What is the cyber kill chain and how can it help shape your security policy?
The idea of the cyber kill chain was first proposed by computer scientists at the defence contractor Lockheed Martin in 2011. Given the background of the business, it is not surprising that their approach to defining a cyber-attack was heavily influenced by the prevailing thinking about conventional warfare within the American military. In conventional warfare, a kill chain defines all the steps that need to be taken in order to: identify the enemy, find their location, track any movement, select a specific target and the weapon to use, fire the weapon and assess the results and repeat as required. If the process can be interrupted at any one of these stages, the attack is likely to fail. Hence referring to it as a chain (of events).
In a similar way, the various stages of a cyber-attack can be defined, and if the chain of events can be interrupted at any stage, the cyber-attack is likely to fail. With this in mind, security managers can consider whether they have implemented controls and defences for each stage of the cyber-kill-chain in order to ensure the security of their network.
The first step in the cyber kill chain is reconnaissance. During this phase, the would-be attacker is gathering as much information as they can about the target network and the organisation itself.
The reconnaissance itself takes two forms, active and passive.
Passive Reconnaissance is gathering published (public) information from sources such as LinkedIN, the company website, Shodan listings, WHOIS and DNS records, Job Listing, Google searches and internet registrar listings. Since passive reconnaissance is, by definition, happening off network it is impossible to detect. The only mitigation is to ensure that public records and systems do not convey sensitive information. For example, best not to post a job listing for: ‘Urgent IT Security Manager needed in order to resolve numerous security flaws discovered in our last penetration test. Expert skills in Cisco firewalls, Snort and Apache web servers (and how to apply security patches) needed’
In addition, default software banners and error messages should be changed as these can provide useful intelligence to would-be attackers about the exact versions of software you are running making it easier to target specific vulnerabilities in those systems.
Active Reconnaissance uses tools such as NMAP, port scanners and even vulnerability scanners (turned down to the lowest impact setting) to enumerate your external systems, ports and IP addresses. While these are detectable in theory, any public IP address is subject to a near continuous level of ‘internet background radiation’ of port scans and probes making it hard to determine if any one scan is the prologue to a more serious attack. Disabling unused ports and services, deploying honeypots to divert the more serious attackers, configuring Firewalls and IPS (Intrusion Prevention Systems) to block traffic from unexpected sources including TOR networks and unrecognised VPN systems are all defences against active reconnaissance.
The second step in the cyber kill chain is weaponisation. Having identified one or more possible means of attack the next move is the selection of one of more ‘weapons’ to exploit the vulnerabilities identified during the active reconnaissance and some targets for phishing or social engineering identified during the passive reconnaissance.
The attacker will likely make use of ready-made frameworks such as Metasploit rather than invent new tools from scratch. This means the attack can be prepared surprising quickly – in hours not days. For phishing and other social engineering attacks, there are also ready made toolkits that make it much easier to attackers to spoof emails to make them look like they came from within the target organisation, for example.
Since the weaponisation phase is aiming to select tools to exploit the vulnerabilities identified during the reconnaissance phase, the most effective defence is to ensure the number of vulnerabilities present is minimised through effective patch management. As email delivery of malware in office documents is one of the main attack vectors against businesses, ensuring macros are disabled in office applications (whether from Microsoft or open source alternatives) is key. Systems that scan email for malware before it enters your infrastructure (either in your perimeter firewall or in the cloud) can also be very helpful and desktop endpoint anti-virus systems are the final line of defence.
Now the weapons have been selected, the attack moves into the delivery phase – where the attacker attempts to get their malware into your network. There are a number of different avenues they can try, including:
- Exploit a browser vulnerability to deliver the malware by tricking your staff to visit a compromised website and so infect the computer they are using at their desk.
- Web applications that accept user input can be attacked by sending specially crafted data to forms in a web application (eg SQL injection attacks).
- Email containing malicious attachments, perhaps masquerading as a new customer order or an invoice to be paid – this makes it much more likely that your staff will open the attachment.
- The malware could also be loaded into a USB memory stick, or even a special cable (e.g. OMG cables) and left in your reception, dropped in the car park or even given away at a trade show in the hope staff will return to the office, plug the device into their computer and so infect their computer with the malware.
