The cyber kill chain describes the process a threat actor would typically take to execute a cyber attack, starting with the initial scouting and scoping and ending with the exfiltration or destruction of data or encryption for ransom.
To be able to recognise, anticipate and combat cyber security threats, we need to understand the cyber kill chain and how we can respond, as organisations and cyber security professionals, to prevent or deter threat actors from progressing or succeeding at every stage.
The cyber kill chain, based on the military concept of the kill chain – the structure of an attack against an enemy – was initially developed in 2011 by researchers at Lockheed Martin, an American aerospace and defence company.
Lockheed Martin’s cyber kill chain describes 7 stages of a cyber attack: reconnaissance, weaponisation, delivery, exploitation, installation and, finally, actions on objective.
For security defences to be effective, we should align the controls we implement to the cyber kill chain, considering their place and purpose within it.
Reconnaissance is the action of gathering information on the target organisation or individual. This could be a broad scoping exercise to find vulnerable targets or a targeted search for a means of entry to a specific organisation’s systems. Threat actors use social media, search engines and publicly disclosed information, as well as information from the dark web and applications to find vulnerable systems. Threat actors are looking for gaps in organisations’ defences that they can exploit.
To counter threat actor reconnaissance, individuals and organisations can:
- Be careful what they share on social media, and the internet more generally, and who it is shared with.
- Securely destroy sensitive documents, data and IT waste.
- Perform regular auditing, vulnerability scanning and penetration testing to provide assurance that you are not advertising vulnerable services and software within your network on the internet and that your network is as secure as possible.
- Create a positive culture around reporting concerns and suspicious activity.
Through the process of reconnaissance, the threat actor will have identified one or more vulnerabilities that they can exploit. During the weaponisation phase, the threat actor builds or customises a method of attack that will exploit the vulnerabilities they have found. During this phase, the threat actor does not interact with their target and so weaponisation can be difficult to detect.
Threat actors use a variety of different ways to exploit the vulnerabilities they find, this can include many different types of malware, creating compromised hardware and social engineering – attempting to get the target to provide personal information through fraudulent emails (phishing), telephone calls (vishing) and/or text messages (smishing).
Due to the lack of interaction between the threat actor and the intended target, it is difficult to detect and specifically counter weaponisation. General cyber security health measures, such as those which are required by the Cyber Essentials scheme can impede many cyber attacks. These controls include running cyber security awareness training, updating software and operating systems, restricting administrator access, disabling auto-run, deploying well-configured boundary firewalls and employing two-factor authentication.
During the delivery phase, the threat actor executes their planned attack by delivering a malicious payload. This could mean sending an email with a malware-infected attachment or link to a spoofed login screen (a fake website), typical of a phishing attack, allowing the threat actor to steal user credentials. Delivery may also take the form of gaining entry to a secure area, vulnerable machine or network to connect compromised hardware or install malware. Threat actors have even been known to distribute USB drives containing malware to be picked up and plugged in by the threat actor’s target(s).
Some delivery methods are straightforward to intercept, but countering the delivery phase is often more reliant on people than technology:
- Scanning email and web traffic for malware can prevent malware from entering your network via these routes.
- Security awareness training that covers social engineering, as well as strong processes, can prevent spear phishing attacks from being successful – your staff are the first line of defence against emails and phone calls that are out of the ordinary or tell staff to, for example, make payments without following process.
- Enabling multi factor authentication means that threat actors require not only something you know, a username and password, but also something you have, such as a hardware token or code generator, to access systems and devices.
- Putting in place physical security controls, such as ID badges, a security presence, and a culture of challenging unfamiliar faces, as well as ensuring that secure areas and devices are locked when not in use can make it more difficult to access devices to plant malware or malicious hardware.
When the attack moves into the exploitation phase, the threat actor is making full use of their target vulnerability to access the network. This may mean triggering their malware to run, making use of the credentials they have gained through phishing campaigns or gaining access to computers or networks using identified vulnerabilities.
