Cyber Kill Chain is a concept branded by Lockheed Martin, that describes how the attacker proceeds with his steps during the attack. It is important for a security expert to be familiar with this concept and to be able to map it to a real attack. The most useful trait of Cyber Kill Chain is, that it gives you the idea about how far in his attack has the adversary progressed. This knowledge determines the amount of possible damage, investigation steps that need to be taken, and means of monitoring that need to be set up.
LIFARS employs Cyber Kill Chain methodology during offensive security engagements, like penetration testing and red teaming exercises.
From the defensive perspective, it is important to understand that stopping the adversary at any stage will result in breaking the attack chain. The attack is successful only when the adversary proceeds through all stages to reach stage 7.
Cyber Kill Chain consists of the following phases:
Passive recon includes leveraging OSINT (searching in Open Source Information) and learning about the target ‘s infrastructure and employees. It is nearly impossible to detect passive recon, as it is usually indistinguishable from normal behavior, unless detections for browsing behavior unique to recon are in place. On the other hand, active recon includes port scanning, system enumeration, and others, and can be detected more easily.
Weaponization is the phase of attack preparation. It means identifying the backdoors of the target, obfuscating shellcode, preparing malicious documents, etc. From the defense perspective, this stage cannot be detected in real time, although full malware analysis, finding new campaigns and new payloads, collecting files and metadata for future analysis and finding commonalities of the malware with other attacks can help significantly.
Delivery is the phase of distributing the weaponized content to the target infrastructure. There are several ways how this objective can be achieved – phishing campaigns, drive-by download, SQL injection, logging into the system with leaked or brute-forced credentials, etc. For the defenders, this is the most important stage, where detection can and should happen.
Exploitation means, that the attacker has gained initial access to the system. To achieve that, a vulnerability must be exploited to establish some persistence, download and use more tools, exfiltrate credentials, elevate privileges, etc. The vulnerability can be a 0-day, known but unpatched vulnerability or a user clicking on malicious links. Here, the traditional security controls help the most. Namely, secure configuration, patching, hardening, user awareness training and vulnerability scanning to name a few.
Installation means achieving firm persistence within the victim’s environment. The adversary can install backdoors, add services, and mask his presence. The goal here is to extend its persistence for longer periods of time. In this phase, detective controls can uncover that an intruder resides in the infrastructure. Mechanisms like host intrusion detection, endpoint process auditing and extracting certificates of signed executables can help with this.
6. Command and Control
After the malware has been installed, it connects back to the Command and Control servers and listens for orders. This way, the attacker can interact with the environment, pivot, and move laterally through the network. Usually, this is the last chance for the defenders to prevent the impact of the attack. This can be done by discovering the Command and Control infrastructure by malware analysis, hardening networks, or DNS sink holing.
7. Actions on Objectives
This is the final stage of an attack, where the end goals of the adversary are achieved. Objectives of the attackers can vary – they can range from data exfiltration, through collecting ransom to destroying the network or its parts. The longer the attack lasts, the more damage is usually done. In this phase, thorough and well-exercised incident response plans and playbooks are crucial to mitigate the attack and recover the infrastructure.
To conclude, it is useful to be familiar with all stages of an attack, especially when performing incident response, security monitoring, or threat intelligence. When one is familiar with this concept, he can easily categorize IoCs (Indicators of Compromise) and TTPs (Tactics, Techniques and Procedures) of an attacker or APT into these seven phases and effectively track down the adversary.