Cyber Kill Chain
Increasing IT security in companies step-by-step
The Cyberkill Chain in detail
You must be aware of the strategies used by cybercriminals in order to detect Cyber Kill Chain attacks and fight against them. This is the only way in which you can initiate appropriate countermeasures. And this is exactly where Cyber Kill Chain by Lockheed comes into play:
This approach divides cyberattacks into seven steps in total, which the perpetrator has to accomplish step-by-stepin order to carry out his plan. Another possible approach, at a defensive level is to block the cybercriminal’s whole attack by interrupting it at any of the individual step. However, it would be advisable to build a multi-layer defense since the attacker might overrun one of the previous steps.
The basic idea of the model
The Lockheed Cyber Kill Chain is based on a military concept in principle. The key focus is on actions that need to be taken for detection and prevention of attacks. The Kill Chain describes the attack chain. Ultimately, this is responsible for the elimination of the target from the military point of view. Attacks can be divided into several levels and understood easily with the help of the Kill Chain. Through the Kill Chain, the attack scenario can be divided into the phases listed below:
- Determine the location of the target
- Carefully monitor the location
- Track the target
- Select an appropriate weapon individually designed for the target
- Apply the weapon to the target
- Evaluate the effects on the target in the Kill Chain
The perspective of the attacker is taken on the basis of these steps in the Kill Chain . In practice, this means you consider what tools or possibilities the attacker has for every single step to carry out his plan. Fiurthermore, it‘s about laying down measures to defend against attacks.
From the Kill Chain to the model of the Cyber Kill Chain
Its parent in the military sphere, Lockheed decided to establish the attack chain also on a digital level. This happened in 2011. The extended concept is also known under the terms “Intrusion Kill Chain” and “Cyber Kill Chain” since the transfer of the initial attack chain into the IT area.
The perspective of the perpetrator is taken here and the individual steps of the attack are divided into intermediate steps. Therefore, the entire attack process can be portrayed accordingly. These steps are the following steps, based on the Cyber Kill Chain from the original American Lockheed model:
The individual attack steps of the Cyber Kill Chain in detail
It might be useful to take a closer look at the various perspectives in order to understand this model. This means, on the one hand, the procedure of the cybercriminals and on the other hand, the preventive countermeasures on the side of the defending target.
1. Identifying the target (Reconnaissance)
The cybercriminal chooses an individual target and sets up a profile of the victim. Here, the contact information of the targetsuch as information from social networks, email address, as well as further details of the targeted employees/ targeted company are specifically researched, including details about the company’s IT structure.
The publication of company data on the Internet should be severely restricted. Additionally, a detailed analysis in terms of possible attack types is recommended. Meaning, for example, DDoS attacks on web servers or mail servers. But other attack types are certainly possible. Broadly speaking, it is about detecting abnormalities in time.
2. Preparing for the attack (Weaponization)
The perpetrator relies on selected tools from his repertoire in order to carry out a cyberattack. These tools can be, for example, special encryption Trojans such as WannaCry, Petya, Jaff or Locky in the case of a ransomware attack. But also other malicious programs certainly can be applied. This choice depends on the approach and the objective of the cybercriminal.
We can detect any possible attack directly and examine them carefully through special analysis engines. We find out the potential impacts of the malicious software in general among other things.
3. First steps to perform an attack along the Cyber Kill Chain (Delivery)
In the next step, the attacker starts performing the cyberattack. The cybercriminals, – based on the information gathered beforeselect a specific medium for their attack. A data carrier, such as a CD-ROM or a USB flash drive can be used. Communication via email also appears to fit the purpose. Alongside these, social media as a platform is becoming increasingly important for personal information espionage. Phishing attacks on malicious websites are also imaginable.
Definitely, the attack vectors are constantly controlled. It is possible to investigate the cyberattacks originating from the perpetrator and the precise effects on the system or company network, on the basis of individual analysis engines with an IT security service like Hornetsecurity Advanced Threat Protection (ATP). The focus is on detecting the intention of the cyberattack being performed and understanding the approach of the perpetrator.
