What is the cyber kill chain? Why it's not always the right approach to cyber attacks

Lockheed Martin's cyber kill chain approach breaks down each stage of a malware attack where you can identify and stop it, but be aware of how attack strategies are changing.


As an infosec professional, you’ve likely heard about using a cyber kill chain, also known as a cyber attack lifecycle, to help identify and prevent intrusions. Attackers are evolving their methods, which might require that you look at the cyber kill chain differently. What follows is a recap of what the cyber kill chain approach to security is and how you might employ it in today’s threat environment.

What is a cyber kill chain?

In military parlance, a "kill chain" is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks. These stages are referred to as:

  • Find
  • Fix
  • Track
  • Target
  • Engage
  • Assess

The closer to the beginning of the kill chain an attack can be stopped, the better: the less information an attacker has gathered, the less likely it is that the attacker, or anyone they pass it to, can complete the attack later.

The cyber kill chain is a similar idea, put forth by Lockheed Martin, that describes the phases of a targeted intrusion; the same phases can be used to organize an organization's defenses. The stages are shown in the graphic below.

[Infographic: Lockheed Martin's cyber kill chain. Its seven stages are:]

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Actions on Objectives

It's a lot like a stereotypical burglary. The thief will perform reconnaissance on a building before trying to infiltrate it, and then go through several more steps before actually making off with the loot. Using the cyber kill chain to keep attackers from stealthily entering your network requires quite a bit of intelligence and visibility into what's happening in your network. You need to know when something is there that shouldn't be, so you can set the alarms to thwart the attack.

Another thing to keep in mind is the closer to the beginning of the chain you can stop an attack, the less costly and time-consuming the cleanup will be. If you don't stop the attack until it's already in your network, you'll have to fix those machines and do a whole lot of forensics work to find out what information they've made off with.

Let's look at the various stages to determine what questions you should be asking yourself, and whether the defenses at each stage are feasible for your organization.

Reconnaissance: Viewing your network from the outside

At this stage, criminals are trying to decide what are (and are not) good targets. From the outside, they learn what they can about your resources and your network to determine whether it is worth the effort. Ideally, they want a target that is relatively unguarded and with valuable data. What information the criminals can find about your company, and how it might be used, could surprise you.

Companies often have more information available than they realize. Are names and contact details of your employees online? (Are you sure? Think social networks too, not just your own corporate website.) These could be used for social engineering purposes, say, for getting people to divulge usernames or passwords. Are there details about your web servers or physical locations online? These could be used for social engineering too, or to narrow down a list of possible exploits that would be useful to break into your environment.

This is a tricky layer to control, particularly with the popularity of social networking. Hiding sensitive information tends to be a fairly inexpensive change, though being thorough about finding the information can be time-intensive.

Weaponization, delivery, exploit, installation: Attempting to enter

These stages are where the criminals craft a tool to attack their chosen target, using the information they have gathered, and put it to malicious use. The more information they can use, the more compelling a social engineering attack can be. They could use spear-phishing to gain access to internal corporate resources with the information they found on your employees' LinkedIn pages. Or they could put a remote access Trojan into a file that appears to have crucial information on an upcoming event in order to entice its recipient into running it. If they know what software your users or servers run, including OS version and type, they can increase the likelihood of being able to exploit and install something within your network.

These layers of defense are where your standard security wonk advice comes in. Is your software up to date? (All of it, on every machine. Most companies have that one box in some back room that is still running Windows 98. If it's ever connected to the Internet, it's like having a welcome mat outside your door.)

Do you use email and web filtering? Email filtering can be a good way to stop common document types that are used in attacks. If you require that files be sent in a standard way, such as in a password-protected ZIP archive, this can help your users know when files are being sent intentionally. Bear in mind that a password-protected archive also defeats your own scanners, and attackers use the same trick to smuggle malware past mail filters, so the convention only works if the sender is verified through some other channel. Web filtering can help keep users from going to known bad sites or domains.

Have you disabled autoplay for USB devices? Giving files the chance to run without approval is seldom a good idea from a security perspective. It's better to give the user a chance to stop and think about what they're seeing before it launches. Do you use endpoint protection software with up-to-date functionality? While endpoint protection software is not intended to deal with brand-new targeted attacks, it can sometimes catch threats based on known suspicious behavior or known software exploits.
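As an added example (not code from the article or from any vendor quoted in it), here is what "filtering common document types" looks like when it is done on content rather than on the file name the sender chose: it sniffs magic bytes, refuses executables and legacy macro-capable Office files, catches an executable renamed to .pdf, looks inside ZIP and OOXML containers for executables and VBA projects, and flags encrypted archive entries for human review instead of waving them through. The magic-byte table, the blocklists and the sample attachments are all constructed for the demonstration.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Minimal magic-byte table for the demo (an assumption, not a complete list).
MAGIC = {b"MZ": "pe-executable", b"PK\x03\x04": "zip", b"%PDF": "pdf",
         b"\xd0\xcf\x11\xe0": "ole2"}  # ole2 = legacy .doc/.xls, macro-capable
BLOCKED_TYPES = {"pe-executable", "ole2"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".jar"}
EXPECTED_TYPE = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".zip": "zip", ".doc": "ole2"}
MAX_NESTING = 2  # archives buried deeper than this are refused

@dataclass
class Verdict:
    name: str
    blocks: List[str] = field(default_factory=list)    # reasons to reject outright
    warnings: List[str] = field(default_factory=list)  # reasons a human should decide

    @property
    def allowed(self) -> bool:
        return not self.blocks

def sniff(data: bytes) -> str:
    """Identify content by its leading bytes; 'unknown' if nothing matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def check_attachment(name: str, data: bytes, depth: int = 0) -> Verdict:
    v = Verdict(name)
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    kind = sniff(data)
    if ext in BLOCKED_EXTENSIONS:
        v.blocks.append(f"blocked extension {ext}")
    if kind in BLOCKED_TYPES:
        v.blocks.append(f"blocked content type {kind}")
    # A '.pdf' that starts with 'MZ' is an executable wearing a document's name.
    if ext in EXPECTED_TYPE and kind not in ("unknown", EXPECTED_TYPE[ext]):
        v.blocks.append(f"extension {ext} but content is {kind}")
    if kind == "zip":
        _inspect_archive(v, data, depth)
    return v

def _inspect_archive(v: Verdict, data: bytes, depth: int) -> None:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                    # Nothing can scan it; the "password-protected ZIP by convention"
                    # idea only works if the sender is verified by some other channel.
                    v.warnings.append(f"{info.filename}: encrypted, cannot be inspected")
                    continue
                if info.filename.endswith("vbaProject.bin"):  # OOXML macro container
                    v.blocks.append(f"{info.filename}: embedded VBA macro project")
                    continue
                if depth + 1 > MAX_NESTING:
                    v.blocks.append("archive nested too deeply")
                    break
                inner = check_attachment(info.filename, zf.read(info), depth + 1)
                v.blocks.extend(f"{info.filename}: {r}" for r in inner.blocks)
                v.warnings.extend(f"{info.filename}: {r}" for r in inner.warnings)
    except zipfile.BadZipFile:
        v.blocks.append("malformed zip")

def _sample_zip(entries: Dict[str, bytes], encrypted: bool = False) -> bytes:
    """Build a constructed ZIP. With encrypted=True the 'encrypted' flag bit is
    patched into the headers afterwards (zipfile cannot write real encrypted archives)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, payload in entries.items():
            zf.writestr(entry_name, payload)
    out = bytearray(buf.getvalue())
    if encrypted:
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = out.find(sig)
            while pos != -1:
                out[pos + offset] |= 0x01
                pos = out.find(sig, pos + 1)
    return bytes(out)

# Constructed sample attachments; nothing here came from real mail.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n% constructed\n",
    "report.pdf": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,  # executable renamed to .pdf
    "agenda.zip": _sample_zip({"Agenda.scr": b"MZ\x90\x00" + b"\x00" * 32}),
    "proposal.docx": _sample_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "macros.docx": _sample_zip({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "q3-figures.zip": _sample_zip({"q3.xlsx": b"(workbook bytes)"}, encrypted=True),
}

def run_policy(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Verdict]:
    return {name: check_attachment(name, data) for name, data in samples.items()}
```

Call `run_policy()` to see each sample's verdict. The encrypted entry is the caveat to the password-protected ZIP convention: the filter cannot see inside, so the best it can do is warn, and the decision has to rest on whether the sender is known.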

Command and control (C&C): The threat is checking in

Once a threat is in your network, its next task is to phone home and await instructions. That may mean downloading additional components, but more often it means contacting a botmaster over a C&C channel. Either way, this requires network traffic, which is what you should be watching for: do you have network monitoring (an IDS, DNS and proxy logs, egress filtering) that alerts when a host starts talking to a destination it has never contacted before, and endpoint telemetry that ties that connection back to the process that made it? A network IDS on its own sees hosts and destinations, not programs, so the "new program contacting the network" question can only be answered with a host-based agent or egress logging that records the process.
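One way to answer the check-in question, as an added example rather than anything from the article: the script below takes egress log lines (constructed here, in a made-up format of time, source host, destination and bytes out) and does two things. It lists connections to destinations absent from a baseline, and it flags flows that recur with a near-constant period, which is the shape of an implant waiting for instructions. The baseline set and the thresholds are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed egress log, one connection per line: "<ISO time> <src host> <destination> <bytes out>".
EGRESS_LOG = """\
2018-10-01T09:00:02 ws-17 updates.example-vendor.com 1440
2018-10-01T09:00:15 ws-17 cdn.example-news.com 880
2018-10-01T09:05:03 ws-17 198.51.100.23 312
2018-10-01T09:10:02 ws-17 198.51.100.23 310
2018-10-01T09:15:04 ws-17 198.51.100.23 318
2018-10-01T09:20:03 ws-17 198.51.100.23 309
2018-10-01T09:25:02 ws-17 198.51.100.23 315
2018-10-01T09:01:10 ws-22 cdn.example-news.com 20480
2018-10-01T09:07:41 ws-22 cdn.example-news.com 51200
2018-10-01T09:31:05 ws-22 cdn.example-news.com 4096
2018-10-01T09:44:19 ws-22 cdn.example-news.com 9000
2018-10-01T09:58:58 ws-22 cdn.example-news.com 2048
"""

# Destinations observed during an assumed baseline period (constructed).
BASELINE_DESTINATIONS = {"updates.example-vendor.com", "cdn.example-news.com"}

Flow = Tuple[str, str]  # (source host, destination)


def parse_log(text: str) -> Dict[Flow, List[datetime]]:
    """Group connection timestamps by (src, dst), sorted in time order."""
    flows: Dict[Flow, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return {flow: sorted(times) for flow, times in flows.items()}


def new_destinations(flows: Dict[Flow, List[datetime]], baseline: Set[str]) -> Set[Flow]:
    """The page's question: who is talking to somewhere we have never seen before?"""
    return {flow for flow in flows if flow[1] not in baseline}


def interval_stats(times: List[datetime]) -> Tuple[float, float]:
    """Mean gap between consecutive connections (seconds) and its coefficient of variation."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def find_beacons(flows: Dict[Flow, List[datetime]], min_hits: int = 5, max_cv: float = 0.15) -> List[dict]:
    """Flag flows that recur with a near-constant period: the signature of a C&C check-in.
    Human browsing (ws-22 above) is bursty; an implant on a timer is metronomic."""
    findings = []
    for (src, dst), times in flows.items():
        if len(times) < max(min_hits, 2):
            continue
        period, cv = interval_stats(times)
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(times),
                             "period_s": round(period, 1), "cv": round(cv, 3),
                             "new_destination": dst not in BASELINE_DESTINATIONS})
    return findings


def analyse(text: str = EGRESS_LOG) -> Tuple[Set[Flow], List[dict]]:
    flows = parse_log(text)
    return new_destinations(flows, BASELINE_DESTINATIONS), find_beacons(flows)


if __name__ == "__main__":
    fresh, beacons = analyse()
    print("new destinations:", sorted(fresh))
    for b in beacons:
        print("beacon:", b)
```

On the sample log, ws-17 contacts an address outside the baseline every five minutes with almost no jitter, and is reported on both counts; ws-22's irregular visits to a known CDN trip neither check. Real implants add random jitter to the sleep interval, so `max_cv` has to be tuned against a week of your own traffic rather than set once.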

If the threat has gotten this far, it's made changes to the machine and is going to require a lot more work from IT staff. Some companies or industries require that forensics be done on the affected machines to determine what data has been stolen or tampered with. Those affected machines will either need to be cleaned or reimaged. It can be less costly and time-consuming if the data has been backed up and there is a standard corporate image that can be quickly replaced onto the machine.

Some attacks follow their own rules

As this past year has amply demonstrated, attackers aren't following the playbook. They skip steps. They add steps. They backtrack. Some of the most devastating recent attacks bypass the defenses that security teams have carefully built up over the years because they're following a different game plan. According to a report released this fall by Alert Logic, 88 percent of attacks combine the first five steps of the kill chain into a single action.

This year, we also saw the rise of cryptocurrency mining malware, says Matt Downing, principal threat researcher at Alert Logic, Inc. "And the techniques they used ignored the traditional steps. All the early-stage mitigation and detection techniques wouldn't work." Plus, the attackers don't have to exfiltrate valuable data and then try to sell it on the black market, he adds. "They can directly monetize a compromised asset."

Attacks featuring compromised credentials, where attackers log in using seemingly legitimate data and use those accounts to steal data, would not fit the traditional attack framework. "That's a case where very obviously the Lockheed Martin kill chain doesn't apply," Downing says.

According to a report released this spring by RedLock, 25 percent of companies have cryptojacking activity in their environments, and 27 percent experienced potential account compromises.

Another type of attack that doesn't fit the traditional model is the web application attack. "When you have an application that's exposed to the Net, anyone can come and visit," says Satya Gupta, founder and CTO at Virsec Systems, Inc. "It's like having a door open in your home."

Web application attacks were the most common type of data breach in this year's Verizon Data Breach Investigations Report. Last year's Equifax breach was just the latest high-profile example. This kind of attack can be hard to spot: Equifax didn't notice suspicious network traffic on its website for more than two months, and it was far from alone. According to the Verizon DBIR, 68 percent of breaches took "months or longer" to discover, while in 87 percent of breaches it took attackers minutes or less to compromise a system.

The Equifax breach was traced back to a vulnerability in the Apache Struts web application framework. Had the company installed the security patch for that vulnerability it could have avoided the breach, but sometimes the software update itself is compromised, as was the case with last year's CCleaner update from Avast, where malware was inserted into the official, signed build before it was distributed.

According to RedLock, 24 percent of organizations have services running in the cloud that are missing high-severity patches. There can be other problems with patches as well, and it takes time for companies to test patches and to identify and update the vulnerable systems. Meanwhile, the attackers aren't wasting time when it comes to taking advantage of new vulnerabilities. "From the time of a vulnerability disclosure to the time of widespread automated attacks is typically around a single day," says Jeff Williams, CTO and cofounder at Contrast Security.

Attackers increasingly use a "spray and pray" tactic, experts say, throwing out everything they've got to see what sticks, instead of doing the kind of research and development that goes into a targeted attack, or one using zero-day malware. "It's so much easier to leverage existing vulnerabilities," says Ofer Schreiber, partner at YL Ventures.

According to Gartner, zero-day vulnerabilities made up only 0.4 percent of vulnerabilities during the past decade. "In the past few years, there was a big buzz around advanced persistent threats and zero days and finding all these sophisticated and stealthy attacks," says Schreiber. "But these are not the majority of cases. Organizations get breached and lose very important data due to misconfigurations and known vulnerabilities that they were too late to remediate. This is the burning issue of the cybersecurity industry, not necessarily how to identify these super-sophisticated attacks."

For example, according to RedLock, 51 percent of organizations have accidentally exposed at least one cloud storage service to the public. In addition to prompt patching, and making sure that systems are configured properly -- that Amazon S3 buckets containing sensitive data aren't open to the public -- companies should also start embedding security controls directly into applications themselves. It's called runtime application self-protection, and Transparency Market Research predicts a 32 percent compound annual growth rate for this market segment, expected to pass $3 billion by the end of 2025.
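As an added example of the "bucket open to the public" check (not from RedLock or the article), the function below audits a bucket inventory for policy statements that grant access to everyone, ACL grants to the AllUsers and AuthenticatedUsers groups, and whether the bucket's Block Public Access settings neutralise them. The inventory layout is an assumed shape that a collection script would build from the bucket policy, ACL and public-access-block settings; the three buckets are constructed.

```python
from typing import Dict, List

# The two predefined S3 groups that make an ACL grant public. AuthenticatedUsers
# means any AWS account in the world, not just yours.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def principal_is_public(principal) -> bool:
    """'*' or {'AWS': '*'} in a policy statement means anyone on the Internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket(bucket: dict) -> List[str]:
    """Return findings for one bucket record (assumed layout, see SAMPLE_BUCKETS)."""
    findings = []
    bpa = bucket.get("public_access_block", {})
    for st in bucket.get("policy", {}).get("Statement", []):
        if st.get("Effect") != "Allow" or not principal_is_public(st.get("Principal")):
            continue
        if bpa.get("RestrictPublicBuckets"):
            continue  # S3 ignores a public policy for anonymous callers when this is on
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        scope = "with a Condition (review it)" if st.get("Condition") else "unconditionally"
        findings.append(f"policy grants {', '.join(actions)} to everyone {scope}")
    for grant in bucket.get("acl_grants", []):
        if grant.get("uri") in PUBLIC_GROUPS and not bpa.get("IgnorePublicAcls"):
            group = grant["uri"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('permission')} to {group}")
    return findings


BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {k: True for k in BPA_OFF}

# Constructed inventory; no real account was queried.
SAMPLE_BUCKETS = {
    "corp-backups": {
        "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::corp-backups/*"}]},
        "public_access_block": BPA_OFF,
    },
    "www-assets": {  # same public policy, but Block Public Access is fully on
        "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
                                  "Resource": "arn:aws:s3:::www-assets/*"}]},
        "public_access_block": BPA_ON,
    },
    "hr-exports": {  # policy is fine; a legacy ACL grant is the problem
        "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/hr-etl"},
                                  "Action": "s3:*", "Resource": "arn:aws:s3:::hr-exports/*"}]},
        "acl_grants": [{"uri": "http://acs.amazonaws.com/groups/global/AllUsers", "permission": "READ"}],
        "public_access_block": BPA_OFF,
    },
}


def audit_all(buckets: Dict[str, dict] = SAMPLE_BUCKETS) -> Dict[str, List[str]]:
    results = {}
    for name, bucket in buckets.items():
        found = audit_bucket(bucket)
        if found:
            results[name] = found
    return results
```

The point of checking the public-access-block flags alongside the policy and ACL is that a bucket can carry a public-looking grant and still be closed, and the reverse: a clean policy with an old `AllUsers` ACL grant is just as exposed as `Principal: "*"`.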

"Security needs to move closer to the application, and go deeper into core processes and memory usage," says Gupta. "New control flow technology, embedded at the application level, understands application protocols and context, and can map the acceptable flow of an application--similar to a Google map. If the application is supposed to go from point A to point B, but makes an unexpected detour, then something is definitely wrong."
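The "acceptable flow" idea in Gupta's description, reduced to a toy you can run (an added example; it is not Virsec's technology or any real RASP engine): a monitor that hooks Python's profiler, learns which function calls which while serving known-good requests, and then reports any caller-to-callee edge it never saw. The miniature application, its leftover debug handler and the traffic are all constructed for the demonstration.

```python
import sys
from typing import Callable, Dict, List, Set, Tuple

Edge = Tuple[str, str]  # (caller function, callee function)


# ---- constructed demo application, standing in for a web app --------------------
def query_db(term: str) -> List[str]:
    rows = ["alice", "bob", "carol"]
    return [r for r in rows if term in r]


def run_shell(cmd: str) -> str:
    # Leftover "debug" feature that legitimate clients never reach.
    return f"(would execute: {cmd})"  # nothing is really executed in the demo


HANDLERS: Dict[str, Callable[[str], object]] = {"search": query_db, "debug": run_shell}


def parse_input(raw: Dict[str, str]) -> Tuple[str, str]:
    return raw.get("action", "search"), raw.get("arg", "")


def dispatch(action: str, arg: str) -> object:
    return HANDLERS[action](arg)


def render(result: object) -> str:
    return f"200 OK {result}"


def handle_request(raw: Dict[str, str]) -> str:
    action, arg = parse_input(raw)
    return render(dispatch(action, arg))


APP_FUNCTIONS = {"handle_request", "parse_input", "dispatch", "render", "query_db", "run_shell"}


# ---- the monitor ------------------------------------------------------------------
class FlowMonitor:
    """Learn caller->callee edges from known-good traffic, then flag unseen edges."""

    def __init__(self) -> None:
        self.allowed: Set[Edge] = set()
        self.violations: List[Edge] = []
        self.enforcing = False

    def _hook(self, frame, event: str, arg) -> None:
        if event != "call" or frame.f_back is None:
            return
        callee, caller = frame.f_code.co_name, frame.f_back.f_code.co_name
        if callee not in APP_FUNCTIONS or caller not in APP_FUNCTIONS:
            return  # ignore the monitor itself, the runtime and library code
        edge = (caller, callee)
        if not self.enforcing:
            self.allowed.add(edge)
        elif edge not in self.allowed:
            self.violations.append(edge)

    def _run(self, fn: Callable, *args):
        sys.setprofile(self._hook)
        try:
            return fn(*args)
        finally:
            sys.setprofile(None)

    def learn(self, requests: List[Dict[str, str]]) -> Set[Edge]:
        self.enforcing = False
        for req in requests:
            self._run(handle_request, req)
        return set(self.allowed)

    def enforce(self, req: Dict[str, str]) -> Tuple[str, List[Edge]]:
        """Serve one request. A real engine aborts at the first bad edge; this toy
        lets the call finish, then withholds the response if an edge was unexpected."""
        self.enforcing, self.violations = True, []
        response = self._run(handle_request, req)
        if self.violations:
            return "403 blocked by flow monitor", list(self.violations)
        return response, []


# Constructed traffic: what the app does on an ordinary day, and one attack.
BENIGN_TRAFFIC = [{"action": "search", "arg": "al"}, {"action": "search", "arg": "o"}]
ATTACK = {"action": "debug", "arg": "cat /etc/passwd"}


def demo() -> Tuple[Set[Edge], Tuple[str, List[Edge]], Tuple[str, List[Edge]]]:
    mon = FlowMonitor()
    learned = mon.learn(BENIGN_TRAFFIC)
    return learned, mon.enforce({"action": "search", "arg": "bo"}), mon.enforce(ATTACK)


if __name__ == "__main__":
    learned, good, bad = demo()
    print("learned edges:", sorted(learned))
    print("search request:", good)
    print("debug request: ", bad)
```

The learned map has four edges; the search request stays inside them, while the "debug" request produces the edge `dispatch -> run_shell`, which was never seen and is reported. Note the limits this shares with the real thing: the detour is only visible if benign traffic exercised every legitimate path during learning, so an under-trained map produces false alarms, and an attacker who reaches their goal along already-allowed edges (a SQL injection through `query_db`, say) is invisible to a control-flow check alone.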

Attackers can also use a compromised credential or take advantage of weak, default or nonexistent passwords. No malware needs to be installed, there's no communications with a C&C server, and no lateral movement. Default and hard-coded passwords can get him into most companies, says Joe Neuman, a penetration testing expert at Coalfire Labs. "For example, the latest Cisco release includes hard-coded passwords -- the seventh time they have had this problem recently."
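If valid credentials are the whole attack, as Downing and Neuman describe above, the login record itself is what you have to work with. The added example below (not from the article, Coalfire or Alert Logic) runs two checks over a constructed authentication log in which every login succeeded with a correct password: a client the account has never used before, and "impossible travel", where two logins are further apart than anyone could move in the time between them. The IP-to-location table, the known-device baseline and the 900 km/h threshold are assumptions for the demo; a real deployment would use a geo-IP database and a per-account history.

```python
import math
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed geolocation table: IP prefix -> (label, latitude, longitude).
GEO = {
    "10.1.": ("office-nyc", 40.71, -74.01),
    "203.0.113.": ("berlin", 52.52, 13.41),
    "198.51.100.": ("sao-paulo", -23.55, -46.63),
}
# Clients each account has been seen on before (constructed baseline).
KNOWN_DEVICES = {"jsmith": {"Windows-Chrome"}, "mlee": {"macOS-Safari"}, "svc-backup": {"backup-agent"}}
MAX_KMH = 900.0  # faster than this between two logins is not a person on a plane

# Constructed authentication log; every line is a successful login with a valid password.
AUTH_LOG = """\
2018-10-01T08:02:11 login ok user=jsmith ip=10.1.4.20 ua=Windows-Chrome
2018-10-01T08:09:48 login ok user=mlee ip=10.1.7.8 ua=macOS-Safari
2018-10-01T08:40:05 login ok user=jsmith ip=198.51.100.77 ua=Linux-curl
2018-10-01T09:15:30 login ok user=mlee ip=10.1.7.8 ua=macOS-Safari
2018-10-01T11:03:12 login ok user=svc-backup ip=203.0.113.5 ua=python-requests
"""
LINE = re.compile(r"(\S+) login ok user=(\S+) ip=(\S+) ua=(\S+)")

Login = Tuple[datetime, str, str, str]  # time, user, ip, client
Place = Tuple[str, float, float]


def parse_auth(text: str) -> List[Login]:
    out = []
    for m in LINE.finditer(text):
        ts, user, ip, ua = m.groups()
        out.append((datetime.fromisoformat(ts), user, ip, ua))
    return sorted(out)


def locate(ip: str) -> Optional[Place]:
    for prefix, place in GEO.items():
        if ip.startswith(prefix):
            return place
    return None


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def find_suspicious_logins(text: str = AUTH_LOG) -> List[Tuple[str, str, str]]:
    """Return (user, rule, detail) for logins that were valid but do not fit the account."""
    findings = []
    last_seen: Dict[str, Tuple[datetime, Place]] = {}
    for ts, user, ip, ua in parse_auth(text):
        if ua not in KNOWN_DEVICES.get(user, set()):
            findings.append((user, "new_device", f"{ua} from {ip}"))
        here = locate(ip)
        if here is None:
            continue  # unknown network: no travel check possible
        if user in last_seen:
            prev_ts, prev = last_seen[user]
            km = haversine_km(prev[1:], here[1:])
            hours = max((ts - prev_ts).total_seconds() / 3600, 1 / 3600)  # avoid division by zero
            if km / hours > MAX_KMH:
                findings.append((user, "impossible_travel",
                                 f"{prev[0]} -> {here[0]}, {km:.0f} km in {hours:.2f} h"))
        last_seen[user] = (ts, here)
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins():
        print(*finding)
```

In the sample, jsmith logs in from the office and 38 minutes later from São Paulo with a command-line client, which trips both rules, and the backup service account appears from a new network with a client it has never used. Neither login was a failure, which is why failed-login alerting alone misses this class of attack.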

Other transformative technologies -- the Internet of Things, DevOps and robotic process automation -- are also increasing the attack surface in ways that don't fit the traditional cyber kill chain model, says Lavi Lazarovitz, cyber research team leader at CyberArk Labs.

Another example of a transformative technology is Google's BeyondCorp strategy, he says. "It shifts access controls from the network perimeter to individual users and devices without a traditional VPN. It requires organizations to expose infrastructure in order to work, potentially also exposing mistakes they've made."

Monetizing the attack: It ain't over till it's over

Disruption, as in a denial of service attack, isn't necessarily the last step of an attack. Once they've successfully disrupted, corrupted or exfiltrated, attackers can go back in and do it all over again.

Or they can move on to another stage -- monetization. According to Ajit Sancheti, CEO at Preempt Security, that can take any number of forms. For example, they can use compromised infrastructure to commit ad fraud or send out spam, extort the company for ransom, sell the data they've acquired on the black market, or even rent out hijacked infrastructure to other criminals. "The monetization of attacks has increased dramatically," he says.
