Attacks/Breaches
11/18/2014 11:00 AM
Giora Engel
Commentary

Deconstructing The Cyber Kill Chain

As sexy as it is, the Cyber Kill Chain model can actually be detrimental to network security because it reinforces old-school, perimeter-focused, malware-prevention thinking.

Created by defense giant Lockheed Martin, the term “Cyber Kill Chain” has been widely used by the security community to describe the different stages of cyber attacks. It’s a compelling model, easy to understand... and, let’s face it, the name sounds really cool.

However, whenever we look under the hood of the Cyber Kill Chain diagram that graces the Lockheed Martin website, we can’t help but try to scroll down farther than the diagram reaches. Because -- in a year that’s seen successful targeted attacks on consumer-facing giants like Target, JPMorgan, and Home Depot -- it has become clear that the actual scope of today’s cyberthreats extends far beyond that of the Cyber Kill Chain.

Beyond intrusion
Lockheed Martin’s model is intrusion-centric. Intrusion was the focus of cyber security when the model was created, and it still absorbs (too) much of the security effort today.

The following is a brief description of its seven steps.

  • Step 1: Reconnaissance. The attacker gathers information on the target before the actual attack starts, for instance by looking for publicly available information on the Internet.
  • Step 2: Weaponization. The attacker takes an exploit and creates a malicious payload to send to the victim. This step happens on the attacker’s side, without any contact with the victim.
  • Step 3: Delivery. The attacker sends the malicious payload to the victim by email or other means. This is only one of many intrusion methods the attacker can use.
  • Step 4: Exploitation. The actual execution of the exploit, which is, again, relevant only when the attacker uses an exploit.
  • Step 5: Installation. Installing malware on the infected computer is relevant only if the attacker used malware as part of the attack. Even when malware is involved, the installation is a single point in time within a much more elaborate attack process that plays out over months.
  • Step 6: Command and control. The attacker creates a command and control channel in order to keep operating his internal assets remotely. This step is relatively generic and relevant throughout the attack, not only when malware is installed.
  • Step 7: Action on objectives. The attacker performs the steps needed to achieve his actual goals inside the victim’s network. This is the elaborate, active attack process, and it takes months and thousands of small steps to carry out.

In fact, steps 1 through 6 of the Chain relate solely to intrusion, which, as we know from recent attacks, is only a very small part of a targeted attack. The Chain is also disproportionate on the attack’s time scale: steps 1 through 6 take relatively little time, whereas step 7 can take months.

Further, it’s worth considering that steps 1, 2, and 3 are not relevant from an operational point of view. These are just the documentation of steps an attacker may take behind the scenes, not something that security professionals can directly address or influence.

Then we have the fact that the Chain is completely malware-focused. But malware is only one threat vector facing today’s networks. What about the insider threat? Social engineering? Intrusion based on remote access, in which no malware or payload is involved? The list of threat vectors facing today’s networks is far, far longer than those covered by the Chain.

What we’re left with, after we eliminate the steps that cannot be acted on and the steps that are too narrow in focus to stay broadly relevant, is a vast, unstructured space between steps 6 and 7 (“Command and control” and “Actions on objectives”). And it is in this vast space that today’s targeted attackers are thriving -- many of them invisible to the Cyber Kill Chain paradigm.

The takeaway
We’re not afraid to say it: Over-focus on the Cyber Kill Chain can actually be detrimental to network security.

Why? Because the Cyber Kill Chain model, as sexy as it is, reinforces old-school, perimeter-focused, malware-prevention thinking. And the fact is that intrusion prevention solutions cannot provide 100% protection. A persistent, highly determined, and highly skilled attacker will always find a way in. And once the attacker is past your perimeter, traditional Cyber Kill Chain-style prevention solutions like firewalls, sandboxes, and antivirus can’t help. Once they’ve bypassed these solutions, attackers are free to operate in your network unobstructed.

The answer? If you must use the Chain model, zero in on No. 7. Focus on detecting ongoing attacks -- attackers that have already breached your perimeter -- before the damage is done. Instead of analyzing old malware, deploy a breach detection system that automatically detects and analyzes the changes in user and computer behavior that indicate a breach. These subtle changes are usually low-key and slow, and affect only a small number of computers, but the right analysis and context can flag them as malicious.
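The detection approach described above, as an added example that is not the author’s or LightCyber’s code: a per-user baseline of the internal hosts each account normally reaches, followed by a window in which new destinations are accumulated across days rather than judged one day at a time. The authentication events, user names and host names are all constructed for illustration; the slow one-host-per-day spread by "bob" never looks unusual on any single day, but it does once the days are summed.

```python
"""Slow-drift breach detection over constructed authentication events.

Added example, not code from the article's author or from LightCyber: it
baselines which internal hosts each user normally reaches, then flags a user
whose never-seen destinations accumulate over several days, even when no
single day looks unusual.  All events, users and host names are constructed.
"""
from collections import defaultdict

# Constructed sample events: (ISO day, user, destination host).  ISO date
# strings sort chronologically, so the tuples can be sorted directly.
TRAIN_UNTIL = "2014-11-05"          # last day of the baseline window
EVENTS = []
for _d in range(1, 11):
    _day = f"2014-11-{_d:02d}"
    EVENTS += [(_day, "alice", "fileserver"), (_day, "alice", "mail"),
               (_day, "bob", "fileserver"), (_day, "bob", "wiki")]
# bob's slow spread after the baseline window: one new host per day
EVENTS += [("2014-11-06", "bob", "hr-db"), ("2014-11-07", "bob", "finance-db"),
           ("2014-11-08", "bob", "dc01"), ("2014-11-09", "bob", "backup01"),
           ("2014-11-10", "bob", "dev-git")]


def build_baseline(events, train_until):
    """Map each user to the set of hosts reached on or before train_until."""
    baseline = defaultdict(set)
    for day, user, host in events:
        if day <= train_until:
            baseline[user].add(host)
    return dict(baseline)


def max_new_hosts_per_day(events, baseline, train_until):
    """Largest number of never-seen hosts any single day shows, per user.

    This is the view a naive per-day threshold gets: the slow spread in the
    sample never exceeds one new host on any one day.
    """
    per_day = defaultdict(set)
    for day, user, host in events:
        if day > train_until and host not in baseline.get(user, set()):
            per_day[(user, day)].add(host)
    result = {user: 0 for user in baseline}
    for (user, _), hosts in per_day.items():
        result[user] = max(result.get(user, 0), len(hosts))
    return result


def score_window(events, baseline, train_until, max_new_hosts=2):
    """Accumulate never-seen hosts per user across the whole evaluation window.

    Returns {user: {"flagged_on": day, "new_hosts": [...]}} for users whose
    cumulative count of new destinations exceeds max_new_hosts; "flagged_on"
    is the day the threshold was first crossed.
    """
    first_seen = defaultdict(dict)   # user -> {host: first day observed}
    for day, user, host in sorted(events):
        if day <= train_until or host in baseline.get(user, set()):
            continue
        first_seen[user].setdefault(host, day)
    alerts = {}
    for user, hosts in first_seen.items():
        if len(hosts) > max_new_hosts:
            days = sorted(hosts.values())
            alerts[user] = {"flagged_on": days[max_new_hosts],
                            "new_hosts": sorted(hosts)}
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(EVENTS, TRAIN_UNTIL)
    print("per-day peak of new hosts:",
          max_new_hosts_per_day(EVENTS, baseline, TRAIN_UNTIL))
    print("cumulative alerts:", score_window(EVENTS, baseline, TRAIN_UNTIL))
```

The contrast between the two scoring functions is the point: a threshold applied per day reports at most one new host for "bob" and stays quiet, while the cumulative view flags the account on the third new destination. In practice the baseline window would be longer and the threshold tuned per role, and an alert would carry the context (which hosts, which days) an analyst needs to judge it.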

Want another point of view on Kill Chain effectiveness? Check out Leveraging The Kill Chain For Awesome.


Giora Engel, vice president, product & strategy at LightCyber, is a serial entrepreneur with many years of technological and managerial experience. For nearly a decade, he served as an officer in an elite technological unit in the Israel Defense Forces, where he initiated and ...
Comments
tdsan, User Rank: Apprentice, 10/12/2016 | 4:53:43 PM
Cognitive Cybersecurity Approach
I think the writer has brought up some valid points. I do agree that Cybersecurity in comparison is still stuck in the stone ages. Cyber Kill Chain sounds like something from the military (i.e. Lockheed Martin was developed by ex-military consulting companies, thus the term). My whole point is if we continue to go down this path, without making radical disruptive changes, then we will continue to be violated at every level.

This is what I propose (since the gentleman stated earlier in the posts that we should provide solutions).

→ Continue to use hardening tools on various compute, network, and disk systems and subsystems (hold the vendor to the fire if their systems do not meet a set of hardened policy rules or give the user the ability to do it themselves using internal tools)

→ Change the IPv4 to a pure IPv6 addressing scheme with the ability to convert IPv4 packets (IPv6 uses ESP/AH - Encapsulated Security Payloads/Authenticated Headers, found in the protocol using TRILL/SPB and IPv6 IPSec AES256 ESP/AH VPN connections (IPv6 address range - trillion addresses /64)). Companies have not totally moved to IPv6; they don't realize the security implications this protocol provides (go to the SANS Institute and look up "IPv6 Security Capabilities")

→ Replace the existing firewall with a next generation firewall that has the ability to take command responses from your SIEM device and other devices on the network like switches/routers (i.e. Intelligence gained from triggers captured on the network).

→ Introduce cognitive tools from various companies like IBM (Watson Cybersecurity) and Extreme Networks (Netsight Atlas). These tools give you the ability to process data at lightning speeds without human intervention (IPS - Intrusion prevention system helps admins to thwart/remediate attacks but it is limited in its ability to determine if the attempt is valid or nefarious). The firewalls should also be able to block countries as well, limit the amount of traffic; if you don't do business with a certain part of the world and you are constantly being pinged, then enable that feature (e.g. PaloAlto, Sophos, even Snort provides that capability)

→ Introduce cognitive cyber-security tools from various companies like IBM (Watson Cybersecurity) and Extreme Networks (Netsight Atlas). These tools give you the ability to process data at lightning speeds without human intervention. There needs to be a way where the systems are able to learn and make decisions even if we are not present; I think that is lacking in our overall cyber defense scheme.

→ Design applications using a CMMI and ESDLC (Enterprise Software Development Lifecycle) development model. Take the application through a battery of tests before introducing it on the network. Look at the model Google is using; they have identified numerous holes in applications by following techniques to hack into the system after it has been set up and deployed (they will provide a workflow mechanism to test the application to see if there are any inherent flaws (please visit youtube and look up "Google's Project Zero" or review their bug list - "Project Zero Buglist"))

→ Separate job duties from a network, security, and server perspective (we have not abided by that notion in a long time, we have started mixing job roles to save money)

→ Windows - when applications are installed, it opens a port, why not limit the amount of ports that are open from an application perspective, the vendor should give us that ability, limit the attack vector/surface (going back to the vendor sentiment above) by reducing the number of ports (the smaller the attack surface thus harder to determine method of attack should be used - deep relationships with vendors is needed)

→ Linux - SELinux (heightened security levels), Fail2ban (dynamic ACL list), chkrootkit (rootkit) are some tools that can be used to really harden down an OS. The Chinese are working with their own government to create a hardened OS where that OS is being used by all vendors (i.e. cars, refrigerators, printers, etc). That gives the manufacturer the information they need to make changes and apply updates when they see a problem

→ Remove total dependence on the end-user, make suggestions and provide insight on the screen (help them to make the right decision) if they choose a lower security option (make them accountable for their actions) and if they are hacked, there is an immutable file that provides information about their selection, good or not

→ Storage Perspective - yes we can encrypt the disks, encrypt the path to the disks (IPv6 IPSec tunnels) and encrypt the data on the other side. But once the data gets to the receiver, how do you determine if that person (not impersonating someone) is the right person who should receive that information. There is a thing in IPv6 called Authenticating Headers (AH), this provides the authentication and integrity that the user is looking for. I do recommend using AES 256 Encryption on the storage device with rotating keys but the source and endpoint, have to be verified and identified through this "chain" of communication

→ Employ the services of external third party companies like "Akamai" to help thwart the attack before it turns into a DDoS attack. 1st monitoring your communication from a global perspective similar to this, 2nd identify connections that are not part of your normal traffic especially to known ports like 22, 23, 69, 3389 and remote ports, especially from the outside the US (identify the attack and threat), validate if the communication is indeed valid, 3rd capture information from a historical perspective to help identify events that are perceived to be an anomaly (there should be Blacklist for the lack of a better word, where the DNS/IP addresses are captured and provided to companies who they identify as known hackers)

→ Optional - we need to start looking at using Quantum computing in the cyber landscape, this is happening in the not so distant future, please go online and review "China's Net Quantum Satellite"

While there are interesting points about the "Cyber Kill Chain", I do agree that it is not comprehensive enough to address the areas needed such as identity management, application validation, IP obfuscation, multipath routing using r-bridges as a way to re-route traffic using internal routing policies, storage integration with authorized servers and encrypted storage systems, social attacks, etc.

I think he brought up some good points, because if we don't take heed to what he is saying, then we could be on the next page of a cyber attack (thank you for presenting this blog).
packetdude2, User Rank: Strategist, 3/14/2015 | 10:25:48 PM
Second layer needed
The misunderstanding is to think of the kill chain as a one-time thing. It's actually an iterative process that occurs internally post-exploitation; recon, etc. happens all over again repeatedly as an intruder establishes persistence and digs their claws deeper and deeper into your systems.
Paladium, User Rank: Moderator, 3/8/2015 | 3:41:34 PM
Re: Good breakdown of the Kill Chain - how prevalent is it?
What I would like to see from the author is a comprehensive alternative model that's practical and usable in real world SecOps. Something just as usable as the Kill Chain model is. I dislike seeing darts being thrown without cause. It's too easy and seems quite shallow to do so. That is what this article feels like. As my CSM was fond of saying, "Don't bitch without a solution". :)
Paladium, User Rank: Moderator, 3/8/2015 | 3:28:34 PM
Re: Flaws in security kill chain
Is this the same RobertH from CI, and formerly from LM?
dgswift, User Rank: Apprentice, 2/17/2015 | 2:58:48 PM
Overuse of Kill Chain - Agreement with the Author
Like the Author, I believe the "kill chain" has become an overused buzzword that focuses on the initial vectors of attack, failing to detail or define what happens once the intrusion occurs and how to detect and defend properly.

Lockheed (and others) were wrong in so far as they went, but like many things, a catchy phrase has been overused, and over-extrapolated as the solution and map for all things security.

Regards,

David Swift
gebsmith, User Rank: Apprentice, 11/19/2014 | 9:03:03 AM
Truly Understanding the Cyber Kill Chain
This article follows all the misconceptions that people have over the CKC.

1. The CKC is not a step by step process for responding to an incident. Instead, it's a methodology to organize an attack into distinct sections that help identify and predict tactics used by attackers. These TTPs can then be correlated between attacks to predict and prevent future attacks. The CKC should be used during an investigation to ensure that all CKC intel is extracted, but its real strength is post-intrusion analysis of the data collected.

2. The CKC was created to stop IR teams from playing whack-a-mole. It emphasizes the intel pulled out of an incident. Using this intel an IR team can create behavioral blocks/detections and break free from the "here and now" incident response.

3. The CKC is not malware focused. Almost all attacks involve malware so it may seem that way, but the CKC does apply to all incidents (non-malware included). For instance, insider threat has recon (how do they identify their target), Weaponization (gaining access to a computer or person in order to gain access to the end goal), etc.

4. The CKC doesn't claim to break down pieces of an attack into equal time slices. It makes sure that all relevant intel from an attack is identified, extracted, and hopefully documented. AoO usually does take the most time to accomplish. Saying that it is too big of a chunk because there are so many methods for AoO again shows lack of understanding of the CKC. There are 100 different delivery methods but we still clump them all into Delivery. AoO is the same. Stating that many attacks are "invisible to the Cyber Kill Chain" is completely wrong in that all CKC steps still have to be executed for a successful attack. Delivery may be a disgruntled worker using legitimate credentials to extract data from a server. Just because you don't understand how to classify this activity as Delivery does not mean that Delivery doesn't happen.

In reality, statements like "the CKC doesn't apply to all attacks" or "perimeter-focused" just show that the true problem is lack of understanding of the CKC. Please don't take this as an insult, because I was the same way for years. It wasn't until I saw the CKC in action that its benefits were clear. In that "aha" moment I instantly became a huge CKC advocate. Most clients that I deal with are in the same boat as you. They claim to understand the CKC but don't understand the methodology. The CKC goes way beyond the 7 basic stages. It provides tips on how to fully exhaust an investigation and a framework for post-intrusion analysis.

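The intelligence-driven use of the Chain that the comment above describes (organizing what an investigation extracted by phase, checking that no phase was left empty, and correlating indicators across incidents), as an added example that is neither the commenter's nor Lockheed Martin's code. The incidents, indicator strings and hashes are constructed placeholders; the phase names follow the seven stages listed in the article.

```python
"""Organizing incident indicators by Cyber Kill Chain phase and correlating
them across incidents.

Added example, not code from the commenter or from Lockheed Martin: each
incident is a map of kill-chain phase -> indicators extracted during the
investigation.  The helpers report which phases an investigation has not
filled in, which indicators recur across incidents, and which incidents share
enough phases to be treated as one campaign.  All incidents and indicators
are constructed for illustration.
"""
from itertools import combinations

PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Constructed incidents.  Indicator strings carry their type as a prefix;
# hashes and templates are placeholders, not real artifacts.
INCIDENTS = {
    "INC-1": {
        "weaponization": {"doc-author:Admin7"},
        "delivery": {"sender:billing@invoice.example.test"},
        "installation": {"sha256:CONSTRUCTED-HASH-A"},
        "command_and_control": {"domain:update-cdn.example.test"},
    },
    "INC-2": {
        "weaponization": {"doc-author:Admin7"},
        "delivery": {"sender:billing@invoice.example.test"},
        "installation": {"sha256:CONSTRUCTED-HASH-B"},
        "command_and_control": {"domain:update-cdn.example.test"},
        "actions_on_objectives": {"behavior:staging-archive-on-fileserver"},
    },
    "INC-3": {
        "delivery": {"sender:hr@careers.example.test"},
        "exploitation": {"doc-template:CONSTRUCTED-T1"},
        "command_and_control": {"domain:update-cdn.example.test"},
    },
}


def missing_phases(incident):
    """Phases, in chain order, for which no indicator has been recorded.

    An analyst uses this list to check that the investigation was exhausted
    before closing the case, rather than stopping at the first finding.
    """
    return [p for p in PHASES if not incident.get(p)]


def shared_phases(a, b):
    """Phases in which incidents a and b share at least one indicator."""
    return [p for p in PHASES if a.get(p, set()) & b.get(p, set())]


def link_incidents(incidents, min_shared_phases=2):
    """Pairs of incident ids sharing indicators in >= min_shared_phases phases.

    A single shared phase (for instance one common C2 domain) is weak
    evidence; overlap in several phases is what suggests one campaign.
    """
    linked = []
    for x, y in combinations(sorted(incidents), 2):
        if len(shared_phases(incidents[x], incidents[y])) >= min_shared_phases:
            linked.append((x, y))
    return linked


def recurring_indicators(incidents, min_incidents=2):
    """(phase, indicator) -> sorted incident ids for indicators that recur.

    Recurring indicators are the candidates for the durable, behavior-level
    detections the comment describes, as opposed to one-off hash blocks.
    """
    seen = {}
    for inc_id, phases in incidents.items():
        for phase, indicators in phases.items():
            for ind in indicators:
                seen.setdefault((phase, ind), set()).add(inc_id)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_incidents}


if __name__ == "__main__":
    for inc_id, inc in INCIDENTS.items():
        print(inc_id, "phases still empty:", missing_phases(inc))
    print("linked incidents:", link_incidents(INCIDENTS))
    print("recurring indicators:", recurring_indicators(INCIDENTS))
```

Note that the per-incident hashes in the installation phase never recur, while the sender, document author and C2 domain do: that is exactly the distinction between the short-lived indicators that drive whack-a-mole response and the ones that survive across intrusions and are worth building detections around.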
RobertH131, User Rank: Apprentice, 11/18/2014 | 6:24:22 PM
Flaws in security kill chain
Great post here on the security kill chain and its flaws. Indeed, the kill chain was designed to address APT, and more specifically targeted spear-phishing attacks. It doesn't fit every attack vector. I do agree with the author that most organizations should spend their time dealing with step 7, focusing on ongoing attacks. However, I disagree that "steps 1, 2, and 3 are not relevant from an operational point of view". There are many methods to address "malware delivery defeat" - ® Bob Huber ; ) You can also address step 1-Recon via attack surface reduction. Indeed, there are opportunities at every step to address them. That said, this model is not appropriate for most attacks. If you want to keep with the "cool" military jargon, F2T2EA, D3A or some version of the military targeting methodology/process could be very useful as a model (someone can pick that up for a paper).
lightcyber, User Rank: Strategist, 11/18/2014 | 6:06:06 PM
Re: Good breakdown of the Kill Chain - how prevalent is it?
The term Cyber Kill Chain is surprisingly very prevalent in the industry. I think that almost every security vendor that I can think about used it at least once. I can say for sure that in some cases people don't use it correctly, as they are less familiar with the attackers' tactics and the complexity of cyber attacks.

When Lockheed Martin was a victim of a targeted attack the whole concept of creating an exploit and using it to target a specific company was relatively new and therefore this was most of the focus in their terminology. Surprisingly people still use this same scheme.

A lot has happened since that breach and I personally know about some targeted attacks that used generic malware and exploits in order to enter a network. The focus today should be the active state of the breach, inside the network.
Marilyn Cohodas, User Rank: Strategist, 11/18/2014 | 4:20:28 PM
Good breakdown of the Kill Chain - how prevalent is it?
Curious to know from our readers how many of you follow the Cyber Kill Chain model, or some version of it?

And for @Giora Engel -- how prevalent is it, industry wide?
