Cyber Kill Chain Model
In military strategy, a 'Kill Chain' is a phase model that describes the stages of an attack; mapping detections onto those phases also helps inform ways to prevent attacks.
- Situational Awareness - Ability to identify what is happening in the networks and system landscape
- Reconnaissance - Identification and selection of the target host(s) or network by active scanning
- Weaponization & delivery - Transmission or injection of the malicious payload into the target(s)
- Lateral Movement - Discover, exploit and compromise other vulnerable hosts
- Data Exfiltration - Steal and exfiltrate data
- Persistency - Establish a foothold in the corporate network
Situational Awareness
- Outbound protocols
- Outbound protocols by size
- Top destination Countries
- Top destination Countries by size
Reconnaissance
- Port scan activity
- ICMP query
Weaponization & delivery
- Injection
- Cross Site Scripting
- Cross Site Request Forgery
- Failure to Restrict URL
- Downloaded binaries
- Top email subjects
- Domains mismatching
- Malicious or anomalous Office/Java/Adobe files
- Suspicious Web pages (iframe + [pdf|html|js])
Lateral Movement
- Remove or add account
- Remote WMI communications
- Remote Group Policy Editor
- Remote Session Communications (during outside working hours?)
- Antivirus terminated
Data Exfiltration
- Upload on cloud storage domains
- Suspicious HTTP Methods (Delete, Put)
- Uploaded images
- FTP over non-standard port
- IRC communication
- SSH | ICMP Tunneling
Persistency
- Unusual User Agents
- Outbound SSL VPN
- Outbound unknown
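As an added example (not part of the original outline), the following Python maps constructed proxy/firewall records onto the phases above: it computes the outbound-protocol view for Situational Awareness and raises findings for port scans, PUT/DELETE and cloud-storage uploads, FTP on a non-standard port, and unknown outbound traffic. The record fields, the 10.0.0.0/8 LAN assumption, the port-scan threshold and the cloud-domain watch list are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records. 'app' is the application protocol a proxy/IDS
# would label (assumed field); 'method' and 'host' are set only for HTTP.
def rec(src, dst, dport, app, method=None, host=None):
    return {"src": src, "dst": dst, "dport": dport, "app": app,
            "method": method, "host": host}

LOGS = [rec("10.0.0.5", "10.0.1.1", p, "unknown")
        for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445)] + [
    rec("10.0.0.7", "203.0.113.9", 443, "http", "PUT", "drive.cloud-example.test"),
    rec("10.0.0.7", "203.0.113.9", 443, "http", "POST", "drive.cloud-example.test"),
    rec("10.0.0.8", "203.0.113.20", 2121, "ftp"),
    rec("10.0.0.9", "203.0.113.30", 8443, "unknown"),
    rec("10.0.0.9", "203.0.113.40", 443, "http", "GET", "www.example.test"),
]

PORT_SCAN_MIN_PORTS = 8  # assumed threshold: distinct ports per src->dst pair
CLOUD_STORAGE_DOMAINS = {"drive.cloud-example.test"}  # constructed watch list

def is_internal(ip):
    return ip.startswith("10.")  # assumption: 10.0.0.0/8 is the corporate LAN

def outbound_protocols(logs):
    """Situational Awareness: which application protocols leave the network."""
    return Counter(r["app"] for r in logs
                   if is_internal(r["src"]) and not is_internal(r["dst"]))

def classify(logs):
    """Return {phase: [finding, ...]} using the detections listed per phase."""
    findings, ports_seen = defaultdict(list), defaultdict(set)
    for r in logs:
        ports_seen[(r["src"], r["dst"])].add(r["dport"])
        outbound = is_internal(r["src"]) and not is_internal(r["dst"])
        # Data Exfiltration: PUT/DELETE, uploads to cloud storage, FTP off port 21
        if r["method"] in ("PUT", "DELETE"):
            findings["Data Exfiltration"].append(f"{r['src']} {r['method']} to {r['host']}")
        elif r["method"] == "POST" and r["host"] in CLOUD_STORAGE_DOMAINS:
            findings["Data Exfiltration"].append(f"{r['src']} upload to {r['host']}")
        if r["app"] == "ftp" and r["dport"] != 21:
            findings["Data Exfiltration"].append(f"{r['src']} ftp on port {r['dport']}")
        # Persistency: outbound traffic the proxy cannot identify
        if outbound and r["app"] == "unknown":
            findings["Persistency"].append(f"{r['src']} unknown outbound {r['dst']}:{r['dport']}")
    # Reconnaissance: one source touching many ports on one host
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= PORT_SCAN_MIN_PORTS:
            findings["Reconnaissance"].append(f"{src} scanned {len(ports)} ports on {dst}")
    return dict(findings)
```

Real deployments would tune the threshold per network, add a time window to the scan rule, and feed the watch list from a maintained domain category list rather than a literal.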