{"id":33776,"date":"2016-11-28T09:00:37","date_gmt":"2016-11-28T17:00:37","guid":{"rendered":"http:\/\/blogs.microsoft.com\/microsoftsecure\/?p=33776"},"modified":"2023-06-23T09:51:55","modified_gmt":"2023-06-23T16:51:55","slug":"disrupting-the-kill-chain","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/","title":{"rendered":"Disrupting the kill chain"},"content":{"rendered":"<p><em>This post is authored by Jonathan Trull, Worldwide Executive Cybersecurity Advisor, Enterprise Cybersecurity Group.<\/em><\/p>\n<p>The cyber kill chain describes the typical workflow, including techniques, tactics, and procedures or TTPs, used by attackers to infiltrate an organization\u2019s networks and systems.&nbsp; The Microsoft Global Incident Response and Recovery (GIRR) Team and Enterprise Threat Detection Service, Microsoft\u2019s managed cyber threat detection service, identify and respond to thousands of targeted attacks per year.&nbsp; Based on our experience, the image below illustrates how most targeted cyber intrusions occur today.<\/p>\n<p>The initial attack typically includes the following steps:<\/p>\n<ul>\n<li><strong>External recon<\/strong> &#8211;&nbsp; During this stage, the attacker typically searches publicly available sources to identify as much information as possible about their target.&nbsp; This will include information about the target\u2019s IP address range, business operations and supply chain, employees, executives, and technology utilized.&nbsp; The goal of this stage is to develop sufficient intelligence to increase the chances of a successful attack. If the attacker has previously penetrated your environment, they may also refer to intelligence gathered during previous incursions.<\/li>\n<li><strong>Compromised machine<\/strong> \u2013 Attackers continue to use socially engineered attacks to gain an initial foothold on their victim\u2019s network.&nbsp; Why?&nbsp; Because these attacks, especially if targeted and based on good intelligence, have an extremely high rate of success.&nbsp; At this stage, the attacker will send a targeted phishing email to a carefully selected employee within the organization.&nbsp; The email will either contain a malicious attachment or a link directing the recipient to a watering hole.&nbsp; Once the user executes the attachment or visits the watering hole, another malicious tool known as a backdoor will be installed on the victim\u2019s computer giving the attacker remote control of the computer.<\/li>\n<li><strong>Internal Recon and Lateral Movement<\/strong> \u2013 Now that the attacker has a foothold within the organization\u2019s network, he or she will begin gathering information not previously available externally.&nbsp; This will include performing host discovery scans, mapping internal networks and systems, and attempting to mount network shares.&nbsp; The attacker will also begin using freely available, yet extremely effective tools, like Mimikatz and WCE to harvest credentials stored locally on the initially compromised machine and begin planning the next stage of the attack.<\/li>\n<li><strong>Domain Dominance<\/strong> \u2013 At this stage, the attacker will attempt to elevate their level of access to a higher trusted status within the network.&nbsp; The attacker\u2019s ultimate goal is to access your data and the privileged credentials of a domain administrator offers them many ways to access to your valuable data stores.&nbsp; Once this occurs, the attacker will begin to pivot throughout the network either looking for valuable data or installing ransomware for future extortion attempts or both.<\/li>\n<li><strong>Data Consolidation and Exfiltration<\/strong> \u2013 Now that the attacker has access to the valuable data within the organization\u2019s systems, he or she must consolidate it, package it up, and send it out of the network without being detected or blocked.&nbsp; This is typically accomplished by encrypting the data and transferring it to an external system controlled by the attacker using approved network protocols like DNS, FTP, and SFTP or Internet-based file transfer solutions.<\/li>\n<\/ul>\n<h3>Microsoft Secure and Productive Enterprise<\/h3>\n<p>The Microsoft Secure and Productive Enterprise is a suite of product offerings that have been purposely built to disrupt this cyber attack kill chain while still ensuring an organization\u2019s employees remain productive.&nbsp; Below, I briefly describe how each of these technologies disrupts the kill chain:<\/p>\n<ul>\n<li><strong>Office 365 Advanced Threat Protection<\/strong> \u2013 <em>This technology is designed to disrupt the \u201cinitial compromise\u201d stage and raise the cost of successfully using phishing attacks.<\/em><br \/>\nMost attackers leverage phishing emails containing malicious attachments or links pointing to watering hole sites. Advanced Threat Protection (ATP) in Office 365 provides protection against both known and unknown malware and viruses in email, provides real-time (time-of-click) protection against malicious URLs, as well as enhanced reporting and trace capabilities.&nbsp; Messages and attachments are not only scanned against signatures powered by multiple antimalware engines and intelligence from Microsoft\u2019s Intelligent Security Graph, but are also routed to a special detonation chamber, run, and the results analyzed with machine learning and advanced analysis techniques for signs of malicious behavior to detect and block threats. Enhanced reporting capabilities also make it possible for security teams to quickly identify and respond to email based attacks when they occur.