Information security researchers who study the actions and behavior of sophisticated hackers use the term “cyber kill chain” to describe some of the strategies used in modern cybercrime. To a certain extent, the cyber kill chain is similar to the strategies used by military units and by career thieves who take pride in pulling off complex heists.
When hackers attack business targets, they usually follow the seven steps of the cyber kill chain process:
Reconnaissance
This step can be as rudimentary as scanning for open ports or as involved as stealing login credentials to access networks. Reconnaissance may also involve selecting targets that have not applied security patches to fix vulnerabilities.
Weaponization
The next step is to code malicious software to use against the target.
Delivery
In this step, the malware can be injected into a network or sent by means of a Trojan horse attack such as an email with a malicious attachment.
Exploitation
Hackers will code malware to execute automatically, to run when prompted by a computer user, or to remain dormant until it activates at a later date. Cryptocurrency miners are likely to execute on their own.
Installation
Malware can also be installed by means of remote code execution. If the intent of the hackers is to steal information such as payment data, they may install file transfer utility software.
Connection to Remote Systems
Extremely damaging attacks may feature malware such as rootkits that force servers to connect to command and control centers, which in turn will give remote access to networks. In some cases, servers may be conscripted into a botnet for the purpose of distributing spam or carrying out distributed denial of service attacks.
Actions on Objectives
The final step in the cyber kill chain is where hackers carry out the final phase of their attack. In the case of ransomware, the ultimate action is to encrypt all files and display a ransom note explaining how users can pay for the decryption key.
The cyber kill chain is used by information security experts to develop protective and mitigation solutions. Each step must have at least one defense measure; for example, the reconnaissance step can be mitigated with firewalls, network security audits, and updates to the operating systems.
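The "at least one defense measure per step" rule can be checked mechanically against a control inventory. The following is an added example, not code from the original article: the control names and their phase mappings are constructed for illustration, and the checker reports any phase with no control and any phase that depends on a single control.

```python
"""Kill-chain coverage check: map defensive controls to the seven phases
and report phases left without a control. Added illustration; the
control inventory below is a constructed example, not a real deployment."""
from enum import Enum


class Phase(Enum):
    RECONNAISSANCE = 1
    WEAPONIZATION = 2
    DELIVERY = 3
    EXPLOITATION = 4
    INSTALLATION = 5
    COMMAND_AND_CONTROL = 6
    ACTIONS_ON_OBJECTIVES = 7


# Constructed inventory: control name -> phases it mitigates or detects.
SAMPLE_CONTROLS = {
    "perimeter firewall": {Phase.RECONNAISSANCE, Phase.DELIVERY},
    "patch management": {Phase.RECONNAISSANCE, Phase.EXPLOITATION},
    "mail attachment sandbox": {Phase.DELIVERY},
    "application allow-listing": {Phase.INSTALLATION},
    "egress proxy with domain reputation": {Phase.COMMAND_AND_CONTROL},
    "offline backups": {Phase.ACTIONS_ON_OBJECTIVES},
}


def coverage(controls):
    """Return {phase: sorted control names} for every phase, empty if none."""
    result = {phase: [] for phase in Phase}
    for name, phases in controls.items():
        for phase in phases:
            result[phase].append(name)
    return {phase: sorted(names) for phase, names in result.items()}


def uncovered_phases(controls):
    """Phases with no control at all, in kill-chain order."""
    cov = coverage(controls)
    return [phase for phase in Phase if not cov[phase]]


def single_points_of_failure(controls):
    """Phases protected by exactly one control: a gap if that control fails."""
    cov = coverage(controls)
    return {phase: cov[phase][0] for phase in Phase if len(cov[phase]) == 1}


if __name__ == "__main__":
    for phase in uncovered_phases(SAMPLE_CONTROLS):
        print(f"no control for {phase.name}")
    for phase, ctrl in single_points_of_failure(SAMPLE_CONTROLS).items():
        print(f"{phase.name}: relies solely on {ctrl!r}")
```

Run against the sample inventory, the check flags weaponization as uncovered and four phases as dependent on a single control, which is the kind of gap list the kill chain is meant to surface.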