Foreword
Security is everyone's concern, whether you are a receptionist or an engineer, and whether you work in an office or from home.
We all have a part to play in ensuring our organisations and systems stay secure.
As we continue through Cyber Security Awareness Month (CSAM), I wanted to ensure that people are aware of some of the 'core' security concepts.
Over the course of CSAM, I will be writing posts about aspects of cybersecurity / mainframe-security.
In today's post, following the recent IBM Z Day, I shall briefly explain Lockheed Martin's "Cyber Kill Chain".
A Quick Overview
Developed by Lockheed Martin, the Cyber Kill Chain® framework aids in the identification and prevention of cyber intrusion activity by encapsulating the main steps that threat agents must complete in order to achieve their objective.
Lockheed Martin adapted the concept of the kill chain from a military setting to information security, using it as a method for modelling intrusions on a computer network.
This framework dissects the sequence of a cyberattack into distinct stages, which gives defenders visibility into how far an attack has progressed and enriches analysts' understanding of an adversary's tactics, techniques and procedures (TTPs).
As organisations find themselves trying to secure a maze of interconnected systems and data, this framework provides a simple roadmap to follow when fortifying against digital risks.
There are seven 'links' in the Cyber Kill Chain, with each link representing a different phase of a cyberattack that threat agents must progress through.
From early reconnaissance through to the final actions on objectives (such as data exfiltration), each of these links will be elaborated upon through the rest of this article.
Throughout this article, we may also refer to the 'Cyber Kill Chain' with the acronym CKC.
1) Reconnaissance
Much like the heist in Ocean's 11, there is value in "getting the lay of the land" and gathering intel on a target, and that value cannot be overstated.
This is the initial phase of the CKC, where the attacker collects as much information about the target as possible, including system specifications and network infrastructure.
Reconnaissance may involve scanning for vulnerabilities, researching potential entry points, and identifying potential targets (systems and people) within the organisation.
In practice, attackers could sift through the World Wide Web looking for information within social media pages, websites, blogs, etc., or they may use network scanning and tracing tools against the organisation's Internet-facing systems.
OSINT (Open-Source Intelligence) also falls under reconnaissance; this involves collecting information from publicly available resources, such as government business registers that reveal the company's size, and published email addresses and phone numbers.
Ultimately, any information gathered by the attacker is at risk of being used in later stages of the cyber kill chain, as it may assist threat agents in the design and delivery of a payload.
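To show what the scanning side of reconnaissance looks like from the defender's seat, here is an added example (not code from the original post) that flags web-scanning behaviour in web-server access logs: a client that requests many distinct paths in a short window, mostly receiving 404s or probing well-known sensitive paths. The log lines, thresholds and probe-path list are constructed assumptions for illustration and would be tuned to a real site.

```python
"""Flag likely reconnaissance (web scanning) in web-server access logs.

Added example, not from the original post. Thresholds, the probe-path list
and the sample log lines are assumptions / constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths real users rarely request but scanners routinely probe for (assumed list).
PROBE_PATHS = ("/.git/", "/.env", "/wp-login.php", "/phpmyadmin", "/admin",
               "/xmlrpc.php", "/cgi-bin/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, window=timedelta(minutes=5), min_requests=10,
                  min_distinct_paths=8, min_404_ratio=0.5):
    """Return {ip: summary} for clients whose behaviour looks like scanning:
    many requests for many distinct paths inside `window`, where either most
    requests fail (404) or known probe paths are touched."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: from each request, look at the ones within `window` after it.
        for i, start in enumerate(recs):
            win = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            if len(win) < min_requests:
                continue
            paths = {r["path"] for r in win}
            ratio_404 = sum(r["status"] == 404 for r in win) / len(win)
            probes = sorted(p for p in paths if p.startswith(PROBE_PATHS))
            if len(paths) >= min_distinct_paths and (ratio_404 >= min_404_ratio or probes):
                findings[ip] = {"requests": len(win), "distinct_paths": len(paths),
                                "ratio_404": round(ratio_404, 2), "probe_paths": probes,
                                "user_agent": win[0]["ua"]}
                break  # one finding per client is enough
    return findings


def _log(ip, ts, path, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample: a scanner hammering probe paths, and one ordinary visitor.
SAMPLE_LOG = [
    _log("203.0.113.7", f"01/Oct/2024:09:00:{s:02d} +0000", p, st, "python-requests/2.31")
    for s, (p, st) in enumerate([
        ("/", 200), ("/robots.txt", 200), ("/.env", 404), ("/.git/config", 404),
        ("/wp-login.php", 404), ("/phpmyadmin/", 404), ("/admin/", 404),
        ("/xmlrpc.php", 404), ("/cgi-bin/test.cgi", 404), ("/backup.zip", 404),
        ("/config.php", 404), ("/login", 200),
    ])
] + [
    _log("198.51.100.20", f"01/Oct/2024:09:00:{s:02d} +0000", p, 200)
    for s, p in enumerate(["/", "/about", "/products", "/products/42", "/contact"])
]

if __name__ == "__main__":
    for ip, summary in find_scanners(SAMPLE_LOG).items():
        print(ip, summary)
```

Run on the constructed sample, only 203.0.113.7 is reported (12 requests, 12 distinct paths, 75% 404s, seven known probe paths, a scripting user agent); the ordinary visitor never reaches the request threshold. The same sliding-window logic applies to any log source that yields (client, time, resource, outcome) tuples.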
2) Weaponisation
Using knowledge gained during a successful reconnaissance stage, the Weaponisation phase involves the development of a deliverable payload.
This is crafted by combining malware (e.g. Remote Access Trojans), exploits and other weaponised content into something the target will open or run.
Threat agents are most likely to use automated tools to generate the malware, or may turn to the Dark Web to purchase it.
However, some threat agents write bespoke malware whose signature is unknown to security products, so that it can evade signature-based detection on the target system.
The less knowledge that was gained during reconnaissance, the more generic (and potentially less effective) the payload will be.
3) Delivery
This stage involves transmitting / delivering the payload, which may be carried out by:
- Sending out (spear)phishing emails holding infected attachments.
- Depositing malware-laden USB sticks at a company's site.
- Watering hole attacks designed to trigger a drive-by download.
User actions could be required during this stage, such as clicking suspect web-links or actively downloading files that are malicious.
Delivery is where attackers push the payload through whatever channel they can reach, so the countermeasures that matter here are regular software patching, vulnerability scanning and penetration testing to close the entry points the payload is aiming for, alongside the following:
- Physical countermeasures, such as locking down USB ports and only accepting packages from trusted suppliers.
- Digital countermeasures, such as email security settings that block messages from unverified senders, and firewalls or web proxies that prevent access to unknown websites.
- Training that enhances end-user knowledge of risks and threats, so that suspicious messages and files are recognised and reported rather than acted upon.
4) Exploitation
After the payload reaches the target, the victim triggers the exploit by opening the email attachment or clicking on a malicious link, whereupon code is executed in the attacked environment to exploit a vulnerability and establish initial access to the network.
After gaining access to the system, the malicious actor could exploit software, system or server-based vulnerabilities to escalate privileges or move laterally through the network.
The attacker might also apply a "zero-day exploit" in this stage, meaning the threat agents are utilising a software vulnerability that the software vendor is not yet aware of (or has not yet patched), so no fix is available to defenders.
5) Installation
Following the Exploitation phase, where vulnerabilities are used to the hackers' benefit, malicious code will be installed to ensure that access can be re-established in the future.
Attackers may lose their connection to a system or be detected and 'evicted' from the system, so they will want to guarantee that they can return at their own convenience, which can be achieved by installing a persistent backdoor.
The exact method used during the Installation phase can vary, with some hackers using Web Shells or the modification of Windows Services, but these all function towards helping the attacker establish control and manage their illicit activities while evading detection.
Installation of malware and backdoors can be prevented or mitigated through the use of application whitelisting (allow-listing), which only permits authorised software to run on the system.
6) Command & Control
This phase is also known as C&C or C2; the regular "call-home" traffic an implant generates is often called beaconing.
Attackers will attempt to establish communication channels with the compromised system, in order to maintain control and to manage illicit activities whilst avoiding detection.
Until recently, Internet Relay Chat (IRC) was the traditional C&C channel used by attackers; however, modern security solutions are getting better at detecting malicious IRC traffic, so we now find that the two most commonly used channels are:
- HTTP on port 80 and/or HTTPS on port 443 - this channel blends malicious traffic in with legitimate web traffic, which helps the attacker to evade detection.
- Domain Name System (DNS) tunnelling - the infected system makes recurring DNS requests for names under a domain the attacker controls, with commands and data encoded in the query names and responses, so the traffic reaches the attacker's authoritative name server even where direct outbound connections are blocked.
C&C can be disrupted by maintaining vigilant network monitoring and advanced threat detection, whereupon C&C channels can be unmasked and blocked.
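Both channels above leave statistical fingerprints that network monitoring can pick up. As an added example (not code from the original post), the following Python flags beaconing in proxy logs, where one client contacts one host at near-constant intervals, and DNS tunnelling in resolver logs, where one client asks for many distinct, long, high-entropy subdomains of a single domain. The event lists are constructed, and the thresholds are assumptions to be tuned per environment.

```python
"""Heuristics for spotting C2 beaconing over HTTP(S) and DNS tunnelling.

Added example, not from the original post. The sample events are constructed
and the thresholds are assumptions a SOC would tune to its own environment.
"""
import hashlib
import math
import statistics
from collections import Counter, defaultdict


def beacon_candidates(events, min_connections=8, max_jitter=0.2):
    """events: iterable of (epoch_seconds, src_ip, dest_host).
    Flags (src, dest) pairs with many connections whose inter-arrival times
    vary little (low coefficient of variation): what a call-home timer looks
    like in proxy logs, as opposed to bursty human browsing."""
    series = defaultdict(list)
    for ts, src, dest in events:
        series[(src, dest)].append(ts)
    findings = {}
    for key, times in series.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            findings[key] = {"connections": len(times),
                             "period_s": round(mean, 1), "jitter": round(cv, 3)}
    return findings


def shannon_entropy(s):
    """Bits of entropy per character; encoded/encrypted data scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Split a query name into (registered domain, subdomain part).
    Naive: last two labels. Real tooling should use the Public Suffix List."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:]), ".".join(parts[:-2])


def dns_tunnel_candidates(queries, min_unique_subdomains=20, min_avg_len=30,
                          min_entropy=3.0):
    """queries: iterable of (src_ip, qname). Flags (src, domain) pairs where the
    host asks for many distinct, long, high-entropy subdomains: data is being
    carried in the query names to the attacker's authoritative server."""
    per_domain = defaultdict(set)
    for src, qname in queries:
        dom, sub = registered_domain(qname)
        if sub:
            per_domain[(src, dom)].add(sub)
    findings = {}
    for key, subs in per_domain.items():
        if len(subs) < min_unique_subdomains:
            continue
        avg_len = statistics.fmean(len(s) for s in subs)
        avg_ent = statistics.fmean(shannon_entropy(s) for s in subs)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            findings[key] = {"unique_subdomains": len(subs),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return findings


# Constructed proxy events: an implant calling home once a minute with a few
# seconds of jitter, and a person browsing a news site in irregular bursts.
_BASE = 1_700_000_000
SAMPLE_PROXY = (
    [(_BASE + 60 * i + j, "10.0.0.5", "cdn-update.example.net")
     for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 2, -3, 0, 1, -1])]
    + [(_BASE + t, "10.0.0.9", "news.example.com")
       for t in [0, 5, 7, 200, 900, 905, 4000, 4010, 9000, 9100]]
)

# Constructed DNS queries: hex-encoded data smuggled in subdomains of one
# domain, versus ordinary short host lookups that are numerous but benign.
SAMPLE_DNS = (
    [("10.0.0.5", f"{hashlib.sha256(str(i).encode()).hexdigest()[:40]}.tun.example.org")
     for i in range(25)]
    + [("10.0.0.9", f"host{i}.corp.example.com") for i in range(25)]
    + [("10.0.0.9", "www.example.com")]
)

if __name__ == "__main__":
    print("beacons:", beacon_candidates(SAMPLE_PROXY))
    print("dns tunnels:", dns_tunnel_candidates(SAMPLE_DNS))
```

On the constructed data, only the 10.0.0.5 to cdn-update.example.net series is reported as a beacon (period about 60 s, jitter well under 5%), and only 10.0.0.5's queries under example.org are reported as tunnelling; the 26 short corp.example.com lookups from 10.0.0.9 pass the count threshold but fail the length and entropy checks, which is the point of combining them. Real implants add random sleep jitter, so the `max_jitter` threshold and a longer observation window are where tuning effort goes.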
7) Actions on Objectives
After going through the last six phases of the CKC, the attackers can start taking actions towards their original objectives.
With consistent access via the C&C channel, the attacker will work towards whichever of the following goals are relevant to them:
- Collect and exfiltrate sensitive data, or hold valuable data to ransom.
- Overwrite, manipulate or corrupt important data.
- Accumulate information about users, from login credentials to personal details.
- Perform privilege escalation (e.g. gaining elevated access by exploiting a misconfiguration).
- Internal reconnaissance (e.g. studying internal software to find its vulnerabilities).
- Delete backups and shadow copies (Volume Shadow Copies are point-in-time snapshots of files / volumes on Windows), so that the victim cannot simply restore what was destroyed or encrypted.
Here, a well-drilled incident response plan, robust encryption, and data loss prevention measures are your last line of defence.
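The last item in the list above is one of the few objectives that reliably shows up in audit logs before the damage lands, because the built-in tools used to remove Volume Shadow Copies and backup catalogues have distinctive command lines. As an added example (not code from the original post), the following Python runs a small set of command-line rules over constructed process-creation events; the rule list and the event fields are assumptions for illustration, not an exhaustive signature set.

```python
"""Flag commands that destroy backups and Volume Shadow Copies.

Added example, not from the original post. The process-creation events are
constructed (field names loosely modelled on Sysmon / Windows 4688 events) and
the rule list is an assumption, not an exhaustive signature set.
"""
import re

# Each rule: (name, regex applied to the normalised command line).
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b")),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"win32_shadowcopy.*\bdelete\b")),
]


def normalise(cmd):
    """Lower-case, strip quotes and collapse whitespace so that full paths,
    quoting and spacing variations of the same command still match."""
    cmd = cmd.lower().replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", cmd).strip()


def match_rules(command_line):
    """Return the names of every rule that matches this command line."""
    norm = normalise(command_line)
    return [name for name, rx in RULES if rx.search(norm)]


def scan_events(events):
    """events: iterable of dicts with 'host', 'user' and 'command_line'.
    Returns one finding per event that matches at least one rule."""
    findings = []
    for ev in events:
        hits = match_rules(ev.get("command_line", ""))
        if hits:
            findings.append({"host": ev.get("host"), "user": ev.get("user"),
                             "rules": hits, "command_line": ev.get("command_line")})
    return findings


# Constructed events: three classic pre-ransomware commands on one workstation,
# a benign listing by a backup service account, a PowerShell WMI variant, and
# an ordinary Office launch.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "user": "CORP\\jdoe",
     "command_line": "C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS-0412", "user": "CORP\\jdoe",
     "command_line": "wmic.exe shadowcopy delete"},
    {"host": "WS-0412", "user": "CORP\\jdoe",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"host": "SRV-BKP1", "user": "CORP\\svc_backup",
     "command_line": "vssadmin list shadows"},
    {"host": "WS-0077", "user": "CORP\\asmith",
     "command_line": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }"'},
    {"host": "WS-0077", "user": "CORP\\asmith",
     "command_line": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n'},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["host"], f["user"], f["rules"], "<-", f["command_line"])
```

Four of the six constructed events are reported; the read-only `vssadmin list shadows` and the Office launch are not. In practice this belongs in the SIEM as a high-severity rule, with an exception list for the backup software that legitimately resizes shadow storage, and a correlation that treats several hits on one host within minutes as a single "ransomware staging" incident.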
Defensive Actions for each Step
Actions to defend against the seven links in the CKC were outlined by John Franco in 2010:
- Reconnaissance - use web analytics to detect scanning and probing, and firewalls to deny access to attackers.
- Weaponisation - use Network Intrusion Detection Systems (NIDS) for detection and Network Intrusion Prevention Systems (NIPS) to deny the payload and contain it from spreading across the network.
- Delivery - train staff through regular security awareness training to keep them vigilant of threats; use proxy filters and antivirus software to deny delivery, and application-aware firewalls to contain the payload from spreading across the network.
- Exploitation - keep systems patched so that the vulnerabilities attackers rely on are fixed, and use Host-Based Intrusion Detection Systems (HIDS) to detect intrusions; antivirus software can disrupt the payload, while Data Execution Prevention (DEP) stops code from executing out of memory regions that should only hold data, such as the stack or heap.
- Installation - keep systems patched and use HIDS to detect intrusions, while an Endpoint Protection Platform (EPP) can disrupt the installation of backdoors.
- Command & Control - use NIDS for detection and NIPS to deny the channel, while ACLs and trust zones help to contain and mitigate the threat.
- Actions on Objectives - thoroughly check audit logs to detect unexpected and suspicious actions, introduce honeypots to deceive the threat agent, and use ACLs and trust zones to contain and mitigate the threat.
Conclusion
In the dynamic realm of cybersecurity, fortifying against each step of the Cyber Kill Chain is an ongoing and persistent battle.
It is a battle that necessitates a blend of technical countermeasures, employee education and up-to-date threat intelligence.
A Final Note: The CKC is not always gospel!
The Cyber Kill Chain is one model of many, so acceptance of it is not universal, with some critics pointing out perceived flaws in the model.
Cybersecurity company Trellix (formerly FireEye and McAfee Enterprise) proposes a model similar to Lockheed Martin's but with the persistence of threats emphasised: in their model, a threat does not end after a single cycle.
A new form of 'kill chain' was developed in 2017 (Paul Pols' "Unified Kill Chain") to overcome common critiques of the traditional cyber kill chain, by uniting and extending Lockheed Martin's Cyber Kill Chain and MITRE's ATT&CK framework (which are both based on the "Get In, Stay In, and Act" model).
The Unified Kill Chain is an ordered arrangement of 18 unique attack phases that may occur in an end-to-end cyberattack.
------------------------------
Niall Ashley (he/him)
Consultant in Mainframe Security (RACF)
Vertali Ltd
------------------------------