It really is a good thing
The term “kill chain” sounds extremely harsh. Almost as if after something is killed, it gets moved down the chain to be killed again. How dramatic! Indeed, the original definition was to describe how an enemy combatant of the military might attack; that is, the steps they would take to ultimately try and claim victory over the “good guys.” More recently, the term has been conscripted by the cybersecurity world to help businesses and security organizations go on the offensive, ensuring there are no gaps in their mitigation strategies and that their threat-hunting processes are sound.
So the goal is actually to make the lives of security personnel less dramatic. That’s good! Kill chain fundamentals matter because vetting each control on its own, over and over, still does not address the full life cycle of an attack; a solid offensive or defensive strategy has to account for every phase, so that a gap in one phase cannot be hidden behind strong coverage in another. Let’s now take a look at some specifics: organizations that have defined the standards of the kill chain world.
Lockheed Martin Cyber Kill Chain
This framework was developed by the defense contractor behemoth to describe the phases of an intrusion and to map existing controls against each phase, so that gaps in detection or mitigation become visible. Phases of this instance:
- Reconnaissance is an information-gathering process leveraging any available means like social media channels, press releases, port scanning, and much more.
- Weaponization pairs an exploit with a backdoor or remote-access tool to produce a deliverable payload, such as a malicious document or a phishing email carrying it.
- Delivery transmits the payload to the target, for example as an email attachment, via a website, or on removable media. If it reaches you or your team, it has actually passed “Go.”
- Exploitation is the moment the payload triggers: an application or operating system vulnerability, or the user, executes the attacker’s code on the target system.
- Installation is when the attacker installs malware, such as a backdoor, to establish a persistent foothold in the targeted environment.
- Command and control is when the infected system “calls home” to a control system and allows the attacker to obtain remote control.
- Actions on objectives is the final step in this kill chain: With “hands on keyboard” access, attackers can achieve their objectives, such as data exfiltration.
The MITRE ATT&CK Kill Chain
MITRE began its ATT&CK project to document the tactics, techniques, and procedures (TTPs) observed in real-world intrusions, and to develop analytics that detect adversary behavior. It’s extremely thorough, and provides teams with a deeper understanding of adversaries.
MITRE ATT&CK is a commonly used framework by both blue and red teams. It originally featured 2 focus areas: PRE-ATT&CK, covering preparation before an attack is launched, and ATT&CK, covering the steps taken afterward. (PRE-ATT&CK has since been folded into the Enterprise matrix as the Reconnaissance and Resource Development tactics.) The framework is organized as matrices of tactics and techniques, 2 of which are the focus here (a third, ICS, covers industrial control systems):
- Enterprise MITRE ATT&CK covers adversary behavior on corporate IT platforms (Windows, Linux, macOS, cloud, and network devices) and helps organizations understand and prevent threats at the business level. Its tactics run from reconnaissance through initial access, lateral movement, and privilege escalation to impact, where threat actors disrupt availability or compromise integrity.
- Mobile MITRE ATT&CK is a very similar tactical methodology, with 2 notable additions: network effects and remote service effects. Network effects describe how an attacker who cannot get onto a mobile device might intercept or manipulate traffic to and/or from it. Remote service effects describe how an attacker leverages services like Google Drive, iCloud, and mobile-device management to monitor, and potentially control, a device without touching it directly.
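The practical payoff of both models is being able to ask two questions of your own telemetry: how far along the chain did an attacker get on a given host, and which phases have no detection at all. The following is an added example, not code from Lockheed Martin, MITRE, or Rapid7. It assumes alerts already carry ATT&CK tactic IDs (as tagged SIEM rules commonly do), uses a rough, editorial mapping from ATT&CK tactics to Cyber Kill Chain phases that is not an official one, and runs over constructed sample alerts.

```python
"""Map ATT&CK-tagged alerts onto the Lockheed Martin Cyber Kill Chain and
report (a) how far along the chain each host has been observed and
(b) which kill-chain phases have no detection coverage at all.

Added example; not Lockheed Martin's, MITRE's, or Rapid7's code.
The tactic-to-phase mapping below is an editorial assumption (a common
rough mapping, not an official one), and the alerts are constructed.
"""
from datetime import datetime

# The seven Cyber Kill Chain phases, in order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and control", "Actions on objectives",
]

# ATT&CK tactic ID -> kill-chain phase. Assumed mapping for illustration only.
TACTIC_TO_PHASE = {
    "TA0043": "Reconnaissance",          # Reconnaissance
    "TA0042": "Weaponization",           # Resource Development
    "TA0001": "Delivery",                # Initial Access
    "TA0002": "Exploitation",            # Execution
    "TA0003": "Installation",            # Persistence
    "TA0004": "Installation",            # Privilege Escalation
    "TA0005": "Installation",            # Defense Evasion
    "TA0011": "Command and control",     # Command and Control
    "TA0006": "Actions on objectives",   # Credential Access
    "TA0007": "Actions on objectives",   # Discovery
    "TA0008": "Actions on objectives",   # Lateral Movement
    "TA0009": "Actions on objectives",   # Collection
    "TA0010": "Actions on objectives",   # Exfiltration
    "TA0040": "Actions on objectives",   # Impact
}

# Constructed alerts, shaped like what a SIEM emits once rules are tagged with ATT&CK IDs.
SAMPLE_ALERTS = [
    {"ts": "2024-03-01T09:02:11", "host": "ws-17", "technique": "T1566", "tactic": "TA0001"},
    {"ts": "2024-03-01T09:03:40", "host": "ws-17", "technique": "T1204", "tactic": "TA0002"},
    {"ts": "2024-03-01T09:05:02", "host": "ws-17", "technique": "T1547", "tactic": "TA0003"},
    {"ts": "2024-03-01T09:05:30", "host": "ws-17", "technique": "T1071", "tactic": "TA0011"},
    {"ts": "2024-03-01T11:47:19", "host": "ws-17", "technique": "T1003", "tactic": "TA0006"},
    {"ts": "2024-03-02T14:12:05", "host": "srv-db-2", "technique": "T1021", "tactic": "TA0008"},
]


def phase_for(tactic_id):
    """Return the kill-chain phase for an ATT&CK tactic ID, or None if unmapped."""
    return TACTIC_TO_PHASE.get(tactic_id)


def host_progression(alerts, host):
    """Ordered, de-duplicated list of kill-chain phases observed on one host,
    in time order. Alerts with an unmapped tactic are skipped, not guessed."""
    seen = []
    host_alerts = (a for a in alerts if a["host"] == host)
    for a in sorted(host_alerts, key=lambda a: datetime.fromisoformat(a["ts"])):
        phase = phase_for(a["tactic"])
        if phase and phase not in seen:
            seen.append(phase)
    return seen


def deepest_phase(alerts, host):
    """Furthest phase (by chain order) reached on a host, or None if nothing was seen."""
    phases = host_progression(alerts, host)
    if not phases:
        return None
    return max(phases, key=KILL_CHAIN.index)


def coverage_gaps(alerts):
    """Kill-chain phases for which no alert of any kind exists. These are where
    detection is blind, however well each individual rule has been vetted."""
    covered = {phase_for(a["tactic"]) for a in alerts}
    return [p for p in KILL_CHAIN if p not in covered]


if __name__ == "__main__":
    for host in sorted({a["host"] for a in SAMPLE_ALERTS}):
        print(host, "->", " > ".join(host_progression(SAMPLE_ALERTS, host)))
    print("no detections for:", coverage_gaps(SAMPLE_ALERTS))
```

One caveat when reading the gap report: a phase with zero alerts over a period means your detections never fired there, not that no attacker operated there. Reconnaissance and weaponization happen largely outside your network, so the gaps on those two phases are expected; a gap on delivery or command and control is the kind that should prompt a review of the rules, not a sigh of relief.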
The Unified Kill Chain
This kill chain iteration attempts to solve for the scope limitations of the Lockheed Martin chain and the time-agnostic nature of ATT&CK, respectively. One of the biggest benefits of the Unified Kill Chain is that it more accurately captures the nuanced behaviors of attackers, including the way they loop back through earlier phases rather than marching straight down a line. There are a whopping 18 different attack phases detailed therein, with those phases coming under 3 areas of focus:
- Initial foothold covers the phases that get attackers into the environment and keep them there: reconnaissance, delivery, exploitation, persistence, defense evasion, and command and control. Once they have that foothold, if they have their way, they never look back.
- Network propagation occurs when they’re, again, not looking back. They’ve gone past the entry point and are discovering systems, escalating privileges, harvesting credentials, and moving laterally on the hunt for anything of value.
- Action on objectives is achieved when the attacker finds what they were looking for in the first place and executes the main objective: collecting and exfiltrating data, or causing impact.
Spring into attack-tion
Jeffrey Gardner, Practice Advisor for Detection and Response at Rapid7, recently presented a deep-dive into all things kill chain and why adopting and adapting these methodologies to your security organization can cut down on threats and help drastically reduce breach response times.