Cyber kill chain

Intrusion kill chain for information security

The cyber kill chain is the process by which perpetrators carry out cyberattacks. [2] Lockheed Martin adapted the concept of the kill chain from a military setting to information security, using it as a method for modeling intrusions on a computer network. [3] The cyber kill chain model has seen some adoption in the information security community. [4] However, acceptance is not universal, with critics pointing to what they believe are fundamental flaws in the model. [5]


Attack phases and countermeasures

Computer scientists at Lockheed-Martin corporation described a new "intrusion kill chain" framework or model to defend computer networks in 2011. [6] They wrote that attacks may occur in phases and can be disrupted through controls established at each phase. Since then, the "cyber kill chain" has been adopted by data security organizations to define phases of cyberattacks. [7]

A cyber kill chain reveals the phases of a cyberattack: from early reconnaissance to the goal of data exfiltration. [8] The kill chain can also be used as a management tool to help continuously improve network defense. According to Lockheed Martin, threats must progress through several phases in the model, including:

  1. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
  2. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
  3. Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives).
  4. Exploitation: Malware weapon's program code triggers, which takes action on target network to exploit vulnerability.
  5. Installation: Malware weapon installs an access point (e.g., "backdoor") usable by the intruder.
  6. Command and Control: Malware enables intruder to have "hands on the keyboard" persistent access to the target network.
  7. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

Defensive courses of action can be taken against these phases: [9]

  1. Detect: Determine whether an intruder is present.
  2. Deny: Prevent information disclosure and unauthorized access.
  3. Disrupt: Stop or change outbound traffic (to attacker).
  4. Degrade: Counter-attack command and control.
  5. Deceive: Interfere with command and control.
  6. Contain: Network segmentation changes.

A U.S. Senate investigation of the 2013 Target Corporation data breach included analysis based on the Lockheed-Martin kill chain framework. It identified several stages where controls did not prevent or detect progression of the attack. [1]
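A kill chain analysis of the kind described above (the seven phases, the defensive courses of action, and the gap review the Senate applied to the Target breach), as an added worked example in Python that is not from the page or from Lockheed Martin. The control matrix, control names and the intrusion timeline are constructed for a hypothetical organization.

```python
from enum import IntEnum
from typing import NamedTuple

class Phase(IntEnum):
    RECONNAISSANCE = 1
    WEAPONIZATION = 2
    DELIVERY = 3
    EXPLOITATION = 4
    INSTALLATION = 5
    COMMAND_AND_CONTROL = 6
    ACTIONS_ON_OBJECTIVE = 7

ACTIONS = ("Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Contain")
# Constructed course-of-action matrix for a hypothetical organization:
# (phase, action) -> the control in that cell. Missing cells are gaps.
MATRIX = {
    (Phase.DELIVERY, "Detect"): "mail gateway alerting",
    (Phase.DELIVERY, "Deny"): "attachment type blocking",
    (Phase.INSTALLATION, "Detect"): "EDR (new service or autorun)",
    (Phase.COMMAND_AND_CONTROL, "Detect"): "NIDS (beacon signatures)",
    (Phase.COMMAND_AND_CONTROL, "Deceive"): "DNS sinkhole",
    (Phase.ACTIONS_ON_OBJECTIVE, "Detect"): "DLP on bulk transfers",
    (Phase.ACTIONS_ON_OBJECTIVE, "Contain"): "network segmentation",
}

class Event(NamedTuple):
    phase: Phase
    indicator: str
    detected: bool  # did an existing control actually fire on it?

def gaps(matrix, actions=("Detect", "Deny")):
    """Phases where the organization has no control of the given kinds."""
    return [p for p in Phase if not any((p, a) in matrix for a in actions)]

def controls_at(matrix, phase):
    # Controls available at one phase, ordered by course of action.
    return [(a, matrix[(phase, a)]) for a in ACTIONS if (phase, a) in matrix]

def earliest_detected(events):
    return min((e.phase for e in events if e.detected), default=None)

def missed_opportunities(events, matrix):
    """Phases passed undetected although a control existed there: the cells
    to review first, as in the Senate analysis of the Target breach."""
    first = earliest_detected(events)
    missed = []
    for e in sorted(events, key=lambda e: e.phase):
        if first is not None and e.phase >= first:
            break
        ctrls = controls_at(matrix, e.phase)
        if ctrls and not e.detected:
            missed.append((e.phase, e.indicator, ctrls))
    return missed

# Constructed reconstruction of one intrusion; only the C2 beacon was noticed.
INTRUSION = [
    Event(Phase.DELIVERY, "e-mail with macro-enabled attachment", False),
    Event(Phase.EXPLOITATION, "macro spawns a script interpreter", False),
    Event(Phase.INSTALLATION, "scheduled task persisting the payload", False),
    Event(Phase.COMMAND_AND_CONTROL, "periodic HTTPS beacon to rare domain", True),
]
```

Running `gaps(MATRIX)` shows the phases with no control at all (here the two phases that happen outside the defended network plus exploitation), while `missed_opportunities(INTRUSION, MATRIX)` separates those from phases where a control existed but did not fire.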

Alternatives

Different organizations have constructed their own kill chains to try to model different threats. FireEye proposes a linear model similar to Lockheed-Martin's. In FireEye's kill chain the persistence of threats is emphasized. This model stresses that a threat does not end after one cycle. [10]

  1. Reconnaissance: This is the initial phase where the attacker gathers information about the target system or network. This could involve scanning for vulnerabilities, researching potential entry points, and identifying potential targets within the organization.
  2. Initial Intrusion: Once the attacker has gathered enough information, they attempt to breach the target system or network. This could involve exploiting vulnerabilities in software or systems, utilizing social engineering techniques to trick users, or using other methods to gain initial access.
  3. Establish a Backdoor: After gaining initial access, the attacker often creates a backdoor or a persistent entry point into the compromised system. This ensures that even if the initial breach is discovered and mitigated, the attacker can still regain access.
  4. Obtain User Credentials: With a foothold in the system, the attacker may attempt to steal user credentials. This can involve techniques like keylogging, phishing, or exploiting weak authentication mechanisms.
  5. Install Various Utilities: Attackers may install various tools, utilities, or malware on the compromised system to facilitate further movement, data collection, or control. These tools could include remote access Trojans (RATs), keyloggers, and other types of malicious software.
  6. Privilege Escalation / Lateral Movement / Data Exfiltration: Once inside the system, the attacker seeks to elevate their privileges to gain more control over the network. They might move laterally within the network, trying to access more valuable systems or sensitive data. Data exfiltration involves stealing and transmitting valuable information out of the network.
  7. Maintain Persistence: This stage emphasizes the attacker's goal to maintain a long-term presence within the compromised environment. They do this by continuously evading detection, updating their tools, and adapting to any security measures put in place.

Critiques

Among the critiques of Lockheed Martin's cyber kill chain model as a threat assessment and prevention tool is that the first phases happen outside the defended network, making it difficult to identify or defend against actions in these phases. [11] Similarly, this methodology is said to reinforce traditional perimeter-based and malware-prevention-based defensive strategies. [12] Others have noted that the traditional cyber kill chain is not suitable for modeling the insider threat. [13] This is particularly troublesome given the likelihood of successful attacks that breach the internal network perimeter, which is why organizations "need to develop a strategy for dealing with attackers inside the firewall. They need to think of every attacker as [a] potential insider". [14]

Unified kill chain

The unified kill chain consists of 18 unique attack phases that can occur in advanced cyber attacks.

The Unified Kill Chain was developed in 2017 by Paul Pols in collaboration with Fox-IT and Leiden University to overcome common critiques against the traditional cyber kill chain, by uniting and extending Lockheed Martin's kill chain and MITRE's ATT&CK framework (both of which are based on the "Get In, Stay In, and Act" model constructed by James Tubberville and Joe Vest). The unified version of the kill chain is an ordered arrangement of 18 unique attack phases that may occur in an end-to-end cyberattack, covering activities that occur both outside and within the defended network. As such, the unified kill chain improves on the scope limitations of the traditional kill chain and the time-agnostic nature of tactics in MITRE's ATT&CK. The unified model can be used to analyze, compare, and defend against end-to-end cyberattacks by advanced persistent threats (APTs). [15] A subsequent whitepaper on the unified kill chain was published in 2021. [16]


References

  1. "U.S. Senate Committee on Commerce, Science, and Transportation. A "Kill Chain" Analysis of the 2013 Target Data Breach. March 26, 2014" (PDF). Archived from the original (PDF) on October 6, 2016.
  2. Skopik & Pahi 2020, p. 4.
  3. Higgins, Kelly Jackson (January 12, 2013). "How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack". DARKReading. Archived from the original on 2024-01-19. Retrieved June 30, 2016.
  4. Mason, Sean (December 2, 2014). "Leveraging The Kill Chain For Awesome". DARKReading. Archived from the original on 2024-01-19. Retrieved June 30, 2016.
  5. Myers, Lysa (October 4, 2013). "The practicality of the Cyber Kill Chain approach to security". CSO Online. Archived from the original on March 19, 2022. Retrieved June 30, 2016.
  6. Hutchins, Eric M.; Cloppert, Michael J.; Amin, Rohan M. (2011). "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" (PDF). Lockheed Martin Corporation. Archived (PDF) from the original on 2021-07-27. Retrieved 2021-08-26.
  7. Greene, Tim (5 August 2016). "Why the 'cyber kill chain' needs an upgrade". Archived from the original on 2023-01-20. Retrieved 2016-08-19.
  8. "The Cyber Kill Chain or: how I learned to stop worrying and love data breaches". 2016-06-20. Archived from the original on 2016-09-18. Retrieved 2016-08-19.
  9. John Franco. "Cyber Defense Overview: Attack Patterns" (PDF). Archived (PDF) from the original on 2018-09-10. Retrieved 2017-05-15.
  10. Kim, Hyeob; Kwon, HyukJun; Kim, Kyung Kyu (February 2019). "Modified cyber kill chain model for multimedia service environments". Multimedia Tools and Applications. 78 (3): 3153–3170. doi:10.1007/s11042-018-5897-5. ISSN 1380-7501.
  11. Laliberte, Marc (September 21, 2016). "A Twist On The Cyber Kill Chain: Defending Against A JavaScript Malware Attack". DARKReading. Archived from the original on 2023-12-13.
  12. Engel, Giora (November 18, 2014). "Deconstructing The Cyber Kill Chain". DARKReading. Archived from the original on 2023-12-15. Retrieved June 30, 2016.
  13. Reidy, Patrick. "Combating the Insider Threat at the FBI" (PDF). BlackHat USA 2013. Archived (PDF) from the original on 2019-08-15. Retrieved 2018-10-15.
  14. Devost, Matt (February 19, 2015). "Every Cyber Attacker is an Insider". OODA Loop. Archived from the original on August 26, 2021. Retrieved August 26, 2021.
  15. Pols, Paul (December 7, 2017). "The Unified Kill Chain" (PDF). Cyber Security Academy. Archived (PDF) from the original on May 17, 2021. Retrieved May 17, 2021.
  16. Pols, Paul (May 17, 2021). "The Unified Kill Chain". UnifiedKillChain.com. Archived from the original on May 17, 2021. Retrieved May 17, 2021.