WEBVTT

00:00.000 --> 00:01.800
>> Hey guys and welcome back

00:01.800 --> 00:03.899
>> to the cyber kill
chain course on Cybrary.

00:03.899 --> 00:05.280
>> This is Abdulrahman
A. Alnaim.

00:05.280 --> 00:06.480
In today's episode we're going to

00:06.480 --> 00:08.460
talk about the cyber kill chain.

00:08.460 --> 00:09.960
In this video,

00:09.960 --> 00:11.939
>> we're going to cover
the cyber kill chain.

00:11.939 --> 00:13.590
>> We're going to
briefly talk about

00:13.590 --> 00:15.229
the steps of the
cyber kill chain

00:15.229 --> 00:17.130
>> and we're going to end with

00:17.130 --> 00:19.814
>> how to use the cyber
kill chain in defense.

00:19.814 --> 00:22.695
>> If you go ahead and
Google cyber kill chain,

00:22.695 --> 00:24.600
you might find a
number of varieties.

00:24.600 --> 00:26.910
However, one of the
most accepted ones

00:26.910 --> 00:28.964
>> by the cybersecurity
community

00:28.964 --> 00:31.080
>> is Lockheed
Martin's cyber kill chain.

00:31.080 --> 00:33.710
It was derived from the
military kill chain

00:33.710 --> 00:36.179
>> which describes the
structure of an attack.

00:36.179 --> 00:39.391
>> The military has
two different varieties

00:39.391 --> 00:40.340
>> or a number of varieties.

00:40.340 --> 00:44.780
>> One of the
most popular is F2T2EA,

00:44.780 --> 00:47.885
which stands for find,
fix, target, sorry,

00:47.885 --> 00:51.500
find, fix, track, target,
engage and assess.

00:51.500 --> 00:53.240
There's a number of other ones

00:53.240 --> 00:55.760
>> such as find, fix,
fight and finish.

00:55.760 --> 00:59.390
>> But this is
legacy terminology

00:59.390 --> 01:00.784
or older terminology.

01:00.784 --> 01:04.280
Luckily, the cybersecurity
kill chain is none of these;

01:04.280 --> 01:07.970
we don't have finish
in our terminology.

01:07.970 --> 01:11.000
However, in this case
it's the seven-phase

01:11.000 --> 01:13.669
>> or seven-step description
of a targeted attack.

01:13.669 --> 01:15.200
>> It starts with recon,

01:15.200 --> 01:18.410
or reconnaissance, which
includes research, identification,

01:18.410 --> 01:20.030
and selection of targets,

01:20.030 --> 01:23.895
and this might be one of
the most overlooked phases.

01:23.895 --> 01:25.910
However, in my own opinion,

01:25.910 --> 01:30.610
I think this might be
the most important one.

01:30.610 --> 01:33.440
It's crucial to have
good reconnaissance

01:33.440 --> 01:35.870
>> because you're
going to use all of

01:35.870 --> 01:38.029
>> the information that you
gain through reconnaissance

01:38.029 --> 01:42.310
throughout the rest of
the cyber kill chain.

01:42.310 --> 01:45.210
The next step is weaponization.

01:45.210 --> 01:48.620
In this step you're going
to use the information

01:48.620 --> 01:51.890
>> that you gained during
the reconnaissance

01:51.890 --> 01:55.592
>> and create weapons
based on your research.

01:55.592 --> 01:58.609
>> Once this weapon or
the payload is created,

01:58.609 --> 01:59.854
>> you go to delivery.

01:59.854 --> 02:01.580
>> Again, you're going to use

02:01.580 --> 02:03.515
the information you get
from reconnaissance,

02:03.515 --> 02:05.720
so if you know they
have an FTP port open,

02:05.720 --> 02:08.780
you can deliver it using
that open FTP port.

02:08.780 --> 02:11.300
If you know that
the system admin

02:11.300 --> 02:14.060
>> is interested in cars,

02:14.060 --> 02:16.970
>> you can create a social
engineering campaign

02:16.970 --> 02:20.210
that would actually be
of interest to them.

02:20.210 --> 02:22.490
This is why again,
reconnaissance is

02:22.490 --> 02:25.805
one of the most important steps.

02:25.805 --> 02:28.680
After that we move
to exploitation.

02:28.680 --> 02:32.600
In exploitation, we merge or mix

02:32.600 --> 02:35.259
>> the weaponization
with reconnaissance.

02:35.259 --> 02:38.150
>> Because we're using
the vulnerabilities

02:38.150 --> 02:39.080
or the vulnerabilities

02:39.080 --> 02:40.889
>> that we learned
about in reconnaissance

02:40.889 --> 02:42.230
>> and we designed our weapons

02:42.230 --> 02:44.600
>> for, during
exploitation, to be able

02:44.600 --> 02:49.880
to exploit this vulnerability
on the targeted system.

02:49.880 --> 02:51.335
Once this is done,

02:51.335 --> 02:54.920
our payload is going to
install a backdoor for us.

02:54.920 --> 02:56.270
Now that we have a backdoor,

02:56.270 --> 03:01.250
now that we have an input inside

03:01.250 --> 03:02.509
>> or an application

03:02.509 --> 03:05.180
>> or a malware inside
the environment,

03:05.180 --> 03:06.440
we need some way

03:06.440 --> 03:08.389
>> or some channel to
communicate with it.

