash.
• Delivery:
  • Alert when a user clicks on a suspicious link or attachment within an email.
  • Alert when a user enters credentials on a spoofed login page.
• Exploitation:
  • Alert when a user or device attempts to communicate with known command-and-control servers.
  • Alert when a user or device attempts to access a system or resource that they do not typically access.
• Installation:
  • Alert when a device begins communicating with a new IP address or domain associated with malware installation or data exfiltration.
  • Alert when a new application is installed on a device that is not on the organization's approved list of software.
• Command and control:
  • Alert when a device begins communicating with a known malicious IP address or domain.
  • Alert when a device sends a large amount of data to an external IP address or domain.
• Actions on objective:
  • Alert when a user account is locked out after multiple failed login attempts.
  • Alert when large amounts of data are being exfiltrated from the organization's systems.
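To make the rules above concrete, here is an added example (not from the slides) of a minimal correlator that applies three of them to a batch of constructed log events: the Reconnaissance rule on DNS queries outside a baseline, the Command and control rule on traffic to a known-bad indicator, and the data-volume rule (listed on the slides under both Command and control and Actions on objective) on bytes sent to an external address. The baseline domains, indicator list, thresholds, and the assumption that 10.0.0.0/8 is the internal range are all constructed for the example.

```python
from collections import Counter

# Constructed reference data: domains users normally resolve, a threat-intel
# list of known-bad C2 indicators (TEST-NET addresses), and alert thresholds.
BASELINE_DOMAINS = {"intranet.example.local", "mail.example.com", "updates.example.com"}
KNOWN_BAD_INDICATORS = {"203.0.113.7", "evil.example.net"}
DNS_QUERY_THRESHOLD = 5            # non-baseline queries per host before alerting
DATA_VOLUME_THRESHOLD = 50_000_000 # bytes to one external destination before alerting

def is_external(ip: str) -> bool:
    """Assumption for this example: the organization's internal range is 10.0.0.0/8."""
    return not ip.startswith("10.")

# Constructed sample events as a SIEM might normalize them from DNS and flow logs.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws-01", "query": "intranet.example.local"},
    {"type": "dns", "host": "ws-01", "query": "mail.example.com"},
    *[{"type": "dns", "host": "ws-07", "query": f"lookup-{i}.example.org"} for i in range(6)],
    {"type": "netflow", "host": "ws-03", "dst": "203.0.113.7", "bytes": 1_200},
    {"type": "netflow", "host": "ws-04", "dst": "198.51.100.20", "bytes": 75_000_000},
    {"type": "netflow", "host": "ws-05", "dst": "10.0.0.5", "bytes": 90_000_000},  # internal: no alert
]

def correlate(events):
    """Return (stage, host, detail) alerts for the three kill-chain rules."""
    alerts = []
    unusual_dns = Counter()   # host -> count of queries to non-baseline domains
    bytes_out = Counter()     # (host, external dst) -> bytes sent
    for e in events:
        if e["type"] == "dns" and e["query"] not in BASELINE_DOMAINS:
            unusual_dns[e["host"]] += 1
        elif e["type"] == "netflow":
            if e["dst"] in KNOWN_BAD_INDICATORS:
                alerts.append(("Command and control", e["host"],
                               f"traffic to known-bad indicator {e['dst']}"))
            if is_external(e["dst"]):
                bytes_out[(e["host"], e["dst"])] += e["bytes"]
    # Aggregated rules are evaluated once the whole batch has been seen.
    for host, n in unusual_dns.items():
        if n >= DNS_QUERY_THRESHOLD:
            alerts.append(("Reconnaissance", host, f"{n} DNS queries to domains outside the baseline"))
    for (host, dst), total in bytes_out.items():
        if total >= DATA_VOLUME_THRESHOLD:
            alerts.append(("Actions on objective", host, f"{total} bytes sent to external {dst}"))
    return alerts

if __name__ == "__main__":
    for stage, host, detail in correlate(SAMPLE_EVENTS):
        print(f"[{stage}] {host}: {detail}")
```

In a real SIEM the thresholds would be tuned per environment and the baseline built from historical DNS data rather than a fixed set.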
Recommendations for each stage of the Cyber Kill Chain
• Reconnaissance:
  • Focus on identifying potential sources of threat intelligence, such as dark web forums and threat intelligence feeds.
  • Develop and implement threat modeling processes to identify potential threats and vulnerabilities, and use this information to develop risk management strategies.
• Weaponization:
  • Implement endpoint protection software to detect and block malware, and configure firewalls to block known malicious domains and IP addresses.
  • Use advanced threat analysis tools to identify and block new and emerging malware threats, and work with vendors and industry groups to share threat intelligence and improve threat detection capabilities.
• Delivery:
  • Train employees to recognize and report suspicious emails, and implement email filtering software to block malicious emails.
  • Use advanced email security tools to identify and block sophisticated phishing and spear-phishing attacks.
• Exploitation:
  • Implement intrusion detection and prevention software to detect and block attacks, and configure firewalls to block known exploit techniques.
  • Implement advanced intrusion detection and prevention systems that use machine learning and other advanced techniques to detect and block attacks.
• Installation:
  • Implement multi-factor authentication and privileged access management to limit the ability of attackers to gain persistent access to systems.
  • Implement advanced identity and access management systems that use biometrics and other advanced authentication techniques to limit the
• Command and control:
  • Use network monitoring tools to detect and block communications with known malicious actors.
  • Develop and implement advanced threat intelligence and analysis processes that can quickly identify and respond to new and emerging threats.
• Actions on objective:
  • Implement backup and recovery procedures to minimize the impact of successful attacks, and use incident response planning to quickly respond to and contain successful attacks.
  • Develop and implement advanced incident response planning and testing procedures that can quickly detect, contain, and remediate successful attacks.
How the Cyber Kill Chain relates to the MITRE ATT&CK framework
• The Cyber Kill Chain provides a high-level view of the different stages of an attack, while the MITRE ATT&CK framework provides a detailed understanding of the specific tactics and techniques used by attackers at each stage.
• By using both frameworks together, organizations can develop a comprehensive understanding of the threats they face and develop more effective defense strategies.
• For example, an organization can use the Cyber Kill Chain to identify the different stages of an attack and then use the MITRE ATT&CK framework to understand the specific techniques used by attackers at each stage, allowing them to develop more targeted and effective defenses.