Knowing your attacker: a guide to the Cyber Kill Chain
- Published: Tuesday, 08 March 2016 08:43
The Cyber Kill Chain describes the different stages of an attack, from initial reconnaissance to objective completion. In this article Richard Cassidy describes the different elements of the Cyber Kill Chain and how to use it.
Today’s attackers are becoming increasingly sophisticated, using advanced techniques to infiltrate a business’s environment. Unlike in the past when hackers primarily worked alone using ‘smash-and-grab’ techniques, today’s attackers prefer to work in groups, with each member bringing his or her own expertise. With highly skilled players in place, these groups are able to approach infiltration in a much more regimented way, following a defined process that enables then to evade detection and achieve their ultimate goal: turning sensitive, valuable data into a profit. With attackers ready to pounce on any business at any moment, how can businesses stay ahead and ensure their sensitive data remains safe? Most attacks follow a ‘process’ that identified attackers’ behaviours, ranging from researching, to launching an attack and ultimately to data exfiltration: this is articulated as the ‘Cyber Kill Chain’.
The Cyber Kill Chain was developed by Lockheed Martin’s Computer Incident Response Team and describes the different stages of an attack, from initial reconnaissance to objective completion. This representation of the attack flow has been widely adopted by organizations to help them approach their defence strategies in the same way attackers approach infiltrating their businesses. As malicious activity continues to threaten sensitive data — whether it is personal data or company sensitive data — one certainty remains: attackers will continue to exploit weakness to infiltrate systems and extract data that they can turn into money. The best opportunity to get ahead of the hacker is to understand the steps he / she will go through, his / her motivations and techniques, and a security strategy around it.
In order to better understand this process and how attacks operate, the following example outlines an attack, categorising each attack activity in the context of the Cyber Kill Chain. The company in the example could be any company – from large corporations with global offices, to online retail businesses, or SMEs / SMBs. With hackers looking for valuable data that could net a sizeable profit from its sale in the cyber underground, no organization is immune to being a target.
Step one: identify and recon
The first step attackers usually take is to identify members of staff within the organization and the best attack vectors to utilise. This is done by scanning the organization’s public facing websites and gathering as much information about the sites as possible, while simultaneously performing scans against the internal networks. Through this they are looking for any possible vulnerabilities and/or holes in the perimeter protection. They can also use popular social media networks such as Facebook, Twitter and LinkedIn, to learn as much about the organization’s employees, partners, suppliers, and employees’ family and friends as possible for the purpose of social engineering. This process can take several months but afterwards attacks will have identified multiple potential entry points into the targeted organization’s network and is now primed to initiate their attack.
Step two: initial attack
Using several attack vectors, potentially deployed from different regions of the world to throw off their scent, attackers will attempt to gain access to an organization’s network. Based on their reconnaissance findings they will attempt to execute a targeted and sophisticated attack, as well as distribute malware via phishing emails and social engineering with the intent of misleading an employee to click a link that permits the malware to enter the network. Finally, the attacks will use brute force attacks to gain access to the network. Using different IP addresses and a significant number of computers, the hackers will kick off an automated dictionary attack and after only a few short days, their campaign could be successful, with malware is installed on the victim’s computer.
Step three: command and control
With the malware in place, the attackers can now begin a ‘low and slow’ in-depth recon against the internal network. Within command and control over their victim’s computer, they can disable several security controls on the machine, attempt to escalate privileges on the victim’s account, and create new user accounts with privileged access.
Step four: discover and spread
With unfettered access to the network, the hackers can now begin to spread it across the organization’s entire network using shares, unsecured servers, USBs and network devices, while simultaneously creating a detailed map of the company’s network and security controls. They will now have a significant presence within the network allowing them to wait, while making detailed asset maps, noting employee patterns and any other information that can assist them in their long term goal: data theft.
Step five: extract and exfiltrate
After a suitable amount of time has passed, the attacks will begin to siphon data out of their target company’s environment. They will do this by moving the targeted data to a remote server, taking additional steps to prevent a trace of the data’s location. After several weeks or possibly even months of siphoning data, the attackers can end their campaign. However, before exiting, they will ensure that they make several network modifications to enable them to return at anytime in the future.
The final step in the kill chain is when the organization finally discovers the compromise. Recent reports show that on average it takes more than 200 days to detect a breach (Mandiant), and the majority of breach notifications come from an outside party. This is exactly what attackers are hoping for, as after this time has passed the stolen data will already be converted into cash or Bitcoin.
Using this cyber kill chain perspective helps to uncover the weak spots in any framework and keep organizations one step ahead. As cloud adoption rapidly rises, so does the importance of effectively identifying exposures and vulnerabilities in applications and infrastructures. A common cloud security challenge is that traditional security tools are not built for the complexities of the cloud and often provide inadequate visibility into vulnerabilities.
As such, many businesses are now realising the benefits of having a managed security service where professionals know where to look and what to look for when it comes to cyber attacks; put simply, they know the Kill Chain, how it operates and therefore can recognise each stage of an attack with relative ease. With a managed service, highly trained staff are watching cloud data and systems round the clock in a security operations centre and are able to continuously monitor for abnormal network behaviour. This is not a luxury all businesses have to be able to do in-house and can be particularly tricky to do in a cloud environment.
Cyber attacks are going to happen. Vulnerabilities and exploits are going to be identified. Having a solid security-in-depth strategy, coupled with the right tools and people that understand how to respond, can ultimately put companies in the best position to minimize their exposure and risk.
Richard Cassidy is technical director – EMEA, Alert Logic.