Delivery in Cybersecurity – The 3rd Phase of Cyber Kill Chain

Written By Sambita Panigrahy
Approved By Anuraag Singh
Published On April 25th, 2023

This post continues our series on the Cyber Kill Chain security model. Here we discuss the 3rd phase, Delivery.

If adversaries complete the 2nd phase, they will most likely move on to throwing their weaponized punches in the Delivery phase. Persistent, well-resourced attackers spend a significant amount of time in the first two phases, Reconnaissance and Weaponization. In those steps they stay in the shadows, quietly gathering information about the target and building malicious files and software as weapons.

After that, they cross the threshold and jump to the delivery phase to launch the weapons into the target environment.

Delivery Stage of Cyberattack – What Do Attackers Do In This Phase? 

In this phase, the adversary transmits the weaponized payload to the target environment along some attack vector, a path by which the payload can reach a vulnerable system or person. Historically, and still today, the three most common delivery vectors for weaponized payloads have been email attachments, websites, and USB removable media. 


Two of these three vectors, email attachments and USB media, depend on a person doing something: opening the file or plugging in the drive. A suspicious user can sometimes stop delivery on instinct alone, but a well-crafted lure needs far more attention to detail than instinct provides.

Which is The Most Common Technique of Delivery in Cybersecurity Followed by Attackers to Send Exploits?

Delivery techniques vary, but phishing still gets past technical defenses more reliably than any other. The technique is nothing more than social engineering combined with email. 

Social engineering exploits people's emotional responses (urgency, curiosity, fear, trust in authority) to persuade them to act against their own interest. Attackers manipulate users into doing something they would never do if they understood the consequences. Email is the weapon that carries the phishing attack: the adversary inserts a weaponized attachment or a malicious URL into a message and sends it to an unsuspecting user, hoping they will open the attachment or click the link.

To limit the damage of any form of cyberattack, defenders need a clear understanding of how the adversary operates.

Adversary’s Perspective in the Delivery Stage of Cyberattack 

The first thing to understand is that the attackers behind a persistent intrusion are not opportunistic hackers. They are well-trained, well-funded, and patient. Once they have gathered enough information about the target and built their weaponized payloads, they will consider every possible way to deliver them.

As discussed earlier, delivery techniques vary. Broadly, adversaries launch the operation in one of two ways.

  1. Adversary Controlled Delivery: The attacker interacts with the target directly, for example by sending the exploit straight at an internet-facing web server or other exposed service. The attacker chooses the moment of delivery.
  2. Adversary Released Delivery: The attacker releases the weapon and waits for the victim to trigger it. Malicious emails (phishing), malware on USB sticks, social media interaction, and watering holes or compromised websites are the carriers that bring the intended malware to the target.

Thus, it’s important to understand the adversary’s perspective to prevent the attempt of delivery.

Delivery Phase of Cyber Attack Lifecycle – How Do Defenders Think in This Stage?

This is the stage where defenders get the opportunity to terminate or block the operation. The percentage of intrusion attempts that are stopped at the delivery stage is a crucial indicator of effectiveness.

Hence, experienced security analysts:

  • Analyze the delivery medium and understand the upstream infrastructure behind it (sending mail servers, relays, hosting providers, and the domains involved).
  • Get familiar with the targeted servers and people, their roles and responsibilities, and what information about them is publicly available.
  • Use the choice of targets to infer the adversary's objective.
  • Use artifacts from the weaponization phase (file hashes, macro patterns, document metadata, staging domains) to spot fresh malicious payloads at the point of delivery.
  • Examine what time of day the operation started; timing can hint at the adversary's working hours and time zone.
  • Collect email and web proxy logs for forensic reconstruction. With these, defenders can pinpoint when and how delivery began, even if the intrusion is only discovered after the fact.
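The last three points above become concrete when there are logs to work with. The following is an added example, not code from the original article: it parses constructed mail-gateway and web-proxy log lines (a hypothetical key=value format), flags records that carry known weaponizer artifacts or lure domains, pairs each suspicious web fetch with the email that preceded it for the same user, and reports the earliest delivery event and the time-of-day distribution. The hashes, domains, user names and log lines are all constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed indicators from a hypothetical weaponization analysis.
# The hashes are 64-hex placeholders, not real samples.
MACRO_DOC_SHA256 = "1f2a" * 16
CLEAN_PDF_SHA256 = "9c0d" * 16
KNOWN_BAD_HASHES = {MACRO_DOC_SHA256}
KNOWN_BAD_DOMAINS = {"secure-login-portal.test", "cdn-update-example.test"}
RISKY_EXTENSIONS = {".docm", ".xlsm", ".hta", ".js", ".iso", ".lnk"}

# Constructed log lines in a hypothetical key=value format.
MAIL_LOG = f"""\
ts=2023-04-20T08:57:12Z from=billing@supplier-example.test to=j.doe@corp.test att=Invoice_0423.docm sha256={MACRO_DOC_SHA256}
ts=2023-04-20T09:03:44Z from=hr@corp.test to=j.doe@corp.test att=Handbook.pdf sha256={CLEAN_PDF_SHA256}
ts=2023-04-20T09:05:10Z from=billing@supplier-example.test to=a.lee@corp.test att=Invoice_0423.docm sha256={MACRO_DOC_SHA256}
ts=2023-04-21T02:14:09Z from=alerts@secure-login-portal.test to=c.kim@corp.test url=https://secure-login-portal.test/verify
"""
PROXY_LOG = """\
ts=2023-04-20T09:12:31Z user=j.doe src=10.1.4.22 host=cdn-update-example.test path=/u/stage.bin status=200
ts=2023-04-20T09:30:02Z user=a.lee src=10.1.4.31 host=www.example.org path=/ status=200
ts=2023-04-21T02:15:40Z user=c.kim src=10.1.5.7 host=secure-login-portal.test path=/verify status=200
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each key=value line into a dict with a parsed UTC timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(KV_RE.findall(line))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def mail_delivery_events(records):
    """Flag mail records carrying a weaponizer artifact, a risky attachment type, or a lure URL."""
    events = []
    for r in records:
        reasons = []
        if r.get("sha256") in KNOWN_BAD_HASHES:
            reasons.append("known weaponizer hash")
        att = r.get("att", "")
        ext = att[att.rfind("."):].lower() if "." in att else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type {ext}")
        host = re.sub(r"^https?://", "", r.get("url", "")).split("/")[0]
        if host in KNOWN_BAD_DOMAINS:
            reasons.append(f"lure URL host {host}")
        if reasons:
            events.append({"ts": r["ts"], "vector": "email",
                           "user": r["to"].split("@")[0], "reason": "; ".join(reasons)})
    return events


def proxy_delivery_events(records):
    """Flag proxy records where a user fetched content from a known lure or staging host."""
    return [{"ts": r["ts"], "vector": "web", "user": r["user"], "reason": f"fetched from {r['host']}"}
            for r in records if r["host"] in KNOWN_BAD_DOMAINS]


def correlate(mail_events, web_events, window=timedelta(minutes=30)):
    """Pair each suspicious web fetch with an email to the same user shortly before it.
    That pair is the likely moment the user opened the lure."""
    return [(m, w) for w in web_events for m in mail_events
            if m["user"] == w["user"] and timedelta(0) <= w["ts"] - m["ts"] <= window]


def hour_histogram(events):
    """Time-of-day distribution (UTC hour) of delivery activity."""
    return Counter(e["ts"].hour for e in events)


def reconstruct():
    """Build the delivery timeline from both log sources."""
    mail = mail_delivery_events(parse_log(MAIL_LOG))
    web = proxy_delivery_events(parse_log(PROXY_LOG))
    timeline = sorted(mail + web, key=lambda e: e["ts"])
    return {"timeline": timeline, "pairs": correlate(mail, web),
            "first": min(timeline, key=lambda e: e["ts"]), "hours": hour_histogram(timeline)}


if __name__ == "__main__":
    result = reconstruct()
    for e in result["timeline"]:
        print(e["ts"].isoformat(), e["vector"], e["user"], e["reason"])
    print("first delivery:", result["first"]["ts"].isoformat(), "to", result["first"]["user"])
    print("email -> click pairs:", len(result["pairs"]), "| activity by hour:", dict(result["hours"]))
```

On the constructed data the earliest delivery is the macro document sent to j.doe at 08:57Z, followed fifteen minutes later by that user's fetch from the staging host; the second wave arrives at 02:14Z, which is the kind of time-of-day observation the list above asks for. In a real investigation the indicators would come from analysis of the captured weapon, and the proxy window would be tuned to how quickly users typically open mail.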

Actionable Intelligence Aligned by Defenders to Rectify Security Gaps

Security teams map enterprise defensive capabilities onto the steps an adversary takes to attack that enterprise. This lets them measure the performance and effectiveness of each capability at each step, and then plan an investment roadmap to close any capability gap. 

The defender's primary tool is a course-of-action matrix with one row per kill chain phase. The columns, the "6 D's", are Detect, Deny, Disrupt, Degrade, Deceive, and Destroy.

In the delivery row, four of the six courses of action apply:

  1. Detect: a vigilant user who recognizes and reports the lure
  2. Deny: a proxy filter that blocks the malicious URL or attachment type
  3. Disrupt: in-line antivirus that strips or blocks the payload in transit
  4. Degrade: queueing that delays delivery so the payload can be inspected before it reaches the user
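The four courses of action in the delivery row can be implemented as a single policy at the mail gateway. The following is an added example, not code from the original article and not any vendor's product: a small gateway that applies Deny (URL blocklist and forbidden attachment types), Disrupt (an in-line byte-signature scan that strips the attachment), Degrade (queueing unknown macro documents and archives for sandbox detonation), and Detect (tagging external mail so the vigilant user has something to notice). The domains, extensions, signature bytes and sample messages are constructed for this example; the ordering of checks is a design choice, not the article's.

```python
import os
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed policy inputs for this example only.
INTERNAL_DOMAIN = "corp.test"
PROXY_BLOCKLIST = {"secure-login-portal.test", "cdn-update-example.test"}
DENY_EXTENSIONS = {".exe", ".scr", ".hta", ".js", ".vbs", ".lnk"}
QUEUE_EXTENSIONS = {".docm", ".xlsm", ".zip", ".iso"}
# A constructed byte signature standing in for a real in-line AV signature set.
AV_SIGNATURES = {"Example.Downloader.Macro": b"AutoOpen\x00CreateObject"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    attachment_name: str = ""
    attachment_bytes: bytes = b""


@dataclass
class Verdict:
    action: str                        # DENY, DISRUPT, DEGRADE or DELIVER
    reason: str
    delivered: Optional[Message] = None  # what the user actually receives, if anything


def deny_proxy_filter(msg: Message) -> Optional[str]:
    """Deny: block links to blocklisted hosts and attachment types that should never arrive by mail."""
    bad_hosts = {h.lower() for h in URL_RE.findall(msg.body)} & PROXY_BLOCKLIST
    if bad_hosts:
        return f"URL to blocklisted host {sorted(bad_hosts)[0]}"
    ext = os.path.splitext(msg.attachment_name)[1].lower()
    if ext in DENY_EXTENSIONS:
        return f"attachment type {ext} not allowed"
    return None


def disrupt_inline_av(msg: Message) -> Optional[str]:
    """Disrupt: return the matching signature name if the attachment carries a known payload."""
    for name, sig in AV_SIGNATURES.items():
        if sig in msg.attachment_bytes:
            return name
    return None


def degrade_queue(msg: Message) -> bool:
    """Degrade: macro documents and archives with no signature hit wait for sandbox detonation."""
    return os.path.splitext(msg.attachment_name)[1].lower() in QUEUE_EXTENSIONS


def detect_vigilant_user(msg: Message) -> Message:
    """Detect: mark external mail so the recipient can see it did not come from a colleague."""
    if msg.sender.lower().endswith("@" + INTERNAL_DOMAIN):
        return msg
    return replace(msg, subject="[EXTERNAL] " + msg.subject,
                   body="CAUTION: this message came from outside the organization.\n\n" + msg.body)


def apply_course_of_action(msg: Message, sandbox_queue: List[Message]) -> Verdict:
    """Run the delivery-row controls in order: the cheapest hard block first, then
    signature-based disruption, then queueing of anything that still looks risky."""
    reason = deny_proxy_filter(msg)
    if reason:
        return Verdict("DENY", reason)
    sig = disrupt_inline_av(msg)
    if sig:
        stripped = replace(msg, attachment_name="", attachment_bytes=b"",
                           body=f"[attachment removed by in-line AV: {sig}]\n" + msg.body)
        return Verdict("DISRUPT", f"in-line AV matched {sig}", detect_vigilant_user(stripped))
    if degrade_queue(msg):
        sandbox_queue.append(msg)
        return Verdict("DEGRADE", f"queued {msg.attachment_name} for detonation")
    return Verdict("DELIVER", "no policy hit", detect_vigilant_user(msg))


def run_samples() -> Tuple[List[Verdict], List[Message]]:
    """Constructed inbound messages covering each course of action."""
    samples = [
        Message("alerts@secure-login-portal.test", "c.kim@corp.test", "Verify your account",
                "Please confirm at https://secure-login-portal.test/verify within 24 hours."),
        Message("billing@supplier-example.test", "j.doe@corp.test", "Invoice 0423",
                "See attached.", "Invoice_0423.docm", b"PK\x03\x04" + b"AutoOpen\x00CreateObject" + b"\x00" * 8),
        Message("billing@supplier-example.test", "a.lee@corp.test", "Invoice 0424",
                "See attached.", "Invoice_0424.docm", b"PK\x03\x04" + b"\x00" * 16),
        Message("finance@corp.test", "a.lee@corp.test", "Q2 budget", "Draft attached.", "budget.pdf", b"%PDF-1.7"),
        Message("news@example.org", "j.doe@corp.test", "Newsletter", "Read more at https://www.example.org/news"),
    ]
    queue: List[Message] = []
    return [apply_course_of_action(m, queue) for m in samples], queue


if __name__ == "__main__":
    verdicts, queue = run_samples()
    for v in verdicts:
        print(f"{v.action:8} {v.reason}")
    print("awaiting sandbox:", [m.attachment_name for m in queue])
```

Note that the Disrupt check runs before the Degrade check, so a macro document with a known signature is stripped immediately rather than tied up in the sandbox queue, while an unknown macro document is delayed rather than delivered. The Detect column has no code path of its own beyond the banner: it relies on the user, which is exactly why the matrix lists it as "vigilant user" rather than a product.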

Final Thought

Fighting today's Advanced Persistent Threats requires intelligence-driven security measures that build resilience. If the right steps are taken, there is a good chance of preventing damage even at the 3rd phase, the delivery stage.

As the saying goes, prevention is better than cure, and that applies to IT security as well. Security experts suggest that, to protect business assets and the organization's sensitive data, it is beneficial to opt for Managed Cybersecurity Services from the beginning.