Cyber Kill Chain vs. MITRE ATT&CK: An Insightful Comparison

There are two challenges we in cybersecurity face when it comes to communicating what we do to the rest of the business (and the rest of the world). For many people, computers, networks, and Information Technology in general are opaque: most businesspeople know how to use tech to get their job done, but not how it works “under the hood”. Hacking that technology to subvert it for malicious purposes is another level of mystery.

Hollywood doesn’t help much either, with most on-screen depiction of hacking in movies and TV shows being radically different from reality (with the exception perhaps of Mr Robot).

The first challenge is communicating the technology and basic understanding of how it works to then show how it can be misused. But the second challenge is then imparting how the criminals carry out their attacks. Most people think a hack is just a single “thing” that happened – “we got hacked” and then all the bad stuff happened, when it’s actually a set of steps.

In this article we’ll look at two different frameworks that are used to communicate hacking processes, both to the wider business and within the cyber security community – the Cyber Kill Chain, and the MITRE ATT&CK framework. We’ll look at the advantages and challenges of each of them, how they compare and how you can use them to fortify your organization’s cyber defenses.

Meet the Cyber Kill Chain

This is the older of the two approaches, having its roots in military kill chains such as the Four F’s from the US military during World War II: Find the Enemy, Fix the enemy, Fight the enemy and Finish the enemy. A more modern version is F2T2EA: Find, Fix, Track, Target, Engage and Assess; it’s called a chain because an interruption at any step can stop the whole process.

Cyber Kill Chain

Not surprisingly, it was Lockheed Martin, a large military manufacturer in the US, that took this chain approach and transformed it into the Cyber Kill Chain, with seven steps (and a very different result at the end compared to the literal kill chains mentioned above).

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control (often shortened to C2)
  7. Actions on objectives

As a communication tool for showing business leaders that there are steps in an attack, and that you want budget to interrupt each step or make it more difficult for the criminals, this is a good approach.

Cyber security, after all, always comes down to business risk. When you put it in those terms, the CEO, CFO, and the board are more likely to pay attention. If you start talking about technical details, you’ll soon lose them, but business risk is something they’re used to dealing with, and cyber-attacks are just one of the many risks a business faces.

Be aware that attackers may not perform every step, depending on their goals, their target, and any changes along the way, and that “attackers” might refer to different sets of people, where the early steps might be performed by an Initial Access Broker (IAB), who then sells the access to another group to actually run the ransomware and negotiate the payment.

In step one the attackers will gather information about your company and any employees of interest. This could be cursory: if they’re simply after a company with enough turnover to pay the ransom, they might look at your financials and at who to target with their spear phishing emails.

It could also be more in-depth: when the Scattered Spider group went after the helpdesk at the MGM casino, they knew a great deal about the staff they were impersonating, to ensure that the helpdesk would help them reset their credentials.

Phase two is taking advantage of the reconnaissance, to start exploiting a found weakness or packaging a payload, whereas step three is delivering the malicious bundle to the victims, via email, web etc.

Once the initial foothold has been established (someone clicked the link in a malicious email, for example), step four starts the exploit to run code on the victim’s system, which may then continue with step five, further installations on other systems. This is often called lateral movement, as the attackers continue exploiting systems in your network to gain full Domain access.

They’ll also establish persistence (so they can come back in if you’re trying to expel them from your environment) and Command and Control (C2) in step six for covert communication with their external control systems. The final step, seven, involves the attackers springing their trap and encrypting all your files, after having corrupted your backup systems or perhaps exfiltrating all your sensitive data (or both).

The “other side” of the cyber kill chain are the defensive actions your organization should take to deal with each phase:

  1. Detect – having sensors throughout your environment that trip when an attacker is present.
  2. Deny – control access and prevent information leakage.
  3. Disrupt – malicious processes and outgoing traffic to the attacker’s infrastructure.
  4. Degrade – means counter attacking the attackers’ C2 systems.
  5. Deceive – is about interfering with the C2 infrastructure.
  6. Contain – using network segmentation so that a single breached system or identity doesn’t have full access to every other system on the network.

This approach does have its detractors, but as a conversation starter for looking at the different phases of an attack, and whether your organization has security controls in place to detect it, disrupt it and contain it, it’s a good start. It also leads neatly into the modern approach of Zero Trust:

  1. Assume breach – work on the assumption that attackers will gain access and work on detecting it, containing it, and disrupting it.
  2. Verify explicitly – authenticate and authorize both human and workload identities at each access point in the infrastructure.
  3. Use least-privilege access – only grant identities access to the systems, data, and applications they need to do their job.

The challenges with the cyber kill chain are that it doesn’t work well for insider risks, and that the first couple of steps happen outside of the defenders’ control (unless you stop all staff from having LinkedIn profiles and posting anything, anywhere online). It’s also quite focused on malware, whereas some attackers now use Living Off the Land methods, only using built-in administrative utilities already present on the systems, thereby often avoiding detection.

The MITRE ATT&CK Framework

MITRE is a not-for-profit company that works for the common good in the areas of security writ large, but for this conversation we’ll focus on their enterprise matrix (there’s also one for Mobile and one for Industrial Control Systems, ICS). The weird acronym comes from Adversarial Tactics, Techniques and Common Knowledge and it was initially released in 2013.

ATT&CK framework matrix

There are 14 tactics (the “why” of the attack):

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

And each of them has Techniques (and sub-techniques), the “how” of an adversary, so while you can see some overlap with the simpler cyber kill chain in the list above, this is much more comprehensive. I like to think of it as a common language we in the cyber security industry can use to communicate about different attack techniques. There’s also tracking of 143 threat groups and which Tactics, Techniques and Procedures (TTPs) they use.

As you can appreciate the matrix encapsulates all the different techniques, making this a tool to ensure that you’ve got coverage “across the board” in your cyber security strategy. Here’s an example from one client, using the Microsoft Sentinel SIEM, and the analytics rule detection coverage across the techniques.

MITRE ATT&CK Technique Detection Coverage in a SIEM

Each Technique is described in detail, here’s T1563, Remote Service Session Hijacking, in the Lateral Movement Tactic, which has two sub-techniques (SSH Hijacking and RDP Hijacking) as an example. It has four mitigations that you can implement, and four detections that you can use to alert you if this is happening on your network. Most techniques also list Procedures which are the actual technical tasks applying that technique to a specific application or operating system.

Technique T1563 Remote Service Session Hijacking

While the matrix is very useful, it can be overwhelming with so many techniques and procedures. It’s also important to avoid thinking of the matrix as a long list of mitigations / detections – even if you have a “tick in every box”, for every technique you can still be compromised. Remember – “Attackers think in graphs, defenders think in lists” (John Lambert), so just implementing long lists of security controls isn’t the right approach, instead use MITRE ATT&CK with the context of your business priorities and unique network environment to build cyber resilience.
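The coverage check described above (a rule set mapped onto techniques and sub-techniques, as in the T1563 example with its SSH and RDP Hijacking sub-techniques) can be automated. The script below is an added example, not the article’s or Microsoft Sentinel’s own code; the matrix excerpt and the analytics rules are constructed, and a technique counts as “partial” when rules only target some of its sub-techniques.

```python
"""Report ATT&CK technique detection coverage for a set of SIEM analytics rules.

Added example, not code from the article or from any SIEM vendor. MATRIX is a
constructed excerpt of the enterprise matrix (a few techniques per tactic, not
the full set); RULES are constructed rules tagged with the IDs they detect.
"""
from collections import defaultdict

# Constructed excerpt: tactic -> {technique ID: [sub-technique IDs]}.
# T1563 with T1563.001 (SSH Hijacking) and T1563.002 (RDP Hijacking) is the
# technique the article walks through.
MATRIX = {
    "Initial Access": {"T1566": ["T1566.001", "T1566.002"], "T1078": []},
    "Execution": {"T1059": ["T1059.001", "T1059.003"]},
    "Lateral Movement": {
        "T1563": ["T1563.001", "T1563.002"],
        "T1021": ["T1021.001", "T1021.004"],
    },
    "Impact": {"T1486": []},
}

# Constructed analytics rules; "techniques" holds the IDs each rule is tagged with.
# The last rule carries a deliberately bogus ID to show how mis-tagged rules surface.
RULES = [
    {"name": "Phishing link clicked", "techniques": ["T1566.002"]},
    {"name": "PowerShell encoded command", "techniques": ["T1059.001"]},
    {"name": "RDP session hijack via tscon", "techniques": ["T1563.002"]},
    {"name": "Mass file rename with ransom extension", "techniques": ["T1486"]},
    {"name": "Logon from new country", "techniques": ["T1078"]},
    {"name": "Mis-tagged rule (constructed typo)", "techniques": ["T9999.001"]},
]


def technique_status(tid, subs, tagged):
    """'covered', 'partial' or 'none' for one technique given the tagged ID set."""
    if tid in tagged:
        return "covered"  # a rule targets the parent technique directly
    hit = [s for s in subs if s in tagged]
    if not hit:
        return "none"
    return "covered" if len(hit) == len(subs) else "partial"


def coverage(matrix, rules):
    """Per-tactic status counts, the gap list, and tags that match nothing in the matrix.

    A 'covered' technique only means a rule exists for it; it says nothing about
    whether that rule actually fires on your telemetry.
    """
    tagged = {t for r in rules for t in r["techniques"]}
    known = {tid for techs in matrix.values() for tid in techs}
    known |= {s for techs in matrix.values() for subs in techs.values() for s in subs}
    summary, gaps = {}, []
    for tactic, techniques in matrix.items():
        counts = defaultdict(int)
        for tid, subs in techniques.items():
            status = technique_status(tid, subs, tagged)
            counts[status] += 1
            if status != "covered":
                gaps.append((tactic, tid, status))
        summary[tactic] = dict(counts)
    return summary, gaps, tagged - known


if __name__ == "__main__":
    summary, gaps, unknown = coverage(MATRIX, RULES)
    for tactic, counts in summary.items():
        print(f"{tactic:18} {counts}")
    for tactic, tid, status in gaps:
        print(f"GAP  {tactic:18} {tid:8} {status}")
    print("unmapped tags:", sorted(unknown))
```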

Comparing the Cyber Kill Chain and MITRE ATT&CK

The two are related in that they describe the steps in different cyber-attacks, but they have different aims. The cyber kill chain is more generic and is an excellent introduction to the idea of hacking occurring in stages, and it’s a chain that you can interrupt with security controls. I find it very useful when communicating with non-IT and non-security people in business to get that basic understanding of the phases and how it works.

The ATT&CK matrix on the other hand is overwhelming for a non-technical audience (there are over 200 techniques) but is an excellent tool for understanding the technical steps attackers can take during a breach. And it can be used as a tool for evaluating coverage across the entire spectrum – “do we have detections for every technique in every tactic”, whilst not losing sight of the fact that even if you do, you may still be compromised.

It’s also interesting to see how these two fit into the larger landscape of regulatory frameworks that mandate certain cyber security controls, and other approaches such as the Center for Internet Security (CIS) benchmarks. CIS offers benchmarks for different operating systems, SaaS cloud services (including Microsoft 365), IaaS / PaaS cloud platforms, and much more, for free.

These cover all the controls that you should implement as a baseline for security controls for that particular technology. Microsoft offers CIS benchmarks for both Azure and Microsoft 365 in their Compliance Manager app. And the upside is that if you implement all these controls you’ll have covered most, if not all, of the MITRE ATT&CK techniques.

Conclusion

For beginners in cyber security, I recommend studying the MITRE ATT&CK framework, it’s like a common language for talking about different types of attacks.

I warmly recommend the free courses offered by AttackIQ, they’ve got one on Threat-Informed Defense which goes in detail on the MITRE ATT&CK framework. And use the Cyber Kill Chain phases when talking to the rest of the business.

Both have their place and are useful in their own right in helping you build a more cyber-resilient business.

FAQ

What is the main difference between MITRE ATT&CK and Cyber Kill Chain?

The Cyber Kill Chain is a useful communications tool when conveying cyber security concepts to non-technical people, and a basis for an overall IT security strategy for a business. MITRE ATT&CK, on the other hand, exhaustively lists every attack technique, grouped by tactics and mapped to different threat actors, allowing an organization to identify detection gaps.

What are the types of a cyber kill chain?

There are a few different versions of the Cyber Kill Chain, FireEye (now part of Mandiant, which is now part of Google) proposed their variant which also has seven steps but which focuses more on the persistence of threats, whereas the Unified Kill Chain has 18 unique phases and attempts to marry the best of the original Cyber Kill Chain and MITRE ATT&CK.

What are the types of MITRE frameworks?

Generally, when people mention MITRE ATT&CK they’re referring to the enterprise matrix, but there’s also one for Mobile and one for ICS. Furthermore, there’s the D3FEND matrix of cybersecurity countermeasures which is sort of the other side of the attack techniques, all the different controls that an organization can implement to mitigate the attacks outlined in ATT&CK.

How Difficult Is It to Remove Ransomware

Ransomware has been a part of the cybercrime ecosystem since the late 1980s and remains a major threat in the cyber landscape today.

Understanding Ransomware Mechanics and Its Short Evolution

The AIDS Trojan was the first known ransomware attack: it encrypted your files and demanded the ransom through the postal service. Over the years the functionality has been evolving and has become more sophisticated.

At first it employed symmetric key encryption, which encrypts and decrypts data with a single key (so the key had to be present on the victim’s machine). Now most threat actors have moved to asymmetric cryptography, which uses a public/private key pair, so the key needed for decryption never has to touch the victim’s system.

The delivery techniques have also evolved, moving on from the regular phishing email attachments, attackers now take advantage of software flaws and incorporate AI and Machine learning to enhance their evasion capabilities.

Cryptocurrencies like Bitcoin, Monero, and others are now the go-to payment option since they allow hackers to remain anonymous.

Ransomware as a service (RaaS) has made ransomware more accessible to novice attackers, or “Script-kiddies”. Larger organizations are now the target audience, or so we thought.

But attackers increasingly threaten to leak critical material as part of a double-extortion strategy and combine Distributed Denial of Service (DDoS) attacks with ransomware to overwhelm their targets.

Exploring Different Ransomware Types and Their Variances in Approach

As the world evolves, so do the ransomware types and how they are used, mostly depending on the goal of the malicious threat actors. In the technology era, information is the gold standard, and that is where attackers focus their efforts.

At its core, ransomware is malicious software designed to deny access to a computer system or files until a sum of money (the “ransom payment”) is paid. As the end goal varies, so does the approach. Here are the main types of ransomware you may encounter:

  1. Crypto Ransomware (Encryption): The most notable and vicious variant where the attackers encrypt the data on the host or entire organization, demanding payments to be delivered with cryptocurrencies in exchange for the decryption key.
  2. Locker Ransomware: Another type of ransomware that locks your computer screen, rendering it unusable and restricting access to basic computer functions, accompanied by a popup and message demanding a ransom payment before access is restored.
  3. Scareware: A manipulative type of ransomware intended to trick or frighten the victims into going to particular websites or downloading malicious software. Popup advertisements and social engineering techniques are frequently utilized with the intention of fooling people into downloading or buying dangerous software. An example would be a flash message displayed that your workstation is infected and the attacker suggesting they are here to save the day with their free Antivirus, a classic strategy that unfortunately still works.
  4. Doxware: It involves a process called doxing, the gathering of personal information about the target, combined with a scare tactic designed to make the victim feel ashamed and humiliated by the release of their personal data. Threat actors breach people’s privacy by getting their hands on private documents and images, which they threaten to make public if a ransom is not paid. This is a more targeted approach, but it could have a wider ‘clientele’, as the private information obtained often concerns other potential victims too.

Decoding the Mystery Behind Ransomware Removal and Recovery

Ransomware recovery demands a strategic approach, beginning with isolating infected systems to prevent spreading across the network. Simultaneously, it is crucial to discern the specific ransomware variant in play, a critical step as this information guides further steps and the search for customized decryption tools or focused solutions.

After identifying the malware, the eradication process may start. However, before complete removal, it is very wise to back up any essential data (including the encrypted files) to protect against any unforeseen complications.

The employment of reputable antivirus or anti-malware ransomware software, updated to the latest definitions and signatures, becomes pivotal at this juncture, serving as a frontline defense mechanism.

Should circumstances permit, restoring the system from a meticulously maintained and uncontaminated backup stands out as a robust remedial measure.

Sustaining a proactive stance, keeping software and security patches current, educating users on Security Awareness Training, the ins and outs of phishing threats, and, where necessary, seeking professional cybersecurity assistance, complete the comprehensive ransomware removal strategy.

The dynamic nature of cybersecurity activities is highlighted by a post-removal phase marked by persistent monitoring for residual risks that could still bring the organization to its knees. Prioritizing prevention through regular backups and raising cybersecurity awareness is crucial for defending against the constantly changing ransomware threat scenario.

How to Select the Right Approach for Ransomware Removal and Preventative Measures

Ransomware removal is never guaranteed, so the best defense is focusing on your preventative measures. Timing is of the essence when this type of malware gets into your system, and it is crucial to have continuous monitoring properly deployed.

  • Do not pay the ransom – Paying does not guarantee that threat actors will return your files, and even if they do, there is no certainty that they haven’t kept a copy to use for further extortion.
  • Isolate the infected systems – The first step when there are indicators of ransomware compromise is disconnecting the affected hosts from the network to minimize and control the spread to other devices and systems.
  • Identify the ransomware – Recognizing the variant helps you combat it: which common locations it resides in, and what remaining infection it may leave behind. Using shared intel within the security community could also lead you to a decryption tool (which may or may not exist).
  • Knock, knock. Who’s there? Identify the attack source – This sounds counterintuitive, but if you can identify how the attackers got in, it is very useful information for defending yourself against a repeat infection by taking proper measures; restoring from backup is useless if you leave the same door unlocked again.

MGM Resorts

The notorious ALPHV (BlackCat) crew has unleashed a ransomware attack on MGM Resorts, causing significant havoc that disrupted the website, casino functions, and essential systems such as email, reservations, and digital room keys, plunging MGM’s operations into disarray.

This breach, initiated by social engineering, underscores the escalating risks faced by major enterprises. It’s particularly alarming as it follows a previous security breach at BetMGM, a branch of MGM Resorts, where hackers absconded with data from 1.5 million clients.

In a parallel episode, Caesars Entertainment faced a similar hacker incursion but swiftly recovered by ponying up a substantial ransom.

LockBit 3.0

Among the prominent players in today’s ransomware arena is the feared LockBit 3.0. This group creates and distributes LockBit ransomware, operating under the ransomware-as-a-service (RaaS) model.

This setup implies that LockBit 3.0 collaborates with affiliates who deploy the ransomware in attacks, with both parties sharing the financial gains.

Affiliates of LockBit employ spearphishing and phishing techniques to penetrate victims’ networks. LockBit’s ‘customers’ acquire and misuse the login credentials of active accounts to obtain initial access, and once LockBit 3.0 is running, the malware executes batch scripts and similar commands to carry out its malicious actions.

LockBit 3.0 has a global reach, orchestrating impactful cyber attacks on businesses spanning public and commercial sectors. Renowned for their cunning tactics, the gang employs diverse channels to distribute malware, including phishing emails and exploit kits.

What sets them apart is their triple-extortion approach, where they encrypt victim data, threaten public exposure, and engage with partners or customers. Balancing sophisticated techniques with human-centric exploits, LockBit 3.0 remains a formidable force in the cybersecurity arena.

Conclusion

To wrap it all up, ransomware is a category of computer infection. It is employed to trick people into making payments. This typically indicates that the ransomware has encrypted your data and requests payment to unlock them. The best course of action is to prevent getting infected and make strong backups of your files in case you do get infected. Depending on how sophisticated the virus is, there might not be a method to get around this.

FAQ

Can ransomware be deleted?

Removing ransomware from a system is more complex than deleting a regular file. Caution is essential, and paying the ransom is strongly discouraged as it doesn’t guarantee file recovery and may support criminal activities. Prevention, regular backups, and updated security software are vital for protection against ransomware attacks.

What tool removes ransomware?

Keep in mind that no tool can ensure that every ransomware variant has been completely removed and that the effectiveness of a tool can vary based on the particular ransomware strain. Furthermore, proactive defense, timely security software updates, and a solid backup plan are essential to exhaustive ransomware protection.

Is ransomware difficult to remove?

To remove ransomware, think about performing a factory reset on affected systems once you’ve located and isolated them. Paying the ransom is discouraged as removal is never guaranteed, and you only look weak in the eyes of the attackers, making you a recurring target. Rather, prioritize creating a thorough incident response strategy that includes instructions for security partners, how to isolate assaults, and how to record important attack logs for forensic analysis. To guarantee a backup of crucial data, keep up a robust backup management program and evaluate risks regularly. Your organization’s defenses against prospective cyber threats are strengthened by advance planning and abstaining from ransom payments.

Can ransomware be solved?

Ransomware can be solved depending on the variant, your organization’s preparation, and your incident response plan. It is very important to have proper security awareness training and exercises to prepare you for this event, as time is valuable once you become a victim. Tabletop exercises, communication with other security professionals, and intelligence sharing will only boost your chances of fighting this attack. Preparation is key, as it is not an ‘if’ issue but a ‘when’.