4. Systematic detection of security flaws (Exploitation)
Looking for vulnerabilities in the targeted system or network of a company, the aggressor angles the attack strategy at technical compromising. Some of the most attractive attack vectors are employees who are not sensitized for IT security. This includes thoughtless actions like for example being taken in by business e-mail compromise scam like CEO Fraud.
The primary focus of any company should be on open attack vectors. These can either originate from the technology utilized or personal data. The security flaws are anchored in the periphery or in the area of conventional or systemically relevant programs and services. Penetration tests uncover potential weak points. Furthermore, people also pose a blatant security risk.
5. Implementing a backdoor (Installation)
The implementation of the malicious program on the target system takes place without the knowledge of the targeted user. This can be achievedby the infiltration of the system or the whole network levelby installing a Trojan.
The attack prevention stops measures adopted by a perpetrator. This can be done on the company-side by issuing appropriate certificates, by establishing individual policiesand by examination for current signatures using ordinary virus scanners.
6. Remote controlling the target system (C&C)
An unprotected incident vector is enough to realize a specific attack like this. One example would be the Remote Desktop Protocol which can potentially be exploited as a weak point for remote access.
Respective recommendations for companies can be derived based on the analysis of the attack vectors used by the malicious software. The primary issue here is to reveal any existing security flaw. This may meanopen ports that can carry possible risks and that allow the perpetrator to gain access to systems. This applies on both the client and server levels.
7. Actions on Objective – Goal attainment
Once the cyber criminal has access to the targeted system, the measurements get more concrete. Spionage, sabotage and data theft could be some of them. The intention of the cyber criminal is to dig deep into the system and infiltrate it step by step, which terminates the attack.
In the worst case scenario, the specific actions that should be performed must be clearly determinedand the responsibilities must be precisely defined beforehand. This includes the personal responsibilities in the company as well as technical procedures and analysis to be performed. This is the only way to prevent extensive damage.
How useful is the Cyber Kill Chain model?
The sophistication of the perpetrators is continually increasing,particularily in relation to cyberattacks based on CEO fraud, spear phishing or whaling. But, other sophisticated, persistent types of threats also pose significant danger and should not be underestimated by anybusiness or public authority.
Coming from English language, Advanced Persistent Threats can be very complex and highly innovative types of attacks. The Cyber Kill Chainmodel comes into effect most of the time, making it possible to perform step-by-step analysis and detect attack structures that are difficult to identify.
It is especially important because attacks like these generally remain undiscovered over a long period. And within that time, the attacker can act freely.
Companies have the ability to promote their knowledge in the field of IT security or develop it more through the application of the Cyber Kill Chainconcept. Constant learning based on the analysis of current threats helps you protect yourself against cyberattacks.
Read more about IT security in our blog
Criticizing the basic idea of the Kill Chain
As technology continues to innovate at a rapid pace, so does the nature and makeup of cyberattacks.This is particularly applicable to the Advanced Persistent Threats (APTs) mentioned above, which makes implementing a appropriate defense strategy significantly more difficult.
In cases where the Cyber Kill Chain approach is applied, this issue is particularly important. because this model has a very static design. That’s why the Cyber Kill Chain has been often criticized in the past.
When we look closely, these are legitimate doubts. Although the perspective of the attacker is taken in this model, there are significant barriers in the model itself. For each level, not only the attack strategy but also the defense strategy is viewed and adjusted accordingly, however, regarding the first two steps of the Cyber Kill Chain, it is a challenge to define appropriate countermeasures for the case of defense.
Identifying the target of cybercriminals is also a challenge, mainly because of the large number and complexity of cyberattacks. This is also quite noticeable in the second step of this approach. Because adjusting your own preventive measures to the strategy of the perpetrator, – especially to the individual preparations of the perpetrator, is almost impossible with the Cyber Kill Chain model. Even though this approach is aimed at staying a step ahead of the perpetrator, in practice, this is only possible to a very limited extent.
Nevertheless, it is advisable to keep the definition of the defense strategy very abstract for the first two steps, in order to maintain and use the Cyber Kill Chainprocess. At the end, the challenge is to find an appropriate way of handling potential definition flaws in the Cyber Kill Chain model.