“Understanding the Cyber-killchain”
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” -Sun Tzu
Many thousands of years of armed military conflict have offered many lessons to today’s next-generation of cyber-warrior. If you’re reading this, then that likely includes you. One of the most valuable lessons which echoes back to ancient times is the need to understand your enemy. We’ve discussed understanding cybercriminals motive, opportunity, and technique previously in this blog. Many modern cybersecurity terms are derived from military parlance; From Red/White/Blue Teams to Adversary to Killchain. There is a reason for this. Simply, we are operating within a virtual battlefield. While there are (often) no bombs or bullets, the stakes are equally as high. A modern cyber attack includes all of the same disciplines as that of a successful military operation. Ranging from open source Intelligence gathering (OSINT), target recon, weaponized resource engagement valuation, infiltration, and objective exploitation. In this post, we’re going to dissect the need to understand the killchain – The phases of an attack against a chosen target which possesses an objective of value. Understanding this allows cyber warriors to properly defend against the numerous modalities of attack.
The Cyber Killchain
Developed by the collective efforts of U.S. Military Cyber command and Lockheed Martin, the concept of the Cyber Killchain was developed to permit cyber analysists to better relate to the distinct phases of a successful cyber attack.
The Seven Phases of the Cyber Killchain
Attackers us open source intel sources, active target assessment (port scans, etc.), and technical means to ascertain potential weaknesses and entry points into a given target.
Using intelligence gathered, build a targeted weaponized payload which exploits one or more potential vulnerabilities. These vulnerabilities are increasingly non-technical in nature.
Create the opportunity for the weaponized payload to be delivered to the target. This can include methods like malicious links in email or infiltrating down-stream vendors.
Using the vulnerability(ies) identified and executing the weaponized payload on the target’s systems. Successful exploitation results in a foot-hold for an attacker to take control, establish persistence, or carry out malicious actions (like encrypting files) within a victim’s computer network.
Installing malware or other malicious code on the target’ computer asset(s).
Persistence | Command & Control:
Command and Control, also known as C2, establishes a virtual covert channel for an attacker to exercise control over a victim computer system. This allows for virtual ‘hands-on-keyboard’ access within a target’s computer network. Often, this access is at the level of an authorized user within a target’s organization. At this point, it’s generally ‘game over’ for a victim. Attackers can pivot throughout network systems and embed backdoors and other means to persist within the environment even if their primary (or first) method of access is discovered and closed.
In order to know your Enemy, you must first know yourself
“Generally you don’t see that kind of behavior in a major appliance.”
-Dr. Peter Venkman, Ghostbusters 1984
Each phase of the cyber killchain affords opportunities for detection of an attacker’s actions. Understanding both how attackers may carry out actions at each phase and what is “normal” for a given organization is a key to successfully being proactive against cyberattacks. This wouldn’t be an IT blog if the phrase “and these are ever-changing” wasn’t included. Unfortunately, it’s true in these instances. The methods, vectors, and technical techniques that attackers use change frequently. Cyber-warriors charged with the defense of their organizations must have intelligence which is regularly updated and actionable. Most business people hear this and will drop a few terms into Google to find such intelligence sources. While these sources are commercially available, more importance should be placed on understanding what’s “normal” for a given organization. Even the best and most up-to-date threat intelligence data is useless if an organization either doesn’t have the mechanisms or baseline data to quantify what “normal” activities are within its systems.
Implementing or paying close attention to technical systems such as Security Event and Incident Monitoring (SIEM) devices, Intrusion Detection / Intrusion Prevention Systems (IDS/IPS), and anti-malware software is one of the first actions to take. These actions are, almost ironically, hugely beneficial post-breach but often not the most effective pre-breach. That’s based on the experiences of forensic investigators from leading Security Incident Response Organizations, including CIT, the past 3 year’s Verizon Data Breach Investigations Report (DBIR) data, and data from the TrustWave Global Security Report. Implementing regular security training for the non-technical users of computer systems was far-and-away the most effective prophylactic measures which could be implemented pre-breach. Providing all employees the ability and training to identify and report suspicious activities results in earlier detection of potential malicious actors. Earlier detection permits internal defensive staff to more quickly isolate, analyze, and contain a potential intruder.
Understanding the Motive: Monetizing the attack.
Looking critically at the motive of successful attacks over the past 36 months, we can ascertain that in over 90% of those which were successful that a financial motive was behind the attack. That could be realized in the form of a monetary gain for the attacker, or a less considered objective, the financial burden of post-attack remediation for the victim. Armed with this data in a post-Equifax era, we must look at both the financial and information assets of an organization through the eyes of potential attackers. Considering questions like, what might an adversary hope to monetize? How might that transaction take place? What information does the organization share publicly that could present an opportunity for reconnaissance? Careful consideration of these answers, often will reveal unexpected areas of value.
Putting it all together . . .
The Cyber-killchain allows defenders to dissect and quantify the various stages of an attack. Using this information and analysis, a more informed and targeted detection and defense strategy can be formulated based on each phase of the attack. Breaking any one path in the chain thwarts attackers and causes them to identify alternate means of attack. Defenders should incorporate both technical and human factors into their defense strategy. Human training and security awareness of related behaviors has resulted in a greater number of attacks being detected and stopped than through purely technical means. Information assets are the new target in the modern cyber war, understanding what assets exists, where those assets reside, who requires access to each asset, and then securing them appropriately is the new defensive frontier. A combination of informational, procedural, and technical tools are the weapons to effectively combat adversaries on this new battlefront. Deploying the appropriate tools and techniques at the right time along the cyber-killchain may be the most effective and direct way to combat the ever-evolving threat landscape.
Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.
Contact us to learn more and let us show you how good I.T. can be!