Cybersecurity conversations often fall on the pessimistic side, and for good reason. The cyber threat landscape is vast, ever-changing, and largely uncharted. The mood was especially sour in the earlier days, when research and talent in the field was virtually non-existent. This melancholy persists today and translates into defensive models that view every node on the Internet as perpetual prey to hackers and crooks.
The common perception is that a computer security system has to succeed every single time, while a hacker only has to succeed once. Counter-terrorists and epidemiologists express similar attitudes about ISIS and disease. However, this attitude is fundamentally flawed and places IT staff and leadership at a serious disadvantage. Organizations either take a defeatist approach, where cybersecurity is seen as a futile endeavor, or a paranoid one, where excessive controls hamper business operation.
The cyber kill chain model, originally developed by researchers at Lockheed Martin, reverses this dynamic: It is in fact the adversary who must succeed in several stages. If the defender can foil him at any one of those stages, the adversary is defeated and must start over. This upends the notion that a hacker need only succeed once and places the stakeholders on the high ground.
The notion of a kill chain derives from military doctrine the U.S. Air Force uses in fighting wars. During combat missions, an aerial attacker will follow a six step process to kill an enemy. The six phases of the Air Force kill chain are abbreviated as F2T2EA: Find, Fix, Track, Target, Engage, and Assess. A defender in turn can attempt to deceive, deny, degrade, disrupt, or destroy the attacker.
Suppose a weaponized drone is flying over a hostile area and finds an enemy cargo truck carrying weapons. It can use its sensors to fix the exact location of the truck. The drone can then remain in the air over the truck and track it returning to the enemy base. Having discovered the enemy encampment, the drone targets the enemy soldiers. The drone then engages the enemy with its weapons. The drone can then assess whether or not the enemy has been destroyed or if the drone needs to attack again.
If the enemy is able to thwart the drone during any stage of this process then the drone is defeated and the entire procedure must start over again. For example, the enemy could disguise the cargo truck as a civilian vehicle, deceive the drone, and avoid being found. They could change vehicles or take tunnels and disrupt the drone’s tracking. They could hide their base inside a mountain and deny the drone from targeting and engaging them. If the drone attacks but fails to get all the soldiers, the remaining enemy could destroy the drone.
The Cyber Kill Chain
Compromising a system’s security is almost never a single-step process. Like the drone, a hacker must complete a multi-phase campaign of information gathering and scheming to accomplish his goals. The cyber kill chain identifies the stages of this process. If the attacker is thwarted at any point in the process, then he is defeated and must completely start over. The cyber kill chain is as follows:
- Reconnaissance – The attacker researches and selects his targets. He then begins information gathering on his chosen targets. He looks for vulnerabilities, possibly using automated tools like NMAP.
- Weaponization – The attacker creates a piece of malware that will exploit a specific vulnerability on a target machine and permit remote access. The malware could be created using automated tools like MSFvenom.
- Delivery – The attacker transmits the malware to the target. Email with malicious attachments, SQL injection, and physical media are all plausible methods of delivery.
- Exploitation – Once the malware arrives on the target host, the exploit is triggered. An exploit that provides root control of a target would permit the attacker to execute any commands that the most privileged user could execute.
- Installation – The attacker installs a backdoor or remote access malware on the target system. This malware will likely have some stealthy and persistent traits. It will be difficult for a user to detect and will survive a machine reboot.
- Command and Control (C2) – The victim beacons out to a C2 server, through which the attacker controls the victim. This provides the attacker access to the target network. The C2 server may be owned by the attacker. The more likely scenario is that it is yet another victim being used as a jumping point to attack other systems.
- Actions on Objectives – Having successfully completed all six previous phases, the attacker can now pursue his goal. This may involve exfiltrating data, or simply using the system as a jumping off point to attack yet another system.
The attacker must defeat the defender in all seven phases to win, while the defender only has to defeat the hacker once. This perspective avoids the defeatist trap and encourages building a practical defense in depth (DiD) strategy. DiD involves adopting multiple layers of security controls with the assumption that at least two controls will fail. Implementing security controls that correspond to each phase of the cyber kill chain would make for a robust DiD posture. Go back through the seven phases and start examining your company’s existing controls. Are you covering every phase of the kill chain? Ask questions like:
- How much can someone learn about our company and our employees through our official websites? Can any of that information be used maliciously?
- Could an attacker leverage information that our employees post on their Facebook, LinkedIn, and Twitter accounts?
- Can we take steps to eliminate or mitigate known software vulnerabilities on our systems?
- Are there any out-of-date or legacy systems on our network?
- Are our employees trained to recognize phishing emails and social engineering attempts?
- What is our company policy regarding employees using personal devices at work? Do employees understand the risk involved in connecting unapproved devices to the network?
- How many employees have administrative privileges on their computers?
- Has anyone installed programs on the machines that are not work related?
- Is our antivirus up to date? How frequently is antivirus updated?
- Does our security suite include a way of detecting unexpected changes to the file system?
- How frequently do we review network logs to check for strange activity?
- Does our security suite include a way of detecting known C2 traffic patterns?
Action on Objectives:
- Is it necessary for every system to be online and connected to the internet at all times, or for every employee to have full access to his network account 24 hours a day?
- Does every system need to be able to connect to every other system, or can some be segregated from the rest of the network?
Author: Louis Papa
Silent Storm Security Contributor | Security Engineer