Understanding the different steps attackers take is crucial to guarding against attacks.
A comprehensive defense-in-depth strategy using layers of overlapping protection has proven to be one of the best approaches to cybersecurity. This is why studying the attack chain, or cyber kill chain, to understand the different steps attackers take is so crucial.
The cyber kill chain identifies seven stages of a cyberattack:
6. Command and Control
However, the standard cyber kill chain is often more complicated than necessary. Instead, it is sufficient to begin with a simpler, endpoint-specific attack chain that is made up of just three major steps.
This stage begins with the attackers gaining a foothold in an environment by delivering their weapons (the malicious payload) and sending instructions to them, telling them what to do.
However, if the attacker gets past these layers in our defense, we can still use endpoint security to block exploits used for distribution, detect malicious URLs and block weaponized documents. We also have an opportunity to detect communications with command and control servers.
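The two endpoint-side opportunities named above, reputation checks on destinations and detection of command-and-control traffic, can be illustrated with a small detector run over web proxy log lines. The following is an added example written for this page, not Sophos code; the log format, the blocklist entries and the host names are all constructed (the `.invalid` TLD is reserved and never resolves). The beaconing check flags a source that contacts the same host at near-regular intervals, which is the pattern a malware implant polling its controller produces and which a reputation list alone would miss.

```python
"""Layered detection of command-and-control style traffic in proxy logs.

Check 1 (reputation): the destination host is on a blocklist.
Check 2 (behaviour): one source talks to one host at near-regular intervals
                     (low jitter), the signature of a polling implant.
Added example for illustration; log lines and indicators are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed blocklist; these are placeholders, not real indicators.
BLOCKLIST = {"update-check.example.invalid"}

# Constructed proxy log lines: "<ISO timestamp> <src_ip> <dest_host> <path>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 beacon.example.invalid /api/ping
2024-01-01T10:00:02 10.0.0.5 cdn.example.invalid /lib/jquery.js
2024-01-01T10:01:00 10.0.0.5 beacon.example.invalid /api/ping
2024-01-01T10:02:01 10.0.0.5 beacon.example.invalid /api/ping
2024-01-01T10:03:00 10.0.0.5 beacon.example.invalid /api/ping
2024-01-01T10:03:40 10.0.0.7 cdn.example.invalid /lib/jquery.js
2024-01-01T10:04:00 10.0.0.5 beacon.example.invalid /api/ping
2024-01-01T10:05:00 10.0.0.5 beacon.example.invalid /api/ping
2024-01-01T10:05:10 10.0.0.7 update-check.example.invalid /v1/get
2024-01-01T10:09:00 10.0.0.7 cdn.example.invalid /lib/jquery.js
2024-01-01T10:15:33 10.0.0.7 cdn.example.invalid /img/logo.png
"""


def parse_log(text):
    """Turn the constructed log format into (timestamp, src, host, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path = line.split()
        events.append((datetime.fromisoformat(ts), src, host, path))
    return events


def reputation_hits(events, blocklist=BLOCKLIST):
    """Check 1: every (source, host) pair whose host is on the blocklist."""
    return sorted({(src, host) for _, src, host, _ in events if host in blocklist})


def beacon_candidates(events, min_connections=5, max_cv=0.2):
    """Check 2: (source, host) pairs contacted at near-regular intervals.

    For each pair with at least `min_connections` requests, compute the gaps
    between consecutive requests. A coefficient of variation (stdev / mean)
    at or below `max_cv` means the timing is too regular for a human.
    """
    by_pair = defaultdict(list)
    for ts, src, host, _ in events:
        by_pair[(src, host)].append(ts)

    findings = []
    for (src, host), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all requests at the same instant; not a beacon pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "count": len(times),
                             "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("blocklist hits:", reputation_hits(evts))
    print("beacon candidates:", beacon_candidates(evts))
```

On the constructed log the blocklist catches only `10.0.0.7 -> update-check.example.invalid`, while the timing check surfaces `10.0.0.5 -> beacon.example.invalid` (six requests roughly 60 seconds apart), a host no list knew about. In practice the thresholds are tuned per environment, and allow-listing of legitimate pollers such as update services is needed to keep false positives down.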
Next, attackers look to exploit endpoints and execute malicious code.
Endpoint defenses are often heavily focused on stopping malicious executables, either using foundational approaches like signatures or newer approaches like machine learning.
However, other complementary techniques should also be applied at this stage, including anti-exploit technology to prevent credential theft, privilege escalation and application abuse.
Finally, we get to the “boom!”, also known as the action or post-execution phase, where attackers inflict damage.
Even if an attacker is able to make it this far, there are layers of defense that can be applied. Data loss prevention (DLP) can be used to stop exfiltration of sensitive data.
Additionally, behavioral techniques, such as ransomware protection, can detect malicious activity in action and stop the attacker before they achieve their goals. Post-execution analysis can also be applied to understand the details of the specific attack chain.
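Ransomware protection of the kind mentioned above does not need a signature for the executable; it watches what a process does. The detector below is an added example written for this page, not Sophos code, and uses constructed file-write events rather than a real filesystem feed. It raises an alert when one process writes high-entropy (ciphertext-looking) content to many distinct files inside a short window, which is the behaviour a file-encrypting payload exhibits once it is running, and it stays quiet for an ordinary editor saving a document or an archiver producing a single compressed file.

```python
"""Behavioural detection of mass file encryption from file-write events.

Signal: one process writes high-entropy data to >= min_files distinct files
within window_s seconds. Added example; events and process names are constructed.
"""
import math
from collections import Counter, defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0). Ciphertext sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed payloads: a stand-in for ciphertext (all 256 byte values, entropy 8.0)
# and ordinary document text (low entropy).
HIGH_ENTROPY = bytes(range(256)) * 4
LOW_ENTROPY = b"Quarterly report, draft 3. " * 40

# Constructed file-write events: (seconds, pid, process, path, data_written)
SAMPLE_EVENTS = [
    (0.0, 4242, "winword.exe", "C:/Users/a/Docs/report.docx", LOW_ENTROPY),
    (0.5, 7777, "7z.exe", "C:/Users/a/backup.zip", HIGH_ENTROPY),
    (1.0, 9001, "svc.exe", "C:/Users/a/Docs/report.docx.locked", HIGH_ENTROPY),
    (2.0, 9001, "svc.exe", "C:/Users/a/Docs/budget.xlsx.locked", HIGH_ENTROPY),
    (3.0, 9001, "svc.exe", "C:/Users/a/Docs/notes.txt.locked", HIGH_ENTROPY),
    (4.0, 9001, "svc.exe", "C:/Users/a/Pictures/cat.jpg.locked", HIGH_ENTROPY),
    (5.0, 9001, "svc.exe", "C:/Users/a/Pictures/dog.jpg.locked", HIGH_ENTROPY),
    (30.0, 4242, "winword.exe", "C:/Users/a/Docs/report.docx", LOW_ENTROPY),
]


def detect_mass_encryption(events, window_s=10.0, min_files=5, min_entropy=7.5):
    """Return one alert per process that encrypts many files in a short window."""
    recent = defaultdict(deque)   # pid -> deque of (time, path) high-entropy writes
    flagged = set()
    alerts = []
    for t, pid, proc, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < min_entropy:
            continue                      # ordinary content, ignore
        q = recent[pid]
        q.append((t, path))
        while q and t - q[0][0] > window_s:
            q.popleft()                   # drop writes outside the sliding window
        distinct = {p for _, p in q}
        if len(distinct) >= min_files and pid not in flagged:
            flagged.add(pid)
            alerts.append({"pid": pid, "process": proc,
                           "files": len(distinct), "at": t})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_encryption(SAMPLE_EVENTS):
        print("ALERT mass-encryption behaviour:", alert)
```

With the constructed events the alert fires for `svc.exe` at the fifth file (5 seconds in), while `winword.exe` (low-entropy saves) and `7z.exe` (one high-entropy file) never reach the threshold. A product built on this idea would additionally snapshot or restore the touched files and suspend the offending process, which is what lets it "stop the attacker before they achieve their goals".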
Often, endpoint defenses concentrate primarily on stopping executables; however, there are many other opportunities along the attack chain to disrupt an attack. Some defensive techniques might be very advanced, while others are foundational approaches that have been in place for several years.
Regardless, the same mission is accomplished. If your layered defenses intercept an attack anywhere along the attack chain, you disrupt the entire attack.
Original post from Sophos.