The cyber kill chain is a 7-step process to hack into targets. Examples of targets might include devices, networks, or organizations. Just as how computer networking has a conceptual model of layers, hacking has phases. The violent “kill” aspect of the term stems from its heritage in military operations. It all starts of with:

(1) Reconnaissance. There's never enough scouting and research to prep in advance before an engagement. Reconnaissance doesn't mean host and port scanning and service enumeration. It can also include methods OSINT, in-person scouting, and pattern-of-life analysis. The more diligence performed at the recon stage, the easier it is to hack later on in the cyber kill chain.

(2) Weaponization. This might be the most involved stage of the cyber kill chain. A better word might be "payload-ization." Cyber tools aren't kinetic weapons that create kinetic destruction. Rather they are more like spells to give the caster access and influence over a target. To hack, you need both an exploit and a payload. The exploit lets you take control over the thread of execution for a victim process. The payload is the code you want to run on top of the hijacked process. Often, for client-side attacks, you’ll have to hide both in a benign file or webpage to have a user start the hack.

(3) Delivery. There's a lot of ways to send data from Point A to Point B. Getting remote execution at the same time is the hard part. Sometimes this involves co-opting a user to help you. Other times you can fire off an exploit at a running service directly across the Internet. In some cases, you can have malware installed on a system en-route from the factory. Client-side, service-side, and supply-chain attacks are all forms of delivery methods.

(4) Exploitation. The point of code execution is where all the magic happens. This determines whether the hack actually succeeds. But exploitation isn't just a singular event. There's a ton of engineering time required to turn a proof-of-concept into a reliable tool. Bypassing memory protections or sandboxing methods are examples of feats needed for execution.

(5) Installation. Hacking is much more than remote access. It means maintaining persistence so you can access on-demand. Hand-in-hand with installation in the cyber kill chain is maintaining persistence. To survive a reboot or even re-format is important to make sure the previous steps don't go to waste. Persistence does increase the potential for detection though. Memory-only installation, rootkits, encrypted virtual file systems are some ways to maintain stealth.

(6) Command & Control. E.T. needs to phone home. If there's a network, the problem lies in keeping stealthy. If there's no network, then the problem lies phoning home without a phone. The C2 aspect of the cyber kill chain determines successful follow-on objectives. If you can’t communicate without detection, it'll be a short-lived hacking operation.

(7) Actions on the Objective. Real hacking always has a purpose to it. There’s little point in all the hard work of Steps 1-6 of the cyber kill chain if there’s no end-state to achieve. Depending on the threat actor, it can be for intel gathering, espionage, or financial gain. The actions on the objectives should support the end state. Tactically, this may be stealing data and expanding access to other devices.

---- RESOURCES ----

Intelligence-Driven Computer Network Defense, Lockheed Martin:
https://www.lockheedmartin.com/conten...

The Unified Kill Chain, Paul Pols:
https://www.csacademy.nl/images/scrip...

00:00 Different Levels of Warfare and Cyber Operations
00:46 The Cyber Kill Chain Framework
01:41 How Hacking Parallels Military Operations
02:42 Step 1: Reconnaissance
04:23 Step 2: Weaponization
05:53 Step 3: Delivery
08:18 Step 4: Exploitation
09:35 Step 5: installation
10:52 Step 6: Command-and-Control
12:55 Step 7: Actions on the Objective
13:21 Strategic Considerations of Hacking

#Hacking #KillChain #Cyberspatial