Cyber Kill Chain[1] Coleman Kane September 8, Cyber Defense Overview The Cyber Kill Chain[1] 1 / 12

Size: px

Start display at page:

Download "Cyber Kill Chain[1] Coleman Kane September 8, Cyber Defense Overview The Cyber Kill Chain[1] 1 / 12"

Kory Lucas
7 years ago
Views:

1 [1] Coleman Kane September 8, 2014 Cyber Defense Overview The [1] 1 / 12

2 The is a generalized attack model which attempts to describe the sequences of accomplishments, or milestones, that an attack will need to proceed through in order to accomplish the intended objective of the perpetrator. While not intended to be a one-size-fits-all approach, the goal is to break an attack up into discernable stages, to better describe the observed uses of certain tools as well as illustrate the investment of the attacker at each phase, as well as to help define where and how actions of the attacker within each phase might be detectable. Cyber Defense Overview The [1] 2 / 12

3 There are seven phases defined by the Kill Chain, as described by Lockheed Martin. All of the definitions below are verbatim, or slightly edited from the content in LMCO s Intelligence-Driven Computer Network Defense paper[2]. Reconnaissance Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for addresses, social relationships, or information on specific technologies. Cyber Defense Overview The [1] 3 / 12

4 Coupling a remote access, or other, tool with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly, client application data files such as Adobe Portable Document Format (PDF) or Microsoft Objectivesce documents serve as the weaponized deliverable. In this phase is where an attacker would also likely organize the rest of their toolchain, register new domain names if necessary, and activate attack infrastructure. Cyber Defense Overview The [1] 4 / 12

5 Delivery Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years , are attachments, websites, and USB removable media. The attacker delivers the malicious payload to the target(s) at this stage. In many cases, this is also the Kill Chain phase where the attack first crosses into the border of the defender s network. Cyber Defense Overview The [1] 5 / 12

6 After the weapon is delivered to victim host, exploitation triggers intruders code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code. This phase occurs when the attacker attempts to exploit a machine-level, network-level, or even human-level vulnerabilities in your environment in order to proceed to the next phase. The goal of this phase is to achieve adequate level of access in the target environment so as to install the backdoor. Cyber Defense Overview The [1] 6 / 12

7 of a remote access or other tool on the victim system allows the adversary to maintain persistence inside the environment. Once exploitation has succeeded, the attackers tools have established adequate access to the system. This access usually provides the attacker with user-level or sometimes administrator-level access to the target environment. Using this access, the tools now must embed themselves in the environment. The goal is to maintain "persistence" such that access can be resumed even if systems or whole networks are restarted. Cyber Defense Overview The [1] 7 / 12

8 Control Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware especially requires manual interaction rather than conduct activity automatically. Once the C2 channel establishes, intruders have "hands on the keyboard" access inside the target environment. Once completed, this phase provides real-time access of the compromised system to the attacker, enabling them to access the contents of the system and even enabling them to utilize the compromised host to gain further access, through impersonation, to other resources on the network. Cyber Defense Overview The [1] 8 / 12

9 Actions Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network. Finally, once real-time command-and-control is established, the intruder will then actually go after the intended purpose of their intrusion. In some cases, this may be simply gaining access to systems for executing later attacks. Other times, this might be intended to steal sensitive technical diagrams, formulas, access credentials for future intrusion attempts, or numerous other objectives Cyber Defense Overview The [1] 9 / 12

10 The imminent risk to the network is increased as the attacker gets into later phases of the kill chain The investment (and thus, expense) on the part of the attacker also increases the later they get into the kill chain One could say that: The value of detecting/preventing a serious attack increases the earlier you can accomplish it in the kill chain The amount of information available regarding the nature of an attack increases in later stages of the kill chain Cyber Defense Overview The [1] 10 / 12

11 ...continued from prior slide Actions on Objectives Cyber Defense Overview The [1] 11 / 12

12 [1] Lockheed Martin Corporation. Cyber kill chain R. /information-technology/cyber-security/cyber-kill-chain.html. is a registered trademark of Lockheed Martin Corporation. [2] Rohan M. Amin Eric M. Hutchins, Michael J. Cloppert. Intelligence-driven computer network defense Cyber Defense Overview The [1] 12 / 12

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015 Cybersecurity Kill Chain William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015 Who Am I? Over 20 years experience with 17 years in the financial industry