What is a cyber kill chain?
- 16 July, 2018 14:19
The American military was the first to formalise the concept of a 'kill chain', loosely defined as the six steps in a chain to go through to eliminate a target. These steps fall under the acronym F2T2EA: Find, Fix, Track, Target, Engage, Assess.
It's a chain because if any of these points are missed the whole process can unravel. In 2011, defence contractor Lockheed Martin came up with a kill chain model to be applied to cyber security threats, and this is the 'cyber kill chain'.
The cyber kill chain therefore refers to the seven steps that are generally taken to successfully pull off a cyber attack. These are:
- Reconnaissance: collecting information and scouting the target. This could be through gathering email addresses, or social engineering techniques. Looking up the target on social networks, or any other available information about them on the open web. It could also mean scanning for open servers, or internet-facing servers to target that might have default credentials (openly available info – through Shodan for example).
- Weaponisation: Lockheed describes this as "coupling exploit with backdoor into deliverable payload". In other words, building a system of attack – a way to compromise the network, finding the right malware for the job, e.g. a remote access trojan, and a technique that will lure the target to execute it.
- Delivery: Lockeed says: "Delivering a weaponized bundle to the victim via email, web, USB, etc.". Pretty self-explanatory, it's the logistics of getting the payload from A to B to C.
- Exploitation: using a vulnerability on the target system to execute the malicious code.
- Installation: installing said code.
- Command and Control: "Command channel for remote manipulation of victim" – now that the target is fully compromised, the compromised system will ping back to the attacker, often by way of a bot, zombie, or other compromised system to further abstract the trail from the initial attacker.
- Actions on Objectives: this is where the attacker achieves what they set out to in the first place. It could be anything from espionage, to compromising deeper systems on the network, stealing credentials, installing ransomware, or simply causing havoc.
Like the military kill chain, the anatomy of a typical attack will usually require all of these steps to be successful for the attack as a whole to succeed.
At present, the majority of attacks are likely to follow this blueprint – while more sophisticated attacks may well be under development or out there in the wild that make more use of automation, or even AI, most go for the low-hanging fruit. Phishing, ransomware worms, and so on.
Cyber kill chain and defence
In a 2015 Lockheed Martin whitepaper (PDF), the authors run through some precautionary measures that organisations can take to limit the damage each step of the way.
Reconnaissance is difficult to defend against because it can often rely on the exploiting of innocent information available on the open web to build up a detailed profile of the target. When data breaches happen, more often than not these details end up for sale on the dark web for mere dollars, and often on the open web for free, too, for example on Pastebin. What you can do, however, is collect visitor logs so that you can search through these at a later date if an attack does happen. Look at browser analytics, Lockheed Martin says, and build detections for browsing behaviours that are known to attacker recon. Then if you're suspicious of a recon attempt taking place, it can give you the considerable advantage of allocate defence resources around those people or technologies.
Weaponizationwill largely be occurring on the attackers' side so you're unlikely to have a clue about the payload itself until it strikes. But what you can do is enforce rigorous patching rules across your organisation, and encourage employee training. Two of the most common lines in for attackers are bad patching/update compliance and plain human error. If you do notice an attack on its way in, if you've got the resources, forensically analyse the malware itself, perhaps in a walled off, secure virtual machine. If you can understand why and how this malware was built you can also learn a thing or two about the vulnerabilities at your organisation. Examine everything!
Delivery – any organisation with a rudimentary understanding of security best practice should have perimeter protection solutions in place ie firewalls and ideally active threat scanning on the network itself, for anomalies. But having the shiniest firewall is all well and good but if it hasn't been configured properly by someone who knows what they're doing it might just be logging activity rather then preventing or flagging up malicious activity. Again, Lockheed Martin recommends user awareness training and email testing for employees – there are plenty of dummy email attacks you can send out to employees to try to get an idea of cyber hygiene at your organisation. But, again, humans are human – and we make mistakes. So on the technical side you're going to want to run regular vulnerability scans and get red teams in for regular penetration testing. Lockheed Martin recommends endpoint hardening measures such as restricting admin privileges, using Microsoft Enhanced Mitigation Experience Toolkit (EMET), and introducing custom endpoint rules to stop shellcode execution. And audit everything, especially endpoints, to try to figure out the root of the exploit.
Installation– if you've detected that malware has been executed on your network, try not to panic. Do your best to isolate the attack, and this might mean reducing operations for the day. Audit endpoint processes to look for unusual new files, and use a Host Intrusion Prevention System to either alert or block common installation paths. Again you're going to want to do your best to try to understand the malware: is it a 0-day, is it old or new, what privileges does it need to execute, where is it, and how does it work?
Command and controlis described by Lockheed Martin as the "defender's last best chance to block the operation… if adversaries can't issue commands, defenders can prevent impact". This won't be true for all instances of malware, especially types that are intended to automatically sabotage or cause chaos. Here's what you can do according to Lockheed: discover the infrastructure through malware analysis, harden the network by consolidating the number of internet points of presence, and require proxies for all types of traffic, including both HTTP and DNS. You can also introduce proxy category blocks, DNS sink-holing, and simple research: look online to see what's known about the attack and about the attack infrastructure.
Actions on Objectives –many attacks go undetected for days, weeks, months, or even years. So if you've detected an intrusion then that is half of the battle. But it will mean damage mitigation and quick: find out which data's been exfiltrated, where the malware has spread to (particularly lateral movement), look for unauthorised credentials. Time to bring out the incident response playbook, says Lockheed Martin, and that includes speaking with execs at the highest level – and most likely your comms department too. You will probably have to speak with local data authorities and the police, and possibly have to divulge the attack to the public too. Attacks are more 'when' over 'if', and this is increasingly being understood by the wider public, so it will look better from a PR perspective if you're open and transparent from the beginning rather than keeping quiet (like Uber did). Depending on the severity of the attack, you might be required to bring in expert outside help. Try to learn from the attack and improve security processes within your organisation to mitigate against similar attacks taking place in future.