To help organizations understand and repel cyber-attacks, security breaches, and advanced persistent threats (APTs), Lockheed Martin introduced the “Cyber Kill Chain” framework in 2011. Derived from a military targeting model, the cyber kill chain is a 7-step model that lays out the stages of a cyber-attack from early reconnaissance to the final data exfiltration.
The model is used to identify and prevent cyber intrusion activity: it describes what adversaries must complete in order to achieve their objective. It gives analysts better perspective and insight into an adversary’s tactics, techniques, and procedures, and it helps organizations continuously strengthen their network defenses and develop effective countermeasures.
Since its introduction, the kill chain has evolved and several organizations have proposed their own versions of the framework; the core of all of them, however, remains the same: get in, do not get caught, do your business, get out.
Consisting of 7 steps, the Lockheed Martin cyber kill chain appears to be the most comprehensive of these frameworks.
The Lockheed Martin Cyber Kill Chain
1. Reconnaissance
In the first stage of an attack, the adversary gathers information about the targeted organization. Reconnaissance is classified as either active or passive. Active reconnaissance involves direct interaction with the target; the adversary may, for example, record IP addresses and log observed activity. In passive reconnaissance, by contrast, the attacker does not interact with the organization directly but gathers information from data available online, such as social media platforms like LinkedIn or Instagram, and by calling or emailing employees. At this stage the attacker turns social engineering to their advantage, exploiting human weakness to extract as much intelligence as possible from employees.
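Active reconnaissance, because it touches the target directly, leaves traces in the target’s own logs. The following is an added example, not code from the original article: it parses constructed firewall log lines in an assumed “timestamp src dst port action” format and flags source/destination pairs that touch many distinct ports inside a short time window, the classic footprint of a port sweep. The line format, the thresholds and the sample lines are assumptions made for this illustration.

```python
"""Spot active reconnaissance (a port sweep) in firewall logs.

Added illustration, not code from the original article. The log line
format, the thresholds and the sample lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <src> <dst> <dst_port> <action>".
# 203.0.113.7 probes eleven ports on one host within a few seconds;
# 192.0.2.44 is ordinary web traffic to the same host.
SAMPLE_FIREWALL_LOG = """\
2024-05-01T10:00:01 203.0.113.7 198.51.100.10 22 DENY
2024-05-01T10:00:01 203.0.113.7 198.51.100.10 23 DENY
2024-05-01T10:00:02 203.0.113.7 198.51.100.10 80 ALLOW
2024-05-01T10:00:02 203.0.113.7 198.51.100.10 443 ALLOW
2024-05-01T10:00:03 203.0.113.7 198.51.100.10 3389 DENY
2024-05-01T10:00:03 203.0.113.7 198.51.100.10 8080 DENY
2024-05-01T10:00:04 203.0.113.7 198.51.100.10 445 DENY
2024-05-01T10:00:05 203.0.113.7 198.51.100.10 5900 DENY
2024-05-01T10:00:05 203.0.113.7 198.51.100.10 21 DENY
2024-05-01T10:00:06 203.0.113.7 198.51.100.10 25 DENY
2024-05-01T10:00:07 203.0.113.7 198.51.100.10 110 DENY
2024-05-01T10:00:09 192.0.2.44 198.51.100.10 443 ALLOW
2024-05-01T10:00:15 192.0.2.44 198.51.100.10 443 ALLOW
2024-05-01T10:00:30 192.0.2.44 198.51.100.10 80 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def parse_firewall_log(text):
    """Parse lines into (timestamp, src, dst, port, action); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def find_port_sweeps(events, window=timedelta(seconds=60), min_ports=10):
    """Return {(src, dst): most distinct ports seen inside one `window`} for
    pairs that touched at least `min_ports` distinct destination ports
    within a single window. Denied and allowed probes both count: a scan
    that is blocked is still reconnaissance."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _action in events:
        by_pair[(src, dst)].append((ts, port))

    sweeps = {}
    for pair, probes in by_pair.items():
        probes.sort()
        left = 0
        for right in range(len(probes)):
            # Slide the left edge so the window never spans more than `window`.
            while probes[right][0] - probes[left][0] > window:
                left += 1
            distinct = {port for _, port in probes[left:right + 1]}
            if len(distinct) >= min_ports:
                sweeps[pair] = max(sweeps.get(pair, 0), len(distinct))
    return sweeps


def sweep_report(text):
    """Parse the log text and return the sweep findings."""
    return find_port_sweeps(parse_firewall_log(text))


if __name__ == "__main__":
    for (src, dst), n in sweep_report(SAMPLE_FIREWALL_LOG).items():
        print(f"possible port sweep: {src} -> {dst}, {n} distinct ports")
```

The thresholds (10 ports in 60 seconds) are deliberately simple; in production they are tuned per network, and the same sliding-window logic can be keyed on distinct destination hosts instead of ports to catch horizontal sweeps.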
2. Weaponization
During weaponization, the attacker designs the attack: using the intelligence gathered during reconnaissance, the attacker identifies system vulnerabilities and develops malware to exploit those specific vulnerabilities. For example, the adversary may build exploit kits or craft phishing emails that contain document attachments or links coupled with malware.
3. Delivery
The third stage of the framework is the transmission of the malicious payload crafted in the previous phase. The first method of delivery relies on the human element: the adversary distributes infected USB drives or sends out phishing emails containing malicious links or attachments, such as Microsoft Office documents or PDF files, in the hope that an employee clicks the link, opens the attachment, or plugs in the infected drive and so executes the malware. The second method of delivery is the direct attempt to hack neglected systems.
Security awareness matters a great deal at this stage: employees must have enough security knowledge to deal with the threats they encounter in their daily work. They must also know which security processes to follow and report security-related incidents to the responsible professionals when they detect them.
4. Exploitation
Exploitation is the execution of the malware that exploits the vulnerability and establishes a foothold inside the organization’s network, from which the adversary can download additional tools, escalate privileges, and so on.
5. Installation
In this stage of the cyber kill chain, the adversary installs malware on the victim organization’s systems; typical examples are ransomware and remote access Trojans (RATs). Installing a web shell on a vulnerable web server or a backdoor on a vulnerable host allows adversaries to bypass security controls and maintain their presence in the victim’s environment.
6. Command and control
The sixth stage of the cyber kill chain is command and control (C2): the control an attacker has established over a compromised system. Once a system is infected, it opens a command and control connection that gives the attacker remote access. An open command and control channel grants the attacker persistent connectivity and allows them to move deeper into the network, exfiltrate data, or launch denial of service attacks. Threat hunters use various tools to detect this type of abnormal activity.
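One of the “abnormal activity” signals threat hunters look for is beaconing: an implant checking in with its C2 server at near-constant intervals. The following is an added example, not code from the original article or any particular tool: it parses constructed proxy log lines in an assumed “timestamp client host status” format and flags client/host pairs whose inter-request gaps are suspiciously regular (a low coefficient of variation). The log format, the hostnames, the thresholds and the sample lines are assumptions made for this illustration.

```python
"""Flag beacon-like C2 check-ins in proxy logs by inter-request regularity.

Added example, not code from the original article. The log format, the
sample lines, the hostnames and the thresholds are constructed assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: "<ISO timestamp> <client> <destination host> <status>".
# 10.0.0.5 contacts c2-lookalike.invalid almost exactly every 60 seconds
# (a beacon with little jitter); its intranet requests are irregular.
SAMPLE_PROXY_LOG = """\
2024-05-01T12:00:00 10.0.0.5 c2-lookalike.invalid 200
2024-05-01T12:00:12 10.0.0.5 intranet.local 200
2024-05-01T12:01:00 10.0.0.5 c2-lookalike.invalid 200
2024-05-01T12:02:00 10.0.0.5 c2-lookalike.invalid 200
2024-05-01T12:02:31 10.0.0.5 intranet.local 200
2024-05-01T12:03:01 10.0.0.5 c2-lookalike.invalid 200
2024-05-01T12:03:59 10.0.0.5 c2-lookalike.invalid 200
2024-05-01T12:05:00 10.0.0.5 c2-lookalike.invalid 200
2024-05-01T12:05:44 10.0.0.5 intranet.local 200
2024-05-01T12:06:00 10.0.0.5 c2-lookalike.invalid 200
2024-05-01T12:09:10 10.0.0.5 intranet.local 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_proxy_log(text):
    """Return [(timestamp, client, host)] for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, host, _status = m.groups()
            events.append((datetime.fromisoformat(ts), client, host))
    return events


def detect_beacons(events, min_requests=5, max_cv=0.1):
    """Return {(client, host): stats} for pairs whose request timing is
    suspiciously regular: at least `min_requests` requests and a
    coefficient of variation (stdev / mean of the gaps) below `max_cv`."""
    times = defaultdict(list)
    for ts, client, host in events:
        times[(client, host)].append(ts)

    findings = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # every request at the same instant: not a timed beacon
        cv = statistics.pstdev(gaps) / mean_gap
        if cv < max_cv:
            findings[pair] = {"count": len(stamps), "mean_interval": mean_gap, "cv": cv}
    return findings


def beacon_report(text):
    """Parse the log text and return the beacon findings."""
    return detect_beacons(parse_proxy_log(text))


if __name__ == "__main__":
    for (client, host), s in beacon_report(SAMPLE_PROXY_LOG).items():
        print(f"beacon-like: {client} -> {host}, every {s['mean_interval']:.0f}s "
              f"(n={s['count']}, cv={s['cv']:.3f})")
```

Real implants often add deliberate jitter to their sleep interval, so the `max_cv` threshold has to be loosened in practice and combined with other signals (constant request size, rare destination, off-hours activity); the regularity test alone is a starting point, not a verdict.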
7. Actions on objective
The actions in the final stage of an attack depend on the attacker’s goals. Attackers can have many goals and motives: their mission may be espionage, sabotage, data exfiltration, denial of service, or the compromise of additional systems. An attacker may also move laterally inside the network from one system to another to escalate privileges and gain access to privileged accounts, sensitive data, or critical assets.
Attackers also try to cover their tracks by deleting or modifying logs, altering timestamps, and similar means, and take other steps to remove their footprints so that it looks as though nothing in the system was touched.
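Deleting or rewriting log records is only invisible if the log itself cannot tell that it was changed. The following is an added example, not code from the original article: it hash-chains constructed authentication events so that each record’s digest covers every earlier record, then shows how verification pinpoints a deleted record, a modified record, and (only when the latest digest has been copied off-host) a truncated tail. The record fields, the sample events and the anchoring scheme are assumptions made for this illustration.

```python
"""Tamper-evident log chain: detect deleted, modified or truncated records.

Added example, not code from the original article. The record fields,
the sample events and the off-host anchoring scheme are constructed
assumptions.
"""
import hashlib
import json

SEED = b"constructed-genesis-value"

# Constructed sample authentication events.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T13:00:00", "user": "alice", "event": "login", "result": "ok"},
    {"ts": "2024-05-01T13:04:10", "user": "svc-backup", "event": "login", "result": "fail"},
    {"ts": "2024-05-01T13:04:12", "user": "svc-backup", "event": "login", "result": "ok"},
    {"ts": "2024-05-01T13:05:30", "user": "svc-backup", "event": "privilege_change", "result": "ok"},
    {"ts": "2024-05-01T13:20:00", "user": "alice", "event": "logout", "result": "ok"},
]


def _link_hash(prev_hex, record):
    """SHA-256 over the previous link plus a canonical JSON encoding of the record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hex.encode() + canon).hexdigest()


def build_chain(records, seed=SEED):
    """Return [{"record", "hash"}, ...]; each hash commits to all earlier records."""
    prev = hashlib.sha256(seed).hexdigest()
    chain = []
    for rec in records:
        prev = _link_hash(prev, rec)
        chain.append({"record": dict(rec), "hash": prev})
    return chain


def verify_chain(chain, seed=SEED, anchored_tail=None):
    """Return the index of the first bad link, len(chain) if the tail differs
    from the off-host anchored hash (records removed from the end), or -1 if
    the chain is intact."""
    prev = hashlib.sha256(seed).hexdigest()
    for i, entry in enumerate(chain):
        if _link_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    if anchored_tail is not None and prev != anchored_tail:
        return len(chain)
    return -1


def demo():
    """Exercise the intact chain and three tampering cases; returns the results."""
    chain = build_chain(SAMPLE_EVENTS)
    tail = chain[-1]["hash"]  # in practice: copied to a separate log server

    deleted = [e for i, e in enumerate(chain) if i != 2]   # one record dropped
    modified = json.loads(json.dumps(chain))               # deep copy
    modified[1]["record"]["result"] = "ok"                 # a failure rewritten
    truncated = chain[:-1]                                 # newest record removed

    return {
        "intact": verify_chain(chain, anchored_tail=tail),
        "deleted": verify_chain(deleted, anchored_tail=tail),
        "modified": verify_chain(modified, anchored_tail=tail),
        "truncated": verify_chain(truncated, anchored_tail=tail),
        "truncated_unanchored": verify_chain(truncated),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {'intact' if result == -1 else f'break at index {result}'}")
```

The `truncated_unanchored` case is the important caveat: an adversary with write access to the log file can simply drop the newest records and the chain still verifies, so the latest digest (or the whole stream) has to be forwarded to a system the adversary cannot reach. The chain makes tampering evident; forwarding is what makes it attributable.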
Is the Cyber Kill Chain Framework still useful?
The problem with the kill chain model is that it assumes a traditional perimeter defense, in which a firewall is the main impediment to intruders, and does not account for alternative attack vectors that do not follow the traditional kill chain workflow. Threats and attacks have become so sophisticated and versatile that the model is no longer sufficient on its own. Furthermore, an adversary can skip some of the stages in the framework; only 2 phases are absolutely necessary for an attacker to infiltrate a system: step 1, reconnaissance, and step 7, actions on objective. The kill chain model is still valuable, however, for analyzing threats and understanding the attacker’s strategy; it helps security analysts prioritize threats and decide where to focus their time.