Building Effective Defense with the Phishing Kill Chain

July 26, 2018 by Tyra Appleby

What is the Phishing Kill Chain?

Many people have heard of the cyber kill chain, but what about the phishing kill chain? Like the cyber kill chain, this model of phishing attacks can be used to help identify and stop phishing attempts. The phishing kill chain flows as follows:

  1. Targeting. The potential phisher determines their next target and create the phishing email and email list
  2. Delivery. The phishing email attempt is sent to the person or persons on the email list
  3. Deception. The phishing email uses deceptive information within the email to trick the user
  4. Click. The victim clicks on the malicious link(s) in the email
  5. Surrender. The victim inputs data, normally some personal data, into the malicious site
  6. Extraction. The malicious site sends the information to the attacker
  7. Action. The attacker uses the stolen information to commit cybercrime

Using the Phishing Kill Chain

Using the phishing kill chain to create defensive techniques is an effective method to assist in preventing successful phishing attempts. The human is often the weakest link in protecting computer systems, and implementing extra defenses offsets the potential damage caused when an unsuspecting user clicks a malicious links.

The first two steps in the kill chain can prove very important to picking defense mechanisms for your organization. Understanding who would target your organization could help you better understand the delivery capabilities of your potential attacker(s).

Take, for example, the Department of Defense. Any branch of the military could safely assume that any of their networks are a desired target for foreign entities. These potential bad actors could be funded by governments, meaning they would have the ability to finance sophisticated tools and continuous phishing attempts. Knowing this would encourage the owners of military systems to invest in strong defense mechanisms. By comparison, a smaller firm with only a few employees that does not process any payments on their website might be less vulnerable to phishing attempts. They would still want to use strong defense mechanisms, but would be less inclined to spend big bucks on high-security items that they may not need.

No matter what sector, understanding the third part of the chain is also important to building a suitable defense strategy. Knowing the potential criminals who would target your particular business will also help you understand the types of techniques used. Again, if you suspect your line of business would be a target for highly-sophisticated criminals, your implemented defenses may differ from those of a business that is a less-desirable target.

Defense Mechanisms

There are many defense mechanisms to help protect organizations against phishing attacks. Some are embedded in the browsers and email applications we use every day. They are seamless, so we may not even realize they are being used.

Hackers have increase their techniques’ sophistication since the first “Nigerian Prince” email scam was circulated, but there are still some similarities in the wording and techniques used in phishing emails. Most of the well-established email providers are able to use this collected data to implement phishing protection within their mail servers.

But some of these emails still make it through those initial safeguards, so even more mechanisms must be put in place. A few such defenses are:

Google’s Safe Browsing API protects at the “Click” part of the phishing chain. If a malicious website is already a part of a knowledge database and a unsuspecting user clicks on it, the Chrome browser will notify the user and warn them to turn back.

Microsoft’s Phishing Filter protects at the “Click” part of the phishing chain. Just like Google’s Safe Browser API, if a malicious website is already a part of a knowledge database and a unsuspecting user clicks on it, the Internet Explorer browser will notify the user and warn them to turn back.

Gmail’s Gold Key works at the “Deception” point of the chain. Provides an image that validates that an image is trusted.

Domain-based Message Authentication, Reporting and Conformance (DMARC) works at the “Delivery” portion of the chain. Domains that support DMARC create virtual handshakes to verify an email actually came from the intended domain. Fake emails are rejected or destroyed.

But even with all of this technology, the biggest defense mechanism is still education. Making sure users know how to identify phishing attempts will always be important. That is why resources like SecurityIQ are useful in keeping the workforce and all Internet users up-to-date on current phishing trends, and best ways to avoid them if they make it into their inbox.



Step by step through the ‘Phishing Kill Chain,’ SC Media

Posted: July 26, 2018
Tyra Appleby
View Profile

Tyra Appleby is a CISSP certified lover of all things cybersecurity. After serving 4 years in the Navy as a Cryptologic Technician, she continued supporting various DoD and government agencies as a Systems Security Engineer. She has a passion for writing and research, particularly in the areas of Reverse Engineering and Digital Forensics. When she’s not working, you can find her at the beach with her Rottweiler Ava.