The Cyber Kill Chain

Rodolfo Santos Flaborea
6 min read · Oct 14, 2024


The Cyber Kill Chain (aka Intelligence-Driven Computer Network Defense) is an attack model proposed by Lockheed Martin. It puts forward the idea that an attack is a phased event. Each stage can be detected and analyzed, and such information can be leveraged as intelligence, helping to build a proactive defensive security posture.

The Cyber Kill Chain. Extracted from: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html.

In principle, the concept of a proactive posture goes against the general practice of responding only after attackers have already infiltrated the organizational network and most probably acted upon their objectives (e.g., data exfiltration, compromising information integrity, or denying access to critical systems). The kill chain model doesn’t question the validity of computer incident response; it critiques relying on that control alone, which forms a predominantly reactive security program.

To provide assertive security controls, the Cyber Kill Chain supports leveraging intelligence on threat actors, feeding into and from risk assessment and management, i.e., “an intelligence feedback loop.” It’s an iterative effort: proposing initial countermeasures, collecting and analyzing data on further attacks (and their stages), and from them continuously improving the overall cybersecurity program. Through this process, the model helps prioritize cybersecurity resource investment and measure controls’ effectiveness and performance against attacks.

The idea of an attack as a sequence of phases isn’t new. Mandiant’s Exploitation Lifecycle and models on insider threats brought up this concept before Lockheed Martin, although without mapping countermeasures to attack phases. From a kinetic action perspective, US Military doctrine also establishes different stages of an attack, from IEDs to air operations: reconnoitering the target, selecting the payload, and executing the attack. Lockheed Martin derived the Cyber Kill Chain from these, applying it as a model to cyber threat actors.

Kill Chain Phases

The Cyber Kill Chain, as a “systematic process to target and engage an adversary,” has 7 stages:

1. Reconnaissance: the attacker researches the target organization’s systems (and their probable vulnerabilities), employees, and potentially valuable assets, considering the established objectives for the attack. Typical methods involve open-source intelligence (OSINT), like company websites, social media, and vulnerability databases. Non-technical methods can also be used, like dumpster diving. The recon phase ends when the threat actor determines that the victim is a viable target and chooses the initial attack vector.

2. Weaponization: engineering the payload by developing malware and coupling it with a delivery method, like a text editor’s document. Such personalized solutions are typically aimed at zero-day vulnerabilities. For well-known vulnerabilities, there are “off-the-shelf” solutions. This phase concludes when the threat actor has a viable piece of malware.

3. Delivery: initiating the attack by delivering the payload into the target system. Common vectors include social engineering (e.g., phishing), web-based attacks, and plugging in malicious hardware (e.g., a USB stick).

4. Exploitation: the malware’s code is executed/triggered by exploiting a vulnerability in the system or the user’s behavior.

5. Installation: the malware is stealthily installed on target systems, typically with a back door or a remote access trojan (RAT), providing necessary persistence.

6. Command and Control (C2): the installed malware establishes a communication channel with the threat actor’s external systems (e.g., a server). The malware receives commands and transmits data through this channel, providing remote access to adversary operators (real-time [direct terminal access] or delayed [e.g., through social media or email messages]).

7. Action on Objectives: the threat actor executes the attack objectives, which can be quite varied, ranging from data exfiltration (confidentiality violation) to compromising the integrity of relevant information (integrity violation), blocking system access (availability violation), or moving laterally for further infiltration and increased stealth.

Indicators of Compromise

To identify each attack stage, Lockheed Martin’s paper proposed the idea of Indicators of Compromise (IoC), a fundamental concept in today’s cybersecurity practice. They signal possible malicious activity and therefore help define basic detection parameters for each attack stage. There are three types of IoC:

  • Atomic: data that has value in itself, without the need for further analysis or processing. In other words, they can’t be broken down further. Email and IP addresses are examples of atomic IoCs.
  • Computed: indicators derived from computing on raw data obtained from an incident. Examples are hashes from malware or regular expressions (regex).
  • Behavioral: a set of indicators, atomic and computed, often further associated with measures or combined into sequences. They are generated by the interaction of the threat actor with the system’s environment, so they delineate an action profile for an attack. An example of a behavioral indicator is “a certain amount of traffic from a particular source to a specific destination IP at a certain time of day.”

Organizations encounter IoCs by detecting them during an attack. Upon discovery, the IoCs are inserted into detection tools (appliances/applications), where they mature as functional parameters, helping identify new attacks. This process may yield additional indicators that were previously undetected, which then go through the same steps of discovery, maturing, and utilization. In the Cyber Kill Chain model, this process is called the IoC lifecycle. Implementing this lifecycle provides crucial insights.
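The three IoC types and their use as detection parameters, as an added example that is not part of the original post or of Lockheed Martin’s paper. All indicators, the sample payload and the log records are constructed placeholders; the behavioral rule implements the “N flows from a source to a destination at a certain hour” example from the list above.

```python
import hashlib
import re
from collections import defaultdict

# Constructed indicators for illustration only; none come from the article or a real incident.
ATOMIC_IPS = {"203.0.113.45"}                        # atomic: the value is meaningful as-is
ATOMIC_EMAILS = {"invoice@example-phish.test"}
SAMPLE_PAYLOAD = b"constructed sample payload"        # raw data recovered from an incident
COMPUTED_HASHES = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}   # computed: derived from raw data
COMPUTED_REGEX = re.compile(r"/update\.php\?id=[0-9a-f]{8}$")   # computed: pattern over URLs
# behavioral: (src, dst, hour_of_day, min_flows) - only meaningful after aggregating records
BEHAVIORAL = [("10.0.0.7", "198.51.100.9", 3, 3)]

def match_record(rec: dict) -> list:
    """Atomic and computed indicators are checked per record; returns (type, value) hits."""
    hits = []
    if rec.get("dst_ip") in ATOMIC_IPS:
        hits.append(("atomic", rec["dst_ip"]))
    if rec.get("sender") in ATOMIC_EMAILS:
        hits.append(("atomic", rec["sender"]))
    if rec.get("sha256") in COMPUTED_HASHES:
        hits.append(("computed", rec["sha256"]))
    if COMPUTED_REGEX.search(rec.get("url", "")):
        hits.append(("computed", COMPUTED_REGEX.pattern))
    return hits

def match_behavioral(records: list) -> list:
    """Behavioral indicators need aggregation: count flows per (src, dst, hour) first."""
    counts = defaultdict(int)
    for rec in records:
        if all(k in rec for k in ("src_ip", "dst_ip", "hour")):
            counts[(rec["src_ip"], rec["dst_ip"], rec["hour"])] += 1
    return [("behavioral", f"{counts[(src, dst, hour)]} flows {src}->{dst} at {hour:02d}h")
            for src, dst, hour, min_flows in BEHAVIORAL if counts[(src, dst, hour)] >= min_flows]

def scan(records: list) -> list:
    """Run all three indicator types over a batch of records."""
    hits = [h for rec in records for h in match_record(rec)]
    return hits + match_behavioral(records)

# Constructed log records: three night-time flows, one flow to a known-bad IP, one mail, one URL.
SAMPLE_RECORDS = [
    {"src_ip": "10.0.0.7", "dst_ip": "198.51.100.9", "hour": 3},
    {"src_ip": "10.0.0.7", "dst_ip": "198.51.100.9", "hour": 3},
    {"src_ip": "10.0.0.7", "dst_ip": "198.51.100.9", "hour": 3},
    {"src_ip": "10.0.0.8", "dst_ip": "203.0.113.45", "hour": 14},
    {"sender": "invoice@example-phish.test", "sha256": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()},
    {"src_ip": "10.0.0.9", "dst_ip": "192.0.2.1", "hour": 9, "url": "http://192.0.2.1/update.php?id=deadbeef"},
]
```

Running `scan(SAMPLE_RECORDS)` yields two atomic, two computed and one behavioral hit; note that no single night-time flow record matches on its own, which is what makes the last indicator behavioral rather than atomic.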

The IoC life cycle. Extracted from: Hutchins, Eric M., Michael J. Cloppert, and Rohan M. Amin. “Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains.” Leading Issues in Information Warfare & Security Research 1.1 (2011): 80.

First, it enables the operationalization of specific security controls for different attack stages. A matrix for different courses of action illustrates those controls and the security role each of them fills: “detect, deny, disrupt, degrade, deceive, and destroy.” It’s derived from the US Department of Defense Information Operations (IO) doctrine.

Cyber Kill Chain courses of action matrix. Extracted from: Hutchins, Eric M., Michael J. Cloppert, and Rohan M. Amin. “Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains.” Leading Issues in Information Warfare & Security Research 1.1 (2011): 80.

Metrics further improve this set of actions by showing which mitigations the organization achieved, and which security gaps allowed unforeseen attacks to happen.

Second, it shows that threat actors display regular attack patterns, often using the same infrastructure, tactics, techniques, and procedures (TTPs) due to APTs’ operational and budget constraints. When leveraged through IoCs, such predictability provides applicable countermeasures, even against zero-day attacks: the exploit may be used in one of the phases, but controls can be deployed to stop the attack further down the chain, since the adversary reuses methods on the chain’s other links.
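The per-phase metrics and the “stopped further down the chain” effect described in the last two paragraphs, as an added example that is not part of the original post or of Lockheed Martin’s paper. The known indicators and the three intrusions are constructed placeholders; intrusion-2 carries an unseen exploit but reuses the C2 domain, so it is still caught at Command and Control.

```python
from collections import defaultdict

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",   # kill chain order
          "Installation", "Command and Control", "Action on Objectives"]

# Constructed indicators matured from an earlier, fully analysed intrusion (placeholders, not real IoCs).
KNOWN_INDICATORS = {
    "sender:billing@example-phish.test",               # seen at Delivery
    "sha256:<hash of the earlier exploit document>",   # seen at Exploitation
    "domain:update.example-c2.test",                   # seen at Command and Control
}
# Constructed later intrusions: phase -> indicator observed at that phase.
INTRUSIONS = {
    "intrusion-1": {  # same playbook as the analysed intrusion
        "Delivery": "sender:billing@example-phish.test",
        "Exploitation": "sha256:<hash of the earlier exploit document>",
    },
    "intrusion-2": {  # new (zero-day) exploit, but the C2 infrastructure is reused
        "Delivery": "sender:ops@example-phish2.test",
        "Exploitation": "sha256:<hash of a new exploit document>",
        "Installation": "path:<constructed dropper path>",
        "Command and Control": "domain:update.example-c2.test",
    },
    "intrusion-3": {  # nothing reused: the chain completes undetected
        "Delivery": "sender:hr@example-phish3.test",
        "Exploitation": "sha256:<hash of another new exploit document>",
        "Command and Control": "domain:cdn.example-c2b.test",
        "Action on Objectives": "egress:<constructed bulk upload>",
    },
}

def stopped_at(intrusion, known):
    """Earliest phase at which a known indicator fires; None if the chain completes undetected."""
    for phase in PHASES:
        if intrusion.get(phase) in known:
            return phase
    return None

def phase_metrics(intrusions, known):
    """Per phase: (intrusions observed there, intrusions detected there)."""
    seen, detected = defaultdict(int), defaultdict(int)
    for chain in intrusions.values():
        for phase, indicator in chain.items():
            seen[phase] += 1
            detected[phase] += indicator in known
    return {p: (seen[p], detected[p]) for p in PHASES if seen[p]}

def gaps(intrusions, known):
    """Phases where intrusions were observed but no control fired: the security gaps to close."""
    return [p for p, (_, d) in phase_metrics(intrusions, known).items() if d == 0]
```

`gaps(INTRUSIONS, KNOWN_INDICATORS)` points at Installation and Action on Objectives as the phases with no working detection, which is where the next round of the intelligence feedback loop should invest.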

Overall, the idea is, whenever and however possible, to increase the (financial, organizational, and technical) costs for threat actors to perform an attack. So even if adversaries adapt (and they can), the effort required to do so exceeds the offensive benefit. It’s an iterative and continuous process, pushing detection and analysis earlier in the chain and enabling organizations to “maintain a tactical advantage” over adversaries.

On a broader level, it’s possible to aggregate multiple attacks based on their commonalities, which may reveal entire campaigns that a threat actor executes against its targets. A campaign analysis provides data with a double benefit: it helps to improve the organization’s security program continuously and, as collateral, helps with threat actor attribution by identifying capabilities, infrastructure, intent, and general threat doctrine.

Shortcomings

Although quite innovative and operationalizable, the Cyber Kill Chain has two main limitations. First, it focuses on intrusions based on malware. It’s established today that attacks may be performed without malware, like in remote access using stolen credentials. Second, when proposed initially, the model didn’t consider that the same threat actor may perform multiple attacks simultaneously against the same organization.

The Diamond Model of Intrusion Analysis, which the next post will discuss, covers those shortcomings while taking full advantage of the general kill chain concept.

References

Duran, Felicia, et al. “Building a system for insider security.” IEEE Security & Privacy 7.6 (2009): 30–38.

Hutchins, Eric M., Michael J. Cloppert, and Rohan M. Amin. “Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains.” Leading Issues in Information Warfare & Security Research 1.1 (2011): 80.

Mandiant. M-Trends: The Advanced Persistent Threat, January 2010. URL http://www.mandiant.com/products/services/m-trends.
