What is the cyber kill chain?

(by Alessandro Rugolo, Lino Proceddu)
29/03/21

In several articles we have mentioned the so-called "cyber kill chain", but on closer inspection we have never really explained what it is.

Today in this short article we retrace the birth of the model and try to understand something more together.

The concept of the Cyber Kill Chain was first published by Lockheed Martin, the major American defense contractor, in the white paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains", by Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin.

I recommend that everyone read the document in its entirety, as it is very interesting (link at the bottom). Here we limit ourselves to what seems most useful to us; in particular, the introduction gives a first definition of the cyber kill chain:

"The phrase 'kill chain' describes the structure of the intrusion, and the corresponding model guides analysis to inform actionable security intelligence."

The authors were therefore concerned with developing a model of a cyber attack that would help defenders design risk mitigation techniques, so as to effectively hinder a hypothetical intruder in his work. The model was also intended to help prioritize investments in new technologies.

It is no coincidence that a defense contractor introduced the concept of the Cyber Kill Chain: it is simply an adaptation to the cyber environment of a military concept. In its original form it was a phased model used to identify the steps necessary to carry out an attack.

Analysing the kill chain lets you understand that an adversary, to achieve his goal, must succeed in progressing through the whole chain, and it highlights which mitigation actions are effective at interrupting the chain itself.

The paper is aimed in particular at the analysis of adversaries with sufficient capability and resources to conduct APT (Advanced Persistent Threat) campaigns.

But let's see what the cyber kill chain consists of. It is a process made up of seven stages:

The first stage is called Reconnaissance and, as the name clearly shows, it consists of carrying out research to identify and select the target: internet searches for information about the target, the technologies it uses, email addresses and staff, as well as social relationships. This phase is fundamental for choosing an initial target that is useful for getting to the final one, perhaps through lateral movement; for example, the employee at the bottom right of the hierarchy is hit in order to finally reach the company's CEO.

The second phase is called Weaponization and consists of creating or identifying malware that can be used for the attack, usually a pairing of remote access software (a trojan horse) and an exploit (software that takes advantage of a system vulnerability). Often, to gain access to a system, zero-day vulnerabilities are used, against which there is still no defense, since they are brand-new vulnerabilities that have not yet been "patched" precisely because they have only just been discovered.

The third stage is called Delivery and consists of transmitting the cyber weapon to the target. Usually emails with links to bogus websites, or with attached documents containing malware, are used to deliver it to the victim. But USB sticks, infrared, Bluetooth, optical media, keyboards or mice with malware "nested" in their firmware, and other methods are also possible.

The fourth stage is known as Exploitation and generally consists of the exploitation of one or more vulnerabilities by the malicious software introduced into the system under attack. It should be noted that the most advanced obfuscation techniques (often brand-new ones) are used to make these actions totally invisible to our "radars", whether they are firewalls, IDS, IPS, mail filters, antivirus or SIEM.

The fifth stage is called Installation and consists of installing something inside the target system that allows the attacker to remain within it at will: the so-called persistence. Trojan malware is installed (RATs, Remote Access Trojans), ports are opened on the network, or backdoors are created. In this phase the system is silently but heavily modified: registry keys, system files and even boot partitions can be changed. This is one of the reasons why the outcome of restoring "compromised systems" is never a foregone conclusion.

The sixth phase is called Command and Control (C2 or C&C) and consists of establishing a solid command and control channel that allows the attacker to give orders and receive feedback. This phase is particularly important in an APT.

The seventh stage is called Actions on Objectives and consists of the actual attack on the target system. Typically this involves exfiltrating data, which more generally means exploring the system, collecting data, encrypting it and exfiltrating it. In other cases it is a matter of making the data unavailable, generally by encrypting it and later asking for a ransom (the famous ransomware). In other cases it is a matter of modifying the data (what would happen if the dimensions of an airplane spare part were altered by a few fractions of a millimeter?). The attacker may also be interested only in collecting data in order to attack another, more profitable system.

Each phase can in turn be divided into several more or less numerous steps.
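The defensive use of the model described above, turned into code: events from (hypothetical, constructed) sensors are mapped onto the seven phases, and from that mapping we derive how far the intruder is known to have progressed, where a control broke the chain, and which earlier phases the intruder must have passed through without any sensor seeing them. This is an added example and not code from the original article or from Lockheed Martin; the sensor names and the event timeline are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Phase(IntEnum):
    """Lockheed Martin's seven kill-chain phases, in the order an intruder must traverse them."""
    RECONNAISSANCE = 1
    WEAPONIZATION = 2
    DELIVERY = 3
    EXPLOITATION = 4
    INSTALLATION = 5
    COMMAND_AND_CONTROL = 6
    ACTIONS_ON_OBJECTIVES = 7


@dataclass(frozen=True)
class Event:
    sensor: str     # hypothetical control that produced the event (constructed name)
    phase: Phase    # phase the analyst mapped the event to
    blocked: bool   # True if the control stopped the action, False if it only observed it


# Constructed timeline of one intrusion attempt; not real telemetry.
SAMPLE_EVENTS = [
    Event("mail-gateway", Phase.DELIVERY, blocked=False),        # phishing mail let through
    Event("endpoint-av", Phase.EXPLOITATION, blocked=False),     # exploit seen, not stopped
    Event("edr", Phase.INSTALLATION, blocked=False),             # RAT persistence observed
    Event("web-proxy", Phase.COMMAND_AND_CONTROL, blocked=True), # C2 connection denied
]


def furthest_phase(events):
    """Latest phase the intruder is known to have reached (None if nothing was seen)."""
    return max((e.phase for e in events), default=None)


def chain_broken_at(events):
    """Earliest phase at which a control actually blocked the intruder, or None."""
    blocked = [e.phase for e in events if e.blocked]
    return min(blocked) if blocked else None


def blind_spots(events):
    """Phases before the furthest one that the intruder must have passed but no sensor observed."""
    top = furthest_phase(events)
    seen = {e.phase for e in events}
    return [p for p in Phase if top is not None and p < top and p not in seen]


def intrusion_succeeded(events):
    """True only if the chain was never broken and actions on objectives were reached."""
    return chain_broken_at(events) is None and furthest_phase(events) == Phase.ACTIONS_ON_OBJECTIVES
```

Blind spots are where the model points investment: in the sample the chain was only broken at Command and Control, after three earlier phases went unblocked, and reconnaissance and weaponization were never seen at all.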

Of course, the model developed by Lockheed Martin for defensive purposes can be, and is, also used for offensive purposes, especially in relation to the early stages of reconnaissance and weaponization.

Of course, there are many variations of the cyber kill chain, developed by different companies, but the goal is always the same: to help understand the attacker's modus operandi in order to work out how to defeat him or, more generally, how to reduce the risks.

To learn more:

LM-White-Paper-Intel-Driven-Defense.pdf (lockheedmartin.com)

Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf (lockheedmartin.com)