To counter a threat actor’s ability to exploit vulnerabilities, organisations should:
- Ensure that all devices have anti-malware software installed and configured to update at least daily, scanning files and webpages on access.
- Conduct security awareness training. Your staff are the first line of defence and an informed and cyber security aware workforce can prove invaluable in spotting and stopping cyber attacks.
- Install patches and software updates for applications and operating systems. Updates that address the most critical vulnerabilities must be installed promptly, definitely within 14 days of release.
- Ensure that sensitive data is encrypted when being sent (in transit) and when being stored (at rest) to stop threat actors being able to intercept and access it.
- Ensure that logging and monitoring solutions are in place, configured and actively monitored, so that evidence of an attack is logged and alerts are generated to trigger incident response.
Installation can sound a lot like delivery and exploitation. Indeed some attacks will, by this stage, already have installed malware inside a target network. When we talk about installation, we refer to a threat actor creating a persistent means of access to the network. This means installing a backdoor into the network, so that, even if the initial vulnerability is identified and remediated, the threat actor can still access and hide within the network to carry out their objectives.
Most organisations will require outside help to use the logs and other indicators of compromise within your network to find the backdoors that have been installed, respond to the incident and ultimately close out the incident. There are specialist computer forensic techniques that preserve evidence, which can be necessary if legal action is to be taken against the perpetrator(s).
Effective management of logging and monitoring is key at this stage, to ensure that abnormal activity is reported on, alerts are generated and remediation activity takes place. This is where a managed security operations centre can prove invaluable, as detection and response can happen before the organisation is even aware that there is an attack in progress.
An informed, trained and security aware workforce, who is able to spot or detect abnormal behaviour and report suspicious activity to your IT or security team, is extremely helpful. Having well trained staff enables an organisation to more effectively respond to a cyber security incident.
Command and Control
Command and control is typically associated with botnets, where devices are compromised and used en masse to direct huge volumes of traffic at a website or internet-hosted service, disrupting an organisation’s ability to serve their website or deliver their service. Command and control is, however, also used by other types of attack, for example, the encryption keys used to carry out a ransomware attack are often downloaded over a command and control channel and when creating persistence within a network, remote-access trojans create outbound channels used by the threat actor to connect back in to the network.
Organisations can make it significantly more difficult for threat actors to establish command and control channels by:
- Proxying and filtering internet traffic to block traffic to addresses known malicious domains.
- Restricting the ports that traffic can use to leave your network, which can block some command and control activity.
- Proactively looking or “hunting” for threats by iteratively searching through networks and systems to detect new and advanced threats, which can bypass or evade security solutions.
Actions on Objective
Once access has been firmly established, the threat actor is in a position to execute their strategy to achieve their objectives. A threat actor’s objectives are tied to their motivation. This could mean affecting one or all of the confidentiality, integrity and availability of data and systems. Does the threat actor want to disrupt your business or your customers? Is the threat actor intent on malicious harm? They may deface websites, steal, change or delete data, or encrypt your data for ransom. Once the threat actor has access to one machine, their objective can be to move through your network to access and compromise higher-value data held on other network endpoints or servers and in other services, such as software- (SaaS), infrastructure- (IaaS) and platform as a service (PaaS) providers.
When thinking about the cyber kill chain, it should be noted that not every attack necessarily follows all seven steps. Some methods of exploiting vulnerabilities do not require, for example, a command and control channel, some threat actors will not install backdoors; however, it is important to be aware of the entire cyber kill chain and to put in place cyber security defences to address each stage of the kill chain. Only by implementing a comprehensive security strategy and testing the controls, can organisations have confidence in their cyber security defences.
This article was written in collaboration with my colleague Jacques du Toit. For a personalised view of how your business can use knowledge of the cyber kill chain to improve your cyber security, please reach out to either of us via LinkedIn.