Skills and qualifications in Cyber Ops are going to be in big demand in the future: it is expected that by the year 2020 there will be about 6 million Cyber Ops jobs out there, and approximately a fourth of those jobs will be unfilled. So if this is an industry you think you would be interested in, you might want to look at steering your certification course in this direction. Cisco has now introduced its own Cyber Ops certification that you can take to become qualified in this area of expertise. One section of this training covers a topic called the intrusion kill-chain, sometimes referred to as the cyber kill chain or the Lockheed Martin kill-chain, because these are the names of the two fellows who first documented it.
So what is the intrusion kill-chain? Simply put, the intrusion kill-chain refers to the sequence of seven steps an attacker goes through as they try to compromise your systems, get in and do malicious damage. By understanding this sequence of steps, we can better plan and implement measures to protect ourselves and stop these attackers from getting in.
1st Step. The first of these seven steps is reconnaissance. This is where the attacker investigates and gathers information about your systems. There are different ways an attacker can retrieve this information. One of the more popular and obvious ways is by searching online, for example on LinkedIn or a job advertisement website, to find out what qualifications the current IT staff hold, which points to the types of systems they may have in place, or, if the organisation has a job advert out, what sort of qualifications it is after. If these results come back with Windows Server qualifications and a particular manufacturer of firewall, then the attacker already has a good idea of what makes up part of the network and can then target weaknesses in those systems.
2nd Step. The second step is weaponisation. This is where the attacker plans what sort of process and tools they will use to try to infiltrate the system. Once the attacker has information about the systems and the vulnerabilities they can attack, they can decide which tools to use.
3rd Step. The third step is the delivery of the attack. Once the attacker has found the weakness, they will try to deliver a piece of software into the target systems that they can then use to carry out the attack. Sometimes the software has to be inside the network before the attack can be carried out, so the attacker finds a way to deliver it onto one of the systems inside the network. A phishing attack is one of the methods used to get that software onto one of the systems.
4th Step. The fourth step is the exploitation phase. This is where the attacker has launched the attack and is taking advantage of the weakness they identified.
5th Step. The next phase is installation. The installation phase is where the attacker installs the software and finally gains access to the organisation's systems.
6th Step. The sixth step is called "command and control". Once the software is installed, the attacker can start remotely controlling the systems.
7th Step. The final phase of the intrusion kill-chain is called "actions on objectives". Now that the attacker has full control of the systems, they can perform the action they came to do in the first place. Basically, they are taking action on their objective, whether that is financial gain or stealing or manipulating data.
The idea of the intrusion kill-chain is to understand the thought process of potential attackers and try to catch them at a very early stage of the process. There are a variety of things you can do to recognise signs that you are being attacked at each step in the kill-chain. It's a good idea to spend more time monitoring abnormalities at the edge of your network and catch these actions early, at the reconnaissance stage, which will flag that someone is trying to gather information about your systems. The CCNA Cyber Ops certification will go through some of the methods used to detect this suspicious activity. If you decide to take this certification course, it is a good idea to understand the seven steps outlined above.
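As an added illustration of catching activity at the reconnaissance stage from edge logs (example code written for this page, not part of the original post or the Cisco course material), the script below scans constructed firewall log lines in a hypothetical format, flags any source that probes many distinct ports on one host, and tags the alert with its kill-chain stage:

```python
"""Flag reconnaissance in constructed edge firewall logs and tag alerts with a kill-chain stage."""
from collections import defaultdict

# The seven stages from the post, in order (stage 1 = reconnaissance).
KILL_CHAIN = ["reconnaissance", "weaponisation", "delivery", "exploitation",
              "installation", "command and control", "actions on objectives"]

# Constructed sample lines in a hypothetical format: <timestamp> <src_ip> <dst_ip> <dst_port> <action>
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.5 192.0.2.10 22 DENY
2024-01-01T10:00:01 203.0.113.5 192.0.2.10 23 DENY
2024-01-01T10:00:02 203.0.113.5 192.0.2.10 80 ALLOW
2024-01-01T10:00:02 203.0.113.5 192.0.2.10 443 ALLOW
2024-01-01T10:00:03 203.0.113.5 192.0.2.10 3389 DENY
2024-01-01T10:00:03 203.0.113.5 192.0.2.10 8080 DENY
2024-01-01T10:00:04 198.51.100.7 192.0.2.10 443 ALLOW
2024-01-01T10:00:05 198.51.100.7 192.0.2.10 443 ALLOW
"""

RECON_PORT_THRESHOLD = 5  # distinct ports one source must touch on one host before we flag it


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, src, dst, port, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}


def find_recon_sources(log_text, threshold=RECON_PORT_THRESHOLD):
    """Return {(src, dst): sorted ports} for pairs where src touched >= threshold distinct ports."""
    ports_seen = defaultdict(set)
    for raw in log_text.splitlines():
        if raw.strip():
            ev = parse_line(raw)
            ports_seen[(ev["src"], ev["dst"])].add(ev["port"])
    return {pair: sorted(p) for pair, p in ports_seen.items() if len(p) >= threshold}


def recon_alerts(log_text, threshold=RECON_PORT_THRESHOLD):
    """Build alert records tagged with the kill-chain stage they belong to (stage 1 here)."""
    stage = KILL_CHAIN.index("reconnaissance") + 1
    return [{"stage": stage, "name": KILL_CHAIN[stage - 1], "src": src, "dst": dst, "ports": ports}
            for (src, dst), ports in find_recon_sources(log_text, threshold).items()]


if __name__ == "__main__":
    for alert in recon_alerts(SAMPLE_LOG):
        print(f"[stage {alert['stage']}: {alert['name']}] {alert['src']} probed "
              f"{len(alert['ports'])} ports on {alert['dst']}: {alert['ports']}")
```

Denied and allowed connections both count toward the threshold, because a scan that mostly hits closed ports still reveals intent, and a single source touching six ports on one host in a few seconds is the kind of edge abnormality the post says to watch for.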