Cyber Kill Chain Model Needs A Makeover
Adding new steps will trap threats before they strike.
Understanding the cyber kill chain and disrupting it could effectively defend against the most recent generation of cyber attacks. By scrutinizing the time and effort hackers invest in scoping out potential targets, network defenders can take advantage of several opportunities to block system access or, at the very least, drive up the cost, making attempts unappealing.
Criminals prefer easy targets, and the surging number of cyber attacks illustrates that there is no shortage of prey—even, and sometimes especially, in the largest organizations. Well-publicized breaches include the Democratic National Committee, Target, Sony and the Office of Personnel Management. But cybersecurity specialists also can learn a lot by dissecting less prominent incidents that resulted in devastating consequences. By getting inside the kill chain, as it is known in military parlance, network defenders can learn more about an adversary’s techniques, gaining information that could prevent future attacks.
Evidence of the effectiveness of this approach exists on the physical battlefield. Armed with their own kill chain plan, commanders often take aim at the enemy’s observe, orient, decide and act process—commonly referred to as the OODA loop—to gain an advantage. This strategy, with a few modifications, also can be valuable in the cyber realm.
One technique involves finding ways to deal with advanced persistent threats through intelligent data analysis. In 2011, while working at Lockheed Martin Corporation, Eric M. Hutchins, Michael J. Cloppert and Rohan M. Amin developed what they called a cyber kill chain. They took the military’s model of the kill chain used in the physical battlespace and applied it to cyberspace.
The model identifies seven steps adversaries must complete to achieve their objective. They include reconnaissance; weaponization; payload delivery; exploitation of a vulnerability; installation of malware; system command and control; and actions on objectives. As with the traditional kill chain, these steps are executed sequentially.
Although this model seems to fit well in addressing advanced persistent threats, additional analysis and several test cases indicate that when it is applied to the cyber world, two critical steps are missing: intelligence collection and fluid movement between steps once exploitation occurs.
In comparing the kill chains for the physical and cyber realms, the first three steps are the same. But then modifications and additions to the 2011 model are needed because of the nature of the medium. For example, after delivering malware, hackers gather intelligence about the system they have breached, a step that is not included in either the traditional kill chain or the cyber kill chain. In addition, after breaking into a network, hackers spend time learning about the location of high-value assets and system vulnerabilities.
Yet another difference between the Lockheed Martin and the modified cyber kill chains is objective execution. In the past, hackers scooped up information to use or sell. Today, they also may extract data from a database, encrypt information or install software for later use.
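As an added illustration, not code from the article or its authors, the difference between the two models can be expressed as a phase-transition check over a timeline of phase-tagged observations: the 2011 chain only moves forward, while the revised chain inserts an intelligence-gathering phase after exploitation and lets the attacker loop among the post-exploitation phases. The phase labels, the exact transition rule, and the sample timeline are assumptions made for this example.

```python
# The 2011 Lockheed Martin chain: seven phases, executed strictly in order.
ORIGINAL = ["recon", "weaponize", "deliver", "exploit", "install", "c2", "objective"]

# Revised chain: linear up to exploitation, then any order among the
# post-exploitation phases. The transition rule is an assumption; the
# article only says movement becomes fluid once exploitation occurs.
REVISED_LINEAR = ["recon", "weaponize", "deliver", "exploit"]
REVISED_LOOP = {"intel", "install", "c2", "objective"}


def fits_original(events):
    """True if the timeline only ever advances through the 2011 chain."""
    pos = -1
    for e in events:
        if e not in ORIGINAL:
            return False  # e.g. an internal intelligence-gathering phase
        idx = ORIGINAL.index(e)
        if idx < pos:
            return False  # stepping back to an earlier phase is not modelled
        pos = idx
    return True


def analyze_revised(events):
    """Return (fits, loops); loops counts returns to intelligence gathering
    after the attacker has already acted on an objective."""
    pos, i = -1, 0
    # Linear prefix: forward only; phases the defender never saw may be skipped.
    while i < len(events) and events[i] in REVISED_LINEAR:
        idx = REVISED_LINEAR.index(events[i])
        if idx < pos:
            return False, 0
        pos = idx
        i += 1
    # Post-exploitation: any order among the loop phases, nothing else.
    loops, acted = 0, False
    for e in events[i:]:
        if e not in REVISED_LOOP:
            return False, 0
        if e == "objective":
            acted = True
        elif e == "intel" and acted:
            loops += 1
    return True, loops


# Constructed timeline shaped like the looping behaviour the article describes:
# the attacker gathers intelligence, acts, then cycles back twice more.
LOOPING_TIMELINE = ["recon", "deliver", "exploit", "intel", "install", "c2",
                    "objective", "intel", "install", "objective", "intel", "objective"]
```

Running `fits_original(LOOPING_TIMELINE)` returns False because the original chain has no intelligence-gathering phase, while `analyze_revised(LOOPING_TIMELINE)` returns `(True, 2)`.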
Several recent cyber attacks illustrate that the modified 2011 model more closely resembles current tactics. While the Target breach was relatively short-lived because law enforcement quickly detected it, an analysis revealed that hackers repeatedly stepped through the various phases of the revised kill chain and were only finished when Target closed the door.
According to a report on the 2013 Target Corporation data breach by the U.S. Senate Committee on Commerce, Science and Transportation, attackers had access to information about the company’s third-party contractors, who in turn had access to the Target third-party payment system. The attackers breached Target through a subcontractor and then took the time to discover how to move from the third-party payment system to more critical production systems.
The Target hackers eventually accessed the point-of-sale (POS) system and looped through intelligence gathering and executing their objective as they loaded multiple copies of malware to compromise the system. After the POS malware was fully installed and began data collection, the attackers exfiltrated the data to external servers, being careful to conduct their work during normal business hours to avoid detection.
Attacks on noncommercial entities also illustrate the need to update the Lockheed Martin model. Although relatively little information is available about a recent breach of the Port of Seattle systems, for example, law enforcement learned more about network attacker behavior from it. A shared regional cybersecurity monitoring system showed the signature of the Chinese cyber espionage unit APT1 in six Seattle area ports, according to a news report.
The delivery system and purpose of the malware are still unclear, but examining the activity through the revised kill chain model shows that APT1 reached the objective execution phase, then stayed there.
Another example of the need to amend the model is seen in the 2012 theft of millions of personal financial records at South Carolina’s Department of Revenue. A public incident response report indicates that the hackers performed reconnaissance, determined a number of employees to target and gained access to systems through a phishing email. Then they downloaded a key logger onto each victim’s computer to acquire credentials and proceeded to compromise 44 systems. This approach indicates a lack of specific knowledge about the targeted information because if the attackers had known where and how to get it, fewer systems would have been compromised.
The response report says at least 33 unique pieces of malicious software and utilities, including multiple password-dumping tools, Windows batch scripts and generic utilities, were employed over six weeks to execute commands against databases. The hackers’ final step involved downloading the department’s taxpayer database and moving it from the server before shipping it out of the network via small encrypted files.
All these attacks show how adding intelligence gathering to the cyber kill chain and exploiting this process could disrupt hackers and improve information security. Also, by understanding attackers’ movement among the steps of the chain, defenders can develop a clearer picture of their tactics and get inside their OODA loop. A new model can more quickly disrupt or break the chain before major damage occurs.
James R. Rutherford, Ph.D., leads the mission development and management section at the Southwest Research Institute. Gregory B. White, Ph.D., is executive director of the Information Sharing and Analysis Organization Standards Organization, professor of computer science at the University of Texas at San Antonio and director of the university’s Center for Infrastructure Assurance and Security. He spent 30 years with the Air Force and the Air Force Reserve.