
Cyber Kill Chain & Ransomware

Nino Vales 2018-08-20

The Cyber Kill Chain model breaks an intrusion into seven stages. The stage names used below (Reconnaissance, Stage, Launch, Exploit, Install, Callback, Persist) are a common vendor rendering of the original Lockheed Martin stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. This article walks a Ransomware attack through those stages and shows which of our security solutions are effective at each one, so you can see where a given control actually stops the attack.

 

Cyber Kill Chain stages

 

Reconnaissance

The threat actor gathers all the information about your organization that is publicly available: the contact page on your website, phone numbers, staff names on social media, or the domain's WHOIS records. Some attackers also run automated scripts that guess or harvest the email addresses associated with the domain; the resulting list becomes the target list for the phishing campaign in the next stage. Nothing in this stage touches your network, so you cannot detect it, only limit what is exposed.

Recommended:

  • Stricter handling of public information: publish only the contact details you need, and review what your website, job postings and social media reveal about staff and systems
  • Cyber Security training so users can identify the Phishing attempts this reconnaissance leads to

 

Stage

Once the threat actor has gathered enough information, the attack is prepared: the Ransomware is packaged into a delivery vehicle, typically a Phishing email with a malicious attachment or a URL pointing to the payload, addressed to the users of the targeted organization found during reconnaissance.

Recommended:

  • User Security training to identify Phishing emails from legitimate emails (Cybersecurity training – KnowBe4)

 

Launch

The Phishing email reaches the user. If the user opens the attachment or clicks the link, the embedded script or downloader runs and begins infecting the system.

Recommended:

  • Cisco Umbrella to filter DNS traffic, so the link in the email resolves to a block page instead of the attacker's host
  • Meraki MX Firewall with intrusion prevention system
  • SPF, DKIM and DMARC records for your Office 365 mail domain, so that receiving servers (including your own) can reject mail that spoofs your domain; note that a monitor-only DMARC policy (p=none) or an SPF record ending in ~all reports spoofing but does not stop it
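Publishing the records is only half the work; the common mistake is publishing them in monitor-only form and believing spoofing is blocked. The following is an added example (not code from the original article, Microsoft or Cisco) that parses SPF and DMARC TXT records and lists every setting that still lets a spoofed message through. The record strings are constructed for a fictitious Office 365 tenant; `example.com` and the `rua=` mailbox are placeholders, and `spf.protection.outlook.com` is the include Microsoft documents for Office 365.

```python
"""Check whether a mail domain's SPF and DMARC records actually reject
spoofed mail, or only monitor it.

Added example for this article, not Microsoft or Cisco tooling.  The
record strings are constructed; in practice paste in the output of
  dig +short TXT example.com          (SPF)
  dig +short TXT _dmarc.example.com   (DMARC)
"""
import re
from typing import Dict, List, Optional

# 'all' with optional qualifier; RFC 7208 treats a bare 'all' as '+all'.
ALL_RE = re.compile(r"^([-+~?]?)all$", re.IGNORECASE)


def parse_spf(record: str) -> Optional[Dict[str, object]]:
    """Return the SPF mechanisms and the final 'all' qualifier, or None if not SPF."""
    record = record.strip().strip('"')
    if not record.lower().startswith("v=spf1"):
        return None
    mechanisms: List[str] = []
    all_qual: Optional[str] = None
    for term in record.split()[1:]:
        m = ALL_RE.match(term)
        if m:
            all_qual = (m.group(1) or "+") + "all"
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qual}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Return DMARC tag=value pairs, or None if the record is not DMARC."""
    tags: Dict[str, str] = {}
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> List[str]:
    """Return findings that weaken anti-spoofing; an empty list means enforcing."""
    findings: List[str] = []

    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("no SPF record: receivers cannot tell which hosts may send for this domain")
    elif spf["all"] is None:
        findings.append("SPF has no 'all' term: unlisted senders get a neutral result, not a failure")
    elif spf["all"] in ("+all", "?all"):
        findings.append(f"SPF ends in {spf['all']}: every sender passes, the record blocks nothing")
    elif spf["all"] == "~all":
        findings.append("SPF ends in ~all (softfail): spoofed mail is flagged, not rejected")

    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        findings.append("no DMARC record: receivers never act on SPF/DKIM failures for this domain")
        return findings
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitor-only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam instead of being rejected")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC pct={dmarc['pct']}: policy applies to only that share of failing mail")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address: you receive no aggregate reports showing who spoofs you")
    return findings


# Constructed records for a fictitious Office 365 tenant (example.com is a placeholder).
WEAK_SPF = '"v=spf1 include:spf.protection.outlook.com ~all"'
WEAK_DMARC = '"v=DMARC1; p=none"'
STRONG_SPF = '"v=spf1 include:spf.protection.outlook.com -all"'
STRONG_DMARC = '"v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"'

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["enforcing: spoofed mail is rejected"])
```

The "weak" pair is what most domains look like after a first deployment: the records exist, but `~all` and `p=none` only tag spoofed mail, and without `rua=` nobody sees the reports that would show the spoofing. Move to `-all` and `p=reject` once the aggregate reports confirm all legitimate senders are listed.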

 

Exploit

The stage where the malicious code exploits a weakness in the system to gain execution: an unpatched operating system or application, or outdated firmware. A network whose firewall does not inspect the traffic (no intrusion prevention) is at particular risk, because nothing in the path recognizes the exploit or the payload download that follows it.

Recommended:

  • Cisco Umbrella for blocking suspicious traffic
  • Meraki MX Firewall with Intrusion Prevention System

 

Install

The stage where the Ransomware payload is written to disk and installed on the vulnerable system, usually with a mechanism to restart after a reboot. Workstations without real-time antivirus or anti-malware protection are at risk, since this is the last point at which the payload can be caught before encryption starts.

Recommended:

  • Host-based antivirus or anti-malware products such as Webroot, Trend Micro, or Cisco AMP

 

Callback

The infected system contacts the attacker's command and control (C2) server, often hosted on a botnet, to report the infection and exchange the key material used to encrypt the victim's files. Blocking this callback stops Ransomware families that depend on it. Be aware that some Ransomware ships with an embedded public key and can encrypt without ever calling home, so this control complements the earlier stages rather than replacing them.

Recommended:

  • Cisco Umbrella to block suspicious categories like newly created domains or known Botnet locations
  • Meraki MX Firewall to filter out suspicious traffic
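Category blocking catches domains that are already known; the callback itself is also visible in the firewall's own logs because it is machine-generated: the same host contacts the same domain on a fixed cadence. The following is an added example (not code from the original article, Cisco Umbrella or Meraki) that runs both checks over an exported log: a match against a known botnet C2 list, and a beaconing test that flags a host/domain pair whose request intervals barely vary. The log lines, the `ts`/`src`/`domain` field names, the domain names and the blocklist entry are all constructed for illustration.

```python
"""Spot command-and-control callbacks in exported firewall or DNS logs.

Added example for this article, not Cisco Umbrella or Meraki code.  The
log lines, field names (ts, src, domain) and the blocklist entry are all
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed: a domain a threat-intel feed has already tagged as a botnet C2.
KNOWN_C2 = {"panel.example-botnet.net"}

MIN_HITS = 6       # fewer contacts than this is too little to call periodic
MAX_JITTER = 0.15  # stddev / mean of the gaps; real beacons sit well below this

# Constructed log: one host beaconing every ~60 s, plus ordinary browsing noise.
SAMPLE_LOG = """\
ts=2018-08-20T09:00:00 src=10.0.0.23 domain=cdn-sync.example-update.net
ts=2018-08-20T09:00:10 src=10.0.0.23 domain=www.example.com
ts=2018-08-20T09:00:11 src=10.0.0.23 domain=www.example.com
ts=2018-08-20T09:00:40 src=10.0.0.23 domain=www.example.com
ts=2018-08-20T09:01:02 src=10.0.0.23 domain=cdn-sync.example-update.net
ts=2018-08-20T09:02:00 src=10.0.0.23 domain=cdn-sync.example-update.net
ts=2018-08-20T09:02:30 src=10.0.0.41 domain=panel.example-botnet.net
ts=2018-08-20T09:03:01 src=10.0.0.23 domain=cdn-sync.example-update.net
ts=2018-08-20T09:03:59 src=10.0.0.23 domain=cdn-sync.example-update.net
ts=2018-08-20T09:04:15 src=10.0.0.23 domain=www.example.com
ts=2018-08-20T09:04:16 src=10.0.0.23 domain=www.example.com
ts=2018-08-20T09:04:20 src=10.0.0.41 domain=www.example.com
ts=2018-08-20T09:05:00 src=10.0.0.23 domain=cdn-sync.example-update.net
ts=2018-08-20T09:06:02 src=10.0.0.23 domain=cdn-sync.example-update.net
ts=2018-08-20T09:06:50 src=10.0.0.23 domain=www.example.com
ts=2018-08-20T09:07:00 src=10.0.0.23 domain=cdn-sync.example-update.net
ts=2018-08-20T09:07:30 src=10.0.0.41 domain=www.example.com
"""


def parse_log(lines) -> Dict[Tuple[str, str], List[datetime]]:
    """Group request timestamps by (source host, destination domain)."""
    buckets: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S")
        buckets[(fields["src"], fields["domain"])].append(ts)
    return buckets


def beacon_score(times: List[datetime]) -> Tuple[float, float]:
    """Return (mean gap in seconds, jitter) where jitter = stddev / mean of the gaps."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return 0.0, float("inf")
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg > 0 else float("inf"))


def find_callbacks(lines) -> List[Dict[str, object]]:
    """Flag (host, domain) pairs that hit a known C2 or talk to one domain on a fixed cadence."""
    findings: List[Dict[str, object]] = []
    for (src, domain), times in parse_log(lines).items():
        if domain in KNOWN_C2:
            findings.append({"src": src, "domain": domain, "hits": len(times),
                             "reason": "known botnet C2 domain"})
            continue
        if len(times) < MIN_HITS:
            continue
        interval, jitter = beacon_score(times)
        if jitter <= MAX_JITTER:
            findings.append({"src": src, "domain": domain, "hits": len(times),
                             "reason": f"periodic callback every ~{interval:.0f}s (jitter {jitter:.2f})"})
    return findings


if __name__ == "__main__":
    for hit in find_callbacks(SAMPLE_LOG.splitlines()):
        print(f"{hit['src']} -> {hit['domain']}: {hit['reason']} ({hit['hits']} hits)")
```

In the sample, 10.0.0.23 contacts `www.example.com` six times too, but at irregular gaps (1 s, 29 s, 215 s, ...), so it is not flagged; the same host's eight contacts with `cdn-sync.example-update.net` land 58 to 62 seconds apart and are. Tune `MIN_HITS` and `MAX_JITTER` against your own traffic, since legitimate software updaters also poll on a schedule and will appear in the output for review.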

 

Persist

The stage where the victim's files have already been encrypted and a ransom note keeps appearing, demanding payment for the decryption key. From this point on the controls above can no longer prevent the damage; the work is containment, investigation and recovery.

Recommended:

  • A security professional to assist with assessing the impact and removing the Ransomware, starting by isolating the infected system from the network so it cannot reach shared drives or other hosts
  • Meraki MX Firewall logs of the unusual traffic produced by the infected system, to establish when the infection started and which other systems it contacted during the investigation

 

You might notice that certain security solutions cover several stages of the Cyber Kill Chain model. Implementing these solutions gives you a better chance of avoiding a Ransomware infection, and of stopping one that gets past an earlier layer before it completes.

In addition to this, a reliable backup solution will save your files if Ransomware still manages to infect your system. The backup only helps if the Ransomware cannot reach it: keep at least one copy offline or on storage the infected workstation cannot write to, since mapped network drives and always-connected backup disks get encrypted along with everything else, and test a restore before you need one.

This model is not perfect, but it gives your business better chances of stopping a Ransomware attack. The cost of these security solutions is minimal compared to the downtime or paying a ransom to recover your files.