Cyber Kill Chain

The cyber kill chain is the process by which perpetrators carry out cyberattacks. Lockheed Martin adapted the concept of the "kill chain" from a military setting to information security, using it as a method for modeling intrusions on a computer network. The cyber kill chain model has seen some adoption in the information security community. However, acceptance is not universal, with critics pointing to what they believe are fundamental flaws in the model.


Attack phases and countermeasures

Computer scientists at the Lockheed-Martin corporation described a new "intrusion kill chain" framework or model to defend computer networks in 2011. They wrote that attacks may occur in phases and can be disrupted through controls established at each phase. Since then, the "cyber kill chain" has been adopted by data security organizations to define the phases of cyberattacks. A cyber kill chain reveals the phases of a cyberattack: from early reconnaissance to the goal of data exfiltration. The kill chain can also be used as a management tool to help continuously improve network defense. According to Lockheed Martin, threats must progress through several phases in the model, including:

1. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
2. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
3. Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives).
4. Exploitation: Malware weapon's program code triggers, which takes action on target network to exploit vulnerability.
5. Installation: Malware weapon installs an access point (e.g., "backdoor") usable by the intruder.
6. Command and Control: Malware enables intruder to have "hands on the keyboard" persistent access to the target network.
7. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

Defensive courses of action can be taken against these phases:

1. Detect: Determine whether an intruder is present.
2. Deny: Prevent information disclosure and unauthorized access.
3. Disrupt: Stop or change outbound traffic (to attacker).
4. Degrade: Counter-attack command and control.
5. Deceive: Interfere with command and control.
6. Contain: Network segmentation changes.

A U.S. Senate investigation of the 2013 Target Corporation data breach included analysis based on the Lockheed-Martin kill chain framework. It identified several stages where controls did not prevent or detect progression of the attack.
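The phase list and the courses of action are what a defender actually uses the model for: tagging observed events with a phase, seeing how far an intrusion progressed, and spotting the earlier phases that nothing detected (the kind of gap the Target analysis found). The following is an added example, not code from the article or from Lockheed Martin; the detection rules, the per-phase course-of-action mapping and the log lines are all constructed assumptions.

```python
"""Added example: tag constructed log events with the kill chain phase they
evidence, report the deepest phase reached, the defensive courses of action that
apply, and earlier phases whose progression went unobserved (assumed rules/data)."""
import re

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objective"]

# Assumed mapping of each phase to the defensive courses of action named above.
COURSES = {
    "Reconnaissance": ["Detect", "Deny"], "Weaponization": ["Detect"],
    "Delivery": ["Detect", "Deny", "Disrupt"], "Exploitation": ["Detect", "Deny", "Disrupt"],
    "Installation": ["Detect", "Deny", "Disrupt", "Contain"],
    "Command and Control": ["Detect", "Disrupt", "Degrade", "Deceive", "Contain"],
    "Actions on Objective": ["Detect", "Deny", "Contain"],
}

# Assumed detection rules: a regex over one log line and the phase it indicates.
RULES = [
    (re.compile(r"web\.log .* GET /\S*(robots\.txt|\.git)"), "Reconnaissance"),
    (re.compile(r"mail\.log .* attachment=\S+\.(docm|xlsm|js)"), "Delivery"),
    (re.compile(r"edr\.log .* parent=(winword|excel)\.exe child=(powershell|cmd)\.exe"),
     "Exploitation"),
    (re.compile(r"edr\.log .* registry=HKCU\\\S*\\Run"), "Installation"),
    (re.compile(r"proxy\.log .* beacon_interval=\d+s"), "Command and Control"),
    (re.compile(r"dlp\.log .* outbound_bytes=\d{8,}"), "Actions on Objective"),
]

# Constructed sample events (RFC 5737 address, example.* domains); last line is benign.
SAMPLE_LOGS = [
    "2024-05-01T08:00:01 mail.log from=ext@example.net to=hr@corp.example attachment=invoice.docm",
    "2024-05-01T08:04:12 edr.log host=WS17 parent=winword.exe child=powershell.exe",
    "2024-05-01T08:04:15 edr.log host=WS17 registry=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "2024-05-01T08:05:00 proxy.log host=WS17 dst=cdn.example.org beacon_interval=60s",
    "2024-05-01T09:30:00 web.log src=203.0.113.5 GET /index.html",
]

def classify(line):
    """Return the first kill chain phase whose rule matches the line, else None."""
    return next((phase for rule, phase in RULES if rule.search(line)), None)

def analyze(lines):
    """Summarize observed phases in kill chain order, the deepest one reached, the
    courses of action that apply, and earlier phases no rule observed (gaps)."""
    observed = sorted({p for p in map(classify, lines) if p}, key=PHASES.index)
    if not observed:
        return {"observed": [], "deepest": None, "courses": {}, "undetected": []}
    deepest = observed[-1]
    return {"observed": observed, "deepest": deepest,
            "courses": {p: COURSES[p] for p in observed},
            "undetected": [p for p in PHASES[:PHASES.index(deepest)] if p not in observed]}
```

Running `analyze(SAMPLE_LOGS)` reports Command and Control as the deepest phase and Reconnaissance and Weaponization as undetected, which is expected for phases that happen outside the defended network.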


Alternatives

Different organizations have constructed their own kill chains to try to model different threats. FireEye proposes a linear model similar to Lockheed-Martin's. In FireEye's kill chain the persistence of threats is emphasized. This model stresses that a threat does not end after one cycle.

1. Reconnaissance: This is the initial phase where the attacker gathers information about the target system or network. This could involve scanning for vulnerabilities, researching potential entry points, and identifying potential targets within the organization.
2. Initial Intrusion: Once the attacker has gathered enough information, they attempt to breach the target system or network. This could involve exploiting vulnerabilities in software or systems, utilizing social engineering techniques to trick users, or using other methods to gain initial access.
3. Establish a Backdoor: After gaining initial access, the attacker often creates a backdoor or a persistent entry point into the compromised system. This ensures that even if the initial breach is discovered and mitigated, the attacker can still regain access.
4. Obtain User Credentials: With a foothold in the system, the attacker may attempt to steal user credentials. This can involve techniques like keylogging, phishing, or exploiting weak authentication mechanisms.
5. Install Various Utilities: Attackers may install various tools, utilities, or malware on the compromised system to facilitate further movement, data collection, or control. These tools could include remote access Trojans (RATs), keyloggers, and other types of malicious software.
6. Privilege Escalation / Lateral Movement / Data Exfiltration: Once inside the system, the attacker seeks to elevate their privileges to gain more control over the network. They might move laterally within the network, trying to access more valuable systems or sensitive data. Data exfiltration involves stealing and transmitting valuable information out of the network.
7. Maintain Persistence: This stage emphasizes the attacker's goal to maintain a long-term presence within the compromised environment. They do this by continuously evading detection, updating their tools, and adapting to any security measures put in place.


Critiques

Among the critiques of Lockheed Martin's cyber kill chain model as a threat assessment and prevention tool is that the first phases happen outside the defended network, making it difficult to identify or defend against actions in these phases. Similarly, this methodology is said to reinforce traditional perimeter-based and malware prevention-based defensive strategies. Others have noted that the traditional cyber kill chain is not suitable for modeling the insider threat. This is particularly troublesome given the likelihood of successful attacks that breach the internal network perimeter, which is why organizations "need to develop a strategy for dealing with attackers inside the firewall. They need to think of every attacker as potential insider".


Unified kill chain

The Unified Kill Chain was developed in 2017 by Paul Pols in collaboration with Fox-IT and Leiden University to overcome common critiques against the traditional cyber kill chain, by uniting and extending Lockheed Martin's kill chain and MITRE's ATT&CK framework (both of which are based on the "Get In, Stay In, and Act" model constructed by James Tubberville and Joe Vest). The unified version of the kill chain is an ordered arrangement of 18 unique attack phases that may occur in an end-to-end cyberattack, which covers activities that occur outside and within the defended network. As such, the unified kill chain improves over the scope limitations of the traditional kill chain and the time-agnostic nature of tactics in MITRE's ATT&CK. The unified model can be used to analyze, compare, and defend against end-to-end cyberattacks by advanced persistent threats (APTs). A subsequent whitepaper on the unified kill chain was published in 2021.


Further reading

Skopik, Florian; Pahi, Timea (2020). "Under false flag: using technical artifacts for cyber attack attribution". Cybersecurity 3(1): 8. doi:10.1186/s42400-020-00048-4. ISSN 2523-3246.