Cyber Kill Chain Write-Up

By: Mohamed Noureldein

Hi guys, we have a new article called Cyber Kill Chain; let's see what it is about.

Sometimes referred to as CKC or the cyberattack lifecycle, the cyber kill chain is a security defense
model developed to identify and stop sophisticated cyberattacks before they impact an organization.
Typically comprised of seven steps, a cyber kill chain model breaks down the multiple stages of a
cyberattack, allowing security teams to recognize, intercept or prevent them.

Using a cyber kill chain framework can help organizations to better understand relevant threats and
improve incident management and response. When done right, cyber kill chains can have significant
security benefits — but if done incorrectly, they can put organizations at risk. In fact, certain
shortcomings in the kill chain lead to questions about its future. Still, businesses can use cyber kill
chain methodology to inform their cybersecurity strategies.

Let's find out why the cyber security kill chain is a controversial topic in cyber threat management, as we
dive into the origins of the kill chain, its use cases, and its warnings.

What is a kill chain in cyber security?


You may have heard of the phrase ‘kill chain’ being used in reference to military operations: when an
enemy attack is identified, broken down into stages, and preventative measures are put in place. This
is the exact concept that inspired the original cyber security kill chain, which was initially created
by Lockheed Martin in 2011.

A cyber kill chain’s purpose is to bolster an organization's defenses against advanced persistent
threats (APTs), aka sophisticated cyberattacks. The most common threats include the deployment of:

Malware
Ransomware
Trojan horses
Phishing
Other social engineering techniques

Cyber kill chains allow enterprises to be prepared and stay one step ahead of hackers at every stage
of an attack, from conceptualization to execution.

Cyber kill chain vs MITRE ATT&CK


The cyber kill chain is often compared to the MITRE ATT&CK framework. MITRE ATT&CK also
illustrates the phases of a cyberattack, many of which are similar to the cyber kill chain model. The
key difference between the cyber kill chain and MITRE ATT&CK is the fact that MITRE tactics are
listed in no particular order — unlike the specific grouping of stages and linear structure of the kill
chain.

Another difference is that the cyber kill chain framework addresses the cyberattack process in seven
phases at a high level, while MITRE ATT&CK explores various techniques and procedures that relate
to the granular details of a cyberattack. Elements of both the kill chain and ATT&CK can be
incorporated into cybersecurity strategy.

The 7 stages of a cyber kill chain


The original Lockheed Martin cyber kill chain model describes seven steps. This is the most
commonly referenced framework in the industry. Lockheed’s 7-stage cyber kill chain explores the
methodology and motivation of a cybercriminal across the entire attack timeline, helping
organizations to understand and combat threats. These seven phases are:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and control
7. Action

Let’s take a look at each phase.


1. Reconnaissance
The first stage of the kill chain is reconnaissance. In this stage, the attacker gathers information
about the target organization and its systems. They can obtain this information through open-source
intelligence (OSINT) techniques, such as searching the internet or social media, or through more direct
methods, such as social engineering or physical surveillance. The goal of reconnaissance is to gather
enough information to plan and execute a successful attack. This information can include the names and
titles of employees, the organization's structure, and the types of systems and software in use.
One of the most important tools during this phase is Google itself; in fact, attackers use a technique
called Google Dorking, whose crafted search queries can return a great deal of useful information.

This phase is extremely important and may decide the life or death of the entire chain.
There are many tools that attackers use, but here I list only the best-known ones to give an idea.

Passive:

Google: as we have seen, Google's queries can be manipulated through Dorking in order
to get all the information an attacker needs.
Wireshark: probably the best traffic analyzer.
Shodan: a search engine for Internet-connected (IoT) devices.

Active:

Nmap: a powerful network scanner that is able to retrieve an enormous quantity of information
from the target network/host.
Nikto: a web server vulnerability scanner.
Subfinder: a subdomain finder, very popular among hackers and pen-testers.
Maltego: an information gathering tool with a very intuitive graphical interface.

In this blog we also built two basic tools for reconnaissance:

Subdomain scanner made easy – with Python!
How to create a network scanner tool in a few lines of code!

2. Weaponization
Once the perpetrator has gathered their information on the target, they can strategize to take
advantage of their weaknesses. This is the weaponization stage of the cyber kill chain, in which the
attacker creates malware or malicious payloads to use against the target. The process can include:

Designing new forms of malware
Modifying existing programs to better match the vulnerabilities they're trying to exploit

As you can imagine, this is a very sensitive phase, and it would be impossible to accomplish with poor
reconnaissance.
Useful resources in this phase are these:

Metasploit: a very popular penetration testing framework that contains a lot of exploits.
The framework includes a tool called MSFVenom that can generate very specialized payloads.
Exploit-DB: a database that contains a plethora of exploits for known vulnerabilities, a real gold
mine for hackers.
AFL++: an open-source fuzzer that can be used, when there are no known exploits, as a last resort to
find zero-days in the target application.
The final goal of the attacker is usually the installation of malware on the target machine, so in addition
to writing the exploit, malware development also belongs to the weaponization phase.
The hardest part is making it invisible to the target's security systems.
Attackers can rely on tools like Veil 3.0 or write their own code by hand.
We have seen some very basic techniques to hide shellcode and some very basic evasion
techniques that can make analysis harder.

3. Delivery
Following weaponization is the delivery stage — when cybercriminals try to infiltrate their target’s
network or security system.

Typically, these actors deploy malware into the system via phishing emails and other social
engineering tools. It can also involve hacking into a network and exploiting vulnerabilities in an
organization’s hardware or software.

4. Exploitation
After the successful delivery of malware or another form of intrusion, the attacker's next step is exploiting the
weaknesses uncovered in the previous cyber kill chain phases. Attackers can now further
infiltrate a target's network and learn of additional vulnerabilities that they were unaware of prior to
entering.

At this stage, they often move laterally across a network from one system to another, spotting more
potential entry points on the way. Vulnerabilities are much easier to identify now if there are no
deception measures in place on the network.

5. Installation
Next is the installation stage (also known as the privilege escalation phase). The attacker tries to
install malware and deploy other cyberweapons within the target network in order to gain additional
control of more systems, accounts, and data. Strategies include installing malware via:

Trojan horses
Access token manipulation
Command-line interfaces
Backdoors

Tactics begin to intensify, as attackers forcefully infiltrate the target network, seeking out unprotected
security credentials and changing permissions on compromised accounts.

6. Command and Control


One of the crucial steps of the cyber security kill chain is the development of a command and control
channel (also known as the C2 phase). After gaining control of part of their target's systems or
accounts, the attacker can now track, monitor and guide their deployed cyberweapons and tool stacks
remotely. This stage can be broken down into two methods:

Obfuscation is the process by which an attacker makes it look like no threat is present,
essentially covering their tracks. This includes methods such as file deletion, binary padding
and code signing.
Denial of service (DoS) is when cybercriminals cause problems in other systems/areas to
distract security teams from uncovering the core objectives of the attack. This often involves
network denial of service or endpoint denial of service, as well as techniques like resource
hijacking and system shutdowns.

7. Action
The 7 stages of the cyber kill chain culminate with action: the final phase in which cybercriminals
execute the underlying objective of the attack. This phase of the cyber kill chain process can take
several weeks or months depending on the success of previous steps. Common end goals of a
strategic cyberattack include:

Supply chain attacks
Data exfiltration
Data encryption
Data compression
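
As an added example (not code from the original write-up) of how a defender puts the seven phases to work: the script below maps hypothetical detection-rule names to kill-chain phases, correlates constructed sample alerts per host, reports which earlier phases produced no alert, and ranks remediation effort by the furthest phase reached. The rule names, sample alerts and the three effort tiers are assumptions made for illustration.

```python
from collections import defaultdict
# The seven phases in the order the write-up lists them (index = position).
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and control", "Action"]

# Hypothetical detection-rule names mapped to phases. Weaponization happens on
# the attacker's side, so defenders usually have no telemetry for it at all.
RULE_TO_PHASE = {
    "external_port_scan": "Reconnaissance",
    "phishing_attachment_delivered": "Delivery",
    "office_macro_spawned_shell": "Exploitation",
    "new_autostart_service": "Installation",
    "periodic_beacon_to_rare_domain": "Command and control",
    "large_outbound_transfer": "Action",
}

# Constructed sample alerts, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T07:50:00", "host": "srv-db", "rule": "external_port_scan"},
    {"ts": "2024-03-01T08:02:11", "host": "ws-17", "rule": "phishing_attachment_delivered"},
    {"ts": "2024-03-01T08:05:43", "host": "ws-17", "rule": "office_macro_spawned_shell"},
    {"ts": "2024-03-01T08:06:01", "host": "ws-17", "rule": "new_autostart_service"},
    {"ts": "2024-03-01T09:30:00", "host": "ws-17", "rule": "periodic_beacon_to_rare_domain"},
]

def correlate(events):
    """Per host: phases seen, furthest phase reached, and earlier phases with no
    alert ("gaps"). The write-up notes attackers skip or merge stages, so a gap
    marks missing visibility rather than a missing attack."""
    per_host = defaultdict(set)
    for ev in events:
        phase = RULE_TO_PHASE.get(ev["rule"])
        if phase is not None:  # rules with no phase mapping are ignored
            per_host[ev["host"]].add(PHASES.index(phase))
    report = {}
    for host, idxs in per_host.items():
        furthest = max(idxs)
        report[host] = {
            "seen": [PHASES[i] for i in sorted(idxs)],
            "furthest": PHASES[furthest],
            "gaps": [PHASES[i] for i in range(furthest) if i not in idxs],
        }
    return report

def response_tier(report, host):
    """Rough remediation effort by furthest phase: the write-up's point that
    stopping an attack at C2 costs far more than stopping it at delivery.
    The three tiers are illustrative, not an industry standard."""
    idx = PHASES.index(report[host]["furthest"])
    if idx <= 2:
        return "perimeter"  # block the scanner, sender or delivery channel
    if idx <= 4:
        return "host"       # clean the endpoint and remove persistence
    return "forensic"       # scope C2, lateral movement and data loss
```

Running `correlate(SAMPLE_EVENTS)` shows ws-17 at Command and control with Reconnaissance and Weaponization as gaps, which is exactly the "skipped or merged stages" pattern the weaknesses section discusses.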

Is there an 8th step in the cyber kill chain?


Some security experts advocate for the inclusion of an eighth stage in cyber kill
chains: monetization. This can also be considered as the final objective of an attack, but it
specifically focuses on the cybercriminal’s financial gain from an attack. The attacker can initiate a
ransom request – demanding funds by threatening to release or sell sensitive data (personal
information or industry secrets).

Profiteering from cyberattacks has become more of an issue in recent times due to the growing use
of cryptocurrency. Crypto makes it easier and safer for attackers to request and receive money,
facilitating the dramatic increase of monetizing cyberattacks.

Preventing cyberattacks
As with most things in life, prevention is the best cure. The earlier an enterprise can intercept and
stop an attack, the easier the remediation will be.

For example, stopping an attack in the command and control phase (Phase 6) usually requires more
advanced, costly and time-consuming efforts. This can include anything from machine repairs to
forensic measures like in-depth network sweeps and endpoint analysis to determine what data has
been lost and piece together the overall scale of the attack.

Therefore, organizations should aim to identify and resolve threats at the early stages of the cyber kill
chain to reduce the risk to their enterprise and minimize resources.


Weaknesses of the cyber kill chain
The Lockheed Martin cyber kill chain model may have its strengths, but some consider the 2011
framework to be outdated or lacking in innovation. A key weakness of the traditional model is that it’s
designed to detect and prevent malware and protect perimeter security. Yet, we now face many more
security threats, and cybercrime is becoming more and more sophisticated.

Here are the major drawbacks of the traditional seven-step cyber kill chain.

Limited attack detection profile


As we’ve recognized, the kill chain is limited in terms of the types of attacks that can be detected. The
original cyber kill chain framework centers around malware and payloads, and therefore does not
consider other types of attacks. An example would be web-based attacks including SQL Injective,
DoS, Cross Site Scripting (XSS) and certain Zero Day exploits.

Additionally, it does not account for attacks conducted by unauthorized parties who are attempting to
leverage compromised credentials.

Does not recognize insider threats


Insider threats pose a significant risk to organizations, yet they are not accounted for in the
traditional cyber kill chain process. To identify insider threats, you need to closely monitor both:

Suspicious changes in user behavior
Unusual activity in subnets, applications and computers

You can run a behavioral profile on users, whether automated or manual. An automated approach is
best as you can set alerts for instances of strange behavior. Over time, you will be able to easily
detect both real threats and false-positive instances at a faster rate.
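
The behavioral profile described above, as an added example that is not part of the original write-up: a baseline of working hours, source /24 subnets and applications is learned per user from a known-good window, and later events that fall outside it are flagged with the reason, covering both the user-behavior and the subnet/application signals listed above. The user names, addresses and application names are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_network
def _subnet(ip):
    """Collapse a source address to its /24 so a new subnet stands out."""
    return str(ip_network(f"{ip}/24", strict=False))

def build_baseline(history):
    """Learn, per user, the hours, /24 subnets and applications seen in a
    known-good window. history: dicts with user, hour, src_ip, app."""
    prof = defaultdict(lambda: {"hours": set(), "subnets": set(), "apps": set()})
    for ev in history:
        p = prof[ev["user"]]
        p["hours"].add(ev["hour"])
        p["subnets"].add(_subnet(ev["src_ip"]))
        p["apps"].add(ev["app"])
    return dict(prof)

def find_anomalies(baseline, events, hour_slack=1):
    """Return (user, ts, reasons) for each event that deviates from the user's
    profile. Hours within hour_slack of the learned range are still normal,
    so a slightly early start does not page anyone."""
    alerts = []
    for ev in events:
        p = baseline.get(ev["user"])
        reasons = []
        if p is None:
            reasons.append("user has no baseline")
        else:
            lo, hi = min(p["hours"]) - hour_slack, max(p["hours"]) + hour_slack
            if not lo <= ev["hour"] <= hi:
                reasons.append(f"off-hours activity at {ev['hour']:02d}:00")
            if _subnet(ev["src_ip"]) not in p["subnets"]:
                reasons.append(f"new source subnet {_subnet(ev['src_ip'])}")
            if ev["app"] not in p["apps"]:
                reasons.append(f"first use of application {ev['app']}")
        if reasons:
            alerts.append((ev["user"], ev["ts"], reasons))
    return alerts
# Constructed sample data, not real logs.
HISTORY = [
    {"user": "alice", "hour": h, "src_ip": "10.1.5.23", "app": "mail"} for h in (8, 9, 13, 17)
] + [
    {"user": "alice", "hour": 10, "src_ip": "10.1.5.23", "app": "payroll"},
    {"user": "bob", "hour": 7, "src_ip": "10.2.8.40", "app": "crm"},
    {"user": "bob", "hour": 16, "src_ip": "10.2.8.41", "app": "crm"},
]
NEW_EVENTS = [
    {"ts": "d1 02:00", "user": "alice", "hour": 2, "src_ip": "10.1.5.23", "app": "payroll"},
    {"ts": "d1 09:00", "user": "alice", "hour": 9, "src_ip": "10.9.0.3", "app": "mail"},
    {"ts": "d1 10:00", "user": "bob", "hour": 10, "src_ip": "10.2.8.40", "app": "hr-database"},
    {"ts": "d1 11:00", "user": "bob", "hour": 11, "src_ip": "10.2.8.4", "app": "crm"},
    {"ts": "d1 11:30", "user": "mallory", "hour": 11, "src_ip": "10.2.8.4", "app": "crm"},
]
```

`find_anomalies(build_baseline(HISTORY), NEW_EVENTS)` raises four alerts (off-hours, new subnet, new application, unknown user) and stays silent for bob's ordinary 11:00 CRM session; in practice the baseline window is rebuilt periodically so legitimate changes in routine stop alerting.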

The kill chain is not flexible


Not all attackers follow the cyber kill chain playbook linearly or step by step. They can skip, add and
backtrack stages.

For example, attackers sometimes skip the Reconnaissance step of the kill chain, in which they would
conduct extensive research on their target. The adoption of a "spray and pray" technique is an
example of where Reconnaissance is not needed – that's because it can get past your detection
snares by chance.

Attackers may also choose to merge steps of the kill chain. A 2018 report from Alert Logic revealed
that nearly 90% of attacks combine the first five stages of the cyber kill chain into a single action. If
the traditional framework is followed to the letter, then enterprises could miss or fail to stop threats
before they infiltrate the network.

Transformative technologies accelerate the evolution of cyber attacks
The development of recent technologies has paved the way for new attacks that lie outside the
original cyber kill chain framework. Innovations such as cloud computing, DevOps, IoT, machine
learning and automation have all broadened the scope of cyberattacks by increasing the number of
data sources and entry points.

Other cultural and social factors such as the rise in remote working and cryptocurrency mean there
are more points of access for hackers to exploit, and it can be challenging for organizations to cover
all bases and secure vulnerable endpoints.

How can the cyber kill chain improve security?


Although the original seven stages of the cyber kill chain have been subject to scrutiny,
organizations can still use these principles to help better prepare for existing and future
cyberattacks. A cyber kill chain framework can guide a business’s cyber security strategy, whether
that’s by identifying flaws with the current strategy or confirming what’s already working well. For
example, it could incentivize the adoption of services and solutions such as:

Endpoint protection software
VPNs
Employee training

As the cyberattack landscape continues to evolve, organizations must consider a strategy that
incorporates a layered approach of administrative, technical and physical security measures. The
cyber kill chain methodology can help to achieve this, but the initial model only stretches so far.

Alternatives to the original cyber kill chain


While every business requires its own tailored cyber kill chain framework, here are some other
ways to adapt the original kill chain process:

Unified kill chain


The concept of a unified kill chain combines techniques from MITRE ATT&CK and the original cyber
kill chain model. The result is a detailed, integrated framework comprised of 18 individual stages,
which can be grouped into three core phases:

1. Initial foothold
2. Network propagation
3. Action on objectives

This approach allows security teams to simultaneously compare indicators of compromise (IOCs)
against multiple feeds of threat intelligence in order to effectively respond to threats. A unified kill
chain ATT&CK model can be used by defensive and offensive teams to develop security controls.

Simulation of cyber kill chains


Kill chain models can also be used for cyberattack simulation, and there are numerous specialized
platforms that can simulate the cyber kill chain process. This enables you to locate and amend any
entry points or system vulnerabilities in a very short amount of time.

As well as simulating cyber threats through email, web, and firewall gateways, these platforms can
provide you with a risk score/report of system entities to help teams identify key areas of risk. The
organization can then take action and prevent future threats with methods such as changing
configurations and installing patches.

Don’t kill the cyber chain just yet


The continuous evolution of cyberattacks has led many to question the future of the cyber kill chain.
An agile kill chain that incorporates elements of MITRE ATT&CK and extended detection and
response (XDR) strategies could identify a broader range of threats, and be able to prevent and
neutralize them more effectively.

No matter what your stance on the cyber kill chain framework, addressing existing vulnerabilities and
having a comprehensive cyber security strategy in place is crucial for the safeguarding of any
business.

Conclusion
The cyber kill chain is a helpful model for understanding how hackers carry out cyber attacks. By
understanding the various stages of the kill chain, organisations can develop more effective defences
against these threats.

Even though you can find many versions of the Cyber Kill Chain online, they are all quite similar, and
probably all of them are right. What is important is understanding the basic idea and the attacker's
workflow. That said, it can also be useful for a pen-tester to plan their work as well as possible
(reasoning like a black hat is the only way to do a good job).

I hope you enjoyed the article; if so, keep following me.