Pulling off a heist is no easy feat – and in order to prevent theft, you best understand the plan of attack. Like any good ol’ traditional heist, there are multiple stages to consider in a cyber-attack. To help prevent and detect cyber-attacks and security breaches, we look to the cyber kill chain. Lockheed Martin derived the kill chain framework from a military model – originally established to identify, prepare to attack, engage, and destroy the target.
So what is a cyber kill chain?
It maps a potential security breach: tracing stages of attack from the early reconnaissance stages to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent attacks (APTs). Since its inception, the kill chain has evolved to better anticipate and recognize insider threats, social engineering, advanced ransomware and innovative attacks.
How does a cyber kill chain work?
Reconnaissance. In every heist, you’ve got to scope the joint first. Same principle applies in a cyber-heist: it’s the preliminary step of an attack, the information gathering mission. During reconnaissance, an attacker is seeking information that might reveal vulnerabilities and weak points in the system. Firewalls, intrusion prevention systems, perimeter security – these days, even social media accounts – get ID’d and investigated. Reconnaissance tools scan corporate networks to search for points of entry and vulnerabilities to be exploited.
Intrusion. Once you’ve got the intel, it’s time to break in. Intrusion is when the attack becomes active: malware – including ransomware, spyware, and adware – can be sent to the system to gain entry. This is the delivery phase: it could be delivered by phishing email, it might be a compromised website or that really great coffee shop down the street with free, hacker-prone wifi. Intrusion is the point of entry for an attack, getting the attackers inside.
Exploitation. You’re inside the door, and the perimeter is breached. The exploitation stage of the attack…well, exploits the system, for lack of a better term. Attackers can now get into the system and install additional tools, modify security certificates and create new script files for nefarious purposes.
Privilege Escalation. What’s the point of getting in the building, if you’re stuck in the lobby? Attackers use privilege escalation to get elevated access to resources. They’ll modify GPO security settings, configuration files, change permissions, and try to extract credentials.
Lateral Movement. You’ve got the run of the place, but you still need to find the vault. Attackers will move from system to system, in a lateral movement, to gain more access and find more assets. It’s also an advanced data discovery mission, where attackers seek out critical data and sensitive information, admin access and email servers – often using the same resources as IT and leveraging built-in tools like PowerShell – and position themselves to do the most damage.
Obfuscation (anti-forensics). Put the security cameras on a loop and show an empty elevator so nobody sees what’s happening behind the scenes. Cyber-attackers do the same thing: conceal their presence and mask activity to avoid detection and thwart the inevitable investigation. This might mean wiping files and metadata, overwriting data with false timestamps (timestomping) and misleading information, or modifying critical information so that it looks like the data was never touched.
Denial of Service. Jam the phone lines and shut down the power grid. Here’s where the attackers target the network and data infrastructure, so that the legitimate users can’t get what they need. The denial of service (DoS) attack disrupts and suspends access, and could crash systems and flood services.
Exfiltration. Always have an exit strategy. The attackers get the data: they’ll copy, transfer, or move sensitive data to a controlled location, where they do with the data what they will. Ransom it, sell it on ebay, send it to buzzfeed. It can take days to get all of the data out, but once it’s out, it’s in their control.
Different security techniques bring forward different approaches to the cyber kill chain – everyone from Gartner to Lockheed Martin defines the stages slightly differently. Alternative models of the cyber kill chain combine several of the above steps into a C&C stage (command and control, or C2) and others into an ‘Actions on Objective’ stage. Some combine lateral movement and privilege escalation into an exploration stage; others combine intrusion and exploitation into a ‘point of entry’ stage.
It’s a model often criticized for focusing on perimeter security and limited to malware prevention. When combined with advanced analytics and predictive modeling, however, the cyber kill chain becomes critical for inside out security.
With the above breakdown, the kill chain is structured to reveal the active state of a data breach. User behavior analytics (UBA) brings advanced threat intelligence to every stage of the kill chain – and helps prevent and stop ongoing attacks before the damage is done.