
Breaking the Kill Chain: A Defensive Approach
First developed by Lockheed Martin, the Cybersecurity Kill Chain is a model for describing the steps an attacker must complete to carry out a successful attack. This model is made up of 7 sequential steps:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions on Objectives
To disrupt the attack, one or more of these steps must be broken for the entire chain to fail. And in order for us to do that, we need to understand the attacker’s playbook.
Using the NIST Cybersecurity Framework as a reference, we’ll look at tools at every phase that will ultimately lead to a multi-layered security plan for our organization.
Reconnaissance
The first step of any cybersecurity attack is to gather information about the victim, also known as reconnaissance.
The two different stages of reconnaissance are passive and active.
During passive reconnaissance, an attacker will use indirect methods to gather information from publicly available sources like WHOIS, ARIN registrations, Google, Shodan, job listings and company websites.
Once an attacker has collected as much public information as possible, the attacker will move on to active reconnaissance, which involves some level of interaction with your organization.
During this phase, the attacker will actively probe your network or system looking for open ports and services. This includes technical tools like Nmap for port scanning and banner grabbing, and vulnerability scanners. Vulnerability scanners are very loud and obvious, so attackers will limit their scope or slow their scanning over a long period of time to avoid being caught.
Defending against passive reconnaissance means limiting the level of detail we expose publicly. Some examples include: limiting the information we put on job postings, training personnel on acceptable use of social media sites and removing specific error messages from public servers.
Our first protective measure is to ensure that unused ports and services are disabled. This essentially limits the number of entry points an attacker can use to get into your system.
Honeypots are great tools that can be used as a decoy against a would-be attacker. Not only do they divert attention away from real systems, but they will also reveal what the attacker is after and who they are.
A firewall with IPS capabilities on the perimeter will provide filtering and segmentation, while also monitoring for port scans and banner grabbing. Most NGFWs can block connections from Tor networks and known proxy IPs which are commonly used during this phase to obfuscate the real IP of the attacker.
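Why a slowed-down scan slips past a short-window threshold, and how a long-window count of distinct targets still catches it, as an added example that is not part of the original article. The log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SHORT = (timedelta(minutes=1), 10)   # typical burst threshold (assumed values)
LONG = (timedelta(hours=24), 15)     # long-window threshold (assumed values)

def constructed_log():
    """Constructed firewall lines: 'timestamp src dst dport action' (format is an assumption)."""
    t0, dst, lines = datetime(2024, 3, 1), "198.51.100.10", []
    for i in range(24):    # slow scanner: one new port every 30 minutes
        lines.append(f"{(t0 + timedelta(minutes=30 * i)).isoformat()} 203.0.113.7 {dst} {20 + i} DENY")
    for i in range(20):    # loud scanner: 20 ports in 20 seconds
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 192.0.2.50 {dst} {8000 + i} DENY")
    for i in range(100):   # misconfigured client retrying one closed port
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).isoformat()} 198.51.100.99 {dst} 8443 DENY")
    return lines

def scanners(lines, window, min_targets):
    """Return sources that hit >= min_targets distinct (dst, port) pairs within `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, action = line.split()
        if action == "DENY":
            by_src[src].append((datetime.fromisoformat(ts), dst, int(dport)))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1   # slide the window forward past expired events
            if len({(d, p) for _, d, p in hits[start:end + 1]}) >= min_targets:
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    log = constructed_log()
    print("1-minute window:", sorted(scanners(log, *SHORT)))
    print("24-hour window :", sorted(scanners(log, *LONG)))
```

Counting distinct targets rather than raw denies is what keeps the retrying client, which produces the most log lines, out of both result sets.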
The entire goal of the reconnaissance phase is to find a weakness that can be exploited. Once the attacker has found that weakness, they can move on to the next step.
Weaponization
Once an attacker has found a weakness, their next step is to find or create the attack that will exploit the vulnerability. The weapon of choice will depend on the info they collected from you during the reconnaissance step.
Some examples of commonly used weapons during this phase include:
- Metasploit or exploit-db for publicly available exploits
- The Veil framework is commonly used to generate evasion code for malware
- Social Engineering Toolkit, if they’ve decided they will deliver the malware through a Social Engineering campaign.
Since this stage is all about what the attacker uses as a weapon, we need to have some of the basics covered and that includes things like patch management.
Patch Management continues to be one of the best defensive measures against the weaponization stage, because you can’t exploit a vulnerability if there’s no vulnerability to exploit. The vast majority of today’s breaches are due to unpatched servers.
Office macros, JavaScript and browser plugins are all common avenues for an attacker to exploit, so disabling these alone will greatly reduce your exposure.
Some technical controls we can apply at this stage are things like:
- Endpoint and network edge malware protection
- An IPS that is specifically tuned to look for exploit attempts, not just scanning and banner grabbing.
- URL and domain filtering to prevent access to known malware channels
- Email security that includes AV and anti-spam. In later stages, we’ll look at specific email security features to enable.
But because we know these solutions only protect against what we know of, we need measures in place to detect those attacks that get through our security measures. This is where a post-infection tool, like a sandbox or an EDR, will help us detect zero-day threats that our preventive measures didn’t detect.
During this stage, the attacker is selecting which tool to use but they haven’t actually delivered it yet. How they deliver the attack is as critical as what they choose for a weapon.
Delivery
By this point, the attacker has selected the weapon based on their earlier reconnaissance. Now, the delivery stage is where they try one or multiple avenues to deliver the weapon. The delivery of the attack varies by the type of attack. Some examples of delivery channels are:
- Websites (malicious or clean): An attacker can infect a legitimate website they know your users frequent.
- Social media: Catfishing via social networks is a very effective way to gain trust.
- User input: The attacker has some level of interaction with a server (like a web server or a DB)
- Email: Attackers love phishing email because it works. Phishing is usually a numbers game. If only 0.1% of a 20k-employee enterprise clicks on a link, I’ve successfully infected 20 people.
- USB: A common attack is to leave infected USB drives in public areas and around employees’ cars, hoping the temptation is too much.
The single best security measure against the delivery of the attack is user awareness. This includes security training and phishing campaigns that teach personnel the basics of good security practices.
While all the protection measures we discussed in the “Weaponization” stage still apply, there are a few extra measures you can take to limit the delivery channels an attacker can use:
DKIM and SPF are email authentication methods to detect spoofed emails. SPF makes sure that emails are coming from the authorized IP of the domain while DKIM uses digital signatures. Both techniques help to make sure emails are coming from legitimate, authorized channels.
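How a mail filter can act on the SPF and DKIM results its own gateway recorded, as an added example that is not part of the original article. The gateway name mx.example.org, the three-way policy and the messages are constructed assumptions. The point to notice is that a sender can insert an Authentication-Results header of their own, so only the copy stamped by your gateway counts.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: the authserv-id our own gateway stamps

def auth_results(raw, trusted=TRUSTED_AUTHSERV):
    """Collect SPF/DKIM results, reading only headers written by our own gateway."""
    found = {"spf": set(), "dkim": set()}
    for header in message_from_string(raw).get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != trusted:
            continue  # header was added upstream and may be forged; ignore it
        for method, result in re.findall(r"\b(spf|dkim)=(\w+)", results, re.I):
            found[method.lower()].add(result.lower())
    return found

def verdict(raw):
    """Example policy (an assumption, not a standard): both pass, one passes, none pass."""
    found = auth_results(raw)
    passed = [m for m in ("spf", "dkim") if "pass" in found[m]]
    return {2: "deliver", 1: "review", 0: "quarantine"}[len(passed)]

# Constructed messages; every domain here is a reserved example name.
LEGIT = (
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=partner.example;\n"
    " dkim=pass header.d=partner.example\n"
    "From: billing@partner.example\nSubject: Invoice\n\nbody\n"
)
SPOOFED = (  # the second header was supplied by the sender to look authenticated
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.org; dkim=none\n"
    "Authentication-Results: mx.attacker.example; spf=pass; dkim=pass\n"
    "From: ceo@example.org\nSubject: Urgent wire\n\nbody\n"
)
FORWARDED = (  # a forwarder changes the sending IP, so SPF fails while DKIM survives
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=list.example;"
    " dkim=pass header.d=partner.example\n"
    "From: billing@partner.example\nSubject: Fwd: Invoice\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("forwarded", FORWARDED)):
        print(name, "->", verdict(raw))
```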
Some other effective measures include:
- Web filtering can prevent a user from accessing questionable or known bad sites. This is particularly useful in preventing drive-by downloads.
- Disabling USB and not giving any user “admin” rights also prevents a big portion of the delivery mechanisms that malware can use.
- DNS Filtering: While web filtering blocks web requests destined to malicious sites, using a DNS security solution can block any DNS lookup attempt to prevent connections over any protocol. I always use this in combination with web filtering.
Remember that SSL accounts for >70% of web and email traffic today, so if you’re not doing SSL inspection in all your delivery channels – you may be completely blind to what’s passing through that encrypted tunnel.
Exploitation
During the exploitation stage, the attacker has effectively delivered the weapon of choice to the victim and the attack has been executed. This means we have failed to keep the weapon away from our environment, and the only thing left is for the attacker to pull the trigger.
The actual exploit could come in the form of a buffer overflow, a SQL injection, malware that was undetected by our AV solution, a client-side exploit that was executed on an older version of JavaScript, or many others.
Protective measures are limited once an attacker has been able to execute the exploit but they do exist:
- DEP (Data Execution Prevention) is a software and hardware feature which attempts to prevent the execution of code in memory where it doesn’t belong.
- Anti-Exploit is a feature on some AV solutions that monitors known applications for unusual calls to memory.
Both of these techniques act as the last line of defense against common exploit attempts.
The reality is that when an attacker gets to this point, you’re relying on post-infection tools like a sandbox, EDR or a SIEM to find indicators of compromise (IoC). A sandbox has some prevention capabilities depending on the scenario, but for most network environments, you have what’s called “Patient Zero”. Patient Zero refers to the first time an unknown file is seen on the network. The first person to download that file will be infected because the malware analysis can take several minutes to complete. However, once the sandbox determines the file is malicious – it can then block that file and protect all your other users. It will then alert you that patient zero is infected, and you can move towards remediation and recovery.
It’s worth noting that an exploit takes advantage of some weakness in an application or OS, but it’s not the finish line for the attack. The goal of the exploit is to gain access, and that leads us to our next step.
Installation
The exploitation and installation phases go hand in hand. A successful exploit allows me to inject a payload that will give me a better level of access to accomplish the mission. From an attacker’s perspective, gaining better access allows me to control the victim at any point in the future, even after a system has been patched.
Some common payloads and techniques during this stage involve:
- DLL hijacking
- Injecting Meterpreter or other similar payloads
- Installing Remote Access Tools (or RAT)
- Registry changes to make my program automatically start up
- Executing PowerShell in fileless attacks
Once an attacker has gotten this far into the system, very limited protective tools exist. Linux-based systems can use a chroot jail to isolate processes from the rest of the system, limiting the amount of data the malicious file has access to. Windows-based systems can disable PowerShell on all systems that don’t require it.
Fortunately, we have some post-infection tools we could use at this stage that can monitor system files and the registry for unusual changes and behavior. A good EDR solution should flag any new unauthorized program that was installed, as well as detect any changes to the registry and system processes.
Unauthorized changes to system processes and registries should immediately cause a log entry and an alert to be generated. And way before you get to this stage, your team should already have an SOP or plan for this type of event. This includes things like identifying if the device is mission critical, removing the device from the network, changing all credentials for the user that was on the device and so on.
Once a system is determined to be infected, you can then begin the process of restoring the system to a known good state.
Command and Control
At this stage, the system has been completely compromised and is under the control of the attacker. If they completed the previous stage correctly, their access is persistent – even if you reboot or patch the vulnerability.
The infected device could be used immediately to carry out the mission, or it could sit back and wait for further instructions from its command and control server. Our defensive tactics are going to be around limiting what they can control, and detecting unusual activity.
Limiting the damage of a breach starts with segmentation. Segmentation will make it harder for the attacker to move laterally, and easier to detect using audit logs. If you have the ability to do micro segmentation through a “Zero trust security” model, even better. This would essentially leave the infected user completely isolated on that port until they can verify their machine is clean and have been authenticated.
As for technical controls, most NGFWs have a DB of known C&C servers. Enabling this feature will help block remote access from known bad actors. There are also many free and paid DNS servers that offer botnet and C&C protection at the DNS level. This would prevent any DNS lookup to shady sites or known C&C servers. Attackers will often use evasion techniques such as DGA or fast flux to generate a large number of domains that are used as a rendezvous. Blocking access to recently observed domains will stop connections to these common hops.
While on the topic of NGFWs, make sure that you are using Layer-7 application control to block commonly known remote access tools like telnet, ssh, PowerShell, RDP and various other protocols that really have no business leaving your network. If you do have a business case for using these tools, try to lock it down to specific IPs.
An attacker will almost always use encrypted connections to avoid being caught, so if you’re not doing full SSL DPI on your network perimeter – you’re completely blind to all communication attempts going through that encrypted tunnel.
For detection, IoCs or Indicators of Compromise are an excellent post detection tool. An IoC is an observed behavior by a user or server that is indicative of a breach. IoCs can be observed and collected on the endpoint, or they could be detected by a SIEM with an IoC feed.
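One behavioral indicator for the generated rendezvous domains described above, as an added example that is not part of the original article: a client that looks up many never-before-seen domains, most of which do not exist. It goes slightly beyond the text by using the NXDOMAIN ratio as the signal. The log format, baseline and thresholds are constructed assumptions.

```python
import hashlib
from collections import defaultdict

BASELINE = {"example.com", "example.org"}  # assumption: domains long present in our own DNS history

def constructed_log():
    """Constructed resolver lines covering one hour: 'client qname rcode'."""
    lines = []
    for i in range(12):   # infected host walking a generated domain list
        label = hashlib.sha256(str(i).encode()).hexdigest()[:14]
        rcode = "NOERROR" if i == 11 else "NXDOMAIN"   # only one candidate is registered
        lines.append(f"10.0.0.23 {label}.example {rcode}")
    lines += ["10.0.0.5 www.example.com NOERROR"] * 40          # normal browsing
    lines += ["10.0.0.5 portal.newvendor.example NOERROR"]      # one legitimately new domain
    lines += ["10.0.0.9 exmaple.test NXDOMAIN", "10.0.0.9 wwww.intranet.test NXDOMAIN"]  # typos
    return lines

def registered_domain(qname):
    """Naive last-two-labels reduction; production code needs a public suffix list."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def suspect_clients(lines, baseline=BASELINE, min_new=10, min_nx_ratio=0.8):
    """Flag clients that look up many never-seen domains, most of which do not exist."""
    unseen, failed = defaultdict(set), defaultdict(set)
    for line in lines:
        client, qname, rcode = line.split()
        domain = registered_domain(qname)
        if domain in baseline:
            continue
        unseen[client].add(domain)
        if rcode == "NXDOMAIN":
            failed[client].add(domain)
    return {c for c, d in unseen.items()
            if len(d) >= min_new and len(failed[c]) / len(d) >= min_nx_ratio}

if __name__ == "__main__":
    print(sorted(suspect_clients(constructed_log())))
```

Requiring both conditions keeps a user who mistypes a couple of names, or visits one genuinely new site, from being flagged.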
Actions on Objectives
With the machine now infected and the attacker in full control, they can now execute the action to achieve their objective. The action is predicated on the motivation of the attacker, so understanding the type of attacker that could be targeting your organization is crucial. Attackers could be motivated by financial or political reasons, could be nation-state actors or malicious insiders, or could simply be moving laterally to go after other systems on the network.
If the goal is data exfiltration, we can look into tools that prevent data from moving off the endpoint or server. On the endpoint, tools like a DLP or UBA solution have complementary features to detect and prevent specific files from moving off the network. The problem is, if an attacker has already gained access into your system – doing something as simple as screenshotting a protected document may not be detected by any of these tools.
Moving laterally is a common step for an attacker to take once they have gained access to your system, at which point they begin their reconnaissance stage all over again to gain information about the internal network. This is why network segmentation between different clearance levels is so important to a network design.
The Zero trust security model is built around the idea that eventually, we’re all going to fall victim to this stage of the kill chain. By removing the idea of “trust” on your inside network, you treat all users as untrusted until proven otherwise. While we won’t go into the detail of zero trust security, this model is very effective at detecting infected machines and limiting the damage that can be done by an attacker.
Once a compromised machine is identified, you can begin your incident response and eventually re-image the system before putting it back on the network (recover).
The CISO Perspective
The kill chain is more than just a model for how an attack is executed, it’s also a blueprint for building a good cybersecurity program. By using multiple layers of security throughout each phase, we make it more and more challenging for the attacker to be successful – and that by itself is a victory because so many attacks are opportunistic in nature.
The challenge I always give my clients is to rate their security posture from 1-10 at each phase of the chain. How would your organization deal with an attacker who got all the way through to the installation phase? Do you have processes in place that could detect that? If so, how long would the attacker sit in this phase before it is remediated? Minutes? Hours? Days?
Dwell time is the length of time an attacker is active inside the network before being detected. For CISOs or Security Directors, this is a critical metric to follow. According to a report by Ponemon Institute and IBM, the average dwell time is 191 days.