Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/qeeqbox/cyber-kill-chain
Cyber Kill Chain is a model that Lockheed Martin created for understanding (describing the sequence of events in) and stopping cyberattacks
chain cyberattack infosecsimplified kill lifecycle qeeqbox
Last synced: 2 days ago
- Host: GitHub
- URL: https://github.com/qeeqbox/cyber-kill-chain
- Owner: qeeqbox
- License: agpl-3.0
- Created: 2022-08-22T17:56:33.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2024-01-29T01:14:19.000Z (10 months ago)
- Last Synced: 2024-05-01T11:27:22.832Z (7 months ago)
- Topics: chain, cyberattack, infosecsimplified, kill, lifecycle, qeeqbox
- Homepage:
- Size: 117 KB
- Stars: 4
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## Cyber Kill Chain

Cyber Kill Chain is a model that Lockheed Martin created for understanding (describing the sequence of events in) and stopping cyberattacks. Each step below lists the defender's courses of action (Detect, Deny, Disrupt, Degrade, Deceive) with example controls for each; the earlier in the chain a control breaks the attack, the less the threat actor achieves.

## Steps

#### Reconnaissance

The threat actor gathers information about the target

- Passive
- Active

##### Security controls

- Detect: NIDS, Threat Intelligence, Logs (SIEM)
- Deny: Information Sharing Policies, Firewall ACL
- Disrupt: Active Defenses
- Degrade: Honeypot, Redirect Loops, Active Defenses
- Deceive: Create Fake Posting, controls from the Degrade cell

#### Weaponization

The threat actor creates an attack vector (malware, email attachments, web pages, links, pop-ups, messages, social engineering, etc.) that can exploit the vulnerabilities found in the reconnaissance step. The attack vector will be the entry point. This step happens on the threat actor's side, so the defender usually sees it only indirectly: through threat intelligence about known tooling, or once the artifact is delivered.

##### Security controls

- Detect: NIDS, Threat Intelligence
- Deny: NIPS

#### Delivery

The threat actor delivers the attack vector to the target

##### Security controls

- Detect: NIDS, HIDS/AV
- Deny: Web/Email/Proxy Filter, Application Whitelisting, AV
- Disrupt: Web/Email/Proxy Filter, AV
- Degrade: Sinkhole, Queuing, controls from the Deny and Disrupt cells
- Deceive: Honeypot

#### Exploitation

Once the attack vector is on the target, the target is either breached or ready to be breached (the threat actor still needs to execute the attack vector)

##### Security controls

- Detect: NIDS, HIDS/AV
- Deny: HIPS, AV, Secure Passwords, Hardened Systems (Patch Management)
- Disrupt: DEP, controls from the Deny cell
- Degrade: Restricted User Accounts
- Deceive: Honeypot

#### Installation

The attack vector is installed on the victim's system, giving the threat actor persistence

##### Security controls

- Detect: HIDS/AV, Logs (SIEM)
- Deny: Application Whitelisting, Block Execution, Firewall ACL, Privilege Separation
- Disrupt: HIPS, DEP
- Degrade: controls from the Deny and Disrupt cells
- Deceive: Honeypot

#### Command & Control (C2)

The installed implant opens a channel back to the threat actor, who now controls the victim's system remotely. Lateral movement is often described here, but in the Lockheed Martin model it belongs to Actions on Objective, where the compromised host is used as a hop point to reach further systems

##### Security controls

- Detect: HIDS/AV, NIDS
- Deny: Firewall ACL, Egress Filter, Sinkhole, Network Segmentation
- Disrupt: DEP, Sinkhole
- Degrade: controls from the Deny and Disrupt cells
- Deceive: Honeypot, Sinkhole, DNS Redirect

#### Actions on Objective

The threat actor carries out their objectives (data exfiltration, destruction, extortion, or moving laterally to further targets)

##### Security controls

- Detect: Logs (SIEM)
- Deny: Firewall ACL, Egress Filter, Network Segmentation
- Disrupt: Network Segmentation, DLP, NIPS, HIPS
- Degrade: Network Segmentation, Quality of Service
- Deceive: Honeypot

## ID
b35c2204-7d11-4472-8923-91fdb380b454

## References

- https://en.wikipedia.org/wiki/Kill_chain
- https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
- https://csrc.nist.gov/CSRC/media/Presentations/The-Cyber-OODA-Loop-How-Your-Attacker-Should-Help/images-media/day3_security-automation_930-1020.pdf
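The Security controls lists above are most useful as data. The following is an added example, not code from the qeeqbox/cyber-kill-chain project: it transcribes the README's controls into a phase-by-course-of-action matrix, reports which cells have no deployed control for a given inventory, and maps a few constructed sensor log lines onto the phases to show where an intrusion was first caught and where the chain was cut. The `DEPLOYED_CONTROLS` inventory, the log line format, the `RULES` regexes and the control credited with each match are assumptions made for this example.

```python
"""Kill-chain courses-of-action analysis: control coverage gaps and incident phasing.

Added example, not code from the qeeqbox/cyber-kill-chain project. MATRIX is
transcribed from the README's Security controls lists; the deployed-control
inventory, the log line format and the regex-to-phase rules are assumptions.
"""
import re

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objective"]

# phase -> course of action -> comma-separated controls, as listed in the README
# (cross-references such as "Deny cell" are not repeated).
MATRIX = {
    "Reconnaissance": {
        "Detect": "NIDS, Threat Intelligence, SIEM", "Deny": "Information Sharing Policy, Firewall ACL",
        "Disrupt": "Active Defense", "Degrade": "Honeypot, Redirect Loop, Active Defense", "Deceive": "Fake Posting"},
    "Weaponization": {"Detect": "NIDS, Threat Intelligence", "Deny": "NIPS"},
    "Delivery": {
        "Detect": "NIDS, HIDS, AV", "Deny": "Web Filter, Email Filter, Proxy Filter, Application Whitelisting, AV",
        "Disrupt": "Web Filter, Email Filter, Proxy Filter, AV", "Degrade": "Sinkhole, Queuing", "Deceive": "Honeypot"},
    "Exploitation": {
        "Detect": "NIDS, HIDS, AV", "Deny": "HIPS, AV, Secure Password, Patch Management", "Disrupt": "DEP",
        "Degrade": "Restricted User Accounts", "Deceive": "Honeypot"},
    "Installation": {
        "Detect": "HIDS, AV, SIEM", "Deny": "Application Whitelisting, Block Execution, Firewall ACL, Privilege Separation",
        "Disrupt": "HIPS, DEP", "Deceive": "Honeypot"},
    "Command & Control": {
        "Detect": "HIDS, AV, NIDS", "Deny": "Firewall ACL, Egress Filter, Sinkhole, Network Segmentation",
        "Disrupt": "DEP, Sinkhole", "Deceive": "Honeypot, Sinkhole, DNS Redirect"},
    "Actions on Objective": {
        "Detect": "SIEM", "Deny": "Firewall ACL, Egress Filter, Network Segmentation",
        "Disrupt": "Network Segmentation, DLP, NIPS, HIPS", "Degrade": "Network Segmentation, Quality of Service",
        "Deceive": "Honeypot"},
}

# Assumed inventory of what this organisation actually runs (invented for the example).
DEPLOYED_CONTROLS = {"Proxy Filter", "HIDS", "AV", "Sinkhole", "Firewall ACL", "SIEM"}


def coverage_gaps(deployed):
    """For each phase, the courses of action for which nothing in `deployed` applies."""
    gaps = {}
    for phase in PHASES:
        missing = [action for action, cell in MATRIX[phase].items()
                   if not set(cell.split(", ")) & deployed]
        if missing:
            gaps[phase] = missing
    return gaps


# Constructed sensor lines (invented for this example): one host, in time order.
SAMPLE_LOGS = [
    "2024-03-01T08:02:11Z proxy GET http://cdn-update.example/invoice.docm dst=10.0.5.21",
    "2024-03-01T08:03:40Z edr proc winword.exe spawned powershell.exe -enc SQBFAFgA host=10.0.5.21",
    "2024-03-01T08:03:52Z edr persistence HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater host=10.0.5.21",
    "2024-03-01T08:04:10Z dns query beacon.cdn-update.example type=A src=10.0.5.21 answer=SINKHOLE",
]

# (phase, control credited with the observation, pattern); first matching rule wins.
RULES = [
    ("Delivery", "Proxy Filter", re.compile(r" proxy GET \S+\.(docm|xlsm|zip)\b")),
    ("Exploitation", "HIDS", re.compile(r" edr proc (winword|excel)\.exe spawned (powershell|cmd)\.exe")),
    ("Installation", "HIDS", re.compile(r" edr persistence .*\\Run\\")),
    ("Command & Control", "Sinkhole", re.compile(r" dns query \S+ type=A .*answer=SINKHOLE")),
]


def classify(lines):
    """Tag each log line with the first kill-chain phase whose rule matches."""
    hits = []
    for line in lines:
        for phase, control, pattern in RULES:
            if pattern.search(line):
                hits.append((phase, control, line))
                break
    return hits


def chain_summary(lines):
    """First phase at which the intrusion was seen, the earlier phases whose Detect
    controls produced nothing, and the later phases never reached (the chain was cut)."""
    hits = classify(lines)
    if not hits:
        return {"first_detected": None, "stopped_at": None, "observed": [],
                "unobserved_before": [], "not_reached": [], "controls_fired": []}
    seen = [phase for phase, _, _ in hits]
    first, last = min(seen, key=PHASES.index), max(seen, key=PHASES.index)
    return {"first_detected": first, "stopped_at": last,
            "observed": sorted(set(seen), key=PHASES.index),
            "unobserved_before": PHASES[:PHASES.index(first)],
            "not_reached": PHASES[PHASES.index(last) + 1:],
            "controls_fired": sorted({control for _, control, _ in hits})}


if __name__ == "__main__":
    print(coverage_gaps(DEPLOYED_CONTROLS))
    print(chain_summary(SAMPLE_LOGS))
```

With the assumed inventory, Weaponization has no coverage at all (which is expected: it is an attacker-side step), and the sample incident is first seen at Delivery, is never seen at Reconnaissance or Weaponization, and stops at Command & Control because the beacon's DNS query was answered by the sinkhole, so Actions on Objective is never reached.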