What is the Cyber Kill Chain?
The cyber kill chain is used in many organizations as a way to detect or identify attacks and threats, and it is also used to categorize the different stages of an attack.
The term kill chain was originally coined by the military to describe a whole series of actions in just two words. In a nutshell, a kill chain identifies a target, dispatches forces to the target for further analysis, develops a decision and attack plan against the target, and finally destroys the target.
The term was adapted in 2011 by computer scientists at Lockheed Martin to better represent the process of disarming the cyber attacks they were facing at the time. Like the military kill chain, the cyber kill chain is broken down into seven key steps, and it is used as a management tool to help improve network defense.
Here is a short description of each of these seven steps:
- Reconnaissance
The attackers gather information on the target before the actual attack starts. They can do this by looking for publicly available information on the internet.
- Weaponization
The attackers take an exploit and create a malicious payload to send to the victim. This step happens on the attackers' side, without any interaction with the victim.
- Delivery
The attackers send the malicious payload to the victim by email, social media, phone, or other means.
- Exploitation
The exploit gets triggered and begins to target the victim's vulnerabilities. This step is only relevant if the attackers use an exploit.
- Installation
The malicious payload begins to install malware on the victim's computer. This step is only relevant if the attackers used malware as part of the attack. Even when malware is involved, the installation phase is just the beginning of a much more elaborate attack process that can take months to execute.
- Command and Control
The attacker creates a command and control channel in order to continue operating the attack remotely. This step is relatively generic and relevant throughout the attack, not only when malware is installed.
- Action on Objectives
The attacker performs a series of further tasks to achieve their goal inside the victim's network. This is the elaborate, active attack process that takes months, and thousands of small steps, to achieve.
Why is the Cyber Kill Chain no longer relevant?
The problem with the cyber kill chain model is that it has several gaps. It has been nearly eight years since its creation, and it has not been modified or updated since. In fact, if you look deeper, the cyber kill chain's weaknesses were exposed in 2013, just two years after the model was established.
An analysis based on the Lockheed Martin cyber kill chain framework, presented at the U.S. Senate investigation of the 2013 data breach at the retailer Target, found several stages at which controls neither prevented nor detected the attack's progression under this model. Fast forward to today, and cyber threats extend far beyond what the cyber kill chain can describe. The cyber kill chain can actually be detrimental to network security because it reinforces the old-school way of thinking, focused on perimeter and malware prevention.
Another thing to note about this model is that, when it is used as a threat assessment and prevention tool, the first phases of an attack commonly happen outside the protected network. This makes it difficult to identify or defend against threatening activity during these early stages. The cyber kill chain is also designed around, and completely focused on, malware prevention and detection, but malware is only one form of attack in today's networks.
Cyber Kill Chain Cannot Identify Insider Threats
It's important to note that the chain isn't suited to identifying insider threats or intrusion-based threats over remote access. In most cases these threats involve no malware or payloads, which renders the cyber kill chain model useless against them. The list of threats facing current networks is also far, far larger than what the cyber kill chain covers.
To accurately identify insider and other threats, you first have to detect anomalies in the behavior of users, applications, subnets, and machines. This is accomplished by building a behavior profile of tasks and users. As an example, an accountant shouldn't be running PowerShell, but an IT manager might run it very frequently. At the same time, IT managers have admin rights for almost everything, but they shouldn't be accessing payroll information.
By automating the profiling of these behaviors, we can tune alerts to represent real threats, reduce the time spent sifting through alerts, and significantly reduce False Positive Activities (FPAs).
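The role-based profiling described above, as an added example that is not part of the original article: a per-role baseline is built from constructed audit events, and new events whose activity has never been seen for that role are flagged (the accountant-runs-PowerShell and IT-manager-reads-payroll cases). The user names, roles and activity strings are all constructed.

```python
from collections import defaultdict

# Constructed audit events (user, role, activity) standing in for endpoint and file-access logs.
BASELINE_EVENTS = [
    ("alice", "accountant", "run:excel.exe"),
    ("alice", "accountant", "open:payroll.xlsx"),
    ("bob",   "accountant", "open:payroll.xlsx"),
    ("carol", "it_manager", "run:powershell.exe"),
    ("carol", "it_manager", "run:powershell.exe"),
    ("dave",  "it_manager", "run:mmc.exe"),
]

# Constructed events from the window being reviewed.
NEW_EVENTS = [
    ("alice", "accountant", "run:powershell.exe"),  # accountant launching PowerShell
    ("carol", "it_manager", "open:payroll.xlsx"),   # admin reading payroll
    ("bob",   "accountant", "open:payroll.xlsx"),   # normal for the role
]


def build_profiles(events):
    """Count how often each role performed each activity in the baseline window."""
    profiles = defaultdict(lambda: defaultdict(int))
    for _user, role, activity in events:
        profiles[role][activity] += 1
    return profiles


def score_event(profiles, event, min_seen=1):
    """Flag an event whose activity was seen fewer than min_seen times for that role."""
    user, role, activity = event
    seen = profiles[role][activity] if role in profiles else 0
    if seen < min_seen:
        return True, f"{user} ({role}) performed {activity}, seen {seen}x for this role in baseline"
    return False, ""


def find_anomalies(baseline, new_events):
    """Return the reasons for every new event that falls outside its role's profile."""
    profiles = build_profiles(baseline)
    anomalies = []
    for event in new_events:
        hit, reason = score_event(profiles, event)
        if hit:
            anomalies.append(reason)
    return anomalies


if __name__ == "__main__":
    for reason in find_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print("ALERT:", reason)
```

In practice the baseline window would be rebuilt periodically, and min_seen raised above 1 so that a single odd event in the baseline does not silently become "normal" for a role.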
The Use of Indicators of Compromise (IOCs)
The complexity of attacks is changing very rapidly in today's fast-paced environment. Attackers use a combination of different Tactics, Techniques, and Procedures (TTPs) to achieve their goals. It used to be enough to have threat intel feeds look up a bad-reputation IP or website and flag it. In today's world, however, it is very easy to quickly change an IP address and move on. Because of this, these intelligence feeds produce false positives in their alerts, which cause cybersecurity teams to react and lose focus on the real threats.
As an example, an IP address belonging to Facebook could have acquired a bad reputation because a phishing campaign was run through Messenger, but the IP itself is a legitimate Facebook IP and not malicious. It is only an IOC, yet the system will raise an alert that a host is connecting to a bad-reputation IP.
We cannot rely on old methods to defend ourselves. This is why we have implemented several technologies and techniques that detect threats using machine learning, AI techniques, algorithms, and statistical models to find patterns and trends. By doing it this way, we are able to significantly reduce FPAs to almost zero.
The Best Way Forward
The best way to protect yourself is to have different technologies in your network, so that you are as effective as possible against attacks and can focus on real threats rather than unnecessary noise (FPAs, for instance). You can use a model like the Unified Kill Chain, which unites and extends Lockheed Martin's Kill Chain and MITRE's ATT&CK framework (a globally accessible knowledge base of adversary tactics and techniques based on real-world observations of cyber attacks). By combining these frameworks, and comparing IOCs side by side against several reliable threat intel feeds, we can determine whether something needs attention or not.
This unified model can be used to analyze, compare, and defend against end-to-end cyber attacks by Advanced Persistent Threats (APTs).
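The side-by-side feed comparison mentioned above, together with the Facebook example from the IOC section, as an added example that is not part of the original article: an IP reputation alert is only raised when several feeds agree, and hits on shared infrastructure known to be legitimate are downgraded rather than paged. The feed names, verdicts and allowlist are constructed, using documentation address ranges as stand-ins for a real provider's published ranges.

```python
import ipaddress

# Constructed feeds (IOC -> verdict). Real feeds would be fetched and parsed; these stand in for them.
FEEDS = {
    "feed_a": {"203.0.113.7": "malicious", "198.51.100.44": "malicious"},
    "feed_b": {"203.0.113.7": "malicious", "198.51.100.44": "suspicious"},
    "feed_c": {"203.0.113.7": "malicious", "192.0.2.9": "malicious"},
}

# Constructed allowlist of shared infrastructure known to be legitimate (the Facebook case in the
# text); a documentation range is used here as a stand-in for a real provider's published ranges.
SHARED_LEGITIMATE = [ipaddress.ip_network("198.51.100.0/24")]


def feeds_flagging(ioc):
    """Names of the feeds that call this IOC malicious."""
    return [name for name, entries in FEEDS.items() if entries.get(ioc) == "malicious"]


def triage_ioc(ioc, min_agreeing_feeds=2):
    """Decide what to do with a bad-reputation alert for one IP.

    Returns (decision, flagging_feeds), where decision is one of
    "alert", "low-priority:shared-infrastructure" or "suppress:insufficient-corroboration".
    """
    addr = ipaddress.ip_address(ioc)
    hits = feeds_flagging(ioc)
    if any(addr in net for net in SHARED_LEGITIMATE):
        # A phishing campaign hosted on a legitimate platform taints the platform's IP; a host
        # connecting to it is not evidence of compromise, so log the hit but do not page anyone.
        return "low-priority:shared-infrastructure", hits
    if len(hits) >= min_agreeing_feeds:
        return "alert", hits
    return "suppress:insufficient-corroboration", hits


if __name__ == "__main__":
    for ioc in ("203.0.113.7", "198.51.100.44", "192.0.2.9"):
        print(ioc, *triage_ioc(ioc))
```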
What other things can I do to protect myself or my company?
- Continue to use hardening tools, best practices, and techniques to reduce security risk by eliminating potential attack vectors. Be strict about what people can install on their machines; applications can open a gate that leaves your company vulnerable to attack.
- Replace the existing firewall with a next-generation firewall, ideally monitored by a SIEM (Security Information and Event Management) system.
- Deploy cognitive tools; these tools give you the ability to process data at lightning speed without human intervention. An IPS (Intrusion Prevention System) helps to prevent and remediate attacks, but it is limited in its ability to determine whether an attempt is valid or nefarious.
- Separate job roles from a network, security, and server perspective (job roles are sometimes combined to save money).
Cyber attacks continue to rise in number, force, and complexity. The risks to organizations and individuals are always present, but we are committed to helping reduce them. This is why we offer very low-cost plans for small businesses and even free plans for individuals. Organizations can use the unified kill chain model to develop new defense strategies and improve existing ones in order to stay relevant in the face of new threats.
On the other hand, the cyber kill chain's disadvantages have taught us that every model has its weaknesses. Even though the unified kill chain is more practical and fool-proof than the cyber kill chain, the only way we can keep up with rising cyber threats is to keep finding opportunities to improve our own ideas, methodologies, and technologies.