The team developed the model to help security teams understand the breakdown of an externally originated attack into seven different steps. It helps teams to learn how cyber attacks work and help prepare the defensive controls of an organisation. Penetration testing exercises or red team operations follow this attack chain path to demonstrate their movements during simulation exercises. A few underlying concepts or techniques may change based on situational awareness and plan, however, the high-level methodology for an offensive security assessment follows this methodology.
In this article, we cover the original concept of cyber kill chain from Lockheed martin, cloud-enabled kill chain, Mitre Att&ck kill chain and the relevant aspects.
What is the Lockheed martin cyber kill chain?
The Cyber kill chain, also called CKC, is a phase-based cybersecurity model developed by Lockheed Martin. It is co-opted from the military term ‘kill-chain’ used to break down the structure of an attack.
Feel free to watch this video containing a condensed version of the article.
What is an example of the Cyber Kill Chain?
An excellent example is the Lockheed Martin Cyber Kill Chain framework. It was developed as part of the intelligence-driven defence models for identifying and preventing cyber-attacks and the data exfiltration that comes with it.
From the perspective of a cyber kill chain case study, a number of legitimate programs are weaponized to help threat actors or attackers when you search online about data security breaches studies. For example, excel weaponization to exfiltrate data, privilege escalation, initial shell excess are some of the threat scenarios exploited to gain or escalate privileges. Use of PowerShell programs to run programs to bypass traditional endpoint detection mechanisms is another mechanism.
What are the 7 steps of the cyber kill chain?
The term kill chain was first used in the military to describe a series of actions with few words. The kill chain, in simple terms, identifies targets, analyses the target and develops a decision on whether to attack the target. Most importantly, the kill chain dissects the different stages of an APT attack and helps defensive teams against threats. Red teaming operations often include references and different stages in line with the cyber kill chain model well before MITRE release.
As it became a term in computer science and cybersecurity, Lockheed Martin made some adjustments to the term in 2011 to give a more precise representation of the process.
Like the military’s kill chain, the cyber kill chain has seven crucial steps to manage, protect, and improve network systems. The steps are as follows:
At this stage of the attack, the criminals gather as much info they can access about their targets. This is where the cyber attack starts. To do this, the criminals might employ a range of spying tools. In most cases, they take advantage of the public information available about their targets and continue from there.
Examples of this stage of attack include:
- Attackers can use automated scanners to find weak points and vulnerabilities that allow penetration.
- Attackers also investigate the victim’s security systems, like intrusion detection systems, authentication mechanisms, and firewalls.
At this stage of the attack, the attackers act on the information they have collected about their target and find weaknesses they can exploit. Using the exploit, the attackers will create a malicious payload (using encrypted channels such as HTTPS port 443 over SSL that they will send to their victim. Everything is still on the attacker’s side, and the target has not been exploited or actively attacked yet.
At the intrusion stage, the attacker is trying to gain entry into the victim’s security perimeter. To do this, attackers usually inject various forms of malware into the systems of the victim to gain control. The malicious content can be delivered to the target either by social engineering email, social media or compromised systems or accounts or a security breach like an open port or an insider accomplice.
Example attacks in the intrusion stage include:
- Supply chain compromise
- Spear phishing attachments
- External/remote services
At the exploitation stage, attackers will seek other victim vulnerabilities that they did not know before entering. For instance, an attacker might not have privileged access to an organisation’s database from outside; however, they might spot vulnerabilities in the database that allows them to gain entry after an intrusion.
Example attacks in the exploitation stage include
- PowerShell, .Net, C# scripts
- Local job scheduling
- Dynamic data exchange
At the privilege escalation stage, the attacker attempts to gain the additional privilege to more accounts and systems. The attacker might decide to use brute force, or on the alternative, he might seek out unprotected repositories containing security credentials or monitor networks without encryption to track the credentials. He might as well consider changing permissions on previously existing compromised accounts.
