Skills and qualifications in Cyber ops are going to become in big demand in the future and they are expected by the year 2020 there is going to about 6 million Cyber Ops jobs out there and approximately a fourth of those jobs will be unfilled. So if this is an industry that you think you would be interested in you might want to look at steering your certification course in this direction. Cisco now has introduced its own Cyber ops certification that you can now go take to become qualified in this area of expertise. One section of this training will cover a topic called the Intrusion kill-chain or sometimes referred to as the cyber kill chain or Lockheed Martin kill-chain because these are the names of two fellows who first documented it.
So what is the cyber kill chain? The cyber kill chain simply put refers to the sequence of the seven steps that an attacker goes through as they are trying to compromise your system and try and get in and do malicious damage to your systems. By understanding this sequence of steps the attacker goes through then we can better plan and implement measures to protect ourselves to stop these attackers from getting in.
1st Step – Reconnaissance.
The first of these seven steps is reconnaissance. This is where the attacker investigates and gathers information about your systems There are different ways an attacker can retrieve this information. One of the more popular and obvious ways is by searching online either by going to LinkedIn or a Job ad website to retrieves information like what do the current I.T staff have qualifications on which will then point to the types of systems they may have in place, or if there is a job advert at this organisation, what sort of qualifications are they after. If these results come back with Windows Server qualifications and particular manufacture of firewall then you already have a good idea of what makes up part of their network and then these attackers can then target weaknesses in these systems.
2nd Step – Weaponization.
The second step will be weaponisation. This is where the attacker will plan on what sort of process and tools they will use to try to infiltrate the system. Once the attackers have information regarding the systems and the vulnerabilities that they can attack they can then decide what tools they will use.
3rd Step – Delivery
The third step is the Delivery of the attack. So this means once the attacker has found the weakness they will try and deliver a piece of software into the target systems that they can then use to take out the attack. Sometimes you may want to get the software inside the network first before you can carry out the attack so you find a way to deliver that software onto one of the systems inside of the network. A phishing attack is one of these methods to get that software onto one of the systems
4th Step – Exploitation
The 4th step is the exploitation phase. This is where the attacker has launched the attack and is taking advantage of the weakness that they have identified.
5th Step – Installation
The next phase is Installation. The installation phase is where the attacker installs the software and finally gaining access to the organisation’s systems.
6th Step – Command and control
The sixth step is called “Command and control”. Once the software is installed the attacker can start remote controlling and taking control of the systems.
7th Step – Action on Objectives
The final phase of the intrusion kill-chain is called “Action on Objectives”. Now that the attacker has full control of the systems then the attacker can now perform the action which they came to do in the first place. So basically they are taking action on their objective, whether it be for financial gain, or to steal or manipulate data.
The idea of the intrusion kill-chain is to understand the thought process of potential attackers and try and catch attackers at a very early stage of the process. There are a variety of things you can do to recognise signs you are being attacked at each step in the kill chain. It’s a good idea to spend more time monitoring abnormalities at the edge of your network and catch these actions early at the reconnaissance stage which will flag that someone is trying to gather information about your systems. The CCNA certification in Cyber ops will go through some of these methods to detect this suspicious activity. If you decide to participate in this certification course it is a good idea to understand the 7 steps outlined above.