<\/li>\n<li><strong>Windows 10<\/strong> &#8211;&nbsp; <em>This technology disrupts the compromised machine and lateral movement stages by raising the difficulty of successfully compromising and retaining control of a user\u2019s PC and by protecting the accounts and credentials stored and used on the device.<\/em><br \/>\nIf an attacker still manages to deliver malware through to one of the organization\u2019s employees by some other mechanism (e.g., via personal email), Windows 10\u2019s security features are designed to both stop the initial infection, and if infected, prevent further lateral movement. Specifically, <strong>Windows Defender Application Guard<\/strong> uses new, hardware based virtualization technology to wrap a protective border around the Edge browser.&nbsp; Even if malware executes within the browser, it cannot access the underlying operating system and is cleaned from the machine once the browser is closed.&nbsp; <strong>Windows Device Guard<\/strong> provides an extra layer of protection to ensure that only trusted programs are loaded and run preventing the execution of malicious programs, and <strong>Windows Credential Guard<\/strong> uses the same hardware based virtualization technology discussed earlier to prevent attackers who manage to gain an initial foothold from obtaining other credentials stored on the endpoint.&nbsp; And finally, <strong>Windows Defender Advanced Threat Protection<\/strong> is the DVR for your company\u2019s security team.&nbsp; It provides a near real-time recording of everything occurring on your endpoints and uses built-in signatures, machine learning, deep file analysis through detonation as a service, and the power of the Microsoft Intelligent Security Graph to detect threats.&nbsp; It also provides security teams with remote access to critical forensic data needed to investigate complex attacks.<\/li>\n<li><strong>Microsoft Advanced Threat Analytics<\/strong> \u2013 <em>This technology disrupts the lateral movement phase by detecting lateral movement attack techniques early, allowing for rapid response.<\/em><br \/>\nIf an attacker still manages to get through the above defenses, compromise credentials, and moves laterally, the Microsoft Advanced Threat Analytics (ATA) solution provides a robust set of capabilities to detect this stage of an attack.&nbsp; ATA uses both detection of known attack techniques as well as a user-based analytics that learns what is \u201cnormal\u201d for your environment so it can spot anomalies that indicate an attack. Microsoft ATA can detect internal recon attempts such as DNS enumeration, use of compromised credentials like access attempts during abnormal times, lateral movement (Pass-the-Ticket, Pass-the-Hash, etc.), privilege escalation (forged PAC), and domain dominance activities (skeleton key malware, golden tickets, remote execution).<\/li>\n<li><strong>Azure Security Center<\/strong> \u2013 While Microsoft ATA detects cyber attacks occurring within an organization\u2019s data centers, Azure Security Center extends this level of protection into the cloud.<\/li>\n<\/ul>\n<p>And now for the best part.&nbsp; As shown in the image below, each of the above listed technologies is designed to work seamlessly together and provide security teams with visibility across the entire kill chain.<\/p>\n<p>Each of these technologies also leverage the power of the Microsoft Intelligent Security Graph, which includes cyber threat intelligence collected from Microsoft\u2019s products and services, to provide the most comprehensive and accurate detections.<\/p>\n<ul>\n<li><strong>Cloud App Security, Intune, Azure Information Protection, and Windows 10 Information Protection<\/strong> \u2013 And finally, the Microsoft Secure and Productive Enterprise Suite provides significant capabilities to classify and protect data and prevent its loss.&nbsp; Among other capabilities, <strong>Microsoft Cloud App Security<\/strong> can identify and control the use of unsanctioned cloud applications.&nbsp; This helps organizations prevent data loss, whether from an attack or rogue employee, via cloud-based applications.&nbsp; <strong>Intune<\/strong> and <strong>Windows 10 Information Protection<\/strong> prevent corporate data from being intermingled with personal data or used by unsanctioned applications whether on a Windows 10 device or on iOS or Android based mobile devices.&nbsp; And finally, <strong>Azure Information Protection<\/strong> provides organizations and their employees with the ability to classify and protect data using digital rights management technology.&nbsp; Organizations can now implement and enforce a need-to-know strategy thereby significantly reducing the amount of unencrypted data available should an attacker gain access to their network.<\/li>\n<\/ul>\n<p>Finally, Microsoft\u2019s Enterprise Cybersecurity Group (ECG) also offers a range of both proactive and reactive services that leverages the capabilities of the Secure and Productive Enterprise suite in combination with the Intelligent Security Graph to help companies detect, respond to, and recover from attacks.<\/p>\n<p>In the coming weeks, I will be following up with blogs and demos that go deeper into each of the above listed technologies and discuss how companies can most effectively integrate these solutions into their security strategies, operations, and existing technologies.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post is authored by Jonathan Trull, Worldwide Executive Cybersecurity Advisor, Enterprise Cybersecurity Group. The cyber kill chain describes the typical workflow, including techniques, tactics, and procedures or TTPs, used by attackers to infiltrate an organization\u2019s networks and systems.