Using the Cyber Kill Chain to Map Cyber Defenses with Practical Reality

Author: Don Category: Opiniestuk

In an effort to better understand the structure and approach of “APT Attacks”, which was at the time virtually a euphemism for cyber-attacks coming from China, researchers investigated hundreds of successful incursions into networks.  The professional air to the attacks that was long suspected was confirmed, as all attacks followed the same 7-step procedure: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control and finally Actions on Objectives. It was dubbed the ‘Cyber Kill Chain’, and it has since been all the rage.

Cyber Kill Chain

Figure 1: The Cyber Kill Chain

As an interesting side-note: Defense contractor Lockheed Martin claims it as their own work, first presented in 2011, but this claim is demonstrably incorrect. Jeffrey Carr, well known for running OSINT project Grey Goose, which gathered intelligence on the cyber-attacks against Georgia in 2008 and provided strong evidence of Russian involvement, coined the phrase in that same year. I personally attended a lecture at Hacker Halted in Miami around that same time where the Cyber Kill Chain was explained in great detail. While the contact details of the speaker in question have sadly faded from my memory, I can in fact confirm that both the term and the content of that term existed well before 2011, as claimed by Lockheed Martin.

The 7 phases, or steps, cover the following procedures:

Reconnaissance
During the Reconnaissance phase, the attacker (or attacking team) collects as much information on the target as possible. Some of this gathering is passive, meaning the target defender cannot detect this collection of data, but some are active and may be detected by someone looking for such signs. Active gathering attempts include gathering any valid email address belonging to the targeted organization, looking up which IP address blocks are registered to the target, what domains are registered by the target, who works for the company (through social media such as LinkedIn) et cetera. Active reconnaissance may include exploring weaknesses in the public-facing websites such as SQL Injection, or port scanning various systems (very cautiously, so as not to trip sensors) to obtain banner information that gives away exactly what kind of system is answering.

Weaponization
In this stage the information that was gathered earlier is turned into specialized weaponry. Malware that is effective against the systems of the target is wrapped into files that are most likely to be opened by the unsuspecting target, such as PDF or Word files.

Delivery
The customized weaponry is then sent to the target by the most practical and effective means, which can include sending it by email, placing it on a USB stick which is then dropped near a target employee who is likely to insert it into his or her system, or target employees are lured to a specially prepared malicious website from where the target employee will be infected.

Exploitation
Once delivered and opened by the target victim, the malware is executed. This exploits one or more weaknesses in the user system. The ‘payload’ of the malware is then deployed onto the system through this weakness. Most commonly the exploit used will yield the attacker the highest privileges on the system (Administrator or Root access), and clear the way to install various malicious tools.

Installation
The malware ‘payload’ can consist of a variety of malicious applications. What is installed on the target system is at the discretion of the attacker. Most deployed is a variant of a Remote Administration Tool (RAT) that gives the attacker the opportunity to take complete control of the target system. Also popular are keyloggers to log everything the user types, and ‘downloaders’ that then go on to download more elaborate malware onto the target system. Almost all attackers make use of ‘rootkits’, which has the express task of permanently burrowing into the target system and hiding its presence for defensive applications such as antivirus products. Once this is done, it is especially difficult to discover whether a system has been compromised, and the only reliable way to ensure its removal is a complete re-install of the target system.

Command & Control
Once the foothold has been created in the target network via the initial attack, the attacker will use that system to further explore the network around the compromised system. Because the target system is generally assumed to be ‘trusted’, the defenses inside the network tend to be much less stringent, and such exploration can yield an incredible amount of information. The attacker carefully selects other systems to compromise and ‘pivots’ his way through the target network from one compromised system to the next, until a solid Command & Control network is established through which the attacker can enter the network at will.

Actions on Objectives
At this final stage, the attacker executes any action that is required to reach their objectives. This can be stealing of data, corrupting of systems or even the simple act of listening in on what is going on in the network. It is at the sole discretion of the attacker until the compromise is detected. In many registered cases this has been anywhere between 6 months to 1.5 years.

Aside from being useful in gaining insight of how structured cyber-attacks generally work, it is also quite a useful tool for hammering patchwork security defenses into a sensible and practically effective whole. This becomes clear once we put the steps on a timeline, and show where the first point of active contact with the target network is; shown in Figure 2 as t0. Also shown is where defenders have reactive defenses, indicated by the marked area to the right.

