What do militaries and hackers have in common? They both use structured techniques to achieve their goals. Just as generals draw up battle plans, cyberattackers follow steps to home in on their targets. In the industry, this is known as the cyber kill chain (CKC), and it has become a blueprint both for digital intruders and those trying to stop them.
Military contractor Lockheed Martin developed the CKC in 2011, basing it on a long-standing concept that the military applies to kinetic warfare.
The CKC applies this model to cyberattacks across several steps:
- Reconnaissance: Attackers look for information that could help them launch an attack. This includes the technology a company uses, its employees' email address scheme and addresses, its leadership, and its suppliers. Mitigating measures include locking down unneeded network ports and webpages, warning employees about posting sensitive company information online, and protecting the personal information of employees and leadership.
- Weaponization: An attacker uses a digital weapon to exploit weak spots. This typically includes an exploit targeting a vulnerability along with a digital payload.
- Delivery: The attacker deploys the weapon. Delivery channels can include email, removable storage, an open RDP port, or a Web application vulnerability. Phishing is popular in this phase.
- Exploitation: The digital weapon detonates. This usually involves the user clicking on an attachment. In some cases, malware may detonate without user interaction once it finds a "landing spot" during the delivery phase.
- Installation: Initial exploits usually involve a dropper that gains access through techniques such as privilege escalation to install malware. This can include ransomware and/or software that lets an attacker control the victim's machine remotely, such as a remote access Trojan (RAT) or a weaponized legitimate tool like Cobalt Strike.
- Command and control (C2): This is where the C2 phase comes in. The tool "phones home" to an attacker's server, sending back network information and executing instructions. The attacker uses the tool to move laterally through the network, gaining access to more assets until they find what they're looking for. The attacker might stay silent for months during this phase.
- Action taken: At some point, the criminal executes their payload. The headlines are littered with the aftermath: encrypted data, stolen customer records and stalled control systems. After the kill chain is complete, the effects on the victim are often dire, including reputation damage, regulatory scrutiny, legal challenges, business disruption, and financial loss. Sometimes the victim doesn't survive.
Complexity and Costs Increase Along the Kill Chain
The difficulty and cost of disrupting the kill chain increases as the attack evolves through these steps. It's easier to stop a cyber weapon as it enters your infrastructure than it is to contain and remove it after it detonates.
Defenders face a perfect storm as they struggle to quash attacks in the early stages. Inadequate tools combined with a skills shortage have left many unprepared to stop these attacks.
Plenty of companies employ security information and event management (SIEM) as their main defense during the early and middle phases of the kill chain. This tool captures and correlates network events and might flag emerging incidents as potential attacks. However, these tools still require security analysts to stop attacks manually.
A worsening cybersecurity skills shortage makes that manual work difficult, with 57% of organizations reporting a direct impact on their cybersecurity operations. An increasing workload was the biggest ramification, affecting 62% of those who reported an impact, followed by unfilled open job requisitions and burnout. With risks like these, security operation centers (SOCs) need to stretch their people as far as possible.
As defenders struggle to cope, adversaries are becoming more sophisticated. Attack volume and velocity are increasing as intruders automate various kill chain steps. Focusing purely on monitoring leaves security professionals one step behind. It's time to meet this challenge in kind by automating incident response.
Appropriate tools and services, including managed detection and response (MDR), can automatically spot and neutralize well-known attacks early in the kill chain. Similarly, email defense today is largely an exercise in machine learning-based techniques that have increased detection accuracy.
This automation saves time and money by neutralizing attacks early. It also frees analysts to handle the more complex attacks, making maximum use of your team.
MDR and 24/7 expert services help with these attacks too. They use a mixture of automated detection and response with manual brain power to spot and mitigate both early and advanced attacks. [Editor's note: The author's company is one of many that offers such services.]
It's crucial to operate these defenses at all times, because cyberattackers don't stop working when you do. Full defense involves a combination of attack awareness, automation, and always-on response. It also requires cyber hygiene to close as many attack vectors as possible along the kill chain. Every measure, from employee security awareness through to software patching and strict identity and access control, will help you to get ahead and block intrusions early. In the evolving world of cyberattacks, preparedness is key.