The fourth step of the Cyber Kill Chain is the "Exploitation" stage. The attacker ensures that the malicious content provided to the victim in the previous step gets activated in this stage. During the exploitation step, the process of running the malware transmitted to the victim's device is carried out. The initial operation in the system is performed by the attacker at this stage.The exploit operation performed here is a precursor of the attack activities that will be carried out in the subsequent phases. The next phases of the cyber attack cannot be carried out if the exploit fails here for a reason, or if the delivered malware cannot be run.

Adversary

The attacker has some basic knowledge about the program or system intended to be exploited in the target and has prepared the appropriate attack tools beforehand in the "Exploitation" stage. This is the step the attacker's exploit or tool is run/tested. This step may be failed if the exploit or tool is not suitable to be utilized on the victim's system. At this level, the attacker can perform the following operations:

• Executing the exploit that exploits the hardware vulnerability
• Executing the exploit that exploits the vulnerability of the software or operating system
• Running malware

Defender

Defending against exploitation poses a significantly more intricate and labor-intensive task for Blueteams compared to other stages. This is primarily due to the potential encounter with previously unseen malware or exploits, which adds a layer of complexity to the defense process. To elucidate, the use of zeroday exploits can complicate the detection and prevention procedures during this phase. The following points may be considered to detect and prevent malicious activities:

• Training the employees of the organization on when it is/is not necessary to open a file uploaded on the systems and what issues should be considered
• Constantly monitoring system security operations on the assets belonging to the organization and detecting anomalies
• Tracking the security vulnerabilities published for the assets belonging to the organization, writing the appropriate monitoring rule, and detecting them when they are exploited
• Following the security updates of the assets belonging to the organization and installing them immediately
• Monitoring activities on endpoints using EDR products
• Providing secure coding training to software developers in order to prevent security vulnerabilities in locally developed applications
• Conducting pentests on assets of the organization on a regular basis
• Regular automated vulnerability scanning and monitoring of reports
• Organizing the authorizations on the assets belonging to the institution and giving each account the authority needed

The "Exploitation" phase, which is the fourth step in the Cyber Kill Chain, is covered in this section of the training, along with some activities that attackers can take in this step and some measures that Blueteams can perform at this stage. The "Installation" step is explained in the following section of the course.

quiz