Y - Kill Chain
The Y - Kill Chain combines two frameworks. The first is Lockheed Martin's Cyber Kill Chain, a framework for identifying and preventing cyber intrusion activity. The second is the MITRE ATT&CK® framework, a curated knowledge base and model of cyber adversary behaviour. The kill chain is used to describe the attack path taken during the simulation and is divided into the following phases:
| Phase | Description |
| --- | --- |
| Reconnaissance | Reconnaissance is used to collect information about the target in scope and to build an initial attack plan. The collected information aims at identifying the security controls in place, the external attack surface, and the internal structures of the organization. |
| Initial Access | Initial Access is used to gain a digital or physical foothold on the target. The actions performed here are among the most crucial steps of the simulation. They rely on the Reconnaissance phase, as the collected information (such as the technology in use) needs to be evaluated when building the toolkit and preparing the exploitation of services. |
| Control & Movement | Control & Movement is used to collect information about the internal network while moving through it and analysing procedures, in order to reach the goals of the assessment. Further actions during this phase include reconnaissance of the security controls on the target, bypassing them, and escalating privileges. |
| Persistence | Persistence is the fourth step of the attack chain, in which permanent access to the target is ensured. Ensuring persistence is an important but also critical task, as in some cases the configuration of the system needs to be changed. |
| Data Exfiltration | Data Exfiltration describes how communication with the Command & Control server is handled. It also covers the general exfiltration of data out of the network, such as the goal set in the assessment (e.g., a dummy database). |
| Impact | The Impact phase can be used in the attack simulation to prove that a pre-defined goal has been reached. Attackers may use it to manipulate, interrupt or destroy a system. |