
What Is the Actions on Objectives Stage of the Cyber Kill Chain?
After making it through the six previous stages of the cyber kill chain — reconnaissance, weaponization, delivery, exploitation, installation, and command and control (C2) — attackers do eventually end up at their ultimate goal: actions on objectives.
At the actions on objectives stage of the cyber attack chain, threat actors have all but accomplished their designs or have at least put themselves in prime position to do so. They’ve scoped out and researched their target, crafted malware, launched it, established persistence and remained undetected. Now all that’s left to do is take what they came for.
These actions on objectives can include:
Exfiltrating or deleting data
Encrypting files with ransomware
Launching a DDoS attack using a botnet
Collecting user credentials
Bringing down the entire network with some other form of disruption
How Actions on Objectives Works
Threat actors work hard to reach the actions on objectives stage. Up to this point, however, most of that work is unlikely to be visible, at least if the attackers have done their jobs well. At the reconnaissance stage, attackers can easily do their research unnoticed. Weaponization happens entirely on the cybercriminal’s side. During the delivery and exploitation stages, the chances of catching the attack go way up; this is where SOCs can spot phishing emails and detect exploited vulnerabilities. Then, at the installation (persistence) and command and control stages, security teams get another good shot, provided they have advanced detection and response tooling that can uncover anomalies and catch malicious outbound C2 traffic.
That said, nothing is more obvious than the final act that happens when attackers reach the end of the cyber kill chain. A ransomware attack is meant to be discovered, a DDoS attack is hard to hide, and exfiltrated data and credential lists end up on the dark web sooner rather than later. To add insult to injury, many cybercriminal groups (if not all) like to crow about their ill deeds and publicly “out” their victims, ruining their reputations. Additionally, many use compliance lapses as leverage to make victims pay, threatening to report them to regulatory bodies if a ransom isn’t paid for the stolen information. As the stats show, there’s only so much honor among thieves: among those that did pay the ransom, 40% had their data leaked anyway and nearly a third got hit again.
That is why it is so important for companies to do all they can to thwart these attacks — even while they are in progress.
Disrupting Actions on Objectives with Fortra
Before we get into the strictly offensive measures against actions on objectives, it is good to reiterate that the best offense is still a great defense. Organizations need to take the opportunity to break the cyber kill chain at every previous stage, from reconnaissance down to C2.
Preventative Measures Against Actions on Objectives
There are myriad chances for prevention within the first six steps of the cyber kill chain: blocking a phishing attempt, spotting deviations from behavioral baselines, implementing multi-factor authentication (MFA). Here are some of the elements and solutions that can facilitate those preventative measures, and more.
Security frameworks and protocols: Optional, industry-standard frameworks like the CIS Controls, NIST CSF, NIST RMF, MITRE ATT&CK, and Zero Trust all provide a strong foundation against cyberattacks. Mandatory ones like HIPAA, PCI DSS, GDPR, and CMMC help protect specific sectors and geographies even further, bolstering defenses against even the first steps of the attack chain.
Data classification: Attackers are on the hunt for loose, unprotected sensitive data. Having a data classification program in place ensures that each new piece of data (structured or unstructured) gets labelled, stored, and protected according to its sensitivity.
Data loss prevention (DLP): DLP programs can operate at several levels: network DLP, email DLP, and endpoint DLP. They implement the necessary safeguards that set policies, monitor traffic, and secure the intellectual property and sensitive information attackers are after.
Employee training and awareness: Arming your employee base with security awareness training (SAT) gives them the knowledge they need to spot suspicious activity early in the attack chain.
Real-time and Offensive Security Measures Against Actions on Objectives
For those perfect storms when an attack does get through, Fortra still has ways to stop it. The primary strategy when a compromise is already underway is rapid detection and lightning-fast incident response. Fortra Extended Detection and Response helps teams catch the slightest deviations from behavioral norms and eliminate blind spots in network visibility, enabling SOCs to spot misdeeds fast. For teams that need an extra hand, Fortra Managed Security Services can keep a 24/7 eye on the network, adding another layer of rapid detection.
And for those that don’t want to sit around and risk being surprised, you can always put your team through its paces with cutting-edge offensive security drills from solutions like Fortra Cobalt Strike (red teaming) and Fortra Outflank Security Tooling. That way, when the “real deal” attack is underway, your team and your solutions will both be ready.
Being quick to respond could mean the difference between a few hundred credentials being stolen and admitting to hundreds of thousands lost. Or, between being down for a few minutes due to a DDoS attack and losing potentially millions due to outage-induced downtime.
It’s up to you. However you choose to break the cyber kill chain, Fortra is ready to make that happen.
Want to learn more?
Start at the beginning and master the basics: What Is the Cyber Attack Chain?