This is the framework that delivers our very ambitious vision and mission. It follows a revised version of the Lockheed Martin Cyber Attack Kill Chain, and is based on our conviction that organizations should rather invest resources in STOPPING BREACHES than be overly carried away by STOPPING MALWARE. Below is a diagrammatic outline of our framework vis-à-vis the revised CAKC.
Description of SMSAM SYSTEM’s version of the LHM CAKC & Recommended Solutions
Reconnaissance – The first stage in reconnaissance is identifying potential targets (companies or individuals) that satisfy the mission of the attackers (e.g. financial gain, targeted access to sensitive information, brand damage, etc.). Once the target or targets are identified, the attackers determine their best mode of entry. They determine what defences you have in place and choose their initial weapon based on what they discover during their reconnaissance, whether it is a zero-day exploit, a spear-phishing email campaign, physical compromise, bribing an employee, or some other means.
Recommended Solution (RiskIQ, Digital Shadows, Q6 Cyber)
Initial Compromise – The initial compromise is usually in the form of hackers bypassing your perimeter defences and, in one way or another, gaining access to your internal network through a compromised system or user account. Compromised systems might include your externally facing servers or end-user devices, such as laptops or desktops. Recent breaches have also included systems that were never traditionally considered as intrusion entry points, such as point-of-sale (POS) devices, medical devices, personal consumer devices, networked printers, and even IoT devices.
Recommended Solution (ThreatARMOR, Ericom Shield, Proofpoint BEC, iBoss, VOTIRO)
Command and Control – The compromised device is used as a beachhead into your organisation. Typically, this involves the attacker surreptitiously downloading and installing a remote-access Trojan (RAT) so they can establish persistent, long-term, remote access to your environment. Once the RAT is in place, they can carefully plan and execute their next move using covert connections from attacker-controlled systems on the internet.
Recommended Solution (Visibility Fabric, Duo Security, Akamai EAA, AppGate, Certes Networks, SpyCloud, ForeScout, ThreatARMOR, Data Sunrise, CrowdStrike, LightCyber, Javelin Networks)
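The persistent, covert channel described above has a detectable shape: a RAT that checks in with its operator tends to do so at regular intervals, whereas a person's browsing is bursty. The script below is an added example (not code from this page or from any of the vendors named) that groups outbound connections by source and destination and flags pairs whose inter-connection gaps are both numerous and unusually regular. The log format, hostnames, IP addresses and thresholds are all constructed for the example.

```python
"""Beacon-regularity detector over constructed connection-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2024, 3, 1, 9, 0, 0)


def _make_lines(src, dst, offsets_s, size):
    """Build constructed log lines at the given second offsets from BASE."""
    return [f"{(BASE + timedelta(seconds=o)).isoformat()} {src} {dst} {size}" for o in offsets_s]


# Constructed sample log (format: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>").
SAMPLE_LOG_LINES = (
    # near-perfect five-minute check-ins: the heartbeat shape of an implant
    _make_lines("10.0.0.5", "c2.example.invalid",
                [0, 300, 601, 899, 1201, 1500, 1799, 2102, 2400, 2698], 412)
    # ordinary browsing: the same number of connections, but bursty and irregular
    + _make_lines("10.0.0.5", "news.example.invalid",
                  [0, 3, 50, 170, 179, 779, 794, 827, 1077, 1079], 15320)
    # too few connections to judge either way
    + _make_lines("10.0.0.7", "update.example.invalid", [0, 3600, 7200], 900)
)


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, bytes)."""
    ts, src, dst, size = line.split()
    return datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(lines, min_connections=8, max_cv=0.2):
    """Return {(src, dst): stats} for pairs whose gaps between successive
    connections are numerous and regular. cv is stdev/mean of the gaps; a
    small cv means the connections arrive like clockwork. Thresholds are
    hypothetical starting points, not tuned values."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse_line(line)
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {"connections": len(stamps),
                             "mean_gap_s": round(avg, 1),
                             "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG_LINES).items():
        print(f"beacon-like: {src} -> {dst} {stats}")
```

Regularity alone is a lead for triage, not a verdict: legitimate software update checks and monitoring agents are also regular, and an implant that adds jitter to its sleep will raise the cv above a tight threshold. In practice the flagged pair would be enriched with the destination's reputation and age and with the process that opened the connection before anyone acts on it.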
Lateral Movement – Once the attacker has an established (persistent) connection to your internal network, they seek to compromise additional systems and user accounts. First, they take over the user account on the compromised system. This account helps them scan, discover, and compromise additional systems from which additional user accounts can be stolen. Because the attacker is often impersonating an authorised user, evidence of their existence can be hard to see.
Recommended Solution (Javelin Networks, LightCyber & CrowdStrike)
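Because the lateral-movement stage rides on a legitimate account, the signal is not any single logon but the account's behaviour in aggregate: a stolen credential that is being used to "scan, discover, and compromise additional systems" authenticates to far more distinct hosts in a short window than its owner ever does. The script below is an added example (not this page's or any vendor's code) that runs a sliding-window fan-out check over constructed authentication events. Usernames, hostnames, the event format and the thresholds are all hypothetical.

```python
"""Sliding-window logon fan-out detector over constructed auth events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 3, 1, 10, 0, 0)


def _auth_lines(user, src, targets, start_offset_s, step_s):
    """Constructed events: user logs on from src to each target, step_s apart."""
    lines = []
    for i, dst in enumerate(targets):
        ts = (BASE + timedelta(seconds=start_offset_s + i * step_s)).isoformat()
        lines.append(f"{ts} {user} {src} {dst} success")
    return lines


# Constructed sample log (format: "<ISO timestamp> <user> <src_host> <dst_host> <result>").
SAMPLE_AUTH_LINES = (
    # an admin touching a handful of servers spread across the day
    _auth_lines("a.admin", "wks-admin01", ["srv-01", "srv-02", "srv-03", "srv-04"], 0, 3600)
    # a backup account revisiting its two file servers every half hour
    + _auth_lines("svc_backup", "srv-backup", ["fs-01", "fs-02"] * 4, 0, 1800)
    # a stolen user account walking through twelve hosts in a few minutes
    + _auth_lines("j.doe", "wks-0042", [f"srv-{n:02d}" for n in range(10, 22)], 7200, 30)
)


def parse_auth(line):
    """Split one constructed auth line into its five fields."""
    ts, user, src, dst, result = line.split()
    return datetime.fromisoformat(ts), user, src, dst, result


def find_fan_out(lines, min_hosts=8, window=timedelta(minutes=15)):
    """Return {user: (window_start, sorted distinct hosts)} for accounts that
    authenticated successfully to at least min_hosts distinct hosts inside
    any single window of the given length. The widest qualifying window per
    user is kept. Thresholds are hypothetical and would be set per account
    class (interactive users vs. service accounts) in a real deployment."""
    events = defaultdict(list)
    for line in lines:
        ts, user, _src, dst, result = parse_auth(line)
        if result == "success":
            events[user].append((ts, dst))

    alerts = {}
    for user, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # advance the left edge until the window fits
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            hosts = {dst for _, dst in evs[lo:hi + 1]}
            if len(hosts) >= min_hosts and (user not in alerts or len(hosts) > len(alerts[user][1])):
                alerts[user] = (evs[lo][0], sorted(hosts))
    return alerts


if __name__ == "__main__":
    for user, (start, hosts) in find_fan_out(SAMPLE_AUTH_LINES).items():
        print(f"fan-out: {user} reached {len(hosts)} hosts from {start.isoformat()}: {hosts}")
```

The repetitive backup account and the slow-moving admin stay below the threshold while the walked account is reported with the full set of hosts it touched, which is exactly the list a responder needs for scoping. Counting distinct hosts rather than raw logons is what keeps a chatty but narrow service account quiet.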
At this stage of the Kill Chain, the attacker typically has multiple remote access entry points and may have compromised hundreds (or even thousands) of your internal systems and user accounts. They have mapped out and deeply understand the aspects of your IT environment of highest interest to them. Ultimately, they are within reach of their target(s), and they are comfortable that they can complete their ultimate mission at the time of their choosing.
Recommended Solution (NopSec, LightCyber, CyberX, CrowdStrike & LogPoint)
Exfiltration, Corruption, and Disruption – This is the final stage of the attack kill chain, and the one where the cost to your business rises exponentially if the attack is not defeated. This is the stage where the attacker executes the final aspects of their mission: stealing intellectual property or other sensitive data, corrupting mission-critical systems, and generally disrupting the operations of your business. In the event of data theft, data is often transmitted via covert network communications across days, weeks, or even months. Attackers will also hide activity by using seemingly legitimate cloud-storage applications such as Dropbox and Google Drive to steal data.
Recommended Solution (Netskope, Seclore, GTB, Demisto)
The ability to DETECT and RESPOND to the threat early in the Kill Chain is the key to protecting your organization from a BREACH. The earlier an attack is detected and SWIFTLY mitigated, the less the ultimate cost to the business will be. If a compromised endpoint is quickly removed from the environment, the cost of cleaning up additional compromised systems due to successful lateral movement is avoided.