The Evolution of the Attack Kill Chain
Born of Necessity
Way back in 2011, Lockheed Martin introduced the cyber attack kill chain to the world. It was the year that the newly established US Cyber Command went fully operational. A year in which attacks increasingly focused on informational (as opposed to financial) theft. And a year that brought with it a growing realization of the complexity of cyber threats, as attacks became more intricate and well planned, wasting no time and rapidly homing in on their targets once inside the organization.
You could say that adoption of the cyber attack kill chain was born out of necessity, as security professionals realized that in order to truly protect their organizations, they needed a way to understand and trace the development of these new, more complicated attacks. Adapted from kill chain military parlance, the Lockheed Martin version designated 7 now-classic stages of a cyber attack:
- Reconnaissance – attackers use publicly accessible records to collect information on organizations and their targets within.
- Weaponization – they create a malicious file that takes advantage of a vulnerability to get into the organization.
- Delivery – the unsuspecting target receives the infected item via email, the web, on a USB key, etc.
- Exploitation – the scripted code is executed within the organization’s system.
- Installation – the infection spreads and malware quietly propagates within the organization.
- Command and Control – the attacker now remotely controls the system and begins commanding and navigating inside the organization.
- Activity on objectives – this is where attackers engage their ultimate goal, whether it’s stealing and selling information, or ransoming data back to an organization.
The RSA Attack of 2011
One example of this well-delineated process is 2011’s RSA attack. In it, the security giant was compromised by a zero-day spear phishing breach, its exploit implanted in a regular-looking Excel file, giving the attackers backdoor access to the organization’s network. The RSA attack, as with others that year, was a carefully coordinated series of movements. It began with significant research and reconnaissance, followed by the breach, elevation of privileges, and then exploration and clear lateral movement toward the goal data – the private keys/serial numbers of RSA’s high-selling SecurID tokens – before exfiltration to an external server.
As Attacks Evolve, so Must the Kill Chain
Theoretically, the kill chain is the ideal way to get the full picture of an attack operation over time. It can assist in gaining insights and serve as an invaluable tool for forensic investigations. But as attacks evolve, the way we look for them must as well. Today’s attackers skip parts of the kill chain, add steps, and even repeat steps. Many of today’s attacks do not fit the traditional kill chain process – for example, web-based attacks, breaches accessed through vulnerabilities in applications, insider attacks, and attacks that get through because of compromised passwords.
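To make the point about skipped and repeated steps concrete, here is an added example (not part of the original article) that takes an incident timeline whose alerts have already been tagged with one of the seven stages listed above and reports which stages were never observed, which were revisited, and where the sequence moved backward. The function name, field layout and sample events are hypothetical and constructed for illustration; how alerts get their stage tag is assumed to happen upstream.

```python
from collections import Counter

# The seven stages as named in this article, in their classic order.
STAGES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Activity on objectives",
]
ORDER = {name: i for i, name in enumerate(STAGES)}

def analyze_timeline(events):
    """events: iterable of (iso_timestamp, stage, description), in any order.
    Returns the collapsed stage sequence plus the stages that were never
    observed, the stages visited more than once, and backward transitions."""
    ordered = sorted(events, key=lambda e: e[0])
    unknown = [e[1] for e in ordered if e[1] not in ORDER]
    if unknown:
        raise ValueError(f"unmapped stage(s): {unknown}")
    # Collapse consecutive alerts for the same stage into a single visit.
    visits = []
    for _, stage, _ in ordered:
        if not visits or visits[-1] != stage:
            visits.append(stage)
    counts = Counter(visits)
    return {
        "sequence": visits,
        "unobserved": [s for s in STAGES if s not in counts],
        "repeated": [s for s in STAGES if counts[s] > 1],
        "backward": [(a, b) for a, b in zip(visits, visits[1:])
                     if ORDER[b] < ORDER[a]],
    }

# Constructed sample: an intrusion that begins with a compromised password,
# so no Weaponization, Delivery or Exploitation telemetry exists at all.
SAMPLE_EVENTS = [
    ("2024-01-10T08:02:11Z", "Reconnaissance", "directory enumeration by valid account"),
    ("2024-01-10T09:15:42Z", "Installation", "new scheduled task on file server"),
    ("2024-01-10T09:20:03Z", "Command and Control", "beaconing to rare domain"),
    ("2024-01-10T09:21:10Z", "Command and Control", "beaconing to rare domain"),
    ("2024-01-10T10:02:55Z", "Reconnaissance", "share enumeration from file server"),
    ("2024-01-10T11:05:30Z", "Activity on objectives", "large outbound archive"),
]

if __name__ == "__main__":
    for key, value in analyze_timeline(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

An unobserved stage means either that the attacker skipped it or that there is no detection coverage for it, so each entry in that list is a question for the hunt team rather than a conclusion.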
The bottom line, as we all know, is that attacks are increasingly found after the breach has already occurred, so clearly security should focus on what happens inside of the organization. But what does this mean? It means having protections in place for each step of the kill chain while, at the same time, actively engaging in threat hunting: looking for suspicious behavior within the organization and homing in on unusual traffic. Most importantly, an organization must have active automated remediation in place, so that any threats found can be immediately eliminated, without the chance of further damage.