The main defence in the delivery phase is user training and awareness. Helping your staff to identify emails which may contain malware attachments for example, is a vital last line of defence against zero-day exploits which sail past the technology protections.
Additional steps you can take to disrupt the delivery phase include web filtering systems which prevent users within your network from visiting known bad websites and DNS filtering which can block traffic on ports other than 80/443 which are used for web traffic.
Once the malware or weapons package has been delivered into your network, on one or more systems, the exploitation phase begins. The exploitation could take the form of simply executing malware on a Windows PC or the running of an SQL Injection or forcing a buffer overflow on a web application or API in order to execute the attacking code.
Defending against exploitation is the purpose of security hardening. This is the processes of configuring servers, devices and networks to reduce the attack surface and minimise the possible attack vectors that the attackers can use. Tools such as Microsoft Defender ATP and methodologies such as the Microsoft Security Configuration Framework provide useful starting points.
Regular Network Penetration Testing will identify the likely routes an attacker will exploit and allow them to be shut down and protected before an attack occurs.
In parallel with the Exploitation phases, attackers typically seek to establish a beach-head into the target network by installing a persistent back door. The aim is to ensure that the remote access into your network will survive a reboot of the compromised devices.
You can defend against the Installation phase by disabling the tools that are typically used, if possible – such as PowerShell on Microsoft platforms.
Another key to defending against the installation of persistent threats is monitoring. Monitoring for unexpected changes to key configurations (such as the CRON on Lunix or Registry on Windows) or changes to application configuration files are indicators of compromise. File Change Monitoring tools can be configured to monitor keys directories and files and automatically raise an alert whenever changes are detected.
Tools such as SIEM (Security Information & Event Management) help by gathering and correlating events and alerts from multiple systems and can reveal patterns of activity that allow a possible exploitation and installation attack to be identified. The key to effective use of SIEM tools is to ensure they are monitored in real time so that any threats they identify are responded to promptly.
Command and Control
Once the persistent beach-head has been established in your network, the malware will phone home in order to receive patches, functional updates and instructions from its controller. Detecting the outbound network traffic from the malware to the command and control servers is one way to detect the ongoing attack. Tools such as Intrusion Detection Systems (IDS) can help spot the activity of the malware. Many modern firewalls (often referred to as ‘next generation firewalls’) can subscribe to lists of known command and control servers and automatically block traffic bound for those IP addresses on the internet and identify the internal devices that made the connection request.
Actions on Objectives
With the malware installed and communication established back to the command and control systems, the attacker is now free to get on with the job they came to do. Taking time to consider what the objective of an attacker might be can be helpful to design the detection and mitigation systems you need to put in place. For example, if your organisation processes card payments then it is likely an attacker may seek to steal card details as they are relatively easy to re-sell to other criminals or exploit directly. Nation state actors may wish to disrupt utility companies or obtain commercial secrets and intellectual property. Political activists could seek information about figures in the public eye, from health records, shopping lists or financial details.
If the compromised system does not contain the final objectives the attackers will then attempt to move laterally across your network by restarting the cyber kill chain focusing on other internal systems. This is why internal network segmentation is such a valuable tool in limiting the impact of cyber-attacks as it can mean the compromise of a single system does not easily compromise the whole network as the malware cannot escape from its current network segment.
Do not overlook the possibility that the attack on your systems could simply be a link in a larger cyber kill chain which is focusing on one of your customers or suppliers. It could be that your relationship with them is being exploited in order to use your systems to deliver malware into your customers network (by email compromise or across VPN links for example).
Using Cyber Kill Chain as a health check
An effective security programme employs defence in depth – more than one layer of protection needs to be bypassed for an attack to succeed. Using the cyber kill chain model, security managers have a useful structure to build the layers of their security protections. By ensuring mitigations and defensive tools exist for each step of the cyber kill chain an effective and deep security architecture can be achieved.
You can also use the cyber kill chain model to evaluate your existing security infrastructure. Take each step of the kill chain model, and assess how effective your defences are at that stage of the chain. Assume an attacker had successfully defeated your defences for the previous steps – how long do you think it would take them to move on to the next phase? You may find it helpful to engage a security consultant to help with this assessment. A network penetration test is the best way to get an independent analysis of your defences at each link in the cyber kill chain.