Cyber Kill Chain

Steps in the Cyber Kill Chain

The Cyber Kill Chain is a model developed by researchers at Lockheed Martin that categorizes seven stages of targeted cyber attacks. The Cyber Kill Chain is used to create an “Intelligence-Driven Computer Network Defense.” This defense model is based on the military concept of the “Kill Chain,” which uses phase-based models to describe different types of attacks in order to identify capability gaps and prioritize filling them. The Cyber Kill Chain addresses Advanced Persistent Threat (APT) intrusions, which are more sophisticated and harder to prevent than the familiar “automated viruses.” Organizations protect themselves with automated solutions such as anti-virus software and firewalls; however, these solutions are less effective against APT campaigns. APT threats are stealthier than other cyber attacks such as ransomware campaigns. The main objective of an APT campaign is to gain access to a targeted network and remain undetected while exfiltrating sensitive data over a long period of time. The good news is that the global median APT dwell time (i.e., the time an APT actor stays on a network) is decreasing. In eight years (from 2011 to 2019), the APT dwell time went from 416 days down to 56 days, a decrease of 86.5% (according to the 2020 FireEye M-Trends report). The bad news is that despite this significant decrease in dwell time, APT actors often remain undetected for over two months in their target’s network. This gives them plenty of time to accomplish their objectives.

Automated solutions cannot thwart APTs

APT campaigns bypass the most common cyber defense mechanisms implemented by organizations. By mixing “simple” techniques with advanced techniques and tools, APT actors make their campaigns difficult to detect and tackle using only automated solutions. The Cyber Kill Chain provides analysts with a framework that allows them to:

1) Retrace the steps of a detected attempted intrusion
2) Identify the gaps “exploited” by attackers

Analysts can then mitigate those gaps to be better prepared to face intrusions using the same techniques.

Cyber Kill Chain: 7 phases of APT intrusions

Let’s examine the seven common phases of APT intrusions that make up the “Cyber Kill Chain”: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Action & Objectives.

Step 1: Reconnaissance

In this step, attackers gather as much information as possible on their target, using various tools and methods. Attackers may use active and passive reconnaissance to gather data on the target’s network (e.g., exposed devices, operating systems in use, software versions) and to identify its level of exposure. For instance, are there readily available credentials or information related to employees? The attackers’ goal is to select the target’s weakest entry points, the ones that can be used to achieve their objectives.

Step 2: Weaponization

Attackers craft a specific “tool” based on the findings of the reconnaissance phase and the chosen approach. Attackers often use malware (commonly a Remote Access Trojan, or RAT, together with other programs for the exploitation phase) coupled with a deliverable payload, such as an infected document (a PDF, PowerPoint or Excel file).

However, depending on the delivery method, weaponization can take many other forms, such as exploit kits. In this case, attackers do not hide malware in a seemingly legitimate file and trick their target into downloading it.

Instead, the target is lured to a compromised website, which can result in a “drive-by download” of malware, or a vulnerable host is targeted directly by the attackers.

Overall, the weaponization phase is about how the attackers tailor their malware to the target in order to hide its malicious content. There can be several “levels” of weaponization, and several malicious programs may be used to reach the intended goal.

Step 3: Delivery

Things get more serious from this phase on, as the attack enters an “active” phase. This phase covers the delivery of the tool crafted in the previous phase, which can take many forms. For instance, if attackers found valid credentials or unprotected devices on their target’s network, they could remotely access those devices and compromise them with their malware. Other delivery methods include persuading an employee to share access credentials and exploiting vulnerabilities as they are found.

Sixty-five percent of known APT groups used phishing emails for targeted attacks (from the Internet Security Threat Report by Symantec). Attackers often send infected files or links through well-crafted phishing emails that use social engineering techniques. Email links account for nearly 40% of malware vectors, with email attachments accounting for about 18% (from the 2020 Data Breach Investigations Report).

Step 4: Exploitation

Once the weapon is delivered to the target, the exploitation phase can begin. The goal is to spread through the network, escalate privileges, or do whatever else the attackers require to prepare for the phases that follow.

Malware commonly targets vulnerabilities in applications or operating systems (OS), whether known (Common Vulnerabilities and Exposures, or CVEs) or unknown zero-day vulnerabilities (those that have not yet been identified and patched by the vendor of the exploited software).

Step 5: Installation

As mentioned previously, APTs are often about exfiltrating information over a long period of time. In the installation phase, the attackers try to “install” themselves on the network and maintain persistence, frequently using RATs and backdoors. They may deploy multiple tools to provide redundancy, should one of their access points be discovered.

Step 6: Command & Control (C2)

Once the attackers are “installed” in the network, a C2 server is set up to create a channel between the compromised hosts and the malicious actors. The intruders can use this C2 server to interact directly with their target, whether to exfiltrate information or to deploy new malware.

Step 7: Action & Objectives

Once all the previous steps are completed, the APT actors finally begin to work on their original objectives. These may include data exfiltration, remaining hidden until a specific time, installing malware intended to disable or destroy systems, or pivoting toward higher-priority targets or systems linked to the ones they have compromised.

The phased approach rests on the hypothesis that if a defender is able to detect and document any one of the steps used in an APT attack, a similar intrusion will ultimately fail. However, a Kill Chain is conceptual and only reflects part of how an intrusion can occur. The Kill Chain is a great tool to help defenders map certain types of threat environments, but it needs to be adapted to the defender’s available resources and use cases.
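The two analyst tasks named earlier (retracing the steps of a detected intrusion and identifying the gaps) and the hypothesis above can be made concrete with a small phase-aligned triage routine. This is an added example, not code from the original post or from CybelAngel; the alert list is constructed, and the phase assigned to each alert is assumed to have been decided by the analyst beforehand.

```python
from datetime import datetime

# The seven phases, in kill-chain order.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Action & Objectives"]
# Reconnaissance and Weaponization happen on the attacker's side; the first
# phase a defender can normally observe inside their own perimeter is Delivery.
FIRST_OBSERVABLE = PHASES.index("Delivery")

# Constructed sample alerts (hypothetical, not real data):
# (timestamp, host, kill-chain phase assigned by the analyst, description)
SAMPLE_ALERTS = [
    ("2024-03-01T09:12:00", "ws-17", "Delivery", "phishing mail with macro attachment"),
    ("2024-03-01T09:20:00", "ws-17", "Exploitation", "office process spawned a shell"),
    ("2024-03-05T14:02:00", "ws-17", "Command & Control", "periodic beacon to rare external host"),
    ("2024-03-02T11:00:00", "srv-db", "Action & Objectives", "large outbound transfer of archives"),
]

def retrace(alerts):
    """Per host: order the alerts along the kill chain, report the earliest and
    deepest phases observed, list the in-perimeter phases that produced no
    alert (detection gaps), and give the span of observed activity in days."""
    by_host = {}
    for ts, host, phase, desc in alerts:
        by_host.setdefault(host, []).append(
            (PHASES.index(phase), datetime.fromisoformat(ts), desc))
    report = {}
    for host, events in by_host.items():
        events.sort()  # kill-chain order first, then time
        observed = {idx for idx, _, _ in events}
        deepest = max(observed)
        # Every observable phase before the deepest one that fired no alert is a
        # gap: the intrusion passed through it without being noticed.
        gaps = [PHASES[i] for i in range(FIRST_OBSERVABLE, deepest) if i not in observed]
        times = [t for _, t, _ in events]
        report[host] = {
            "first_phase": PHASES[min(observed)],
            "deepest_phase": PHASES[deepest],
            "gaps": gaps,
            "observed_span_days": (max(times) - min(times)).days,
        }
    return report

if __name__ == "__main__":
    for host, summary in retrace(SAMPLE_ALERTS).items():
        print(host, summary)
```

In the constructed data, ws-17 was caught at Delivery but its Installation phase left no alert, while srv-db only surfaced at Action & Objectives, so every earlier observable phase is a gap worth closing before the next similar intrusion.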

CybelAngel in the Cyber Kill Chain

In an age of big data, APT actors can easily find information that is not secured. It is necessary to make it increasingly difficult for attackers to target your enterprise. Opportunity tends to be the common denominator of many cyber attacks. Even the most complex attacks are often made possible, and made devastating, because an opportunity was found. CybelAngel protects businesses by reducing the opportunity for attacks at the Reconnaissance Phase. The more difficult you make reconnaissance of your organization, the less likely you are to be hit or even targeted. By focusing on freely available resources across multiple perimeters on the internet (e.g., connected storage, the dark and deep web, the surface web, cloud apps, open databases), CybelAngel reduces opportunity for attackers, which is particularly significant in the Reconnaissance Phase. Every day, we detect a significant volume of information that could be leveraged by APT actors in an attack. Imagine one of your providers exposing detailed technical documents about your network on a connected storage device without authentication; this is gold for APT actors. Such an exposure can be used as an entry point into your organization’s perimeter. CybelAngel detects documents of this kind that are used in attack scenarios, and helps secure them before they can be used against you. Likewise, credentials exposed in code repositories can be dangerous entry points, which is why threat actors in the Reconnaissance Phase are in constant search of this sensitive data. CybelAngel detects exposed credentials before malicious actors identify and use them.

What to do if you’ve been hacked

CybelAngel can help in the investigation of a data breach by making sure that stolen documents are not shared or exposed on the perimeters we scan; we even find unprotected C2 servers! We also assist by looking for mentions of your organization on communication channels often used by malicious actors. CybelAngel reports back fraud schemes and discussions about attack vectors that may be used against you. CybelAngel helps companies build an intelligence-driven network defense against all kinds of cyber threats, including APT attacks. If you would like to learn more, Contact Us.