Cyber Kill Chain
- several models exist for describing how an attack on a system's security progresses
- one of the most widely used is the kill chain
A kill chain is a model developed by Lockheed Martin that describes the stages by which a threat actor progresses to a network intrusion.
- defined in the influential white paper Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (Hutchins, Cloppert and Amin, 2011)
- written by Lockheed Martin analysts, who adapted the military "kill chain" concept to network intrusions
Weakness
- criticized for not accurately reflecting the chain of events in modern attack campaigns
- models a single linear intrusion through the perimeter and says little about what the attacker does once inside
- later models (e.g., MITRE ATT&CK) add post-compromise behaviour:
- iterative internal reconnaissance
- lateral movement
- privilege escalation
- data collection
- once an attacker has achieved their initial objective, they may also
- maintain access for use in later campaigns
- use anti-forensics techniques to remove evidence and hide their activity
Phases
- Reconnaissance
- attacker discovers information about the target and the technologies in place
- may combine passive information gathering (public records, DNS, social media, job postings, leaked documents) with active scanning of the target network
- desired outcome is identifying one or more potentially exploitable vulnerabilities
- Weaponization
- attacker identifies a method by which the identified vulnerabilities can be exploited and packages it for delivery
- often as weaponized code, e.g.
- carefully crafted scripts (such as macros embedded in a document)
- custom malware binaries
- an exploit planted on a compromised website
- a social engineering pretext that gets the target to run the payload
- takes place on the attacker's own infrastructure, so the defender rarely observes this phase directly
- Delivery
- attacker identifies a vector to transmit the weaponized code to the target environment
- e.g., an email attachment or link, a USB drive, or a compromised (watering-hole) website the target visits
- Exploitation
- results in weaponized code running on the target system
- e.g.,
- phishing email tricks user into running the code
- drive-by download executes on a vulnerable system without user interaction
- Installation
- the exploit drops and runs a remote access tool (backdoor/implant) and establishes persistence, e.g., via a service, scheduled task or autorun registry key, so access survives reboots and logouts
- Command and Control (C&C or C2)
- the implant establishes a reliable channel to an attacker-controlled server used to manage the session
- often disguised as ordinary outbound traffic (HTTPS, DNS) to evade egress filtering
- downloads additional tools to help advance the attack
- Actions on Objective
- attacker uses the access they have achieved to covertly collect information from target systems and transfer (exfiltrate) it to a remote system
- or acts on any other objectives they have, e.g., destroying or encrypting data, disrupting services, or using the compromised host as a hop to further targets
Kill Chain Analysis
- kill chain analysis can identify a defensive course of action to counter the progression of an attack
- the original paper pairs each phase with a Courses of Action matrix: detect, deny, disrupt, degrade, deceive, destroy
- need to understand the kill chain phases to determine how far an attack has progressed and which earlier phases went undetected
- the kill chain shapes analysis techniques
- different approaches are suited to different stages (e.g., network telemetry for reconnaissance and C&C, host telemetry for exploitation and installation)
- vital to identify suspicious activity as early as possible: breaking the chain at any single phase defeats the intrusion
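As an added worked example (not from the original notes or from the Lockheed Martin paper), the Python script below performs a small kill chain analysis over a handful of constructed alert lines: it maps each alert type to a phase, reconstructs per-host progression, reports the furthest phase reached, lists the earlier phases that produced no alert (the detection gaps a defender should close), and names an illustrative course of action at the earliest phase where a detection fired. The event-type names, hostnames, timestamps and the specific defensive actions are assumptions made for this example.

```python
"""Kill chain analysis over constructed alert records (added example)."""
from collections import defaultdict
from datetime import datetime

# Kill chain phases in the order the Lockheed Martin model defines them.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objective",
]

# Weaponization happens on the attacker's side and is rarely observable from
# inside the defended network, so it is not reported as a detection gap.
UNOBSERVABLE = {"Weaponization"}

# Detector event types and the phase each indicates. The event-type names are
# assumptions for this example, not the output of any real product.
EVENT_PHASE = {
    "port_scan": "Reconnaissance",
    "dns_enumeration": "Reconnaissance",
    "phishing_email": "Delivery",
    "malicious_attachment_opened": "Exploitation",
    "autorun_key_added": "Installation",
    "new_service_installed": "Installation",
    "beacon_to_external_host": "Command and Control",
    "large_outbound_transfer": "Actions on Objective",
}

# One illustrative defensive action per phase, in the spirit of the paper's
# Courses of Action matrix (detect / deny / disrupt / degrade / deceive /
# destroy). These particular picks are this example's, not the paper's table.
COURSE_OF_ACTION = {
    "Reconnaissance": "Detect: review web/firewall logs for scanning sources",
    "Weaponization": "Detect: IDS signatures for known builder artifacts",
    "Delivery": "Deny: mail/proxy filtering of attachments and links",
    "Exploitation": "Deny: patch the targeted vulnerability; Disrupt: DEP/ASLR",
    "Installation": "Disrupt: endpoint protection; Deny: lock down persistence locations",
    "Command and Control": "Deny: egress firewall ACL; Deceive: DNS sinkhole",
    "Actions on Objective": "Detect: audit logging; Degrade: outbound QoS / DLP",
}

# Constructed sample alerts: "<ISO timestamp> <host> <event_type>".
SAMPLE_LOG = """\
2024-03-01T09:02:11Z ws-17 phishing_email
2024-03-01T09:05:40Z ws-17 malicious_attachment_opened
2024-03-01T09:06:02Z ws-17 autorun_key_added
2024-03-01T09:06:30Z ws-17 beacon_to_external_host
2024-03-01T09:07:00Z ws-17 screensaver_changed
2024-03-01T08:10:00Z srv-db port_scan
2024-03-01T10:30:00Z srv-db large_outbound_transfer
"""


def parse_log(text):
    """Parse alert lines into (timestamp, host, event_type) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, event = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, event))
    return sorted(records)


def analyse(records):
    """Reconstruct each host's position on the kill chain from its alerts."""
    seen = defaultdict(dict)  # host -> {phase: timestamp of first alert}
    for ts, host, event in records:
        phase = EVENT_PHASE.get(event)
        if phase is None:  # not a kill chain indicator; ignore it
            continue
        seen[host].setdefault(phase, ts)

    report = {}
    for host, phases in seen.items():
        indices = sorted(PHASES.index(p) for p in phases)
        furthest = PHASES[indices[-1]]
        # Phases the attacker must have passed through that produced no alert.
        gaps = [PHASES[i] for i in range(indices[-1])
                if PHASES[i] not in phases and PHASES[i] not in UNOBSERVABLE]
        # Earliest phase with a detection: the first chance to break the chain.
        first_detected = PHASES[indices[0]]
        report[host] = {
            "furthest": furthest,
            "gaps": gaps,
            "first_detected": first_detected,
            "action": COURSE_OF_ACTION[first_detected],
            "timeline": [(phases[p].isoformat(), p)
                         for p in sorted(phases, key=PHASES.index)],
        }
    return report


if __name__ == "__main__":
    for host, r in analyse(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: reached {r['furthest']}; first detected at {r['first_detected']}")
        print(f"  undetected earlier phases: {', '.join(r['gaps']) or 'none'}")
        print(f"  course of action at first detection: {r['action']}")
```

On the constructed data, ws-17 is detected from Delivery onward with no reconnaissance alert, so the gap is early-warning coverage; srv-db shows only a scan and then a bulk exfiltration, meaning every phase in between was missed and the host telemetry for exploitation and installation needs attention. The same structure works on real alert exports once the event-to-phase mapping is filled in for the detectors actually deployed.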