Chapter 16

Kill Chain Analysis

Abstract

Reaction is a key strategic principle in an engaged defense. It is helpful to consider how intrusions and exfiltrations universally occur, breaking them down into phases where the adversary motivation is clearly defined and distinguishable. Breaking an attack into phases suggests that one is underway. An intrusion in progress is not necessarily one that is successful, and each phase of the intrusion provides a point at which a defense can be mounted. The kill chain is a time-tested military model that categorizes adversary incursion into a combination of fundamental phases, and these phases are described in this chapter.

Keywords

Adversary; Exfiltration; Intrusion; Kill chain; Weaponization

We espouse kill chain analysis a number of times earlier in this book. To a large extent, we want you to anticipate and adapt to adversary activity and attack. You therefore have to be able to reposition yourself to think and fight like your adversary. Reaction is a key strategic principle in an engaged defense. Your countermeasures and counteractions should be staged in such a manner that you can not only adapt and recover ground, but also bring the battle on your own terms and engage your adversary at the most advantageous time and place possible. To identify these mount points and establish your own defender beachheads, it is helpful to consider how intrusions and exfiltrations universally occur, breaking them down into chunks where the adversary motivation is clearly defined and distinguishable and, subsequently, where your operational goals change to deter, detect, deny, defeat, and defend.
Looking at an attack from this perspective is a different approach from the battle most of us have been conditioned to wage: defend. Nothing gets in. Perfect security is the mission; failure is not an option. If something untoward was granted entry, you have failed. But as we have discussed, this is not a feasible or effective way of building or running a security program. Your goals may be to prevent intrusion and your compliance objectives and metrics may well be a report card based on this measurement alone. However, your mission is ultimately to stop the adversary from achieving their goal. By and large, your adversary's success is not measured on a singular goal of intrusion, so it stands to reason that the mission of the attack is not so myopic either, and there are many opportunities for you to engage an active, adaptive mode of defense that pits your actions against what ultimately constitutes their success.
Breaking an attack into phases suggests that one is underway, but that is not the ball game; an intrusion in progress is not necessarily one that is successful, and each phase of the intrusion provides a point at which a defense can be mounted. In reality, staging your defenses in a similar fashion, as if they were a counterattack against the adversary activity, improves the odds that your mission of defense will ultimately be successful, and the adversary's mission of accomplishing the intended action on the intended objective will fail.

Why the Kill Chain Is in Detection

It is possible to put the kill chain discussion into any section, and many people would contend we should put it in the Protection section. We chose to put it in the Detection section as it seems more appropriate for kill chain application in practice.
We already assume that security programs will apply protection mechanisms as appropriate. When you examine the phases of the kill chain that follow, you can see where to apply detection mechanisms. For example, from the adversary's perspective an attack begins by finding a target. You need to try to determine if you have been "found," which means detecting early reconnaissance efforts. As the adversary steps through their attack, you need to understand where they are in the attack, so you can observe and react to the attack in progress.
So, while the phrase, kill chain, implies you are killing an attack, it actually looks at an attack from the attacker's perspective. If you can understand that perspective, and apply that perspective, you can determine which phase of the attack they are in, and know where to look to best detect when you are under attack.

What Is a Kill Chain?

In military terminology, a kill chain is a phase-based model that classifies offensive activities based upon the stages of an attack and uses the deconstruction of the attack to prevent it. These stages are referred to as follows:
▪ find
▪ fix
▪ track
▪ target
▪ engage
▪ assess.
Ideally, the earlier in the kill chain that a defense can be engaged and an attack can be stopped, the better. When the attacker has less access, information, or ability, it is less likely that future attacks, following the same methods or patterns, will occur or take advantage of the same exploits or attempt the same actions on the objectives in the future.
Based on motives and objectives, the military kill chain model broke enemy activity into four primary phases:
▪ target identification
▪ force dispatch to target
▪ decision and order attack on the target
▪ destruction of target.

The Cyber Kill Chain

Years later, Lockheed Martin expanded this concept to digital warfare and cybersecurity defenses as the Cyber Kill Chain. In this case, the phrase kill chain outlines the form, mechanics, and motives associated with an information security intrusion and is expressed as seven phases:
▪ reconnaissance
▪ weaponization
▪ delivery
▪ exploitation
▪ installation
▪ command and control
▪ actions on objectives.
The Cyber Kill Chain presents a means by which security events could be oriented and interpreted in contexts that focus on the attack and the attacker, as opposed to independent, isolated, or discrete data points and/or device-specific occurrences. This creates a common format and language for evaluating security events by association, motivation, and integration, where they could be aggregated and correlated according to objective and attack vector.
The kill chain's roots are military, its language is sexy, and it suggests an innate ability to counter an attack with surgical precision, which quickly made it a very popular and satisfying way to communicate about threats and countermeasures in the defender community. However, when confronted, practitioners in other lines of business, leadership positions, and program management capacities often confess a complete lack of understanding as to how the kill chain factors into the implementation of strong defenses, let alone into a defense strategy.
Reviewing each of the seven attack phases functionally, it becomes apparent how each event within an attack stream can be placed into a phase and assigned to one of the following discrete actions or objectives:
Reconnaissance—target research, identification, and selection. These activities range from choreographed scans of Internet-facing network assets to trawling through Internet-present networking sites, including benign publications such as marketing slicks, corporate contact information, social media blasts, and industry conference registrant lists.

Weaponization—devising an exploit and preparing it for delivery as an executable payload. This is often done remotely via an automated tool or piece of malware, but increasingly involves more common applications, files, images, and documents that can be attractive for a user to acquire and run.

Delivery—transmission of the weaponized payload, or of the weapon itself, to the targeted environment. Most commonly, these transmissions occur through e-mail attachments, infected websites, and removable storage media.

Exploitation—activation of the exploit payload. Exploitation usually targets a system or application vulnerability or manipulates the user into taking further action to ensure its spread and success.

Installation—installation and instantiation of functional code that enables remote access to a victim system and permits continual use and access by the adversary.

Command and control (C2)—establishment of outbound communications from a victim system for secure communications between victim and adversary systems. Compromised hosts typically beacon out and await further instruction or exploitation when higher-order interaction or data exchange is required. This is the hallmark of advanced persistent threat (APT) attacks and data exfiltration.

Actions on objectives—adversaries accomplish target objectives. These objectives range from additional and expanded undetected residence and lateral movement (also referred to as dwell time) within a target environment, to explicit exfiltration of data from the victim environment, to any level of unauthorized access in between. The scale and overall choreography of the attack will dictate the action on the objective for a given system or data element, and demonstrates the importance of considering the entirety of the adversary activity and motive in attempting to thwart adversary actions.
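The seven phases above also work as a tagging scheme for security events, which is what turns isolated alerts into an attack stream. The following script is an added example, not part of the original chapter and not any product's logic: it assigns constructed detector events to a kill-chain phase, correlates them per host in time order, and reports the deepest phase reached along with the earlier phases for which no evidence was recorded. The event kinds, the mapping table, and the sample events are all assumptions made for the illustration.

```python
"""Tag security events with Cyber Kill Chain phases and correlate them per
host so that an attack stream reads as one intrusion rather than as isolated
alerts.  Added illustration: the event kinds, the phase mapping and the
sample events are constructed assumptions, not taken from any product."""
from collections import defaultdict
from dataclasses import dataclass

# The seven phases in chain order (index = depth into the intrusion).
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command and control", "actions on objectives",
]

# Hypothetical mapping from a detector's event kind to the phase it evidences.
EVENT_PHASE = {
    "port_scan": "reconnaissance",
    "email_attachment_macro": "delivery",
    "exploit_signature": "exploitation",
    "new_service_persistence": "installation",
    "dns_beacon": "command and control",
    "large_outbound_transfer": "actions on objectives",
}


@dataclass(frozen=True)
class Event:
    ts: int     # seconds since epoch (constructed)
    host: str   # internal host the event concerns
    kind: str   # detector event kind, see EVENT_PHASE


def phase_of(event):
    """Kill-chain phase evidenced by one event, or 'unknown' if unmapped."""
    return EVENT_PHASE.get(event.kind, "unknown")


def correlate(events):
    """Group events per host in time order and summarise each host's chain:
    the phases seen, the deepest phase reached, and the earlier phases for
    which no event was recorded (the part of the attack that was missed)."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        per_host[ev.host].append(ev)

    report = {}
    for host, evs in per_host.items():
        seen = []
        for ev in evs:
            p = phase_of(ev)
            if p != "unknown" and p not in seen:
                seen.append(p)
        depth = max((PHASES.index(p) for p in seen), default=-1)
        report[host] = {
            "phases": seen,
            "deepest": PHASES[depth] if depth >= 0 else None,
            "no_evidence": [p for p in PHASES[:max(depth, 0)] if p not in seen],
        }
    return report


# Constructed sample: ws-17 shows evidence across several phases, srv-02 is
# only noticed once it beacons, mirroring an intrusion that is found late.
SAMPLE_EVENTS = [
    Event(100, "ws-17", "port_scan"),
    Event(200, "ws-17", "email_attachment_macro"),
    Event(260, "ws-17", "exploit_signature"),
    Event(900, "ws-17", "dns_beacon"),
    Event(950, "srv-02", "dns_beacon"),
    Event(980, "srv-02", "backup_job"),      # unmapped kind, ignored
]

if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_EVENTS).items():
        print(host, summary)
```

The "no_evidence" list is the practical output: for a host first seen at the command and control phase it names every earlier phase that went unobserved, which is exactly where the chapter says detection coverage is usually missing.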

Applying the Cyber Kill Chain to Detection

When you understand the phases of an attack, you can begin to determine where and how an adversary will come at you. It allows you to anticipate where you can best see their activity.
For example, we have worked with companies that have been successfully attacked by a traditional APT, most likely Chinese hackers. In almost all occasions, the attacks were discovered because their command and control activity was discovered. The early phases of the attack were completely missed, while things like malformed DNS packets and unusual use of other traditional network protocols were being used as covert channels. This is why many of the latest intrusion detection tools, such as Darktrace and Securonix, are applying behavior analytics, which search user actions and network traffic for unusual patterns of behavior.
The growing use of these tools is notable as it demonstrates the reality that attacks are not being detected until an attack is successful. These tools are ideally catching behaviors that indicate reconnaissance and other activities associated with earlier phases of the kill chain. Additionally, by applying threat intelligence and knowing the methods and operations of your likely adversaries, you may be able to tune your detection processes to search for behaviors typical of those adversaries.
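The observation above is that the command and control phase, and in particular unusual use of DNS, is where these intrusions were finally noticed. As an added example that is not part of the original chapter and not any vendor's logic, here is a small detector that scores constructed DNS query logs for two beaconing traits: near-constant query intervals from one client to one domain, and long, high-entropy subdomain labels of the kind a covert channel produces. The log format, the domain names, and the thresholds are assumptions chosen for the illustration.

```python
"""Score DNS query logs for command-and-control beaconing: clients that
query one domain at near-constant intervals and/or with high-entropy
subdomain labels.  Added example; the log format, domains and thresholds
are constructed assumptions, not taken from any product."""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log lines: "<epoch seconds> <client ip> <queried name>".
# 10.0.0.5 queries badexample.net every 60 s with random-looking labels;
# 10.0.0.9 shows ordinary, irregular browsing to example.com.
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com
1060 10.0.0.5 a3f9c1d2e4b5.update.badexample.net
1120 10.0.0.5 7b2e9d0c1a4f.update.badexample.net
1180 10.0.0.5 c91d4e2b8f60.update.badexample.net
1240 10.0.0.5 0e5a7c3b9d21.update.badexample.net
1300 10.0.0.5 f4b8a2c6d1e7.update.badexample.net
1010 10.0.0.9 mail.example.com
1500 10.0.0.9 www.example.com
1505 10.0.0.9 cdn.example.com
2200 10.0.0.9 www.example.com
"""


def registered_domain(qname):
    """Last two labels of the name.  Assumption: no public-suffix list is
    used, so names under multi-label suffixes would need extra handling."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(log):
    """Parse the constructed log format into (timestamp, client, qname)."""
    rows = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, qname = line.split()
        rows.append((int(ts), src, qname))
    return rows


def score_beacons(rows, min_queries=5, max_cv=0.2, min_entropy=3.0):
    """Return {(client, domain): [reasons]} for client/domain pairs whose
    query timing is too regular or whose leftmost labels look encoded.
    cv is the coefficient of variation of inter-query gaps: 0 means a
    perfectly periodic beacon, human browsing scatters widely."""
    groups = defaultdict(list)
    for ts, src, qname in rows:
        groups[(src, registered_domain(qname))].append((ts, qname))

    findings = {}
    for (src, dom), qs in groups.items():
        if len(qs) < min_queries:
            continue
        qs.sort()
        gaps = [b[0] - a[0] for a, b in zip(qs, qs[1:])]
        avg_gap = mean(gaps)
        cv = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        entropy = mean([label_entropy(q.split(".")[0]) for _, q in qs])

        reasons = []
        if cv <= max_cv:
            reasons.append(f"regular interval ~{avg_gap:.0f}s")
        if entropy >= min_entropy:
            reasons.append(f"high-entropy labels ({entropy:.2f} bits/char)")
        if reasons:
            findings[(src, dom)] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in score_beacons(parse(SAMPLE_LOG)).items():
        print(key, reasons)
```

Both traits are scored independently so that a beacon with plain labels, or an encoded channel with jittered timing, still surfaces on one reason; on real data the thresholds and the minimum query count are what need tuning, and a public-suffix list should replace the two-label domain assumption.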

Applying the Kill Chain to Protection and Reaction

Clearly, an understanding of kill chain principles can help determine protection and reaction countermeasures as well. As we state earlier in this chapter, when you anticipate reconnaissance as an action by all attackers, you can determine how to make reconnaissance more difficult. Similar measures can be taken in all phases of the kill chain.
With regard to reaction, once you detect an adversary, you can apply kill chain principles to determine where and how to stop the ongoing attack. You can go back earlier in the kill chain and end their method of entry into your organization. You can also identify their command and control systems and remove them, thereby stopping the attack in progress. This may also help you identify the compromised systems, and repair them. Alternatively, you can anticipate the next phase of the attack and put extra protections in place to stop the attack, before the adversary achieves their ultimate goal.

Summary

Understanding the kill chain, as a concept, allows you to take a more logical approach to implementing a detection program. When you understand the methodical way a skilled adversary attacks you, you can determine the best places to detect their activity. This then leads to the determination of where to place detection mechanisms within your network and security program, and what mechanisms might be optimal for the environment.
While there may be an assumption that only advanced adversaries use a methodical approach to execute an attack, the fact is that all attackers use the same principles, whether they realize it or not. For example, a script kiddie, who just wants random access to an organization, would run random scans looking for openings into the organization. They might not call it reconnaissance, but the principle applies. They then attempt to gain a foothold in the organization, which is delivery. The process would continue. While skilled adversaries have specific processes to accomplish an attack, and likely document the process and have reviews of the attack in progress, unskilled attackers implement the processes intuitively. They will be less effective and more haphazard, but a process is there.