Cyber Kill Chain 101: Understanding Why Network Defenders Should Always Have the Advantage

Seth Thompson
8 min read · Feb 4, 2024


Let’s think back for a minute to 2011. Adele topped the charts with her breakout hit Rolling in the Deep. Katy Perry was singing about Fireworks. Cam Newton led the Auburn Tigers to a BCS National Championship. Apple rolled out the iPhone 4S and introduced the world to Siri. We mourned the death of Steve Jobs and turned the page on a chapter in American history with the killing of Osama bin Laden.

In the midst of all these unforgettable occurrences, something else happened. An event that didn’t garner many headlines, but was historic in its own right. Three men working for the Lockheed Martin Corporation authored and published a 14-page paper that would forever change the cybersecurity landscape and become a cornerstone in the field of cyber threat intelligence. The paper was titled Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. The model they proposed has come to be known simply as the Cyber Kill Chain (CKC).

The concept of using intelligence analysis techniques to drive response efforts is thousands of years old. In the 5th century B.C., Chinese military strategist Sun Tzu famously wrote:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

This idea made its way to law enforcement circles in the late 1970s in the form of Problem-Oriented Policing. That is, using specific, repeated indicators to perform a root-cause analysis of crime problems within a community and then using the results of that analysis to inform decision-making and police strategy. It (and subsequent similar models) empowers police forces worldwide to overcome the ever-present challenge of using limited resources to get their job done. Or stated differently, getting the most bang for your buck.

As analogous as cybersecurity is to both warfare and crime fighting, it only makes sense that network defenders would adopt tactics that have already proven to be successful in both of those fields. No need to reinvent the wheel, just repurpose it to meet our specific needs. And that’s what Lockheed Martin did with the Cyber Kill Chain.

The Kill Chain: Sounds Cool But What Is It?

As much as a kill chain sounds like some terrifying weapon gladiators used in ancient Rome, it’s actually just a military concept used for both engaging the enemy and evaluating your own defensive capabilities. In the world of cybersecurity, the term kill chain is used to describe the phases of a cyberattack. It’s useful for analyzing two things:

  1. The specific actions taken by an adversary
  2. The measures defenders have in place to stop those adversaries

Think of it as a roadmap (or framework) to evaluate offensive and defensive cyber operations. Each link in the chain represents a portion of an attack, is supported by the links that precede it, and — in turn — supports all the links that follow. For an intrusion to be successful, the entire chain must remain intact. That is, any phase of the attack that doesn’t work or is thwarted by defenders stops the entire intrusion dead in its tracks. From the perspective of network defenders, break one link and you win. And the flip side of that coin for the attackers is this: if they make one mistake, they lose.

Advantage Defenders

This concept of the bad guys having a harder job than the good guys will seem counterintuitive to a lot of people. After all, with the current hysteria surrounding zero-day vulnerabilities and the emphasis (that is rightly placed) on end-user training that teaches people to avoid clicking unknown email links and doing other stuff they shouldn’t, it’s easy to fall into the trap of thinking that it just takes one push of a button to carry out a cyber attack. But that’s just not reality. The truth is, successfully carrying out a coordinated attack campaign against an enterprise environment isn’t easy at all. In fact — when the proper defenses are in place — it’s pretty doggone difficult.

Just as a regular chain is made up of multiple individual links, the Cyber Kill Chain is composed of the following 7 distinct phases of an intrusion:

1. Reconnaissance — the attacker gathers information about the target device

2. Weaponization — the attacker builds the weapon he will use to attack the target device (e.g., malware)

3. Delivery — the attacker transmits the weapon to the target device

4. Exploitation — the attacker activates the weapon, which gives it some level of control over the target device (e.g., exploiting a CVE)

5. Installation — the attacker installs/utilizes additional software on the target device so he can manually control it from a remote location

6. Command & Control (C2) — the attacker establishes an active connection between the remote access software and his command center

7. Action on Objectives — the attacker carries out his objectives on the target device (e.g., using it as a staging area for another attack, information gathering, lateral movement, data exfiltration, etc.)

To understand the benefit of conducting a kill chain analysis, you must first grasp the concept that a separate kill chain is required for each move an attacker makes within an enterprise network. For instance, if 3 different devices were compromised during an attack on an organization, then at least 3 separate kill chains would have been utilized during the attack. And since we know that each individual kill chain contains 7 distinct steps, this means that the attacker would have successfully completed 21 different steps during the attack campaign. And this is where you can start to see the overwhelming advantage that network defenders have over attackers.

Detection Opportunities During An Attack Campaign

Assuming an enterprise network has the proper defenses in place (a BIG assumption, I know), the above example would have provided network defenders with 21 different opportunities to detect and stop the attack before it reached its ultimate goal. With hundreds of billions of dollars currently being spent on cybersecurity efforts worldwide (and that number is projected to keep growing), efforts by attackers to remain undetectable long enough to achieve their objectives are getting harder by the day. But going back to our BIG assumption, what happens when a network doesn’t have the proper defenses in place? That’s when the scales start to tip back in favor of the bad guys.

Quantifying Detection Opportunities Using The Cyber Kill Chain

A properly defended network would have detection and response capabilities for all 7 phases of the Cyber Kill Chain. Additionally, all sensitive or critical information and data would be buried deep within the network, so that an attacker would have to compromise multiple devices and accounts (a.k.a., multiple hops) to reach it (a running of the gauntlet, if you will). While our P variable can never exceed 7 (the number of phases within the Kill Chain), there is no upper limit on our H variable (the number of hops required to reach the data). Increasing either of these variables increases our O variable (the number of opportunities defenders have to detect and stop an attack). Consequently, decreasing either (or both) of these variables reduces the defender’s ability to successfully protect the network.

If we think about it as a quadrant chart where our P variable runs on one axis and our H variable runs on the other, the closer an enterprise network approaches the upper-right quadrant, the more secure the data on their network becomes.
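To make the P, H and O variables concrete, here is a small Python script I’ve added for this write-up (it is not code from the article’s source material or from Lockheed Martin). It encodes the article’s O = P × H model and takes it one step further: each hop on the path to the data can have its own set of covered phases, so O becomes the sum over hops of the phases with a detection in place (which collapses to P × H when every hop looks the same). The segment names, control names and coverage sets are constructed placeholders, and the `undetectable` parameter is my own addition for counting a campaign in which one phase (say, Exploitation via a zero-day) can never fire a detection.

```python
"""Count kill-chain detection opportunities (the article's O = P x H).

Added example, not code from the article or from Lockheed Martin. Each hop on
the path to the data carries its own coverage dict (phase -> set of control
names), so O is the sum over hops of covered phases; with identical hops this
is exactly P x H. Segment and control names are constructed placeholders.
"""

KILL_CHAIN = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
)


def validate(coverage):
    """Reject phase names that are not in the kill chain: a typo in a phase
    name would otherwise silently lower the count."""
    unknown = set(coverage) - set(KILL_CHAIN)
    if unknown:
        raise ValueError(f"unknown kill-chain phase(s): {sorted(unknown)}")


def covered_phases(coverage, undetectable=frozenset()):
    """Phases of one hop that have at least one control, minus any phase no
    control can fire on in this campaign (e.g. Exploitation when the
    attacker holds a zero-day)."""
    validate(coverage)
    return [p for p in KILL_CHAIN if coverage.get(p) and p not in undetectable]


def opportunities(path, undetectable=frozenset()):
    """O for a whole path. `path` is a list of per-hop coverage dicts, one per
    device or account that must be compromised to reach the data."""
    if not path:
        raise ValueError("the path to the data needs at least one hop")
    return sum(len(covered_phases(hop, undetectable)) for hop in path)


def uniform_path(coverage, hops):
    """The article's case: every hop has the same coverage, so O = P x H."""
    return [coverage] * hops


def weakest_links(path):
    """Phases with no detection on any hop: the links an attacker could reuse
    on every hop without ever being seen."""
    return [p for p in KILL_CHAIN if not any(hop.get(p) for hop in path)]


# Constructed coverage sets.
# A hop with a control at every phase (P = 7).
FULL = {p: {f"ctl-{i}"} for i, p in enumerate(KILL_CHAIN)}
# Workstation segment: Reconnaissance and Weaponization happen off-network and
# are not observed, but endpoint tooling covers the remaining five phases.
WORKSTATION = {p: FULL[p] for p in KILL_CHAIN[2:]}
# Legacy server segment: only network-level controls, two phases covered.
LEGACY_SERVER = {
    "Delivery": {"ids-signatures"},
    "Command & Control": {"egress-proxy-logs"},
}

if __name__ == "__main__":
    print(opportunities(uniform_path(FULL, 3)))                    # 21, the article's three-device example
    print(opportunities(uniform_path(FULL, 3), {"Exploitation"}))  # 18, a zero-day leaves six links per hop
    print(opportunities([WORKSTATION, LEGACY_SERVER]))             # 7, a two-hop path with uneven coverage
    print(weakest_links([WORKSTATION, LEGACY_SERVER]))             # the phases neither hop can see
```

The `weakest_links` output is the part worth looking at in a real assessment: a phase that no hop covers is a place where the attacker gets a free pass on every kill chain in the campaign, which is the opposite of the gauntlet the article describes.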

Using The Cyber Kill Chain To Analyze Network Security

It’s All About Repetition

A fundamental assumption underlying the Cyber Kill Chain is that attackers use the same tactics, techniques, and procedures (TTPs) over and over again. So once we identify a TTP that correlates to any given link in the kill chain and implement a corresponding detection and response mechanism, we eliminate the ability of the attacker to reuse that same TTP in the future. This places the burden on the attacker to continually formulate new TTPs to overcome our defenses. As long as defenders are actually paying attention to what attackers are doing and implementing the proper detections within their security tools, advantage defenders. But if defenders aren’t paying attention to attacker TTPs as they evolve, advantage attackers.

And that’s why the first few words in the title of Lockheed Martin’s 2011 paper are Intelligence-Driven Computer Network Defense. Because the Cyber Kill Chain doesn’t work for network defenders unless they’re actively gathering and integrating adversarial threat intelligence as a core part of their defensive operations. And truth be told, a lot of defenders aren’t doing this. If I’ve said it once, I’ll say it a thousand times: threat actors aren’t geniuses, they’re just opportunists who reuse TTPs defenders should have protected against and exploit vulnerabilities that should have been patched.

But What About Zero-Day Vulnerabilities — You Can’t Defend Against Those, Right?

Ah, zero days. The headline-grabbing boogeymen that keep way too many network owners awake at night. Just so we’re on the same page, when I say ‘zero day’ I’m talking about a flaw within a piece of software that has never been exploited and that only the bad guy knows about. We can’t protect against the unknown, right? Well, yes... and no.

In the context of the Cyber Kill Chain, it’s important to recognize that zero-day software vulnerabilities are only one link in the chain — the exploitation phase. So while there’s no good way to build a detection for an exploit that no one knows about, it’s also worth remembering that — for any intrusion chain utilizing a zero-day — there are six other opportunities to detect and disrupt the attack.

Using The Cyber Kill Chain To Overcome A Zero-Day Vulnerability

So instead of worrying too much about stopping the unstoppable, why not spend that time making sure you have the proper detections in place to catch and respond to the other six attack phases that will undoubtedly accompany a zero-day? While you may not be able to stop the exploit, you can still stop the attack [insert overused truism about losing battles but still winning wars].
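Here is a second Python script I’ve added to illustrate both the repetition point from the “It’s All About Repetition” section and the zero-day point above (again, this is my own example, not code from the article or from Lockheed Martin). It replays a set of constructed intrusion events for two hosts against a rule set keyed by kill-chain phase and reports the first link at which a detection fires. The host names, TTP labels and rules are all made up; the second host reuses the first host’s persistence TTP but exploits with a flaw that no rule can exist for, standing in for a zero-day.

```python
"""Replay constructed intrusion events against detection rules and report
where each host's kill chain breaks.

Added example, not code from the article or from Lockheed Martin. Host names,
TTP labels and rule sets are constructed. It shows two things: a TTP learned
during incident response on one host breaks the next chain that reuses it at
an earlier link, and a chain whose Exploitation step is a zero-day (no rule
can exist for it) is still caught at one of the other six links.
"""
from collections import defaultdict

KILL_CHAIN = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
)
PHASE_INDEX = {p: i for i, p in enumerate(KILL_CHAIN)}

# Constructed starting rule set: the only detection in place fires on a
# beacon with a fixed check-in interval, i.e. the Command & Control link.
RULES = {"beacon-fixed-interval": "Command & Control"}

# Constructed events, one tuple per (host, phase, TTP label), in time order.
# srv-02 reuses ws-01's persistence TTP but exploits with a zero-day
# placeholder that no rule set can ever contain in advance.
EVENTS = [
    ("ws-01", "Delivery", "phish-macro-attachment"),
    ("ws-01", "Exploitation", "macro-launches-loader"),
    ("ws-01", "Installation", "run-key-persistence"),
    ("ws-01", "Command & Control", "beacon-fixed-interval"),
    ("ws-01", "Actions on Objectives", "credential-harvest"),
    ("srv-02", "Delivery", "remote-service-copy"),
    ("srv-02", "Exploitation", "zero-day-placeholder"),
    ("srv-02", "Installation", "run-key-persistence"),
    ("srv-02", "Command & Control", "beacon-fixed-interval"),
    ("srv-02", "Actions on Objectives", "bulk-export"),
]


def analyze(events, rules):
    """Per host, walk the events in kill-chain order and record the first
    phase at which a rule fires (the link the defender breaks) and the phases
    the attacker completed unseen before that. A host with no hit at all has
    an intact chain, which is the outcome the article says defenders must
    never allow."""
    by_host = defaultdict(list)
    for host, phase, ttp in events:
        if phase not in PHASE_INDEX:
            raise ValueError(f"unknown kill-chain phase {phase!r}")
        by_host[host].append((phase, ttp))
    report = {}
    for host, steps in by_host.items():
        steps.sort(key=lambda s: PHASE_INDEX[s[0]])
        broken_at, unseen = None, []
        for phase, ttp in steps:
            if ttp in rules:
                broken_at = phase
                break
            unseen.append(phase)
        report[host] = {
            "broken_at": broken_at,
            "unseen": unseen,
            "intact": broken_at is None,
        }
    return report


def learn_from_incident(rules, events, host):
    """After incident response on `host`, every TTP observed there becomes a
    rule keyed to the phase it was seen in. This is the article's
    intelligence-driven loop: a TTP, once known, cannot be reused unseen."""
    learned = dict(rules)
    for h, phase, ttp in events:
        if h == host:
            learned.setdefault(ttp, phase)
    return learned


if __name__ == "__main__":
    before = analyze(EVENTS, RULES)
    after = analyze(EVENTS, learn_from_incident(RULES, EVENTS, "ws-01"))
    for host in ("ws-01", "srv-02"):
        print(host, before[host]["broken_at"], "->", after[host]["broken_at"])
```

With only the beacon rule, both hosts are caught at Command & Control after three unseen links. Once the ws-01 incident has been worked and its TTPs turned into rules, ws-01’s chain would now break at Delivery, and srv-02, despite the zero-day at Exploitation, breaks at Installation because it reused the same persistence technique. Run it with an empty rule set and both chains come back intact, which is the picture for a network that isn’t paying attention to attacker TTPs at all.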

That’s why network defenders should always have an advantage over attackers. When Sun Tzu gave the advice to “not repeat the tactics which have gained you one victory, but let your methods be regulated by the infinite variety of circumstances,” he understood that defense is all about protecting against known attack patterns. And in today’s day and age of near-instantaneous sharing of attacker TTPs between network defenders worldwide, it’s really hard for any bad guy to come up with something new — entire attack chains — that haven’t been seen before.

But don’t just take my word for it. Read Lockheed Martin’s paper for yourself. There’s plenty in there that I didn’t touch on and that might come in handy the next time you do an evaluation of your defensive posture.
