In today’s wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the cyber kill chain framework to help organizations identify and prevent cyber intrusions.

The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT).

Organizations can use the cyber kill chain to defend themselves against many complex attacks, such as last year’s Uber hack. If you recall, back in September of 2022, a threat actor successfully infiltrated the company’s Slack application by convincing an employee to grant them access. The attacker spammed the employees with multi-factor authentication (MFA) push notifications until they could gain access to internal systems and browse the source code.

This article will walk you through the kill chain of this specific attack twice. First, we’ll take the perspective of the attacker, and then we’ll outline the prevention strategies organizations can take at each step of the chain.

Each step of the cyberattack kill chain

Recon

This first step is about information gathering. Like in many attacks, threat actors use social engineering tactics to gain access to employee information. Attackers typically gather intelligence from scraping data readily available from public sources, called open source intelligence (OSINT). Thanks to social media and publicly documented online activities, attackers can easily profile an organization or employee.

Weaponize

The next step is essentially the preparation stage. The bad actor is now armed with the compromised credentials and any other relevant information gathered during reconnaissance, and is ready to log in to the target employee’s account.

Delivery

Delivery is all about set-up: like a boxer’s jabs before landing the knockout punch. In this step during the Uber hack, the attacker spammed the employee with push notifications (this is called MFA fatigue or prompt bombing). Then, the attacker contacted the employee through social media channels, posing as IT and asking them to accept the notifications so they would stop.

Exploit

Staying with the boxer analogy, exploit is like a right hook. In the Uber attack, the attacker gained access to the employee’s VPN once the MFA fatigue attack was successful.

Install

Install is where the bad actor officially launches the malicious and dangerous part of the attack. In the Uber hack, the attacker was able to scan the network and discover a PowerShell script on a shared drive. The script contained an admin user credential for the company’s PAM solution, which provided the attacker with further access to multiple services.

Callback

For attackers, callback is all about taking control of the target’s systems so they can launch more attacks. For victims, this is the step in which prevention is much more difficult. In the Uber attack, the bad actor proceeded to wrangle access to other internal systems and steal confidential data.

Persist

When attackers reach this stage, they’ve essentially gained enough rights to continuously execute attacks. This may come in the form of ransomware, data exfiltration for monetary gain or launching DoS attacks.

How the enterprise can prevent attacks at each stage

Recon and weaponize

The strategies for Recon and Weaponize prevention are the same at both stages.

One of the most crucial prevention strategies is eliminating the use of passwords wherever possible. While the password will probably never die entirely, going passwordless is a step in the right direction. That said, it shouldn’t be the only authentication method: a passwordless credential should serve as the first factor and be combined with another form of authentication.

Adding or changing contact info for key employees is another way to keep attackers guessing.

Delivery

Deploying high-assurance MFA options such as a FIDO2 key, mobile smart credential or other passkeys is one of the best ways to prevent MFA-based attacks. After all, not every form of MFA is foolproof; the Uber attack wore down push-notification MFA.

Another great way to ensure an attack like the Uber hack doesn’t happen in your organization is to send a notification to the user whenever the account logs in from a new location for the first time.

Adopting zero trust principles is always recommended here (and at any stage).
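The prompt-bombing pattern described in the Delivery stage is also visible in identity-provider logs, and a security team can alert on it before a worn-down user taps approve. The script below is an added example, not code from the article or from IBM: it runs over a constructed push-notification log (the event names and timestamps are assumptions, not Uber's data) and raises an alert when a user receives an unusual number of push challenges in a short window, and a higher-severity alert when an approval follows a run of denials.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of identity-provider push events (assumed format, not real data).
# Each line: ISO-8601 timestamp, user, event (push_sent | push_denied | push_approved).
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice push_sent
2022-09-15T22:01:04Z alice push_denied
2022-09-15T22:01:40Z alice push_sent
2022-09-15T22:01:42Z alice push_denied
2022-09-15T22:02:10Z alice push_sent
2022-09-15T22:02:12Z alice push_denied
2022-09-15T22:02:45Z alice push_sent
2022-09-15T22:02:46Z alice push_denied
2022-09-15T22:03:20Z alice push_sent
2022-09-15T22:03:21Z alice push_denied
2022-09-15T22:04:05Z alice push_sent
2022-09-15T22:04:30Z alice push_approved
2022-09-15T22:05:00Z bob push_sent
2022-09-15T22:05:05Z bob push_approved
"""

WINDOW = timedelta(minutes=10)   # sliding window per user
FLOOD_THRESHOLD = 5              # pushes inside the window that count as prompt bombing
DENIALS_BEFORE_APPROVE = 3       # an approval after this many denials is the worst case


def parse_line(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_push_bombing(log_text, window=WINDOW, flood_threshold=FLOOD_THRESHOLD,
                        denials_before_approve=DENIALS_BEFORE_APPROVE):
    """Return a list of (timestamp, user, alert_type, count) tuples."""
    sent = defaultdict(deque)     # user -> timestamps of pushes inside the window
    denied = defaultdict(deque)   # user -> timestamps of denials inside the window
    flooded = set()               # users already alerted for the current episode
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        # Expire events that have fallen out of the window.
        for q in (sent[user], denied[user]):
            while q and ts - q[0] > window:
                q.popleft()
        if event == "push_sent":
            sent[user].append(ts)
            if len(sent[user]) >= flood_threshold and user not in flooded:
                flooded.add(user)
                alerts.append((ts, user, "push_flood", len(sent[user])))
        elif event == "push_denied":
            denied[user].append(ts)
        elif event == "push_approved":
            if len(denied[user]) >= denials_before_approve:
                alerts.append((ts, user, "approved_after_denials", len(denied[user])))
            # A completed authentication ends the episode for this user.
            sent[user].clear()
            denied[user].clear()
            flooded.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

The "approved after denials" alert is the one worth paging on: it is the moment the attacker has obtained a session and the Exploit stage begins, so the response is to revoke that session and re-verify the user out of band rather than merely to log it.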

Exploit

Using a physical token is one of many secure authentication methods. By deploying risk-based adaptive authentication, authentication requests can trigger a defined action or set of actions based on predetermined risk factors. Potentially malicious requests may trigger an email or SMS notification or be blocked outright. This could (and should) include VPN authentication requests.

Much like for the delivery stage, it’s wise to consider location-based notifications for first-time access.
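To make the adaptive-authentication idea concrete for both the Delivery and Exploit stages, here is an added example (not the article's or any vendor's code) of a small policy engine: each request is scored against predetermined risk factors, the score selects allow, step-up-with-notification or block, and a first-time login from a new location always produces a user notification even when the overall score stays low. VPN requests pass through the same evaluation. The factor weights, thresholds and request fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class AuthRequest:
    user: str
    country: str                    # geolocated source country of the request
    device_known: bool              # device previously registered for this user
    channel: str                    # "web", "vpn", ...; VPN is evaluated like any other
    hour_utc: int
    failed_attempts_last_hour: int


# Illustrative weights for the predetermined risk factors (assumed, not a vendor's scoring).
WEIGHTS = {
    "new_location": 20,
    "unknown_device": 25,
    "off_hours": 10,
    "repeated_failures": 30,
}
NOTIFY_AT = 30   # at or above: demand a stronger factor and notify the user by email/SMS
BLOCK_AT = 60    # at or above: reject the request outright


class AdaptivePolicy:
    def __init__(self, known_locations=None):
        # user -> set of countries the user has successfully authenticated from before
        self.known_locations = {u: set(c) for u, c in (known_locations or {}).items()}

    def risk_factors(self, req):
        factors = []
        if req.country not in self.known_locations.get(req.user, set()):
            factors.append("new_location")
        if not req.device_known:
            factors.append("unknown_device")
        if req.hour_utc < 6 or req.hour_utc >= 22:
            factors.append("off_hours")
        if req.failed_attempts_last_hour >= 3:
            factors.append("repeated_failures")
        return factors

    def decide(self, req):
        factors = self.risk_factors(req)
        score = sum(WEIGHTS[f] for f in factors)
        if score >= BLOCK_AT:
            action = "block"
        elif score >= NOTIFY_AT:
            action = "step_up_and_notify"   # e.g. hardware-key challenge plus an alert
        else:
            action = "allow"
        # First-time access from a new location notifies the user regardless of score.
        notify_new_location = "new_location" in factors and action != "block"
        # Remember the location only when the request was not blocked.
        if action != "block":
            self.known_locations.setdefault(req.user, set()).add(req.country)
        return {"action": action, "score": score, "factors": factors,
                "notify_new_location": notify_new_location, "channel": req.channel}


if __name__ == "__main__":
    policy = AdaptivePolicy(known_locations={"alice": {"US"}})
    print(policy.decide(AuthRequest("alice", "DE", True, "vpn", 10, 0)))
    print(policy.decide(AuthRequest("alice", "BR", False, "vpn", 3, 5)))
```

Blocked requests deliberately do not add their location to the user's history; otherwise an attacker could "teach" the policy a new country simply by being refused once.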

Install

For the install stage, all the same prevention strategies relevant to the exploit stage also apply. But here, organizations can bolster security for desktops, servers, hidden folders and other resources by applying adaptive MFA.

Privileged Access Management (PAM) solutions should also be secured with high assurance MFA.
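The script on the shared drive is the Install-stage foothold in the Uber story, so a defender's complement to securing PAM with MFA is to find credentials that have leaked into scripts before an intruder does. The following is an added example (not IBM's tooling and not Uber's script): it scans PowerShell text for common hard-coded-credential patterns and reports findings with the secret literal redacted. The sample script, its cmdlet `Connect-PamServer`, the host name and the detection patterns are all constructed for illustration.

```python
import re
from pathlib import Path

# Constructed PowerShell snippet of the kind that might sit on a shared drive.
# Not Uber's script; Connect-PamServer is a hypothetical cmdlet.
SAMPLE_SCRIPT = r'''
# maintenance.ps1 - rotates service logs on the PAM host
$pamUser = "svc-pam-admin"
$pamPass = "Sup3rS3cret!"
$secure = ConvertTo-SecureString "AnotherSecret123" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api/rotate" -Credential $cred
Connect-PamServer -Server pam.example.internal -Password "Pa55w0rd"
$token = Get-Content .\token.txt
'''

# Each pattern names one way a secret ends up as a literal inside a script.
PATTERNS = [
    ("plaintext_password_assignment",
     re.compile(r'\$\w*(pass|pwd|secret)\w*\s*=\s*"[^"]+"', re.IGNORECASE)),
    ("securestring_from_literal",
     re.compile(r'ConvertTo-SecureString\s+"[^"]+"\s+-AsPlainText', re.IGNORECASE)),
    ("password_parameter_literal",
     re.compile(r'-(Password|Pass|Secret)\s+"[^"]+"', re.IGNORECASE)),
]


def redact(line):
    """Replace every quoted literal so the finding itself does not leak the secret."""
    return re.sub(r'"[^"]*"', '"<redacted>"', line)


def scan_script(text):
    """Return (line_number, pattern_name, redacted_line) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name, redact(line)))
    return findings


def scan_share(root):
    """Walk a mounted share and scan every .ps1 file; returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("*.ps1"):
        text = path.read_text(encoding="utf-8", errors="ignore")
        found = scan_script(text)
        if found:
            results[str(path)] = found
    return results


if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(finding)
```

Every hit in the report should be replaced by a runtime lookup from the PAM vault itself (a short-lived, checked-out credential tied to the calling identity), which is what removes the prize the attacker found in the Install stage.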

Callback/Persist

Here is where real-time monitoring of any suspicious data movement and detecting suspicious behavior is critical. At this stage, bad actors are motivated to move and act quickly, and timing for the security team is crucial. The key is the ability to be proactive instead of reactive.
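The "suspicious data movement" that matters at the Callback and Persist stages is usually a user or host sending far more data out than it ever has before. The block below is an added example, not from the article or IBM, of the simplest useful baseline check: each user's egress for the current day is compared with the median of that user's past days, and an alert fires only when both a relative and an absolute threshold are exceeded, which keeps low-volume accounts from alerting on ordinary fluctuation. The byte totals, the ratio and the floor are constructed assumptions.

```python
from statistics import median

# Constructed daily egress totals per user in bytes (as a proxy or DLP system might report).
HISTORY = {
    "alice": [120_000_000, 95_000_000, 130_000_000, 110_000_000, 100_000_000],
    "bob":   [20_000_000, 25_000_000, 22_000_000, 18_000_000, 24_000_000],
}
TODAY = {"alice": 115_000_000, "bob": 1_900_000_000, "carol": 30_000_000}


def egress_alerts(history, today, ratio=5.0, floor_bytes=500_000_000):
    """Return (user, bytes_today, multiple_of_baseline) for users whose egress is anomalous.

    ratio       -- today's total must be at least this many times the user's median day
    floor_bytes -- and must also exceed this absolute amount, to ignore tiny accounts
    """
    alerts = []
    for user, total in today.items():
        past = history.get(user)
        if not past:
            # No baseline yet (new account): judge against the absolute floor only.
            if total >= floor_bytes:
                alerts.append((user, total, None))
            continue
        baseline = median(past)
        if total >= ratio * baseline and total >= floor_bytes:
            alerts.append((user, total, round(total / baseline, 1)))
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(HISTORY, TODAY):
        print(alert)
```

Running this on a rolling basis (hourly totals against hourly baselines) is what turns it from a daily report into the near-real-time signal the section calls for; the comparison logic stays the same, only the bucket size changes.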

How IBM X-Force addresses cyberattacks with preparation and execution frameworks

IBM Security X-Force cyberattack preparation and execution frameworks build upon the industry-standard conceptual approaches to analyzing a cyberattack, including the Cyber Kill Chain, MITRE ATT&CK and Mandiant’s Attack Lifecycle.

The X-Force cyberattack preparation and execution frameworks provide a logical flow representative of attacks today and also incorporate increasingly relevant phases not typically included in other frameworks.

These frameworks characterize threat data and communicate threat intelligence, explaining the full range of activities that occur prior to and during an actual compromise.

The process provides incident responders and threat intelligence analysts with a model they can use to track data, conduct peer review research and communicate analysis with greater clarity and consistency. The X-Force cyberattack preparation and execution frameworks also provide organizations with an easy and efficient way to compare different cyberattack threat vectors relevant to their industries.


If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.
