The cyber kill chain is a security model developed to help defenders understand and anticipate the stages of a cyberattack. The model supports preparation for such common threats as ransomware, advanced persistent attacks, network breaches, and data theft (Velimirovic, 2021). Each attack follows a recognizable pattern: reconnaissance of the target, delivery of the weapon, installation, establishment of a command and control (C&C, C2) channel, and completion of the objective, which typically takes the form of data exfiltration (Velazquez, 2015). Understanding the methods hackers use to carry out a planned attack makes it possible to select the right tools for detecting intruders, to stop the attack before it is completed, or to minimize its potential impact. Command and control is the central stage of the operation: the attacker takes control of the infected device by connecting it to the C2 server over a purpose-built communication channel. It is generally thought that understanding this process can help prevent important data from being stolen.
The command and control stage follows the earlier steps, which include reconnaissance of the target (gathering information) and the delivery and installation of the weapons needed to carry out the attack. After the intruder has placed their management and communication APT code on the target network, they gain access to the victim’s system (Death, 2018). This software permits the attacker to work with the APT code to penetrate the network, remove data, and conduct destruction or denial-of-service operations. Attackers have multiple options for achieving their goal. For example, they may use HTTP, HTTPS, or even DNS to send data to and receive data from a victim machine (Velazquez, 2015). C2 methods are typically divided into two categories, push and pull (Velazquez, 2015). That is, attackers can use “a hub to send commands through or can communicate directly out to machines” (Velazquez, 2015, p. 15). Understanding the mechanisms of the C2 stage can help Chief Information Security Officers (CISOs) detect the threat in time to prevent data from being stolen.
The command and control process is characterized by the malware receiving patches, updates, and instructions from its controller after it has been installed on the target device. Based on this knowledge, one way of detecting an attack is to identify network traffic from the malware to the command and control servers. This can be done with tools such as Intrusion Detection Systems (IDS) (Secure Team, 2019). It is also important to detect files in compressed formats such as .RAR, since attackers often use them (Velazquez, 2015). Moreover, there are now many modern security services often called “next generation firewalls” (Secure Team, 2019). These products can subscribe to lists of known C2 servers, block traffic to and from those IP addresses, and identify the devices that made the connection request. Threat intelligence fed into Security Information and Event Management (SIEM) tools can also reveal known C2 channels and show whether this attack has already occurred on one’s network in the past (Velazquez, 2015). Thus, a wide range of measures is capable of stopping the attack at the command and control stage.
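The SIEM-style check described above, written here as an added example (not from the essay or its sources): it replays constructed proxy log lines against a constructed threat-intelligence list of known C2 IP addresses and domains, also flags .RAR transfers, and reports which internal devices made the connections. The log format, the indicator feed, and every address in it are assumptions made up for this illustration.

```python
import re
from collections import defaultdict

# Constructed threat-intelligence feed: hypothetical indicators only (TEST-NET ranges).
KNOWN_C2 = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example", "cdn-sync.example"},
}

# Constructed log lines in a simplified "timestamp src dst method url" format.
SAMPLE_LOGS = """\
2021-03-01T10:00:01Z 10.0.0.12 203.0.113.45 GET http://update-check.example/ping
2021-03-01T10:00:31Z 10.0.0.12 203.0.113.45 POST http://update-check.example/ping
2021-03-01T10:01:05Z 10.0.0.40 93.184.216.34 GET http://www.example.com/index.html
2021-03-01T10:02:17Z 10.0.0.77 198.51.100.7 POST http://cdn-sync.example/upload/docs.rar
2021-03-01T10:03:00Z 10.0.0.40 93.184.216.34 GET http://www.example.com/logo.png
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+)$")

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def domain_of(url):
    """Extract the lower-cased host from a URL, dropping scheme, port and path."""
    return re.sub(r"^\w+://", "", url).split("/")[0].split(":")[0].lower()

def find_c2_activity(log_text, intel=KNOWN_C2):
    """Map each internal source host to (timestamp, reasons) for every flagged line."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        reasons = []
        if rec["dst"] in intel["ip"]:
            reasons.append(f"known C2 IP {rec['dst']}")
        if domain_of(rec["url"]) in intel["domain"]:
            reasons.append(f"known C2 domain {domain_of(rec['url'])}")
        if rec["url"].lower().endswith(".rar"):
            reasons.append("compressed archive (.rar) transfer")
        if reasons:
            hits[rec["src"]].append((rec["ts"], reasons))
    return dict(hits)

if __name__ == "__main__":
    for host, events in find_c2_activity(SAMPLE_LOGS).items():
        print(host, events)
```

Running the block lists 10.0.0.12 (two beacons to a known C2 server) and 10.0.0.77 (a .rar upload to a known C2 domain), while the ordinary browsing from 10.0.0.40 is not reported.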
In conclusion, the cyber kill chain is a protection model aimed at securing devices and networks from potential attacks. Analyzing each step of a hacker’s activity helps to detect threats and makes it possible to prevent attacks or minimize their impact. Understanding the command and control stage is one of the crucial aspects of this process, as it allows defenders to identify the attackers’ actions in time to stop them from stealing data. The details of how the malware behaves allow Chief Information Security Officers to detect intruder activity with the help of specialized firewalls and SIEM tools, and so to minimize the damage from the attack.
Death, D. (2018). The cyber kill chain explained. Forbes. Web.
Secure Team. (2019). What is the cyber kill chain? Web.
Velazquez, C. (2015). Detecting and preventing attacks earlier in the kill chain. SANS Institute Information Security Reading Room. Web.
Velimirovic, A. (2021). What is a cyber kill chain? PhoenixNAP. Web.