Cyber Kill Chain - Lockheed Martin


Security incidents are events that may indicate that an organization’s systems or data have been compromised or that measures put in place to protect them have failed.

In IT, a security event is anything that has significance for system hardware or software, and an incident is an event that disrupts normal operations. Security events are usually distinguished from security incidents by the degree of severity and the associated potential risk to the organization.
Although an organization can never be sure which path an attacker will take through its network, hackers typically employ a certain methodology — i.e., a sequence of stages to infiltrate a network and steal data. Each stage indicates a certain goal along the attacker’s path. This security industry-accepted methodology, dubbed the Cyber Kill Chain, was developed by Lockheed Martin Corp.
According to Lockheed Martin, these are the stages of an attack:
    • Reconnaissance (identify the targets). The actor assesses the targets from outside the organization to identify the ones that will enable him to meet his objectives. The goal of the attacker is to find information systems with few protections or with vulnerabilities that he can exploit to access the target system.
    • Weaponization (prepare the operation). During this stage, the attacker creates malware designed specifically for the vulnerabilities discovered during the reconnaissance phase. Based on the intelligence gathered in that phase, the attacker customizes his toolset to meet the specific requirements of the target network.
    • Delivery (launch the operation). The attacker sends the malware to the target by any intrusion method, such as a phishing email, a man-in-the-middle attack or a watering hole attack.
    • Exploitation (gain access to the victim). The threat actor exploits a vulnerability to gain access to the target’s network.
    • Installation (establish a beachhead at the victim). Once the hacker has infiltrated the network, he installs a persistent backdoor or implant to maintain access for an extended period of time.
    • Command and control (remotely control the implants). The malware opens a command channel, enabling the attacker to remotely manipulate the target’s systems and devices through the network. The hacker can then take control of the affected systems away from their administrators.
    • Actions on objectives (achieve the mission’s goals). What happens next, now that the attacker has command and control of the target’s system, is entirely up to the attacker, who may corrupt or steal data, destroy systems or demand ransom, among other things.
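The value of the kill chain for a defender is that the stages are ordered: evidence of a later stage implies the earlier ones already happened, so mapping each alert onto its stage tells you how deep an intrusion has progressed and which stages your sensors never saw. The following is an added example, not code from the original post or from Lockheed Martin; the `Event` class, the sensor names, the sample alerts and the rule that "Exploitation or later counts as an incident" are all constructed here for illustration.

```python
"""Map observed security events onto the seven Lockheed Martin kill-chain
stages and work out how far an intrusion has progressed.

Added example; not code from the original post or from Lockheed Martin.
The alert records, their stage labels and the escalation threshold below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The seven stages, in the order the page lists them. Position in this
# list is the stage index used for "how far did the attacker get".
KILL_CHAIN = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and control",
    "Actions on objectives",
]
STAGE_INDEX = {name: i for i, name in enumerate(KILL_CHAIN)}

# Assumption (not stated on the page): anything at Exploitation or later
# means the attacker is inside the network, so we treat it as an incident
# rather than an event that merely needs monitoring.
INCIDENT_THRESHOLD = STAGE_INDEX["Exploitation"]


@dataclass(frozen=True)
class Event:
    """A security event already tagged with the kill-chain stage it evidences."""
    source: str       # the sensor that raised it (constructed names below)
    description: str
    stage: str

    def __post_init__(self) -> None:
        if self.stage not in STAGE_INDEX:
            raise ValueError(f"unknown kill-chain stage: {self.stage!r}")


def furthest_stage(events: Iterable[Event]) -> Optional[str]:
    """Return the deepest stage for which we hold evidence, or None."""
    indices = [STAGE_INDEX[e.stage] for e in events]
    return KILL_CHAIN[max(indices)] if indices else None


def visibility_gaps(events: Iterable[Event]) -> List[str]:
    """Stages before the furthest observed one that produced no event at all.

    An attacker who reached Installation must have passed through Delivery
    and Exploitation; if no sensor saw those, that is a detection gap worth
    investigating, not evidence that the stages were skipped.
    """
    events = list(events)
    seen = {STAGE_INDEX[e.stage] for e in events}
    if not seen:
        return []
    return [KILL_CHAIN[i] for i in range(max(seen)) if i not in seen]


def classify(events: Iterable[Event]) -> str:
    """Event vs incident, using the escalation threshold above."""
    deepest = furthest_stage(events)
    if deepest is None:
        return "no activity"
    return "incident" if STAGE_INDEX[deepest] >= INCIDENT_THRESHOLD else "event"


# Constructed sample: what a handful of sensors might report over one day.
SAMPLE_EVENTS = [
    Event("perimeter-ids", "port sweep against public web servers", "Reconnaissance"),
    Event("mail-gateway", "attachment quarantined for one recipient", "Delivery"),
    Event("edr", "new scheduled task launching an unknown binary", "Installation"),
    Event("proxy", "periodic beacons to a newly registered domain", "Command and control"),
]

if __name__ == "__main__":
    print("furthest stage:", furthest_stage(SAMPLE_EVENTS))   # Command and control
    print("visibility gaps:", visibility_gaps(SAMPLE_EVENTS))  # Weaponization, Exploitation
    print("classification:", classify(SAMPLE_EVENTS))         # incident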

Source: https://searchsecurity.techtarget.com/feature/10-types-of-security-incidents-and-how-to-handle-them

Leave a Reply