Guide to Cyber Kill Chain: Steps, Background, Alternatives
What Is the Kill Chain Concept?
“To know your enemy, you must become your enemy” – this philosopher’s quote describes well how defense concepts work, and cyber security is no exception. The best way to prevent hackers’ attacks is to know exactly how they act during the process of intrusion.
To describe the intrusion process, Lockheed Martin Corporation proposed the Kill Chain in 2012 – a generalized model of a hacker attack.
The Kill Chain Cyber Security Definition
Lockheed Martin’s Cyber Attack Kill Chain describes the steps a criminal follows to successfully execute a malware attack against a target. Like any other complex activity, a cyber attack is a process that begins with planning and ends with reaping the fruits of the labor. It is a sequence of actions that can be carefully studied, defined, and prevented.
The idea of the kill chain in cyber security comes from military experience. Every military operation involves several basic steps. For example, the basic principles of combat are: Find them, Fix them, Fight them, and Finish them. Knowing the sequence, it is easier to create a plan or predict the enemy’s actions.
As a military defense company, Lockheed Martin predictably adopted a military principle for cyberspace. The modernized concept became part of the company’s Intelligence Driven Defence philosophy.
Kill Chain for Defense Strategy
The Kill Chain of a cyber attack describes the typical steps an attacker takes to hack a system. There are different versions of the original Kill Chain. Lockheed Martin’s original method suggests 7 steps:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and control
- Actions on objective
Each phase is a basis for creating defense solutions. Lockheed Martin suggests several layers of security control:
- Detect
- Deny
- Disrupt
- Degrade
- Deceive
These levels of control can be linked to stages of the Kill Chain to implement specific security solutions. This table of relationships is called the Kill Chain Matrix.
Kill Chain Cyber Attack Phases
Reconnaissance
Definition
Reconnaissance is a planning phase. During this phase, an attacker:
- Defines their goals and makes a list of potential targets.
- Collects information about the targets.
- Finds vulnerabilities in the target system or network.
Reconnaissance is a very important phase of any hacker attack. Wrong decisions made during this step can cost an attacker money and time. If an attacker feels that the company’s data is not valuable enough compared to a robust security system, he may choose an easier target instead. Adopting a large-scale security philosophy in an enterprise can scare off 80% of attackers even before the active reconnaissance phase.
On the other hand, the right reconnaissance actions can give an attacker immediate access. For instance, the French TV channel TV5Monde revealed some staff usernames and passwords because the desk with the passwords was accidentally caught on camera during filming.
How to prevent:
Detect
If an attacker has already selected a target and is taking active reconnaissance actions, Network Intrusion Detection Systems (NIDS) can detect those actions. Analysis of system integrity and behavior can reveal a trail of intrusion.
Deny
A system can monitor incoming connections using firewall access lists and disconnect suspicious connections.
Weaponization
Definition
The Kill Chain cyber security concept considers weaponization an important part of the intrusion. Weaponization is about finding the right weapon to exploit the vulnerabilities found in the first phase. There are hundreds of tools and applications that help an attacker carry out a planned attack.
An attacker may also decide to write his own code or develop a tool to achieve his goal. Most of the time, existing tools are outdated, so attackers often modify existing software or create their own malware that targets new vulnerabilities.
How to prevent:
Detect
A user cannot prevent an attacker from obtaining a weapon, but cybersecurity companies can inform users about the latest weapons. Threat intelligence systems help security engineers conduct threat analysis and keep them informed of current and potential future threats.
The amount of newly released malware is enormous. According to the Economic Times, criminals publish more than 400,000 new malicious files every day. Only systems with the fastest malware database updates and constant system support can ensure the security of businesses and individuals.
Delivery
Definition
In the delivery phase, an attacker sends malicious code or malware to the target or to an intermediary. The simplest example of a delivery method is email. For example, an attacker sends a malicious executable file via email to gain access to his victim. Direct delivery methods, such as spam emails, affect enterprises too. For example, the Agent Tesla spyware has been sent to companies as an attachment to fake business letters.
Attackers can also use other transmission methods, for example by exploiting vulnerabilities in an enterprise system or web application.
How to prevent:
There are several ways to prevent malware from getting into the system, network, or computer.
Detect
The first line of defense can be a proxy server. A proxy server acts as an intermediary between the network and the endpoint computer. Files passing through the proxy server can be scanned and malicious ones stopped before they reach the endpoint.
An organization can set up its proxy server with antivirus tools and intrusion prevention systems (IPS). Another option is to buy a ready-made solution from a trusted provider.
Deny
A proxy server or other gateway can use various tools to stop the attack or mislead the hacker. Host-based intrusion prevention systems (HIPS) and whitelisting are the basic tools and techniques to prevent the attack. A good solution for web applications is a web application firewall such as NGINX App Protect WAF.
Disrupt
A web proxy disrupts delivery most effectively when combined with antivirus software running on the proxy server itself, so that content is scanned in transit.
Deceive
Another way to prevent an attack is not to stop the delivery process, but to make the attacker deliver the payload to the wrong place. Honeypots are special servers or network services that look like a real part of the network and appear to contain sensitive data. In reality, they collect information about attacks for further analysis.
Exploitation
Definition
Exploitation is the step in which the delivered malicious code is executed. The code may be run manually by the attacker, triggered automatically, or executed by the end user. An example of user-executed code is an executable file disguised as an enterprise application.
How to prevent:
Detect
The most popular “kill chain” cybersecurity tools for malware detection are Endpoint Protection Platforms (EPP). If a malicious file is already on the endpoint, an EPP can warn a user or administrator about the threat. EPP scans files as soon as they enter a computer or corporate network. It typically uses a threat database that is constantly updated. EPP can be local, cloud-based, or hybrid.
Whereas EPPs are passive protection systems, there are also proactive endpoint security systems: EDR, which stands for “Endpoint Detection and Response”. EDR uses active threat detection and provides tools to respond to an attack. Security teams use EDR as a second layer of endpoint security in combination with EPP.
Disrupt
Most operating systems have a data execution prevention feature. The system blocks suspicious attempts to execute code from memory that is meant to hold data. Security teams can add further execution prevention controls if they deem the built-in functions insufficient.
Installation
Definition
Installation may seem similar to exploitation, but it is not the same. They are different actions that can be prevented in different ways. Even if a file has been successfully executed, the installation can still be interrupted.
Once the exploitation step has passed and the malware has executed, the malware is installed on the target computer. An attacker can control the installation process manually, or the malware can perform it automatically. After this step, the attacker has a foothold in the system.
How to prevent:
Detect
Security information and event management (SIEM) systems collect and record security data for further analysis. These systems monitor processes within a network and detect suspicious activity by correlating events and threat indicators.
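As an added example that is not part of the original article, here is a small SIEM-style correlator in Python: it tags constructed log lines with the Kill Chain phase they indicate and flags a host only once its events span several consecutive phases, which is the event correlation the paragraph above describes. The rule wording, hostnames and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Kill Chain phases from the article, in order. Reconnaissance and Weaponization
# happen off-host, so this correlator only looks for the on-network phases.
PHASES = ["Delivery", "Exploitation", "Installation", "Command and control"]

# Constructed indicator rules for this example (assumed log wording, not a real SIEM ruleset).
RULES = [
    (re.compile(r"mail attachment \S+\.(docm|exe|js)\b"), "Delivery"),
    (re.compile(r"WINWORD\.EXE spawned (powershell|cmd)\.exe"), "Exploitation"),
    (re.compile(r"registry Run key added"), "Installation"),
    (re.compile(r"periodic outbound \S+ every \d+s"), "Command and control"),
]

def classify(message):
    """Map one log message to a Kill Chain phase, or None if no rule matches."""
    for pattern, phase in RULES:
        if pattern.search(message):
            return phase
    return None

def longest_phase_run(phases):
    """Length of the longest run of consecutive Kill Chain phases present in `phases`."""
    best = run = 0
    for phase in PHASES:
        run = run + 1 if phase in phases else 0
        best = max(best, run)
    return best

def correlate(lines, min_run=3):
    """Group tagged events per host (line format: '<host> <time> <message>') and return
    the hosts whose events cover at least min_run consecutive phases of the chain."""
    seen = defaultdict(set)
    for line in lines:
        host, _time, message = line.split(" ", 2)
        phase = classify(message)
        if phase:
            seen[host].add(phase)
    return {host: sorted(phases, key=PHASES.index)
            for host, phases in seen.items() if longest_phase_run(phases) >= min_run}

# Constructed sample log lines (invented hostnames, documentation-range IP addresses).
LOGS = [
    "ws-07 10:01 mail attachment invoice_Q3.docm saved by user jdoe",
    "ws-07 10:03 WINWORD.EXE spawned powershell.exe",
    "ws-07 10:04 registry Run key added for updater.exe",
    "ws-07 10:10 periodic outbound 203.0.113.5:443 every 60s",
    "ws-12 10:05 mail attachment report.pdf saved by user asmith",
    "ws-12 10:06 periodic outbound 198.51.100.9:443 every 300s",
]

if __name__ == "__main__":
    for host, phases in correlate(LOGS).items():
        print(f"{host}: {' -> '.join(phases)}")
```

Only ws-07 is flagged: its events line up across all four on-network phases, while ws-12 shows a single beacon-like event that, on its own, does not form a chain.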
Disrupt
Access control lists (ACLs) are sets of rules for filtering incoming traffic. These rules typically determine which IP addresses are allowed and which are not. The security team can use ACLs to cut off a suspicious connection.
Command and Control
Definition
Because the Kill Chain has a military background, it treats the takeover of control as the game-changing moment. An attacker takes remote control of, and gains access to, an infected network or computer. At this stage, an attacker may attempt to gain further access, find credentials, and obtain more information about the target.
How to prevent:
Detect
Network intrusion detection systems and host-based intrusion detection systems detect unauthorized actions.
Deny
A security specialist denies (interrupts) an incoming connection by managing the firewall’s access control lists. Another option is to use a kill switch to disconnect a network from the Internet. There are also automatic preventive solutions, such as a VPN kill switch: every time the VPN connection is interrupted, the network is automatically disconnected.
Degrade
One of the most important roles of the security team in this step is to make it difficult for an attacker to move through the network. Segmenting the network can make it harder for hackers to gain more access and find more sensitive data.
Another example of a degrade strategy is a tarpit. A tarpit deliberately slows down incoming connections, making malicious activity slower and less attractive to the attacker.
Deceive
DNS redirection directs a malicious request to a domain other than the one the attacker intended, so the malware’s traffic ends up under the defender’s control instead of the attacker’s.
Actions on Objective
Definition
This is the final step of the original kill chain cyber method. In this step, an attacker implements his plan and takes the final steps to achieve his goals, which can be the theft or destruction of data, disruption of services, etc.
How to prevent:
At this stage, it is still possible to detect malicious activity with EPP, NIDS, or HIDS, disrupt a connection, and so on, but the most important goal for a blue team is to recover the data.
Encrypting data at rest limits what an attacker can do with stolen data and gives the blue team time to respond. Encryption of stored data usually involves the RSA and AES standards. It is also recommended to store the most sensitive data with additional security measures.
Critiques of the Kill Chain
Lockheed Martin introduced the original Kill Chain model in 2012. In 2022, more and more people are claiming that this model is no longer a match for new threats. Even the kill chain’s wiki page points out its drawbacks. Network security specialists call it outdated and cite the following reasons.
- 1. Malware focus
The original Kill Chain is a fully unified model. It focuses on protecting against specific malicious software that must be delivered and executed. These are the threats that the original model covers:
- Ransomware
- Phishing
- Worms
- Trojans
However, other types of attacks are outside the scope of the model. It can explain them, but not in detail. In addition, it does not provide advice for some types of attacks. For example, this concept does not provide a defense strategy for attacks based on social engineering.
- 2. Perimeter security
The Kill Chain focuses exclusively on breaching the security perimeter. It assumes from the outset that the attacker is a person or group of persons on the outside. These individuals must break in, steal something, and leave. Unfortunately, there are other possible scenarios, such as insider threats.
Other Cyber Kill Chain Models
The drawbacks of Lockheed Martin’s original Cyber Kill Chain concept have encouraged other companies to develop other intrusion models. Some of them are versions of the original idea: expanded or slightly modified.
- 1. The Unified Kill Chain
The cybersecurity expert Paul Pols created the Unified Kill Chain as a replacement for the original model. This model expands the list of phases from 7 to 18, including the phases of social engineering, defense evasion, privilege escalation, etc.
- 2. MITRE ATT&CK
MITRE also proposes its own extended list of malicious actions. It provides the ATT&CK Matrix, in which all steps and defense techniques are thoroughly examined and explained.
- 3. Pyramid of Pain
As a supplement to the original Kill Chain, the SANS Institute has proposed the Pyramid of Pain. The Pyramid of Pain ranks the most worrisome indicators of compromise (IOCs). The most dangerous IOCs should be taken into account in the defense strategy at the appropriate levels of the Kill Chain.
Security with the Kill Chain and ProxyBros
Most of the security systems and defense techniques described above perform multiple tasks at different stages of the Kill Chain. Proxy filtering is one of the most powerful defensive tools at the inflection point of the attack: the delivery phase.
A proxy server acting as a filtering gateway prevents the following threats:
- DDoS
- Malware
- Ransomware
- Identity theft
- Email phishing
Conclusion
The anti-malware model, originally developed by Lockheed Martin in 2012, has become the basis for the defense strategies of a thousand companies. The importance of the Cyber Kill Chain cannot be overstated, even in 2023.
It’s important to understand the Cyber Kill Chain to know how to defend against hacking, analyze potential threats, and find the right defensive solutions.