Cyber Kill Chain Timeline internal-external

Figure 2: The Cyber Kill Chain on a timeline

 With this information we can map out what countermeasures are most effective against each of the 7 phases. Each phase can be taken as one layer of defenses. When done so, the countermeasures that are most effective against the actions undertaken by the attacker become part of a cohesive defensive strategy with very little overlap. It is also an excellent way to estimate whether a new defensive measure will add additional value to ones’ overall strategy. The strategy would then look like Figure 3 shown below.

Cyber Kill Chain versus Countermeasures

Figure 3 Defensive layers per phase

 Per phase in the Cyber Kill Chain the following defenses can be undertaken. Please note that this list is by no means exhaustive; the intent is to illustrate how countermeasures address the steps of the attack methodology.

Reconnaissance
Because this phase is all about gathering information about the target network, good countermeasures revolve around denying the attacker information, or to provide false information.

  • Applying “cyber hygiene” to websites (limit the amount of email addresses on external websites etc);
  • Obfuscating banner information of externally reachable servers and services so that attackers receive no –or false- information when probing;
  • ‘Anonymizing’ information on IP ranges owned by the company;
  • Running awareness programs to limit sensitive information posted on social media by the staff;
  • Request any running (or planned) penetration testing programs to scan especially for system-identifying information gained. The systems broadcasting this information can be modified to provide different (or no) information.

Weaponization
Large portions of this phase are passive, meaning they are executed on systems belonging to the attacker. This makes it difficult to directly influence, let alone counter-act. The countermeasures that are most effective for this phase are also part of the Delivery phase.

Delivery
Delivery is only successful when the recipient accepts. Successful countermeasures in this layer interrupt this process.

  • Security Awareness training for the staff focusing on not picking up USB devices they found, not blindly open any documents they did not expect or click links in emails or text messages (including WhatsApp or other mobile messaging);
  • Malware scanning on email;
  • Next-Generation Firewalls protecting the access to the network;
  • Use of security hardened applications for popular malware delivery vehicles such as the Fox-It Reader or, for internet browsing, secure browsers such as Google Chrome or its security-minded offspring Aviator;
  • Next-generation malware protection software;
  • Blocking the use of USB drives on user systems (physical, logical or both);
  • Proactive blocking user access to identified malicious URL’s.

Exploitation

  • Structural security updates and patch management to minimize attack surface;
  • System hardening in the area of reducing the number of running services, to reduce the attack surface;
  • Next-generation anti-virus or anti-malware software that runs applications in a secure sandbox before executing on the actual user system, such as Palo Alto Wildfire or FireEye;

Installation

  • System hardening in the area of privilege escalation prevention, which may include modifying settings in the system back-end infrastructure such as Microsoft Active Directory;
  • Specialized software to prevent further damage after malware infection such as Microsoft EMET;
  • System configuration detection mechanisms such as Tripwire;
  • Application whitelisting to block installation of non-approved software;
  • Removal of Local Administrator rights for the users.

Command & Control

Establishing Command & Control inside a network involves basic repeats of the previous steps until all useful systems are equally compromised and backdoor access can be guaranteed. This means that above countermeasures should be implemented across the board, not just at edge systems. On top of that, the following countermeasures provide additional value:

  • Internal network monitoring with anomaly detection or internal next-generation firewalls with DPI capability and a measure of network intelligence;
  • Network segmentation between security levels (VRF-like technology has preference over VLAN tagging);
  • 802.1x Network Access Control (preferably based on certificates) on all systems;
  • End-to-end encryption between all systems to prevent network sniffing (where feasible, with respect to performance).

Action on Objectives
Due to the fact that every foe has its own agenda, the countermeasures here must be especially tailored to the nature of the defending party. R&D-oriented firms generally focus on theft of intellectual property, where enterprises in the Critical Infrastructure sector tend to focus on service interruptions. Their countermeasures should be tuned to fit the defenders’ business concerns.

  • Scanning of outbound network traffic to detect data exfiltration and other anomalous traffic patterns;
  • Four-eyes principle programs embedded in critical operations;
  • Identity & Access management tooling with approval flows;
  • Data-at-rest encryption schemes;
  • Data Vaults for storing of critical data.

The list of countermeasures is already considerable in these examples, but many more can be found at each phase. Some are overlapping and some will provide added security to multiple phases; naturally it is up to the security strategist or architect to determine what set of security measures provides the most value to the organization.