When he has the credentials he needs, the attacker then proceeds to other systems to find the most valuable assets of his target. Attackers typically move from one system to the other, seeking access to privileged accounts, sensitive data. This is usually a coordinated attack and usually affects several user accounts and IT systems.
Example attacks in the privilege escalation and lateral movement stage:
- Windows remote management
- Pseudo attack
- SSH hijacking
- Shared webroot
- Process injection
- Path interception
- Internal spear phishing
- Access token manipulation
6. Command and Control
Now that the attacker has gained control of a significant part of the victim’s systems and user accounts and privileged, he will now develop a command control channel to operate and monitor his attack remotely. This stage will involve obfuscation and denial of service. Obfuscation is when the attacker tries to cover his tracks, making it look like nothing has happened. Examples of activities in the obfuscation stage include
- Binary padding
- Code signing
- File deletion
- Hidden users
- Process hollowing
After obfuscation, denial of service will then take place, which is the opposite of obfuscation. The attacker who has been keeping a low profile will not decide to cause issues in the systems to announce their presence. This is usually to distract the attention of the security teams so he can perpetuate his fundamental objectives. The following are examples of attacks at the Denial-of-Service stage:
- System shutdown
- Service stop
- Resource hijacking
- Network denial of service
- Endpoint denial of service
7. Action on Objectives
Every form of cyber attack has an underlying objective. The attacker usually has some objective in the victim’s network, data exfiltration, data deletion or supply chain attacks. At this stage, he brings together all the activities that will help achieve these goals. This step might involve weeks to months.
What is the last stage of the cyber kill chain framework?
Action on objectives.
Examples of attacks at this last stage of CKC include:
- Data Exfiltration over alternative protocol
- Data Exfiltration over a physical medium
- Data encrypted
- Data compressed
Is the Cyber Kill Chain outdated?
No, the cyber kill chain is not outdated. Instead, it has several security gaps. These security gaps exist because the model has not been modified since its creation about a decade ago. The model’s design works well to protect against malware prevention and detection, which it was designed for. The problem, however, is that malware is not the only security risk in today’s world.
When you use the model for threat assessment and prevention, it fails to identify or defend the threats. That’s because the early stages of the attack happened outside of the protected network.
In fact, in just two years of the model’s establishment, the Cyber Chain’s weaknesses were exposed in 2013. An analysis was conducted in 2013 on Lockheed-Martin’s cyber chain framework, and the US senate discovered a security breach of a retail company, target. According to the US senate, the different stages of the protocol controls did nothing to detect or detect attacks’ progression. If, in 2013, the cyber chain model could not handle the threats of the day, it needs something extra to handle the developed cyber threats of today. The model’s problem stems from the fact that it uses an ancient approach to network security, focusing only on malware prevention and perimeter security.
Cloud-enabled Kill Chain
Another term doing rounds about kill chain is cloud-enabled kill chain. It does not change much dynamic of this concept, the only difference being Internet properties in the cloud is used for most of the setup and the focus of the cloud kill chain includes delivery, exploitation and action stages. For instance, attack infrastructure includes the use of CDNs (domain fronting), C2 (command and control) hosted in the cloud and ultimately cloud data exfiltration. If you are reading about this in 2021, cloud-enabled kill-chain concepts and red teaming tactics like these are already in use for a good few years.
Cyber Kill Chain does not identify Insider Threats
You should also note that the model cannot identify insider threats or intrusions with remote access. That’s because these threats do not involve malware or payloads. Since the kill chain model design only spots and prevents malware, it becomes useless in such situations. The list of threats that affect networks that fall outside the cyber kill chain’s effectiveness is long and expansive.
To correctly identify these threats that fall outside the cyber kill chain’s scope, one must first detect strange occurrences in user behaviours, subnets, computers, and applications. To do this, you have to run a behavioural profile on users and their tasks.
For example, while it is normal for the accountant to check the payroll information constantly, it might be strange to come from an IT staff account. Also, a user account in the HR department running PowerShell raises a level of suspicion.
