The computer security world uses a lot of military language and concepts. This is not just because it "sounds good" but because there are many useful analogies to be found.
One of those is Lockheed Martin's concept of the cyber kill chain: an intelligence model for the early detection, identification and prevention of attacks. The cyber kill chain is one of the methods you can use for understanding network intrusions.
Before we jump into what exactly the kill chain is, we need to understand one of the fundamental elements of intelligence: indicators. There are three types of indicators:
- atomic (e.g., IP or email addresses)
- computed (e.g., file hashes)
- behavioral (collections of computed and atomic indicators, often describing different steps in a part of the intrusion)
The indicators are what you use to detect the different phases of the kill chain.
The Cyber Kill Chain
The core idea of the kill chain is that an attacker must gather material to breach an environment, keep a foothold and then move on to the final objective.
The chain consists of seven phases:
- Reconnaissance: doing the research, identification and selection of the targets. A lot of this can be done via public sources.
- Weaponization: after identifying a possible vulnerability, the attacker builds (or acquires) malware chosen to exploit that vulnerability.
- Delivery: sending the malware to the victim (e.g., via email attachment).
- Exploitation: executing the malicious code as sent to the victim.
- Installation: the installation of malicious code on the system of the victim so that the attacker can retain access.
- Command and Control (C2): when malicious code is installed, it has to inform the attacker it was successful and wait for further instructions.
- Actions on Objectives: this is the final objective that the attacker wanted to achieve, e.g., information theft.
A set of indicators for the delivery phase could be a specific email subject; for the installation phase, the local path where a file gets installed; and for the C2 phase, an IP address.
So how can understanding network intrusions help defend against them?
In this model, the crucial point is that breaking any one single step breaks the entire kill chain, meaning that attackers must go through the entire model again to be successful.
For reconnaissance, you can use web analytics and log forensics for detection. Limiting the amount of information that you publicly expose can help. Not publishing your internal network scheme is obvious, but you should also limit the amount of information on staffing and working procedures. Putting proper firewall rules and access controls in place is a no-brainer.
There's nothing much you can do about weaponization because it occurs on the attacker's premises, but you can use different lines of defense for the delivery, exploitation, installation and C2 phases.
Raising awareness among your users (vigilance) and proxy filtering can prevent delivery.
The other phases can be stopped by using (host-based) intrusion detection, antivirus systems, isolating systems and proper outbound filtering. Also, you mustn't neglect using available threat intelligence data to update your filtering and inspection devices. It's 2016 and proper log management should be part of your IT processes; applying that same threat intelligence data to your logs can also help you detect attacks in the other phases.
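As an added illustration of the two points above (indicators mapped onto phases, as in the email subject / install path / C2 address example, and threat intelligence applied to logs), here is a small Python matcher; it is not code from the original post, and every indicator value, host name and log line in it is a constructed placeholder.

```python
import re
from collections import defaultdict
# Constructed indicator values (placeholders, not real IoCs), each tagged with the
# kill-chain phase it evidences, following the article's delivery/installation/C2 example.
DROPPER_SHA256 = "b7e2" * 16  # hypothetical computed indicator (file hash)
INDICATORS = {  # name: (indicator type, kill-chain phase, value)
    "phish_subject": ("atomic", "delivery", "Invoice overdue - action required"),
    "dropper_sha256": ("computed", "installation", DROPPER_SHA256),
    "c2_ip": ("atomic", "command-and-control", "203.0.113.45"),
}
# Behavioral indicator: the dropper hash followed by a C2 contact on the same host.
BEHAVIORAL = {"name": "dropper-then-beacon", "steps": ("dropper_sha256", "c2_ip")}
# Constructed log lines (mail gateway, host antivirus, egress firewall) for the demo.
SAMPLE_LOGS = [
    'mail host=ws-07 from=ext@example.net subject="Invoice overdue - action required"',
    f"av host=ws-07 event=file_written path=C:\\Users\\Public\\svc.exe sha256={DROPPER_SHA256}",
    "fw host=ws-07 dst=203.0.113.45 dport=443 action=allow",
    "fw host=ws-12 dst=198.51.100.9 dport=443 action=allow",
]

def match_atomic_computed(lines):
    """Return [(host, indicator_name, phase)] for each line that contains an indicator value."""
    hits = []
    for line in lines:
        host = re.search(r"\bhost=(\S+)", line)
        if not host:
            continue
        for name, (_type, phase, value) in INDICATORS.items():
            if value in line:
                hits.append((host.group(1), name, phase))
    return hits

def match_behavioral(hits, rule=BEHAVIORAL):
    """Return hosts on which the rule's steps all appear, in order (a behavioral indicator)."""
    seen = defaultdict(list)
    for host, name, _phase in hits:
        seen[host].append(name)
    matched = []
    for host, names in seen.items():
        it = iter(names)  # subsequence test: each step must occur after the previous one
        if all(step in it for step in rule["steps"]):
            matched.append(host)
    return matched

def phases_per_host(lines):
    """Map each host to the set of kill-chain phases its log lines evidence."""
    summary = defaultdict(set)
    for host, _name, phase in match_atomic_computed(lines):
        summary[host].add(phase)
    return dict(summary)
```

A host that shows only the delivery indicator is an early-phase detection; one that also matches the behavioral rule has already reached C2, which is where the article's "break one link" argument says the chain should have been cut earlier.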
One of the criticisms of the cyber kill chain model is that it is too focused on malware. Malware is only one possible attack vector, but current threats can also involve an insider threat, social engineering, or intrusions that abuse intended remote access (e.g., via a supplier or captured credentials).
Some of the phases will still apply and can help prevent or detect incidents. But as the attackers are changing their methods, so should you.