What Is The Cyber Kill Chain? | SentinelOne


What is a Cyber Kill Chain?

A Cyber Kill Chain, also known as a Cyber Attack Lifecycle, is the series of stages in a cyberattack, from reconnaissance through to exfiltration of data and assets. By understanding the cyber kill chain model, organizations can better identify, prevent, and mitigate ransomware, security breaches, and advanced persistent threats (APTs).


The History of the “Cyber Kill Chain”

The term “Kill Chain” originates from a military concept: a phase-based attack structure. The structure is as follows:

  • Target identification
  • Force dispatch to target
  • Decision and order to attack the target
  • Destruction of the target

Lockheed Martin was the first to take this concept and apply it to information security, using it as a method for modeling intrusion on a computer network. Computer scientists at Lockheed Martin found that cyberattacks often occur in phases and can be disrupted through controls established at each phase.

The Phases of Lockheed Martin’s Kill Chain Model:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control
  7. Actions on Objectives

Since its inception, the kill chain has evolved to better anticipate and understand modern cyberthreats and has been adopted by data security organizations and professionals to help define stages of an attack.

Although many have adopted the cyber kill chain, acceptance still isn’t universal, and many critics point to what they believe are fundamental flaws.

Critiques of the Cyber Kill Chain

Current critiques can be bucketed into two main categories: Perimeter Security and Attack Vulnerabilities.

Perimeter Security

One of the biggest critiques of Lockheed’s cyber kill chain model is the fact that the first phases (reconnaissance, weaponization) of an attack occur outside the target network, which makes it difficult to understand or defend against actions occurring in these phases.

Attack Vulnerabilities

Some critics believe that the methodology also reinforces traditional perimeter-based and malware-prevention-based defensive strategies, which aren’t enough in today’s cybersecurity climate.

One final critique states that the traditional cyber kill chain isn’t a suitable model when thinking about insider threats. Because of this, organizations are potentially more at risk, given the likelihood of successful attacks that breach a target’s internal network perimeter.


The Future of the Cyber Kill Chain

Because of the constantly evolving nature of cyber threats, the future of the Cyber Kill Chain is up in the air. As extended detection and response (XDR) becomes increasingly important for modern cybersecurity strategy, many believe a new framework is needed: an XDR framework or kill chain that builds on MITRE ATT&CK for known root causes and attackers’ objectives, then goes further by incorporating other data sources.

MITRE ATT&CK Framework

The MITRE ATT&CK framework was created as a model to document and track techniques that attackers use throughout the varying stages of a cyberattack.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge and has become one of the most respected and referenced resources in cybersecurity.

The stages of the MITRE ATT&CK kill chain model include:

  1. Initial Access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defense Evasion
  6. Credential Access
  7. Discovery
  8. Lateral Movement
  9. Collection
  10. Exfiltration
  11. Command and Control

MITRE ATT&CK Evaluations use adversary emulation to mimic an adversary’s known Tactics, Techniques, and Procedures (TTPs). The aim is to construct a logical, complete attack that progresses through all the stages of a comprehensive, successful attack, from initial compromise through lateral movement, data exfiltration, and so on.

While ATT&CK Evaluation 2019 (the first year of testing) was based on APT3 (Gothic Panda), and ATT&CK Evaluation 2020 focused on TTPs associated with APT29 (Cozy Bear), this year’s evaluations focus on emulating financial threat groups Carbanak and FIN7.

The Unified Kill Chain Model

The Unified Kill Chain was developed in 2017 by Paul Pols in collaboration with Fox-IT and Leiden University to overcome common critiques against the traditional cyber kill chain, uniting and extending Lockheed’s kill chain framework and the MITRE ATT&CK framework. It was designed to defend against end-to-end cyber attacks from a variety of advanced attackers and provide insights into the tactics that hackers employ to attain their strategic objectives.

The Unified Kill Chain is broken into three main phases: Initial Foothold → Network Propagation → Action on Objectives

Each of these phases is made up of additional attack phases. In total, there are 18 phases:

  1. Reconnaissance: Researching, identifying, and selecting targets through active or passive surveillance.
  2. Weaponization: Methods of preparation aimed at setting up the required infrastructure for the attack.
  3. Delivery: Techniques that aid in the transmission of a weaponized object to the target environment.
  4. Social Engineering: Methods aimed at manipulating people to perform unsafe actions.
  5. Exploitation: Tactics to exploit system vulnerabilities that may result in code execution.
  6. Persistence: Any action, access or change to a system that grants an attacker persistent presence on the system.
  7. Defense Evasion: Evasion tactics an attacker may specifically use to avoid detection or other defenses.
  8. Command and Control: Techniques that enable attackers to communicate with controlled systems within a target network.
  9. Pivoting: Using a controlled system to tunnel traffic to other systems that are not directly accessible.
  10. Discovery: Methods that enable an attacker to obtain knowledge about a system and its network environment.
  11. Privilege Escalation: The outcome of techniques that provide higher permissions on a system or network for an attacker. Common methods include brute force attacks and exploiting zero-day vulnerabilities.
  12. Execution: Tactics that result in execution of attacker-controlled code on a local or remote system.
  13. Credential Access: Strategies that result in access or control over system, service or domain credentials.
  14. Lateral Movement: Techniques that enable adversaries to move laterally to gain more leverage, such as access to and control of other remote systems. Attackers can also seek out critical data and sensitive information via IT resources and built-in tools like PowerShell.
  15. Collection: Methods to identify and gather data from a target network before exfiltration.
  16. Exfiltration: Tactics that aid in or result in an attacker removing data from a target network. This can include strategies like obfuscation (e.g. falsifying timestamps, deleting or modifying logs, etc.) or Denial of Service (DoS).
  17. Impact: Techniques to manipulate, interrupt, or destroy the target system or data.
  18. Objectives: Socio-technical attack objectives aimed at achieving a strategic goal.

How Can The Cyber Kill Chain Improve Security?

With the changing nature of cyber threats, organizations need to implement a layered approach to cybersecurity, one that encompasses administrative, technical, and physical security controls. The Cyber Kill Chain reveals the active state of a breach and allows organizations to better prepare for potential and current threats.

Enterprises can use the Cyber Kill Chain to guide strategy, training and tool selection, as it sheds light on aspects of their security strategy that may or may not need updating. Think employee training, endpoint protection software, VPNs, etc.


An Example of the Cyber Kill Chain in Action

Let’s say you’re a threat actor targeting a large retail conglomerate – you’ll want to utilize the stages of the cyber kill chain in order to launch your targeted attack.

Step 1: Reconnaissance

In this phase, you’ll want to identify a target organization or specific users. Either way, doing initial and in-depth research on the target is essential for a successful attack.

Here you’ll dig into who is working at this retail conglomerate, what their jobs are, level of security access, etc. You’ll also identify potential vulnerabilities that can be exploited. Once you have a list of people you want to target, you’re ready for the next step.

Step 2: Weaponization

Now, you’ll create your malware. Think virus, worm, etc. depending on the vulnerability you’re trying to exploit. Once the malware/ransomware is created, step 3 can begin.

Step 3: Delivery

Remember all the work you did in step 1 and step 2? Now it’s time to deliver your malware/ransomware. This can be done a number of different ways, but in this example, let’s go with a phishing scam.

You’ll craft your phishing email, making it look as legitimate as possible, with links and attachments that will deliver the payload if the email’s links/attachments are clicked.

Step 4: Exploitation

This step will only start if your phishing scam is successful. Once a link/attachment is clicked in your phishing email and your malware is triggered, the program code will exploit your target’s vulnerability/vulnerabilities.

Step 5: Installation

The malware then will install an access point (back door), which will give you uninterrupted access into the target’s system(s) and network. This is key to continued exploitation of the target.

Step 6: Command and Control

Once all 5 steps successfully complete, you (the threat actor) have complete control of and access to the target’s system(s) and network. This gives you the ability to access data, information, controls, etc., which you can then encrypt, sell, or use to your benefit.

Step 7: Actions on Objectives

With persistent access, you can fulfill your purpose. As stated in step 6, you can begin encrypting files for ransom, exfiltrating data, and/or even destroying data depending on your objectives.

This is the grand finale in the cyber kill chain and the end goal for all threat actors.
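The same phishing scenario seen from the defender’s side, as an added example that is not part of the original article: the point of the Lockheed Martin model is that each phase is a place where a control can break the chain, so a SOC maps its telemetry onto the phases and asks how far an intrusion progressed and which phases produced no alert at all. The event type names, the email-gateway/EDR sources, and the sample records below are all constructed for illustration; real telemetry schemas differ.

```python
"""Kill-chain coverage analysis over constructed telemetry.

Added example; it is not code from the SentinelOne article. It maps events
from an (assumed) email gateway and EDR sensor onto the seven Lockheed Martin
phases, then reports, per host, how far the chain progressed and which
observable phases went unnoticed. Event types and sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
]
# Reconnaissance and Weaponization happen outside the target network (the
# perimeter critique), so a defender's own telemetry normally starts at Delivery.
FIRST_OBSERVABLE = PHASES.index("Delivery")

# Assumed event types from an email gateway and an EDR sensor -> phase evidenced.
EVENT_PHASE = {
    "email_attachment_delivered": "Delivery",
    "office_spawned_script_host": "Exploitation",
    "run_key_created": "Installation",
    "periodic_beacon_to_new_domain": "Command & Control",
    "mass_file_rename": "Actions on Objectives",
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str
    detail: str


def phase_index(phase: str) -> int:
    return PHASES.index(phase)


def events_by_host(events):
    """Group classifiable events per host in time order; unknown kinds are dropped."""
    grouped = {}
    for ev in sorted(events, key=lambda e: e.ts):
        phase = EVENT_PHASE.get(ev.kind)
        if phase is not None:
            grouped.setdefault(ev.host, []).append((phase, ev))
    return grouped


def furthest_phase(phased):
    """Latest phase in the chain for which this host has evidence."""
    return max((p for p, _ in phased), key=phase_index)


def unobserved_phases(phased):
    """Observable phases the attacker must have passed through (they precede the
    furthest evidenced phase) but for which nothing fired. Each one is a
    detection gap: a point where a control could have broken the chain."""
    seen = {p for p, _ in phased}
    stop = phase_index(furthest_phase(phased))
    return [p for p in PHASES[FIRST_OBSERVABLE:stop] if p not in seen]


def summarize(events):
    """Per-host: furthest phase reached, detection gaps, minutes from first to last evidence."""
    report = {}
    for host, phased in events_by_host(events).items():
        first_ts, last_ts = phased[0][1].ts, phased[-1][1].ts
        report[host] = {
            "furthest": furthest_phase(phased),
            "gaps": unobserved_phases(phased),
            "minutes_first_to_last": (last_ts - first_ts).total_seconds() / 60,
        }
    return report


# Constructed sample telemetry for the article's phishing scenario: one host
# ran the attachment and the chain ran to completion, a second host only received it.
SAMPLE = [
    Event(datetime(2024, 3, 4, 9, 2), "ws-17", "email_attachment_delivered", "invoice.docm from external sender"),
    Event(datetime(2024, 3, 4, 9, 5), "ws-17", "office_spawned_script_host", "WINWORD.EXE -> wscript.exe"),
    Event(datetime(2024, 3, 4, 9, 6), "ws-17", "dns_query", "lookup of updates-cdn.example"),  # not mapped to a phase
    Event(datetime(2024, 3, 4, 9, 7), "ws-17", "periodic_beacon_to_new_domain", "HTTPS every 60s to updates-cdn.example"),
    Event(datetime(2024, 3, 4, 11, 40), "ws-17", "mass_file_rename", "3,200 files renamed to *.locked"),
    Event(datetime(2024, 3, 4, 9, 3), "ws-22", "email_attachment_delivered", "same invoice.docm, never opened"),
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, info)
```

For ws-17 the report shows the chain reached Actions on Objectives with Installation as the one unobserved phase: the backdoor was planted without any persistence telemetry firing, which is exactly the control gap this model is meant to surface. For ws-22 the chain stopped at Delivery and there are no gaps, so the gateway alert alone was enough to scope that host as not compromised.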


The SentinelOne Singularity Platform

It is imperative for organizations of all sizes not only to implement a good cybersecurity strategy, but also to make sure they have a strong endpoint protection and XDR solution. With the SentinelOne Singularity Platform, organizations can prevent, detect, and undo known and unknown threats. See for yourself – Book a demo now.