&nbsp; The Microsoft Global Incident Response and Recovery (GIRR) Team and Enterprise Threat Detection Service, Microsoft\u2019s managed [&hellip;]<\/p>\n","protected":false},"author":61,"featured_media":75276,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3674,3687],"products":[3854,3720],"threat-intelligence":[3727],"tags":[],"coauthors":[1916],"class_list":["post-33776","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-incident-response","topic-threat-intelligence","products-microsoft-incident-response","products-microsoft-security-experts","threat-intelligence-attacker-techniques-tools-and-infrastructure"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Disrupting the kill chain | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Disrupting the kill chain | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"This post is authored by Jonathan Trull, Worldwide Executive Cybersecurity Advisor, Enterprise Cybersecurity Group. The cyber kill chain describes the typical workflow, including techniques, tactics, and procedures or TTPs, used by attackers to infiltrate an organization\u2019s networks and systems.&nbsp; The Microsoft Global Incident Response and Recovery (GIRR) Team and Enterprise Threat Detection Service, Microsoft\u2019s managed [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2016-11-28T17:00:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-06-23T16:51:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/12\/Attack-Kill-Chain-1024x542.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"542\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Security Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Security Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-secure-blog-staff\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Security Team\"}],\"headline\":\"Disrupting the kill chain\",\"datePublished\":\"2016-11-28T17:00:37+00:00\",\"dateModified\":\"2023-06-23T16:51:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/\"},\"wordCount\":1460,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/12\/Attack-Kill-Chain-1024x542.jpg\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/\",\"name\":\"Disrupting the kill chain | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/12\/Attack-Kill-Chain-1024x542.jpg\",\"datePublished\":\"2016-11-28T17:00:37+00:00\",\"dateModified\":\"2023-06-23T16:51:55+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/12\/Attack-Kill-Chain-1024x542.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/12\/Attack-Kill-Chain-1024x542.jpg\",\"width\":1024,\"height\":542},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Disrupting the kill chain\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Disrupting the kill chain | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/","og_locale":"en_US","og_type":"article","og_title":"Disrupting the kill chain | Microsoft Security Blog","og_description":"This post is authored by Jonathan Trull, Worldwide Executive Cybersecurity Advisor, Enterprise Cybersecurity Group. The cyber kill chain describes the typical workflow, including techniques, tactics, and procedures or TTPs, used by attackers to infiltrate an organization\u2019s networks and systems.&nbsp; The Microsoft Global Incident Response and Recovery (GIRR) Team and Enterprise Threat Detection Service, Microsoft\u2019s managed [&hellip;]","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/","og_site_name":"Microsoft Security Blog","article_published_time":"2016-11-28T17:00:37+00:00","article_modified_time":"2023-06-23T16:51:55+00:00","og_image":[{"width":1024,"height":542,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/12\/Attack-Kill-Chain-1024x542.jpg","type":"image\/jpeg"}],"author":"Microsoft Security Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Security Team","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-secure-blog-staff\/","@type":"Person","@name":"Microsoft Security Team"}],"headline":"Disrupting the kill chain","datePublished":"2016-11-28T17:00:37+00:00","dateModified":"2023-06-23T16:51:55+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/"},"wordCount":1460,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/12\/Attack-Kill-Chain-1024x542.jpg","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/","name":"Disrupting the kill chain | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/12\/Attack-Kill-Chain-1024x542.jpg","datePublished":"2016-11-28T17:00:37+00:00","dateModified":"2023-06-23T16:51:55+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/12\/Attack-Kill-Chain-1024x542.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2017\/12\/Attack-Kill-Chain-1024x542.jpg","width":1024,"height":542},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/11\/28\/disrupting-the-kill-chain\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Disrupting the kill chain"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/33776"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=33776"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/33776\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/75276"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=33776"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=33776"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=33776"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=33776"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=33776"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=33776"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=33776"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}