In today’s wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the cyber kill chain framework to help organizations identify and prevent cyber intrusions.

The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT).

Organizations can use the cyber kill chain to defend themselves against many complex attacks, such as last year’s Uber hack. If you recall, back in September of 2022, a threat actor successfully infiltrated the company’s Slack application by convincing an employee to grant them access. The attacker spammed the employees with multi-factor authentication (MFA) push notifications until they could gain access to internal systems and browse the source code.

This article will walk you through the kill chain of this specific attack twice. First, we’ll take the perspective of the attacker, and then we’ll outline the prevention strategies organizations can take at each step of the chain.

Each step of the cyberattack kill chain

Recon

This first step is about information gathering. Like in many attacks, threat actors use social engineering tactics to gain access to employee information. Attackers typically gather intelligence from scraping data readily available from public sources, called open source intelligence (OSINT). Thanks to social media and publicly documented online activities, attackers can easily profile an organization or employee.

Weaponize

The next step is essentially the preparation stage. The bad actor is now armed and ready to deploy these compromised credentials and any other relevant information they need to log in to the target employee’s account.

Delivery

Delivery is all about set-up: like a boxer’s jabs before landing the knockout punch. In this step during the Uber hack, the attacker spammed the employee with push notifications (this can be called MFA fatigue or prompt bombing). Then, he contacted the employee through social media channels, posing as IT, asking them to accept the notifications so they would stop.

Exploit

Staying with the boxer analogy, exploit is like a right hook. In the Uber attack, the attacker gained access to the employee’s VPN once the MFA fatigue attack was successful.

Install

Install is where the bad actor officially launches the malicious and dangerous part of the attack. In the Uber hack, the attacker was able to scan the network and discover a power shell script on a shared drive. The script contained an admin user credential for the company’s PAM solution that provided the attacker with further access to multiple services.

Callback

For attackers, callback is all about taking control of the target’s systems so they can launch more attacks. For victims, this is the step in which prevention is much more difficult. In the Uber attack, the bad actor proceeded to wrangle access to other internal systems and steal confidential data.

Persist

When attackers reach this stage, they’ve essentially gained enough rights to continuously execute attacks. This may come in the form of ransomware, data exfiltration for monetary gain or launching DOS attacks.

How the enterprise can prevent attacks at each stage

Recon and weaponize

The strategies for Recon and Weaponize prevention are the same at both stages.

One of the most crucial prevention strategies is eliminating the use of passwords whenever possible. While the password will probably never die, going passwordless is typically a positive step in the right direction. That said, it shouldn’t be the only authentication method. Passwordless should be the first factor to be combined with another form of authentication.

Adding or changing contact info for key employees is another way to keep attackers guessing.

Delivery

Deploying high-assurance MFA options like a FIDO2 key, mobile smart credential or other passkeys is one of the best ways to prevent MFA-based attacks. After all, MFA is not foolproof.

Another great way to ensure an attack like the Uber hack doesn’t happen in your organization is to send a notification to the user whenever the account logs in from a new location for the first time.

Adopting zero trust principles is always recommended here (and at any stage).

Exploit

Using a physical token is one of many secure authentication methods. By deploying risk-based adaptive authentication, authentication requests can trigger a defined action or set of actions based on predetermined risk factors. Potentially malicious requests may trigger an email or SMS notification or be blocked outright. This could (and should) include VPN authentication requests.

Much like for the delivery stage, it’s wise to consider location-based notifications for first-time access.

Install

For the install stage, all the same prevention strategies relevant to the exploit stage also apply. But here, organizations can bolster security for desktops, servers, hidden folders and other resources by applying adaptive MFA.

Privileged Access Management (PAM) solutions should also be secured with high assurance MFA.

Callback/Persist

Here is where real-time monitoring of any suspicious data movement and detecting suspicious behavior is critical. At this stage, bad actors are motivated to move and act quickly, and timing for the security team is crucial. The key is the ability to be proactive instead of reactive.

How IBM X-Force addresses cyberattacks with preparation and execution frameworks

IBM Security X-Force cyberattack preparation and execution frameworks build upon the industry-standard conceptual approaches to analyzing a cyberattack, including the Cyber Kill Chain, MITRE ATT&CK and Mandiant’s Attack Lifecycle.

The X-Force cyberattack preparation and execution frameworks provide a logical flow representative of attacks today and also incorporate increasingly relevant phases not typically included in other frameworks.

These frameworks characterize threat data and communicate threat intelligence, explaining the full range of activities that occur prior to and during an actual compromise.

The process provides incident responders and threat intelligence analysts with a model they can use to track data, conduct peer review research and communicate analysis with greater clarity and consistency. The X-Force cyberattack preparation and execution frameworks also provide organizations with an easy and efficient way to compare different cyberattack threat vectors relevant to their industries.

Read more about the X-force cyberattack preparation framework here.

To schedule a no-cost consult with X-Force, click here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Incident Response

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today