Defrag This


Understanding Network Intrusions With the Cyber Kill Chain

Koen Van Impe | October 06 2016


The computer security world uses a lot of military language and concepts. This is not just because it "sounds good" but because there are many useful analogies to be found.

One of those is Lockheed Martin's concept of the cyber kill chain: an intelligence model for the early detection, identification and prevention of attacks. The cyber kill chain is one of the methods you can use for understanding network intrusions.

Indicators

Before we jump into what exactly the kill chain is, we need to understand one of the fundamental elements of intelligence: indicators. There are three types of indicators:

  • atomic (e.g., IP or email addresses)
  • computed (e.g., file hashes)
  • behavioral (collections of computed and atomic indicators, often describing different steps in a part of the intrusion)

The indicators are what you use to detect the different phases of the kill chain.

The Cyber Kill Chain

The core idea of the kill chain is that an attacker must gather material to breach an environment, maintain a foothold and then move on to the final objective.

The chain consists of seven phases:

  1. Reconnaissance: doing the research, identification and selection of the targets. A lot of this can be done via public sources.
  2. Weaponization: after identifying a possible vulnerability, the attacker builds (or acquires) well-chosen malware that can exploit that vulnerability.
  3. Delivery: sending the malware to the victim (e.g., via email attachment).
  4. Exploitation: executing the malicious code as sent to the victim.
  5. Installation: the installation of malicious code on the system of the victim so that the attacker can retain access.
  6. Command and Control (C2): when malicious code is installed, it has to inform the attacker it was successful and wait for further instructions.
  7. Actions on Objectives: this is the final objective that the attacker wanted to achieve, e.g., information theft.

Example indicators per phase: for the delivery phase, a specific email subject; for the installation phase, the local path where a file gets installed; for the C2 phase, an IP address the implant connects to.


Defensive Measures

So how can understanding network intrusions help defend against them?

In this model, the crucial point is that breaking any one single step breaks the entire kill chain, meaning that attackers must go through the entire model again to be successful.

For reconnaissance, you can use web analytics and log forensics for detection. Limiting the amount of information that you publicly expose can help. Not publishing your internal network scheme is obvious, but you should also limit the amount of information on staffing and working procedures. Putting proper firewall rules and access controls in place is a no-brainer.

There's nothing much you can do about the weaponization because that occurs on the attacker's premises, but you can use different lines of defense for the delivery, exploitation, installation and C2 phases.

Raising awareness among your users (vigilance) and proxy filtering can prevent delivery.

The other phases can be stopped by using (host-based) intrusion detection, antivirus systems, isolating systems and proper outbound filtering. Also, you mustn't neglect using available threat intelligence data to update your filtering and inspection devices. It's 2016 and doing proper log management should be part of your IT processes; applying that same threat intelligence data to your logs can also help you detect attacks in the other phases.
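The two ideas above, indicators tagged with the kill-chain phase they detect (the Indicators section and the per-phase examples) and applying that indicator data to your own logs, come together in the following script. It is an added example, not code from the original post or from Lockheed Martin's model: the indicator values, the hostnames, the `key=value` log format and the timestamps are all constructed, and the 600-second correlation window for the behavioral indicator is an assumption chosen for illustration.

```python
"""Match kill-chain indicators against log lines (added example, constructed data)."""
import hashlib
import re
from collections import defaultdict

# Constructed value standing in for the hash of a dropped file; not a real IoC.
DROPPER_SHA256 = hashlib.sha256(b"constructed dropper body").hexdigest()

# Atomic and computed indicators, each tagged with the kill-chain phase it detects.
# Phase names follow the seven-step model; the values are constructed examples.
INDICATORS = [
    {"phase": "delivery",     "type": "atomic",   "field": "subject", "value": "Invoice 4471 overdue"},
    {"phase": "installation", "type": "computed", "field": "sha256",  "value": DROPPER_SHA256},
    {"phase": "installation", "type": "atomic",   "field": "path",    "value": r"C:\Users\Public\svchost_update.exe"},
    {"phase": "c2",           "type": "atomic",   "field": "dst_ip",  "value": "203.0.113.45"},  # TEST-NET-3 range
]

# A behavioral indicator is a collection of the above: here, an installation hit
# followed by a C2 hit on the same host within this window (assumed, in seconds).
BEHAVIORAL_WINDOW_SECONDS = 600

# Constructed log lines from a mail gateway, an endpoint agent and a firewall.
SAMPLE_LOGS = f"""\
ts=1475740800 host=ws17 src=mail subject="Invoice 4471 overdue" from=billing@example.net
ts=1475740920 host=ws17 src=edr path=C:\\Users\\Public\\svchost_update.exe sha256={DROPPER_SHA256}
ts=1475741100 host=ws17 src=fw dst_ip=203.0.113.45 dst_port=443 action=allow
ts=1475741200 host=ws22 src=fw dst_ip=198.51.100.7 dst_port=443 action=allow
"""

# key=value pairs; values may be double-quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def match_indicators(log_text, indicators=INDICATORS):
    """Return one hit per (line, indicator) pair whose field carries the indicator value."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        for ind in indicators:
            if fields.get(ind["field"]) == ind["value"]:
                hits.append({"phase": ind["phase"], "type": ind["type"],
                             "host": fields.get("host"), "ts": int(fields["ts"])})
    return hits


def behavioral_matches(hits, window=BEHAVIORAL_WINDOW_SECONDS):
    """Correlate per host: installation then C2 within the window is one behavioral hit."""
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["host"]].append(hit)
    found = []
    for host, host_hits in by_host.items():
        installs = sorted({h["ts"] for h in host_hits if h["phase"] == "installation"})
        c2s = sorted({h["ts"] for h in host_hits if h["phase"] == "c2"})
        for install_ts in installs:
            for c2_ts in c2s:
                if 0 <= c2_ts - install_ts <= window:
                    found.append({"host": host, "install_ts": install_ts, "c2_ts": c2_ts})
    return found


if __name__ == "__main__":
    phase_hits = match_indicators(SAMPLE_LOGS)
    for h in phase_hits:
        print(f"{h['ts']} {h['host']}: {h['type']} indicator -> {h['phase']} phase")
    for b in behavioral_matches(phase_hits):
        print(f"behavioral: {b['host']} installation at {b['install_ts']}, C2 at {b['c2_ts']}")
```

The atomic and computed indicators each fire on a single line, which is what a filtering or inspection device does. The behavioral indicator only exists across lines and hosts, which is why log management matters: the same threat intelligence applied to the logs tells you not just that a hash was seen, but that the chain advanced from installation to C2 on one machine. Host `ws22` talks to an address that is not on the list and produces no hit, so ordinary traffic stays quiet.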

Malware Oriented

One of the criticisms of the cyber kill chain model is that it is too focused on malware. Malware is only one possible attack vector; current threats can also involve an insider threat, social engineering, or intrusions based on intended remote access (e.g., via a supplier or captured credentials).

Some of the phases will still apply and can help prevent or detect incidents. But as the attackers are changing their methods, so should you.