03:08.389 --> 03:11.440
>> That's when command and
control comes in.

03:11.440 --> 03:13.790
In command and control,
what we're trying to do is

03:13.790 --> 03:15.530
>> we're trying to
control our payload

03:15.530 --> 03:20.720
>> or control our backdoor
that we installed in Phase 5,

03:20.720 --> 03:23.075
>> as you can see, we're
building up; every step

03:23.075 --> 03:25.100
builds on the one before.

03:25.100 --> 03:27.185
Again, going back to
the reconnaissance,

03:27.185 --> 03:29.270
reconnaissance is the
phase that you build

03:29.270 --> 03:33.235
the whole cyber chain on top of.

03:33.235 --> 03:35.600
Once we have this
command and control,

03:35.600 --> 03:38.360
we completed the
first six, except now

03:38.360 --> 03:40.040
>> there's an objective

03:40.040 --> 03:43.334
>> that I created this
targeted attack for,

03:43.334 --> 03:46.040
>> and the seventh phase
or the seventh step of

03:46.040 --> 03:49.295
the cyber kill chain
is action on the objective,

03:49.295 --> 03:51.710
whether it was data leakage,

03:51.710 --> 03:53.120
whether it was destruction,

03:53.120 --> 03:54.665
or any other objectives,

03:54.665 --> 03:58.770
that happens in Phase 6.

04:00.230 --> 04:04.915
Now we talked about using
the cyber kill chain,

04:04.915 --> 04:10.700
in an attack, but we can
also use it for defense.

04:10.860 --> 04:14.155
Because as I said in
the previous video,

04:14.155 --> 04:16.765
the best way to protect

04:16.765 --> 04:20.780
from a hacker is to
think like a hacker.

04:20.970 --> 04:23.905
As a cybersecurity professional,

04:23.905 --> 04:25.810
our goal is to break this chain

04:25.810 --> 04:27.330
>> and at any step of this chain,

04:27.330 --> 04:29.650
>> if we can break it, we protect
the rest of the system;

04:29.650 --> 04:32.660
they cannot build on top of it.

04:32.660 --> 04:35.550
Again, our goal is
to break this chain,

04:35.550 --> 04:36.940
and each one of these

04:36.940 --> 04:39.415
steps presents an
opportunity to detect,

04:39.415 --> 04:41.140
deny, disrupt, degrade,

04:41.140 --> 04:44.580
deceive or contain
that targeted attack.

04:44.580 --> 04:48.470
That's great. Now that we
went over the kill chain,

04:48.470 --> 04:51.065
let's see if we can
answer these questions.

04:51.065 --> 04:52.850
The first question is,

04:52.850 --> 04:54.895
who created the
cyber kill chain?

04:54.895 --> 04:57.105
That's kind of a trick question.

04:57.105 --> 04:58.760
Although I said Lockheed Martin

04:58.760 --> 05:00.965
created the one that
is widely accepted.

05:00.965 --> 05:05.330
However, Lockheed
Martin's kill chain

05:05.330 --> 05:08.190
is just a reflection
of targeted attack.

05:08.190 --> 05:10.115
I think it might
be safe to say

05:10.115 --> 05:13.910
the hackers actually created
the cyber kill chain.

05:14.420 --> 05:19.895
Second is what are the seven
phases of the kill chain?

05:19.895 --> 05:22.595
As I said, we start
with the reconnaissance

05:22.595 --> 05:25.385
and then we build on top
of it weaponization,

05:25.385 --> 05:28.850
delivery, exploitation,
command and control,

05:28.850 --> 05:30.654
>> and action on objectives.

05:30.654 --> 05:32.420
>> However, that's incorrect

05:32.420 --> 05:34.310
>> because I skipped
installation

05:34.310 --> 05:37.160
>> so going back,
it's reconnaissance,

05:37.160 --> 05:40.010
>> weaponization, delivery,
exploitation, installation,

05:40.010 --> 05:44.320
command and control, and
finally action on objectives.

05:44.320 --> 05:47.870
The last question of
this post-assessment is

05:47.870 --> 05:50.675
how do cybersecurity
professionals

05:50.675 --> 05:53.090
use the cybersecurity
kill chain?

05:53.090 --> 05:56.360
As I said, each
and every step of

05:56.360 --> 05:59.900
the cyber kill chain
presents an opportunity

05:59.900 --> 06:02.914
>> to defend against
a targeted attack.

06:02.914 --> 06:04.610
>> That's how we use

06:04.610 --> 06:08.940
>> the cybersecurity
kill chain for good.

06:09.889 --> 06:13.220
>> In today's video we
covered the steps of

06:13.220 --> 06:14.600
the cybersecurity kill chain

06:14.600 --> 06:15.710
>> or the cyber kill chain.

06:15.710 --> 06:17.315
>> In the next video,

06:17.315 --> 06:20.105
we're going to start
our targeted attack

06:20.105 --> 06:22.220
and do some reconnaissance.

06:22.220 --> 06:24.150
>> See you then.

