Understanding The Cyber Kill Chain

The cyber kill chain is a way to understand the sequence of events involved in cyberattacks from the early reconnaissance stages to data exfiltration.


The cyber kill chain is a way to understand the sequence of events involved in cyberattacks from the early reconnaissance stages to data exfiltration. The kill chain helps cybersecurity professionals understand and combat malware such as ransomware, security breaches, and advanced persistent threats (APTs). The Lockheed Martin version of the cyber kill chain consists of seven (7) steps:

1.     Reconnaissance. In the reconnaissance stage, attackers assess the target from outside the organization from both a technical and non-technical perspective. In this stage, the attacker, through active or passive means, works on determining which targets will return the most benefit for the resources expended in exploiting the target's information systems. The attacker will be looking for information systems with few protections or exploitable vulnerabilities. For example, through active information gathering, an attacker could identify the version of a mail server.

With this information, the attacker can research known vulnerabilities or discover new, unpublished vulnerabilities that can be leveraged to access the system. Organizations should have measures in place to prevent the disclosure of sensitive information, such as version numbers, to the public. Security awareness training is also necessary to make staff aware of the social engineering tactics attackers employ, as well as how to dispose of sensitive information appropriately.

2.     Weaponization. During weaponization, the threat actor develops malware tailored to the vulnerabilities discovered during the reconnaissance phase of the cyber kill chain. Based on the intelligence gathered in the reconnaissance phase, the attacker adapts their toolset to the specifics of the target network. For example, let us say the attacker found that the mail server version identified in the reconnaissance phase had an open relay vulnerability. Such a vulnerability would allow the attacker to send potentially malicious emails on behalf of internal staff. The best measure to have in place to mitigate this phase is patch management. Ensuring that all your systems are up to date makes it difficult for attackers to weaponize findings from stage one. Again, security awareness training is critical for the human element.

3.     Delivery. This stage of the cyber kill chain involves transmitting the malicious payload from the attacker to the target information system for exploitation. Research has shown that a network attack is most likely to originate from a spear-phishing attack targeting an internal employee of the organization. For example, leveraging the open relay vulnerability, the attacker sends a crafted email carrying a link or document that would download the attacker's malware. The delivery path, or vector, is email. Security awareness training is critical at this stage so that employees know to be wary of attachments or links within emails, even if they appear to come from a trusted source.

4.     Exploitation. During the cyber kill chain's exploitation phase, the attacker's malicious payload is executed on the target network through remote or local mechanisms. After executing, the malware can take advantage of discovered vulnerabilities to gain administrative access to the targeted organizational information system. For example, let's say an employee received the phishing email sent by the attacker via the open relay vulnerability and opened the document within the email because it appeared to be addressed from the company's CEO. Upon opening the document (the stager), malicious code is executed in the background, giving the attacker remote access to the target network. At this phase, organizations can employ several controls to mitigate or even prevent such an event. The use of network and host intrusion detection and prevention systems is one such mechanism that can serve as a security control at this phase.

5.     Installation. After successfully exploiting the targeted system, the malware moves to install itself onto the targeted information system. At this point, the malware begins to download additional payloads if network access is available. This approach allows the delivery payload to remain small and harder to detect. Because of its small size, the malware in this example would have limited functionality. Therefore, the malware downloads additional components to gain better control of the exploited information systems and to penetrate further into the target organization's network. A security control that could be implemented at this phase is a zero-trust approach.

Zero trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters. Instead, they must verify anything and everything trying to connect to their systems before granting access. Such an approach would mitigate the installation of unverified software that could potentially be malicious.

6.     Command and Control. Command and control, or C2 for short, is when the attacker has placed a management and communication mechanism within the payload that infected the target network. This mechanism allows the attacker to manage the malware in the environment remotely. It enables the attacker to move deeper into the network, exfiltrate data, deny service operations, or carry out destruction. For example, the malware that infected the network continuously listens on port 31337 for instructions on what action to carry out on the target machine. To mitigate this, administrators should have adequately configured network access control lists so that malware cannot use ports that fall outside a whitelisted range of ports.
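The two C2 signals described above, traffic to a port outside the whitelisted range and an agent that checks in on a fixed schedule, can both be pulled out of a connection log. The following is an added example, not code from the article: it parses a constructed log sample in an assumed format, reports connections to destination ports outside an assumed allowlist, and flags flows that recur at near-regular intervals, which is how a beacon to or from a listener on a port such as 31337 tends to show up.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed sample of connection log lines (not from the article). Assumed format:
# "<ISO time> <sensor> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 fw1 203.0.113.7:40001 -> 10.0.0.5:31337 TCP
2024-03-01T09:00:03 fw1 10.0.0.5:49153 -> 198.51.100.20:443 TCP
2024-03-01T09:01:00 fw1 203.0.113.7:40002 -> 10.0.0.5:31337 TCP
2024-03-01T09:02:00 fw1 203.0.113.7:40003 -> 10.0.0.5:31337 TCP
2024-03-01T09:02:41 fw1 10.0.0.5:49156 -> 198.51.100.20:443 TCP
2024-03-01T09:03:00 fw1 203.0.113.7:40004 -> 10.0.0.5:31337 TCP
2024-03-01T09:03:10 fw1 10.0.0.5:49158 -> 192.0.2.9:8443 TCP
"""
# Destination ports the ACL permits (an assumed allowlist); anything else is reported.
ALLOWED_PORTS = {25, 53, 80, 443}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<src>[\d.]+):\d+ -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\S+)$")

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def non_allowlisted(events, allowed=ALLOWED_PORTS):
    """Connections to ports outside the allowlist: what a deny-by-default ACL would block."""
    return [e for e in events if e["dport"] not in allowed]

def beacon_candidates(events, min_hits=3, max_jitter=0.2):
    """Flows (src, dst, port) seen at near-regular intervals, mapped to mean gap in seconds.
    Regularity is stdev/mean of the gaps; a fixed sleep in a C2 agent gives a value near 0."""
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    found = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[flow] = round(avg, 1)
    return found
```

Real agents add random jitter to their sleep, so `max_jitter` is a tuning knob rather than a fixed threshold; the allowlist check is the stronger of the two signals and is what the ACL enforces.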

7.     Actions on Objectives. The activities and objectives of the malware depend on its specific mission. For example, the malware could be focused on data exfiltration, denial of service, or destruction. The deployment of honeypots across the network is a reasonable security control to implement to identify the actions and objectives of an attacker and of the malware delivered. A honeypot is a network-attached system set up as a decoy to lure attackers and to detect, deflect, or study attempts to gain unauthorized access to information systems. The function of a honeypot is to present itself on the internet as a potential target for attackers, usually a server or other high-value target, and to gather information about and notify defenders of any attempts by unauthorized users to access it.

It is worth noting that no single security measure is 100% effective against cyber-attacks. Just as attackers may follow the cyber kill chain, organizations should follow a Defense in Depth approach to protecting their assets. Defense in Depth is an approach to cybersecurity in which a series of defensive mechanisms are layered to protect valuable data and information. This multi-layered approach, with intentional redundancies, increases the security of a system and addresses many different attack vectors.