Breaking The Cyber Kill Chain

The Cyber Kill Chain (CKC), developed by Lockheed Martin, is a sequence of stages an attacker must complete to infiltrate a network and exfiltrate data from it successfully. It helps cyber defenders understand how adversaries conduct offensive cyber operations in 7 stages. The cyber-attack chain model helps the IT security team build proactive defence strategies and risk management processes to enhance cyber protection and minimise the business impact of an incident.

The cyber kill chain is adapted from the military concept of a kill chain. It consists of the reconnaissance phase, weaponisation phase, delivery phase, exploitation phase, installation phase, command and control phase and actions on objective phase. The seven stages are described below.

The first phase of the cyber kill chain is the reconnaissance phase. The objective of the reconnaissance phase is to identify the target’s weak points through intensive research and planning. Both passive and active methods are used when performing reconnaissance.

  • Gathering information without alerting the subject of surveillance is passive reconnaissance. It is common to start with this because if the targets are alerted, it is very likely that they will buff up their security due to anticipated incoming attacks. Passive reconnaissance is achieved by gathering information via public resources. This technique is also called OSINT (Open-Source Intelligence), where information such as IP addresses, domain names, DNS records, email addresses, names, web application frameworks and even associated CVEs can be obtained. 

  • Active reconnaissance, in contrast, requires some level of interaction with the targets. This type of information gathering relies on tools and scripts that will send different types of requests to computer systems, collecting specific information about the device or other devices that are connected to the same network. The information collected via active reconnaissance generally consists of port statuses, the operating system of the targets, services that are running, and banner information which may also lead to discovering vulnerable applications that are hosted in the device. In addition, the risk of active reconnaissance is that the target’s IDS/IPS may trigger alarms alerting relevant parties of the intruder’s activities.

With the reconnaissance information gathered in the first phase, the attacker will move to the second phase, which is weaponisation. In this phase, the goal is to engineer malware based on the adversary’s motives. The malware is specially crafted and catered to exploit the weaknesses discovered in the network and its devices from the recon phase. An example would be injecting an MS Excel document with malicious code and delivering it via phishing emails.

The third phase is the delivery phase, which is a crucial component of the cyber kill chain. In this phase, the adversaries transport the malware to the selected targets. For example, common delivery methods may involve sending malware-attached phishing emails to targets, drive-by downloads, USB drives or DNS poisoning.

Exploitation is the fourth phase of the cyber kill chain. The transported payload is triggered either by an adversary or by an unsuspecting end-user, and it then exploits the vulnerability on the system. The objective of the payload is to obtain an initial foothold in the network.

Once the foothold has been established, the installation phase, which is also the fifth phase, begins. In this phase, the adversary attempts to install malware onto the target network to take control of its systems to perform various operations, such as maintaining access, persistence, and privilege escalations. The installation of malware is commonly done via trojan horses, backdoors or command-line interfaces.

The sixth phase of the cyber kill chain is the Command-and-Control phase, also known as C2 or C&C. In this phase, a communication channel is established for the adversary to communicate with the malware that is already in the target’s network. C2 servers are commonly used for sending remote hidden instructions to compromised systems to execute cyberattacks. The C2 server can also issue commands to exfiltrate sensitive data, reboot or shut down critical systems and perform DDoS (distributed denial of service) attacks if botnets are established.

Actions on objective is the final phase of the cyber kill chain. This phase depends on the adversary’s end goals. Service disruption via DDoS attacks, distributing malware to steal sensitive information from other victims, deploying ransomware to extort organisations or even completely destroying systems are a few common end goals for cybercriminals.

Breaking the Cyber Kill Chain

To secure the network and data from cyber attacks and data exfiltration, it is vital to break the cyber kill chain, particularly at the earliest phase, as it limits the adversary’s ability to plan and execute a successful cyber attack. Many defence measures can be implemented at different stages of the cyber kill chain. Below are some pointers to consider at each stage when fortifying your defences.

Breaking the Reconnaissance Chain

  • Firewalls, IDS and IPS should be implemented to detect and stop suspicious traffic.
  • Network traffic should be monitored continuously for unauthorised network scans.
  • Access to sensitive information online should be limited.
  • Frequent training and phishing drills should be conducted internally by the IT team to educate users on all forms of social engineering attacks such as phishing, smishing or even vishing.
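
One way to monitor for unauthorised network scans, as an added example that is not part of the original article: the script flags any source that touches many distinct host and port pairs inside a short time window. The log format, addresses, window and threshold are constructed assumptions, not values from a real network or product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall connection log: timestamp, source, destination, dest port.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 10.0.0.5 21
2024-01-01T10:00:01 203.0.113.7 10.0.0.5 22
2024-01-01T10:00:02 203.0.113.7 10.0.0.5 23
2024-01-01T10:00:03 203.0.113.7 10.0.0.5 80
2024-01-01T10:00:04 203.0.113.7 10.0.0.5 443
2024-01-01T10:00:05 203.0.113.7 10.0.0.5 3389
2024-01-01T10:00:00 198.51.100.20 10.0.0.8 443
2024-01-01T10:00:10 198.51.100.20 10.0.0.8 443
2024-01-01T10:00:20 198.51.100.20 10.0.0.8 443
2024-01-01T10:00:30 198.51.100.20 10.0.0.8 443
2024-01-01T08:00:00 198.51.100.30 10.0.0.9 22
2024-01-01T09:00:00 198.51.100.30 10.0.0.9 25
2024-01-01T10:00:00 198.51.100.30 10.0.0.9 80
2024-01-01T11:00:00 198.51.100.30 10.0.0.9 443
2024-01-01T12:00:00 198.51.100.30 10.0.0.9 8080
"""


def detect_scans(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {source: max distinct (host, port) targets seen inside one window}
    for every source that reaches the threshold."""
    by_src = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):  # skip blank lines
        ts, src, dst, port = line.split()
        by_src[src].append((datetime.fromisoformat(ts), dst, int(port)))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {(dst, port) for _, dst, port in events[start:end + 1]}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    for src, count in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {count} distinct targets in one window")
```

The repeated connections to a single service are not flagged because only distinct targets count. The window and threshold are tuning choices: a longer window catches slower probing at the cost of more false positives.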

Breaking the Weaponisation Chain

  • It is difficult to disrupt the weaponisation phase, but if the reconnaissance chain has been broken, the adversary has a much smaller chance of engineering malware that evades the defences, and the malware is more likely to be detected in the delivery phase.

Breaking the Delivery Chain

  • Configure firewalls and ACLs to block high-risk applications
  • Implement IPS, anti-malware, anti-C2, DNS monitoring and sinkholes to block known exploits, malware, and inbound C2 communications.
  • Deploy EPP (Endpoint protection) and EDR (Endpoint Detection and Response) on devices and networks.
  • Deny system modifications and installation rights for end-users
  • Create awareness of cyber hygiene for end-users, such as scanning USB drives before inserting them into corporate devices and downloading only from reliable websites

Breaking the Exploitation Chain

  • Ensure devices and systems are patched and updated
  • Regular vulnerability scans and penetration testing
  • Implement patch management systems to deploy security patches constantly. 

Breaking the Installation Chain

  • Limit privileges for user accounts
  • Implement policies requiring strong passwords and frequent password changes
  • Implement Two-Factor Authentication (2FA)
  • Implement Privileged Access Management solutions

Breaking the Command and Control (C2/C&C) Chain

  • Block outbound C2 communications.
  • Block outbound communications to malicious URLs through URL Filtering
  • Create honeypots and honeynets and redirect attacks to them. 
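
A DNS sinkhole of the kind mentioned under the delivery and C2 chains, sketched as an added example that is not part of the original article: blocklisted names are answered with a sinkhole address, and the clients that asked for them are recorded as hosts to investigate. The blocklist, sinkhole address, log entries and function names are all constructed placeholders.

```python
# Constructed blocklist and sinkhole address (placeholders, not real indicators).
BLOCKLIST = {"c2.example", "bad-updates.example.net"}
SINKHOLE_IP = "192.0.2.53"

# Constructed resolver query log: (client IP, queried name).
QUERY_LOG = [
    ("10.0.0.21", "www.example.org"),
    ("10.0.0.34", "beacon.c2.example."),   # trailing dot: fully qualified form
    ("10.0.0.34", "C2.Example"),           # DNS names are case-insensitive
    ("10.0.0.21", "notc2.example"),        # shares a suffix string, not a label
    ("10.0.0.47", "cdn.bad-updates.example.net"),
]


def normalise(qname):
    """Lower-case the name and drop the trailing root dot."""
    return qname.rstrip(".").lower()


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname or any parent domain is on the blocklist.
    Matching is per label, so 'notc2.example' does not match 'c2.example'."""
    labels = normalise(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(qname, upstream):
    """Answer blocklisted names with the sinkhole; pass the rest upstream.
    `upstream` is any callable that maps a name to an address."""
    return SINKHOLE_IP if is_blocked(qname) else upstream(qname)


def sinkhole_hits(query_log):
    """Map each client to the blocklisted names it queried, in log order."""
    hits = {}
    for client, qname in query_log:
        if is_blocked(qname):
            hits.setdefault(client, []).append(normalise(qname))
    return hits


if __name__ == "__main__":
    for client, names in sinkhole_hits(QUERY_LOG).items():
        print(f"{client} queried sinkholed names: {', '.join(names)}")
```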

Breaking the Action on Objective Chain

  • Deploy the use of threat intelligence tools to proactively hunt for indicators of compromise (IOC)
  • Implement incident response and threat-hunting capabilities by bridging the security operations centre (SOC) and network operations centre (NOC)
  • Monitor and inspect all traffic between zones


Although the Cyber Kill Chain was developed more than a decade ago, it is still not completely outdated. However, several security gaps have been identified in this model. The CKC model was primarily focused on perimeter and malware defence; however, these are not the only risks we face in cyberspace today.

A more effective model that should be considered is the Unified Kill Chain model. The Unified Kill Chain is a combination of the Cyber Kill Chain model with MITRE’s ATT&CK model. It offers significant improvements over the scope limitations of the Cyber Kill Chain and the time-agnostic nature of the tactics in MITRE’s ATT&CK model.