Daisie Register, November 11, 2014 (3 min read)

Breaking the Cyber Kill Chain

The “Cyber Kill Chain®”1 is a model for framing an incident response/analysis capability that was developed by Lockheed Martin’s Computer Incident Response Team. It is a useful framework for talking about why and how we do things in security. Think of the Cyber Kill Chain as an attack chain, the path that an intruder takes to penetrate information systems over time to execute an attack on a target.

The framework breaks down the stages of a hack as follows:

  • Reconnaissance – studying public information about the target, the target’s environment, software mix, practices and software loadout
  • Weaponization – preparing a backdoor and a penetration plan intended to deliver a successful attack
  • Delivery – launching the attack and injecting the backdoor
  • Exploitation – triggering the backdoor
  • Installation – installing the backdoor as a bootstrap and any additional remote access tools
  • Command and Control – use of the tools to establish remote access
  • Actions on Objectives – collecting and exfiltrating information, or other actions against the target

By breaking the chain of causality at any point, we avoid the consequences of the subsequent non-events. That’s a very powerful concept. And it argues strongly that our intuitive response to computer security is pretty common sense: doing whatever we can at the early stages of the sequence of events saves us grief later; we are right to put most of our effort into our front-line defenses. Think about it this way: even if your anti-virus software is only 50% effective, that wipes out 50% of the potential problems you might otherwise have to deal with later on – at much greater cost.

The Cyber Kill Chain is also a good model for explaining to management why you might want to front-load your blocking efforts. As we look at each stage of the kill chain, we can talk about the various technologies that are available to us and the cost of failure and response at that stage.

Significance of Failure versus Preparation

Stage                  | Cost of Failure     | Preparation
-----------------------|---------------------|-----------------------------------------------------------------------------
Reconnaissance         | Zero                | None – we remain unaware
Weaponization          | Zero                | None – we remain unaware
Delivery               | Zero                | None – we remain unaware
Exploitation           | Proactive security  | Firewalls; anti-virus software; desktop security
Installation           | Cleanup             | File tamper monitoring; configuration management; system monitoring
Command and Control    | Forensic response   | Network monitoring; audit logging; traffic logging; network trace logging
Actions on Objectives  | Business response   | Server-level file access monitoring; network trace analysis; event analysis

It’s useful to point at this table and say, “We want to do a few things at the top of the chain, so that we don’t get to the end of the chain.”

Kill chain analysis confirms the need for data that can only be collected in advance of something going wrong. The time to start collecting more information about your network, servers and systems is a couple of months before someone exfiltrates your customer database, because you’ll have a better chance of figuring out what happened so it doesn’t happen again, and you can shorten your disaster response cycle.

A complete, continuous network monitoring approach is crucial for reining in the time spent dealing with incidents, by providing traffic data and log information, as well as helping detect and track initial outbreaks as they occur. Part of what makes this a hard problem is the need to search backward and forward in time: when you detect that something has gone wrong now, you need to be able to go back to see how it happened then, and figure out what else happened between then and now. You stress every aspect of your system, from prevention at endpoints to vulnerability management, up through malware detection, log and event correlation.
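The backward-and-forward search described above, as an added example that is not part of the original post: given a detection at a known time on a known host, the code maps previously collected log lines onto kill chain stages, then walks backward to see how the intrusion began and forward to see what else touched that host afterwards. The log lines are constructed for the example, and the field names (`host`, `src`, `bytes_out`, …) and the stage rules in `classify` are assumptions, deliberately crude, chosen only to show the pivot.

```python
import shlex
from datetime import datetime, timedelta

# Kill chain stages in the order the post lists them.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Constructed sample log lines (syslog-like key=value records; not from any real system).
# They represent data that was already being collected before the large transfer
# at 11:52:07 was noticed.
SAMPLE_LOGS = """\
2014-11-03T09:12:04 host=ws17 src=mail subject="Invoice Q3" attachment=invoice.docm
2014-11-03T09:14:31 host=ws17 src=av detection=macro-downloader action=none
2014-11-03T09:14:40 host=ws17 src=edr event=process_create parent=word child=shell
2014-11-03T09:15:02 host=ws17 src=fim path=/etc/cron.d/update action=created
2014-11-03T09:20:00 host=ws17 src=proxy dst=203.0.113.7 bytes_out=5120
2014-11-03T09:21:00 host=ws17 src=proxy dst=203.0.113.7 bytes_out=5130
2014-11-03T11:48:23 host=fileserver src=audit user=ws17$ object=customers.db access=read rows=48213
2014-11-03T11:52:07 host=ws17 src=proxy dst=203.0.113.7 bytes_out=71500000
2014-11-04T08:00:00 host=ws22 src=av detection=clean action=none
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict; quoted values are kept whole."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def classify(event):
    """Map one parsed event onto a kill chain stage.

    These rules are illustrative placeholders (an assumption of this example);
    a real deployment would derive them from its own detection content."""
    src = event.get("src")
    if src == "mail" and "attachment" in event:
        return "Delivery"
    if src == "av" and event.get("detection", "clean") != "clean":
        return "Exploitation"
    if src == "edr" and event.get("event") == "process_create":
        return "Exploitation"
    if src == "fim" and event.get("action") == "created":
        return "Installation"
    if src == "proxy":
        # Small, regular transfers are treated as beaconing; a very large one as exfiltration.
        return "Actions on Objectives" if int(event["bytes_out"]) > 10_000_000 else "Command and Control"
    if src == "audit" and event.get("access") == "read":
        return "Actions on Objectives"
    return None


def pivot(lines, host, detected_at, back=timedelta(hours=3), forward=timedelta(hours=3)):
    """Build the staged timeline around a detection.

    Keeps events inside [detected_at - back, detected_at + forward] that mention
    `host` in any field, so a record on another system (e.g. user=ws17$ on the
    file server) is pulled into the same timeline."""
    timeline = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not (detected_at - back <= ev["ts"] <= detected_at + forward):
            continue
        if not any(v.startswith(host) for k, v in ev.items() if k != "ts"):
            continue
        stage = classify(ev)
        if stage:
            timeline.append((ev["ts"], stage, ev["host"], ev["src"]))
    return sorted(timeline)


def earliest_stage(timeline):
    """Earliest kill chain stage for which the timeline holds evidence: the point
    at which the chain could have been broken with the data already on hand."""
    seen = {stage for _, stage, _, _ in timeline}
    for stage in STAGES:
        if stage in seen:
            return stage
    return None


def demo():
    """Pivot on the constructed detection: the large outbound transfer from ws17."""
    return pivot(SAMPLE_LOGS, "ws17", datetime(2014, 11, 3, 11, 52, 7))


if __name__ == "__main__":
    tl = demo()
    for ts, stage, host, src in tl:
        print(f"{ts:%H:%M:%S}  {stage:<22} {host:<11} {src}")
    print("chain first visible at:", earliest_stage(tl))
```

The point of the exercise is that every record the pivot uses already existed before anyone looked: remove the proxy or file-integrity logs and the timeline loses its Command and Control and Installation rows, and the earliest visible stage moves later in the chain.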

The final place where you can use the kill chain model is as an abstract framework for training and assessing your organizational readiness. At each stage of the kill chain, you can hypothesize a reasonably realistic failure, and do a paper-drill assessment to compare your capabilities against what you might want.

If you walk through a plausible scenario such as a disgruntled engineer leaving the company and what he might take with him to a competitor (and how you would discover the theft), it will help you define what you think are reasonable expectations and capabilities — you might decide you need even tighter data controls than just improved logging. Creating a few paper-drill assessments for management with plausible “if-then” scenarios will provide information to reasonably explore the trade-offs that are exposed.

It’s a truism that there’s never enough data. Cyber Kill Chain analysis exposes that truth and tells us that we might need data that can only be collected in advance of something going wrong.

1 CYBER KILL CHAIN is a registered trademark of Lockheed Martin Corporation.
