Newsletter Series: The Cybersecurity Kill Chain
Month 4: Phase 4 – Exploitation: The Attack Begins

After successfully delivering a malicious payload, the attacker now moves to the fourth phase of the Cybersecurity Kill Chain: **Exploitation**. This is when the attack officially begins. The goal is simple - trigger the malicious code and gain control over the target system.

What Happens During Exploitation?
In this phase, the attacker takes advantage of a system vulnerability to execute their code. The exploitation might occur through:

- A user opening a malicious email attachment

- A browser loading a malicious ad or link

- Exploiting an unpatched software vulnerability (such as the Log4j flaw, or the Windows SMB flaw used by EternalBlue)

- Triggering macros embedded in Office documents

At this point the malware activates, either immediately or on a delay to evade detection. Exploitation is often fast and stealthy, and it requires no further input from the victim.

Real-World Example:
In the 2017 WannaCry ransomware outbreak, attackers exploited a vulnerability in the Windows SMB protocol. Once the exploit code was executed, WannaCry spread rapidly across networks, encrypting data and demanding ransom - without any user interaction.

How to Prevent Exploitation:
- Apply Security Updates Promptly: Patch known vulnerabilities as soon as updates are released.

- Use Modern Endpoint Protection: Behavioral analysis can detect exploitation even when the specific malware is unknown.

- Block Macros and Scripts: Disable macros in Office files from unknown sources and restrict script execution.

- Limit User Privileges: If users don’t have admin rights, exploits are less likely to succeed.

- Run Security Awareness Training: Help staff recognize suspicious documents, links, and downloads.
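As an added illustration of the "Block Macros and Scripts" item above (this is example code written for this newsletter, not a NetCenter tool), the PowerShell below audits and hardens the per-user Office macro policy. It assumes Office 2016 or later (the `16.0` policy hive) and that you have permission to write policy keys; in a domain, the same settings are normally pushed through Group Policy, which overrides these keys.

```powershell
# Added example: audit and enforce Office macro blocking through the
# per-user policy registry keys. Assumes Office 2016+ (16.0 hive).
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # VBAWarnings values:
    #   1 = enable all macros (weak: any attachment's macro runs)
    #   2 = disable with notification (default; one click re-enables)
    #   3 = disable all except digitally signed macros
    #   4 = disable all macros without notification
    $before = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VBAWarnings
    Write-Output ("{0}: VBAWarnings before = {1}" -f $app, ($before ?? 'not set'))

    # Require digitally signed macros from a trusted publisher
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord

    # Block macros outright in files that carry the Mark-of-the-Web,
    # i.e. documents that arrived by email or were downloaded from the internet
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

    $after = (Get-ItemProperty -Path $key).VBAWarnings
    Write-Output ("{0}: VBAWarnings after  = {1}" -f $app, $after)
}
```

Run it in a user's session to see the weak or unset value reported before the hardened value is written; the "before" line is what you want to collect across a fleet when deciding whether an exploitation attempt through a macro-laden attachment would have succeeded.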

Key Takeaway:
The exploitation phase is where an attack goes from theory to reality. Once triggered, the attacker has access to your systems - so stopping them before this point is ideal. But if they succeed, containment and rapid detection are your next best defense.

Next month: The Installation Phase - where the attacker works to ensure long-term access to your environment.

NetCenter Technologies
Empowering Businesses Through Cybersecurity