Sector 7G's Learning Center
Articles • Tips • Tutorials
Kill Chain Primer
Intro
Ransomware’s Extortion Levels references kill chain, a cybersecurity defense framework. This post covers kill chain basics, specifically Lockheed Martin’s “Cyber Kill Chain®”1 with their summary deck (PDF): Gaining the Advantage: Applying Cyber Kill Chain® Methodology to Network Defense.
Cyber Kill Chain® derivations have spawned since Lockheed introduced it, but none seem to materially differ. Lockheed’s thus remains a practical nexus presenting straightforward insight into how cyber threats are both conducted and may be defeated. Additionally, although originally published in the context of advanced persistent threats (APTs) in the early 2010s, today arguably all cyber threats have APT fingerprints, especially ransomware2 and attacks of equal or greater gravity.
Cyber Kill Chain®
The Cyber Kill Chain’s role is “understand[ing] the aggressor’s actions” and presents seven tactical steps an aggressor must complete to achieve the objective.3 It follows that once the tactics are known, defenses may be allocated and tuned accordingly. Furthermore, its reference defense model requires that each step kills the applicable tactic thus preventing an attacker from proceeding, hence the term “kill chain”.
The summary deck devotes a slide to each tactic (step) with example attack and defense techniques. In sequence with additional elaboration, the tactics (and only the tactics) are:
Reconnaissance | Information gathering and tracking culminating in target and vulnerability identification. |
Weaponization | Malware created and honed. |
Delivery | Malware reaches target. |
Exploitation | Malware exploits vulnerabilities for which it was designed. |
Installation | Attacker establishes environmental presence operating undetected for weeks, months, or longer. |
Control | “Game over” since the attacker is in control and positioned for the final step. |
Actions on Objectives | Mission accomplished. |
Additional Advantages
Besides focusing cyber defense beyond firewalls and endpoints (the Cyber Kill Chain’s impetus and perhaps a testament to its adoption and derivations), kill chains facilitate:
- Enforcing paths
This concept is not new—it’s literally ancient—and even whiteboarding what ingress and egress should be against what is may itself justify a simple kill chain exercise. Eliminating paths equates to fewer chains, a benefit unto itself.
- Defense refinement
The whitepaper1 addresses refinement at length. Assessing the blocking link for failed attacks still warrants strengthen prior links since they were necessarily overcome. Furthermore, a successful attack means all links failed and assessment may focus on the weakest. In either case, kill chain models necessarily foster adapting defenses tactically.
- Resource acquisition and allocation
Since all kill chain models define discrete tactics, organizations are positioned to shape cyber roles, processes, and tech accordingly. Tactics overlap, thus not inherently siloed, but nevertheless double as taxonomies potentially allowing more precise defense personnel and asset decisions than otherwise.
Final Thoughts
This post’s intent is not to promote a particular cyber defense framework. Rather, ideally it’s provided foundational and tangible insight into a framework illustrating not just a model, but also how cyber threats operate regardless of purpose. As we begin with fundamentals and understand more, disadvantage necessarily decreases thus increasing advantage, and the whitepaper’s “information superiority” reference is perhaps more than aspirational.
1 Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (PDF)
2 2017’s “WannaCry” may not have been history’s first ransomware, but nevertheless presented APT design, execution, behavioral, and indicators. Whether as a technical matter it was “persistent” may be debatable, or even unknown, but any lack in persistence was substituted with propagation impacting at least 200,000 machines globally.
3 Cyberattack “tactics” form a trio with “techniques” and “procedures” (“TTPs”) defined collectively in NIST’s Computer Security Resource Center’s glossary as: