Cyber Kill Chain and Courses of Action

  1. Cyber Kill Chain: This is a model that outlines the steps an attacker takes to compromise a target. It includes:

    • Reconnaissance: Gathering information about the target.

    • Weaponization: Creating a malicious payload.

    • Delivery: Sending the payload to the target (e.g., via phishing).

    • Exploitation: Using the payload to exploit a vulnerability.

    • Installation: Installing malware or gaining access.

    • Command and Control (C2): Establishing control over the compromised system.

    • Actions on Objectives: Achieving the attacker's goals, such as data exfiltration.

  2. Courses of Action Matrix: This model helps defenders decide how to respond to each phase of the Cyber Kill Chain. Actions can be:

    • Passive: Actions like discovering and detecting threats without directly affecting the attacker.

    • Active: Actions like denying, disrupting, degrading, deceiving, or destroying the attacker's efforts.

  3. Example: In a phishing scenario, during the delivery phase, you might:

    • Detect suspicious emails.

    • Deny by blocking the sender.

    • Disrupt by quarantining the email.

    • Degrade by stripping attachments.

    • Deceive by rerouting emails to a honeypot.
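
The delivery-phase phishing example above, worked through in Python as an added illustration (this code is not from the original page). It runs the passive detect step over constructed email metadata and then picks one active course of action from the matrix (deny, disrupt, degrade or deceive); every sender, host, extension list and decoy mailbox below is a made-up sample value.

```python
from dataclasses import dataclass, field
# Constructed sample policy: every address, host and mailbox here is hypothetical.
BLOCKED_SENDERS = {"billing@invoice-portal.example"}
BLOCKED_LINK_HOSTS = {"login-verify.example"}
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".iso")
DECOY_RECIPIENTS = {"honeytoken@corp.example"}  # seeded addresses that only a lure would target

@dataclass
class Email:
    sender: str
    recipient: str
    attachments: list[str]
    link_hosts: list[str]
    actions: list[str] = field(default_factory=list)  # courses of action, in order applied

def detect(mail: Email) -> list[str]:
    """Passive course of action: collect indicators without altering delivery."""
    reasons = []
    if mail.sender in BLOCKED_SENDERS:
        reasons.append("sender on blocklist")
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in mail.attachments):
        reasons.append("risky attachment type")
    if any(h in BLOCKED_LINK_HOSTS for h in mail.link_hosts):
        reasons.append("link to blocked host")
    return reasons

def respond(mail: Email) -> str:
    """Active courses of action for the Delivery phase; returns the final disposition."""
    reasons = detect(mail)
    if reasons:
        mail.actions.append("detect: " + ", ".join(reasons))
    # Deceive: mail to a seeded decoy address goes to the honeypot mailbox for observation.
    if mail.recipient in DECOY_RECIPIENTS:
        mail.actions.append("deceive: reroute to honeypot")
        return "honeypot"
    if not reasons:
        return "delivered"
    # Deny: refuse mail from a blocked sender outright.
    if "sender on blocklist" in reasons:
        mail.actions.append("deny: reject blocked sender")
        return "rejected"
    # Disrupt: quarantine when a phishing link is present, so the recipient never sees it.
    if "link to blocked host" in reasons:
        mail.actions.append("disrupt: quarantine message")
        return "quarantined"
    # Degrade: strip risky attachments and deliver the remainder.
    kept = [a for a in mail.attachments if not a.lower().endswith(RISKY_EXTENSIONS)]
    mail.actions.append(f"degrade: stripped {len(mail.attachments) - len(kept)} attachment(s)")
    mail.attachments = kept
    return "delivered-degraded"
```

Each message records the actions applied to it, so the same data can feed a detection log as well as the delivery decision.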
