If you're one of those folks who read a lot of InfoSec news, you've no doubt heard a lot of mention of the effectiveness of a Cyber Kill Chain approach to security. If you managed to miss the hubbub, you may be wondering if that's the latest sci-fi movie starring the usual muscle-bound action hero. In this article we'll talk about what a Cyber Kill Chain approach is, and whether it might be a good fit for your organization.
In military parlance, a "Kill Chain" is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks. These stages are referred to as:
Ideally, the further towards the beginning of the Kill Chain an attack can be stopped, the better. The less information an attacker has, for instance, the less likely someone else can use that information to complete the attack at a later date.
The Cyber Kill Chain is a similar idea, which was put forth by Lockheed Martin, where the phases of a targeted attack are described. And likewise, they can be used for protection of an organization's network. The stages are:
Command & Control
In essence, it's a lot like a stereotypical burglary -- the thief will perform reconnaissance on a building before trying to infiltrate it, and then go through several more steps before actually making off with the loot. Using the Cyber Kill Chain to keep attackers from stealthily entering your network requires quite a bit of intelligence and visibility into what's happening in your network. You need to know when something is there that shouldn't be, so you can set the alarms to thwart the attack.
Another thing to keep in mind is the closer to the beginning of the chain you can stop an attack, the less costly and time-consuming the cleanup will be. If you don't stop the attack until it's already in your network, you'll have to fix those machines and do a whole lot of forensics work to find out what information they've made off with.
Lockheed Martin recently released details of its own success using a kill chain tactic to stop someone who had intruded on its network. It's not just something that applies to government contractors or giant corporations, though it does take quite a bit of work if you're not already set up to gather a whole lot of data about your digital resources.
Let's look at the various stages to determine what questions you should be asking yourself to decide whether it's feasible for your organization.
Reconnaissance: Viewing Your Network From the Outside
This is the stage where the criminals are trying to decide what are (and are not) good targets. From the outside, they try to find out what they can about your resources and your network to determine whether it is worth the effort. Ideally, they would like a target that is relatively unguarded and with valuable data. What information the criminals can find about your company, and how it might be used, could surprise you.
Companies often have more information available than they realize. Are names and contact details of your employees online? (Are you sure? Think social networks too, not just your own corporate website.) These could be used for social engineering purposes, say, for getting people to divulge usernames or passwords. Are there details about your web servers or physical locations online? These could be used for social engineering too, or to narrow down a list of possible exploits that would be useful to break into your environment.
This is a very tricky layer to try to control, particularly with the popularity of social networking, but it's also a fairly low-cost layer. Hiding sensitive information tends to be a fairly inexpensive change, though being thorough about finding the information can be time-intensive.
Weaponization, Delivery, Exploit, Installation: Attempting to Enter
These stages are where the criminals craft a tool to attack their chosen target, using the information they have gathered, and put it to malicious use. The more information they can use, the more compelling a social engineering attack can be. They could use spear-phishing to gain access to internal corporate resources with the information they found on your employee's LinkedIn page. Or they could put a remote access Trojan into a file that appears to have crucial information on an upcoming event in order to entice its recipient into running it. If they know what software your users or servers run, including OS version and type, they can increase the likelihood of being able to exploit and install something within your network.
These layers of defense are where your standard security wonk advice comes in. Is your software up to date? (No really, all of it, on every machine. Most companies have that one box in some back room that is still running Windows 98. If it's ever connected to the Internet, it's like having a welcome mat outside your door.)
Do you use email and web filtering? Email filtering can be a good way to stop common document types that are used in attacks. If you require that files be sent in a standard way, such as in a password-protected ZIP archive, this can help your users know when files are being sent intentionally. Web filtering can help keep users from going to known bad sites or domains.
Have you disabled autoplay for USB devices? Giving files the chance to run without approval is seldom a good idea from a security perspective. It's better to give the user a chance to stop and think about what they're seeing before it launches. Do you use AV software with more-advanced functionality like IPS? While AV software is not intended to deal with brand-new targeted attacks, sometimes they can catch threats based on known suspicious behavior or known software exploits.
Command & Control: The Threat is Checking In
Once a threat has got in to your network, its next task will be to phone home and await instructions. This may be to download additional components, but more likely it will be contacting a botmaster in a Command & Control (C&C) channel. Either way, this requires network traffic, which means there is only one question to ask yourself here: Do you have a firewall that is set to alert on all new programs contacting the network?
If the threat has gotten this far, it's made changes to the machine and is going to require a lot more work from IT staff. Some companies or industries require that forensics be done on the affected machines to determine what data has been stolen or tampered with. And those affected machines will either need to be cleaned or reimaged -- it can be less costly and time-consuming if the data has been backed up and there is a standard corporate image that can be quickly replaced onto the machine.
Actions: Time to Wreak Havoc
What the threats do at this point is entirely up to the attacker. It may steal data, it may spew spam or DDoS traffic, or it may steal CPU cycles for other purposes. If the threat has gotten this far, you can count on having to do all the work from the previous stages, but on a larger scale. It may have gone from one machine within the network to many (or all) of the machines in your network, it may have done a lot more damage or stolen a whole lot more data. If nothing has detected the file at this point, you may be dealing with an "Advanced Persistent Threat," which is a fancy way of saying that sufficient security measures were not in place to detect the threat.
Will Kill Chain Tactics Work for Your Organization?
If you don't already have security and visibility built into your corporate environment, this may seem like an impossible hill to climb. But implementing a Cyber Kill Chain doesnt have to be done overnight. Take smaller measures, completing stages as you are able. Do a check of your web presence to see what information it could give an attacker. Have each of your sites do an inventory of all computers so you can update them all. Implement layered security to decrease the possibility that threats will slip through unnoticed. Create a policy for dealing with malware events. Educate your staff about what to do with unexpected, suspicious emails.
With each step taken, you'll get more information about your environment. And the more information you have, the more likely you will be able to identify anomalous behavior.
Lysa Myers is a virus hunter for Intego and contributor to the InfoSec Institute.