To make things easy, you can automate the behaviour profiling process to get alerts for strange behaviour. With proper tuning, you can get the system to report real threats and save time and cases of false-positive activities.
Indicator of Compromise (IOCs)
The technological world today is changing at a swift pace. Cyber attacks are becoming very complex as attackers continue to combine several tactics, techniques and procedures (TTP) to achieve their malicious aims.
Some years ago, all you needed to be protected was to search intel feeds and flag IPs or websites with a bad reputation. Unfortunately, even those who are not tech-savvy can change their IP address with just a few clicks in today’s world. As a result, intelligence feeds now create false positive alerts, which distract cybersecurity teams, making them lose sight of the real threats.
For instance, imagine someone uses their IP address on Facebook messenger for a phishing campaign. While such an address is legitimate from Facebook, it would be flagged as malicious whenever the host tries to connect because it has a bad reputation, whereas it is not. It is, in fact, an IOC.
Considering all of these, there is a need to develop new methods to protect ourselves from cyberattacks. This is why cybersecurity experts continue to develop technologies and techniques to detect threats through AI, machine learning, statistical models and complex algorithms to analyse patterns and create trends to solve cybersecurity issues. Only then can we reduce false positives occurrences.
Cyber Kill Chain vs Mitre Att&ck
Mitre cyber kill chain differs from CKC in the way it lists the tactics in no particular order. Cyber kill chain groups them in stages in a particular way. Objectives in both cases are clear – get in, escalate privileges, stay under the radar and achieve objectives.
Mitre att&ck kill chain
Att&ck is an acronym that stands for Adversarial Tactics, Techniques, and Common Knowledge. This framework is a combination of intrusion techniques grouped into 12 different tactics. The mitre att&ck kill chain tactics include the following:
- Initial access: these are techniques used by various entry vectors to gain an initial foothold within a network, for instance, the T1192 Spear Phishing Link.
- Execution: these are techniques that allow the running of attacker-controlled code on a local system or a remote one. An example is the T1086 PowerShell
- Persistence: these are techniques attackers use to maintain persistence when accessing a system. An example is the T1037 Logon Script.
- Privilege escalation: these are techniques that allow attackers to gain high-level privileges on a system or network. An example is the T1055 Process Injection.
- Defence evasion: these are techniques attackers use in avoiding detection. An example is the T1073 DLL Side-Loading.
- Credential access: these are techniques attackers use for stealing credentials like account names, passwords. An example is the T1208 Kerberoasting
- Discovery: these are the techniques attackers use to gain knowledge about their clients’ systems and networks. An example is the T1040 Network Sniffing
- Lateral movement: these are techniques that attackers use in gaining remote access to the systems and networks of their already compromised host. Usually, attackers move through multiple computers, starting with the weakest link till they reach their aim. An example is a T1097 Pass the Ticket
- Collection: these are the techniques that aid in gathering information relevant to the attacker’s aim. An example is the T1506 input capture. These are techniques attackers employ to communicate with the systems they have under their control, often making things look like regular HTTP traffic. An example is the T1172 Domain Fronting.
- Exfiltration: these are techniques that attackers use to steal data from the network of their victims. An example is the T1002 Data Compressed.
- Impact: these are techniques used by attackers to disturb or compromise networks’ integrity by manipulating operational and business processes. The impact is the last phase, and it is what happens when the attacker has reached their goal.
Unified Kill Chain
A more comprehensive approach combines elements from both the Cyber Kill Chain and Att&ck, dividing an attack into 18 stages. By using these two frameworks and comparing IOCs simultaneously against several feeds of reliable threat intel, it helps to know whether a threat needs attention or not. Both defenders and red teams can use a unified kill chain attack model to help develop and improve defensive controls.
Get in touch with our experts to discuss your security concerns.
Shahrukh, is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Masters degree in Information Security, an OSCP and has a strong technical skillset in offensive security.