Cyber attacks have evolved dramatically over the past two decades. Social engineering, insider threats, and cloud technology have changed the way we look at the security perimeter, and in many people’s minds have rendered the security perimeter irrelevant.

The cyber kill chain is a traditional security model that describes an old-school scenario — an external attacker taking steps to penetrate a network and steal its data — breaking down the steps of the attack to help organizations prepare. Nevertheless, it is still remarkably successful at describing threat vectors and attacks that are facing organizations today.

What is the cyber kill chain?

The cyber kill chain (CKC) is a classic cybersecurity model developed by the Computer Security Incident Response Team (CSIRT) at Lockheed Martin. The purpose of the model is to better understand the stages an attacker must go through to conduct an attack, and to help security teams stop the attack at each of those stages.

The kill chain model describes an attack by an external attacker attempting to gain access to data or assets inside the security perimeter. The attacker performs reconnaissance, intrusion of the security perimeter, exploitation of vulnerabilities, gaining and escalating privileges, lateral movement to reach more valuable targets, obfuscation of their activity, and finally exfiltration of data from the organization.

Figure 1 – Cyber kill chain with examples

The kill chain model mainly describes an advanced persistent threat (APT), a sophisticated attacker waging an organized attack campaign against a specific company.

8 phases of the cyber kill chain explained

Below we briefly explain the stages of an attack according to the LM-CIRT CKC model. For each stage we show a brief list of attacks taken from the MITRE ATT&CK Framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

1. Reconnaissance
At the reconnaissance stage, the attacker gathers information about the target organization. They can use automated scanners to find vulnerabilities and weak points that may allow penetration. Attackers will try to identify and investigate security systems that are in place, such as firewalls, intrusion prevention systems and authentication mechanisms.

2. Intrusion
At the intrusion stage, attackers are attempting to get inside the security perimeter. Attackers commonly inject malware into a system to get a foothold. Malware could be delivered by social engineering emails, a compromised system or account, an “open door” representing a gap in security, such as an open port or unsecured endpoint, or an insider accomplice.

Example attacks in the intrusion stage:

  • External remote services
  • Spearphishing attachments
  • Supply chain compromise

3. Exploitation
At the exploitation stage, attackers seek additional vulnerabilities or weak points they can exploit inside the organization’s systems. For example, from the outside, the attacker may have no access to an organization’s databases, but after the intrusion they can see that a database runs an old version and is exposed to a well-known vulnerability.

Example attacks in the exploitation stage:

  • PowerShell
  • Local job scheduling
  • Scripting
  • Dynamic data exchange

4. Privilege Escalation
In the privilege escalation stage, the goal of the attacker is to gain privileges to additional systems or accounts. Attackers may attempt brute force attacks, look for unsecured repositories of credentials, monitor unencrypted network traffic to identify credentials, or change permissions on existing compromised accounts.

Example attacks in the privilege escalation stage:

  • Access token manipulation
  • Path interception
  • Sudo attack
  • Process injection

5. Lateral Movement
In the lateral movement stage, attackers connect to additional systems and attempt to find the organization’s most valuable assets. Attackers move laterally from one system to another to gain access to privileged accounts, sensitive data, or critical assets. Lateral movement is a coordinated effort that may span multiple user accounts and IT systems.

Example attacks in the lateral movement stage:

  • SSH hijacking
  • Internal spear phishing
  • Shared webroot
  • Windows remote management

6. Obfuscation
At the obfuscation stage the attacker tries to cover their tracks. They may try to delete or modify logs, falsify timestamps, tamper with security systems, and take other actions to hide previous stages in the kill chain and make it appear that sensitive data or systems were not touched.

Example attacks in the obfuscation stage:

  • Binary padding
  • Code signing
  • File deletion
  • Hidden users
  • Process hollowing

7. Denial of Service
At the denial of service (DoS) stage, attackers attempt to disrupt an organization’s operations. Usually the aim is to draw the attention of security and operational staff and cause a distraction, enabling the attackers to achieve their real goal, which is data exfiltration. DoS can be waged against networks and production systems, including websites, email servers, or customer-facing applications.

Example attacks in the DoS stage:

  • Endpoint denial of service
  • Network denial of service
  • Resource hijacking
  • Service stop
  • System shutdown

8. Exfiltration
At the exfiltration stage, an advanced attacker finally “hits home”, getting their hands on the organization’s most sensitive data. Attackers will find a mechanism, typically some sort of protocol tunneling, to copy the data outside the organization, in order to sell the sensitive data, use it for additional attacks (for example, in the case of customer personal data or payment details), or openly distribute it to damage the organization.

Example attacks in the exfiltration stage:

  • Data compressed
  • Data encrypted
  • Exfiltration over alternative protocol
  • Exfiltration over a physical medium
  • Scheduled transfer

Security controls you can use to stop the kill chain

SBS CyberSecurity proposed five methods an organization can use to stop different stages of an attack. These are:

  • Detect—determine attempts to scan or penetrate the organization
  • Deny—stop attacks as they happen
  • Disrupt—intercept data communications carried out by the attacker and interrupt them
  • Degrade—create measures that will limit the effectiveness of an attack
  • Deceive—mislead an attacker by providing false information or setting up decoy assets

The following table shows how security tools can be used to apply each of the security controls to each kill chain stage. The table groups tools into six control categories (Detect, Deny, Disrupt, Degrade, Deceive, Contain) and uses the original Lockheed Martin phase names; the tools listed for each phase are:

Reconnaissance

  • Web Analytics
  • Threat Intelligence
  • Network Intrusion Detection System
  • Information Sharing Policy
  • Firewall Access Control Lists

Weaponization

  • Threat Intelligence
  • Network Intrusion Detection System
  • Network Intrusion Prevention System

Delivery

  • Endpoint Malware Protection
  • Change Management
  • Application Whitelisting
  • Proxy Filter
  • Host-Based Intrusion Prevention System
  • Inline Anti-Virus
  • Queuing
  • Router Access Control Lists
  • App-aware Firewall
  • Trust Zones
  • Inter-zone Network Intrusion Detection System

Exploitation

  • Endpoint Malware Protection
  • Host-Based Intrusion Detection System
  • Secure Password
  • Patch Management
  • Data Execution Prevention
  • App-aware Firewall
  • Trust Zones
  • Inter-zone Network Intrusion Detection System

Installation

  • Security Information and Event Management (SIEM)
  • Host-Based Intrusion Detection System
  • Privilege Separation
  • Strong Passwords
  • Two-Factor Authentication
  • Router Access Control Lists
  • App-aware Firewall
  • Trust Zones
  • Inter-zone Network Intrusion Detection System

Command & Control

  • Network Intrusion Detection System
  • Host-Based Intrusion Detection System
  • Firewall Access Control Lists
  • Network Segmentation
  • Host-Based Intrusion Prevention System
  • Tarpit
  • Domain Name System Redirect
  • Trust Zones
  • Domain Name System Sinkholes

Actions on Objectives

  • Endpoint Malware Protection
  • Data-at-Rest Encryption
  • Endpoint Malware Protection
  • Quality of Service
  • Honeypot
  • Incident Response

Exfiltration

  • Data Loss Prevention
  • Security Information and Event Management (SIEM)
  • Egress Filtering
  • Data Loss Prevention
  • Firewall Access Control Lists

Source: SBS CyberSecurity

How UEBA technology helps identify and stop advanced threats

The cyber kill chain model primarily focuses on advanced persistent threats (APT). APT attackers excel at hiding their activity and covering their tracks and can be very difficult to detect once they are inside the corporate network. APT attacks are conducted by a group of skilled hackers who target enterprise systems by infiltrating and moving laterally through the organization over a period of months, while carefully avoiding detection. While each of those steps may evade traditional detection techniques, together they create an anomalous picture.

Modern security tools, such as user and entity behavior analytics (UEBA), can help detect the various techniques used by modern attackers. Using machine learning with UEBA provides the ability to learn user behavior and integrate it into the detection engine, saving analysts an enormous amount of detection time.

UEBA dynamically adapts to an environment and unlike traditional methods, can detect subtle changes in behavior. UEBA can analyze massive amounts of data from disparate systems, and identify anomalous behavior with users, machines, networks and applications. When something seems different or suspicious, the UEBA system can pick up on it and alert security teams.

In order to resolve behavioral patterns into attack sequences, security analysts need to see the complete picture of the attack kill chain. UEBA should tie all the relevant events together into a timeline to make sense of the attack. This makes it possible to detect APTs and related attacker techniques early in the game before an actual breach occurs. For example, UEBA can detect reconnaissance activity, which appears as irregular network traffic; identify penetration attempts as unusual or suspicious logins, and pick up on anomalous behavior of compromised user accounts in subsequent stages of the attack.
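As an added illustration (not part of the original article and not Exabeam's product logic), the following Python sketch shows the timeline idea in rule-based form: constructed events from several log sources are mapped to kill-chain stages per user, and an alert fires only when one user accumulates evidence for several stages inside a short window. The event lines, stage heuristics, window and byte threshold are all constructed assumptions.

```python
# Added example: stitch per-user events from disparate logs into a
# kill-chain timeline and alert on multi-stage sequences, not single events.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (IDS, VPN, Linux auth, web proxy), already
# normalised to (timestamp, user, source, message). Not real log data.
EVENTS = [
    ("2024-03-01T08:02:11", "alice", "ids",   "port scan from 10.0.5.7 against 10.0.1.0/24"),
    ("2024-03-01T08:40:03", "alice", "vpn",   "login success country=RO new_device=true"),
    ("2024-03-01T09:05:44", "alice", "auth",  "sudo: COMMAND=/bin/bash on db01"),
    ("2024-03-01T09:07:10", "alice", "auth",  "audit log cleared on db01"),
    ("2024-03-01T09:30:00", "alice", "proxy", "outbound transfer bytes=734003200 dst=203.0.113.9:53"),
    ("2024-03-01T08:15:00", "bob",   "vpn",   "login success country=US new_device=false"),
    ("2024-03-01T08:16:00", "bob",   "auth",  "sudo: COMMAND=/usr/bin/apt on web02"),
]

# Assumed heuristics mapping a normalised event to the kill-chain stage it is
# evidence for; returns None for routine activity.
def classify(source, msg):
    if source == "ids" and "port scan" in msg:
        return "reconnaissance"
    if source == "vpn" and "new_device=true" in msg:
        return "intrusion"
    if source == "auth" and msg.startswith("sudo:") and "/bin/bash" in msg:
        return "privilege_escalation"
    if source == "auth" and "log cleared" in msg:
        return "obfuscation"
    if source == "proxy" and "outbound transfer" in msg:
        bytes_out = int(msg.split("bytes=")[1].split()[0])
        return "exfiltration" if bytes_out > 100 * 1024 * 1024 else None
    return None

# Build a per-user timeline of stage evidence and raise an alert when a user
# touches at least `min_stages` distinct stages within `window`. Each event
# on its own looks routine; the ordered sequence is the signal.
def build_timelines(events, window=timedelta(hours=2), min_stages=3):
    timelines = defaultdict(list)
    for ts, user, source, msg in sorted(events):
        stage = classify(source, msg)
        if stage:
            timelines[user].append((datetime.fromisoformat(ts), stage, msg))
    alerts = {}
    for user, tl in timelines.items():
        for i, (start, _, _) in enumerate(tl):
            inside = [e for e in tl[i:] if e[0] - start <= window]
            stages = list(dict.fromkeys(s for _, s, _ in inside))  # dedupe, keep order
            if len(stages) >= min_stages:
                alerts[user] = stages
                break
    return timelines, alerts
```

Running `build_timelines(EVENTS)` flags only alice, with a five-stage timeline from reconnaissance through exfiltration, while bob's routine VPN login and package update produce no stage evidence at all.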

Time is critical in finding sophisticated attack sequences. With modern tools such as UEBA, security analysts can now trace the steps an attacker has taken and detect them before they cause damage to an organization.

Director, Product Marketing

Orion has over 15 years of experience in cyber security. Prior to Exabeam, Orion worked for other notable security vendors including Imperva, Incapsula, Distil Networks, and Armorize Technologies. He is a security enthusiast and frequent speaker at industry conferences and tradeshows.
