Execution

With a decent force inside the network, the attacker has invested time and energy, but, as yet, has no reward. The execution phase is where the attacker actually leverages their advantage for their own ends. In the castle scenario, the attacking force defeats the remaining defenders, takes command of the castle, and plunders the treasury.

In this section, we will explain the distinguishing features of an intrusion in the installation, command and control, and action on objectives stages and how to defend against an attack at these points. These are sections 5.1e, f, and g in the 210-255 specification.

Implementing Cisco Cybersecurity Operations (210-255) Topic List:

5.1 Classify intrusion events into these categories as defined by the Cyber Kill Chain model
5.1.e Installation
5.1.f Command and control
5.1.g Action on objectives

Once again, we will look at each category in turn. Remember that, for the exam, the requirement is to classify events into the appropriate category.
