To Beat a Hacker, Think Like One: Using the Cyber Kill Chain to Fight Cyberattacks

Jun 22, 2017 2:41:53 PM

As hackers become more inventive and sophisticated, organizations must up the ante with better cybersecurity. Unfortunately, most cybersecurity still focuses on preventing cyberattacks. 


The fact is, 55% of small businesses have experienced a cyberattack in the past year. To limit the damage, you need technology and a hacker mindset to better target countermeasures by:

  • Performing vulnerability assessments to probe existing security for weaknesses.
  • Prioritizing your most valuable data.
  • Understanding the phases of a cyberattack and steps hackers take to target networks and exfiltrate data.

This final point – the phases of a cyberattack – are known as the Cyber Kill Chain (CKC). Understanding it is key to detecting and resolving threats.

Cyber Kill Chain Steps and Cybersecurity Counter Strategies

The cyber kill chain is an intelligence-driven network defense process based on the steps cyber attackers take to achieve a mission — whether to encrypt files or steal data. Here are the steps and associated cybersecurity counter strategies:

  1. Reconnaissance — involves information collection on a target and identifying which attack methods would work best and be easiest to execute. Security at this stage requires regular audits, threat intelligence and software application security testing to identify vulnerabilities and information on your security that is available or being sold online.

  2. Weaponization or Packaging — refers to the creation of malware to use in an attack, based on intelligence from reconnaissance. Staying abreast of new vulnerabilities and the weaponized exploits targeting them is key in this phase. Use this intelligence to prioritize patching and implementation of mitigation controls such as intrusion prevention systems (IPS).

  3. Delivery — by targeting users through phishing, SQL injection or other forms of compromise. This is where traditional IT security such as firewalls, IPS, web gateway security, DDoS prevention and DNS security comes into play.

  4. Exploitation — focuses on compromising an asset and gaining a foothold in your environment after the malicious payload is delivered — usually by exploiting a known vulnerability for which a patch may have been previously available. Use network, host and server technologies such as SIEM, IPSs and web application firewalls (WAF) with continuous monitoring and on-time patching to detect and block access.

  5. Installation —  usually of an application that communicates with external parties to achieve persistence or “dwell time.”  Host-specific methods such as EPPs, EDR, enterprise mobility management and DNS filtering can all help detect the execution of malicious content. Mitigation and recovery is necessary at this point.

  6. Command and Control — with remote controlling of an asset to gather sensitive information such as secure passwords, customer records and intellectual property, and copy it onto a staging host for exfiltration. At this stage, use IP and DNS reputation filtering and security, network monitoring and application controls to detect remote control of internal assets. Leverage threat intelligence and SIEM to inform detection of abnormal behavior.

  7. Action on Targets — to successfully exfiltrate data or compromise assets. Next-generation firewalls, intrusion prevention systems and network behavioral analyses can all be used to monitor malicious activity or data moving against policy. At this stage, attackers act as trusted users. SIEM, UEBA, data loss prevention and other continuous monitoring tactics can identify malicious users.

Cyber criminals are more sophisticated than ever. Not only do you need to think like a hacker, you need the best technology and security experts on your side. A partner of Fortinet, Istonish can deliver a strategy that weaves together intelligence and best-in-class technology to thwart threats wherever they are in the attack cycle. Contact us.

James Mathis

Written by James Mathis

James Mathis is a Systems Administrator at Istonish.

Lists by Topic

see all

Posts by Topic

see all

Recent Posts