Kill Chains and Post Compromise Assessment Frameworks

Have you been hacked?

What are my options?

The two that I will focus on in this article are the Cyber Kill Chain, created by Lockheed Martin, and the MITRE ATT&CK framework. My goal is to introduce these frameworks to those who might not be aware of them and to show how they could be employed to provide a comprehensive defense against threats. Each framework has a somewhat different focus, so it is important to understand the advantages and weaknesses of each.

Before we begin, it is important to level set and come to an agreement that all networks are susceptible to attack. I have years of experience with DOD networks and have learned over the years, that even an air-gapped (physically separate) network can be breached and sensitive information accessed by those who do not have the proper access or permission. This understanding is critical to the rest of this article. As I have often said, there is no perfect code and all software is inherently buggy. People code and people are not perfect. People build networks and deploy security in depth, but people are not perfect.

Other Notable Kill Chains

AT&T Cyber Kill Chain, Unified Kill Chain

Cyber Kill Chain

The Cyber Kill Chain was developed by Lockheed Martin in 2011 to identify and prevent cyber intrusions by detailing the steps that adversaries must take to complete their objective. The terminology used in the kill chain is reminiscent of military jargon, which is no surprise as Lockheed is a very large government contractor. It is very fitting since cybersecurity is indeed warfare between the organization and opposing forces, each side with their own agendas and concerns.

It is important to understand what this kill chain provides an organization. It is not an epiphany. As you review the Cyber Kill Chain, you will not be surprised by anything you see. So what is the purpose? Why did Lockheed feel it was necessary to lay out this framework? The answer is quite simple. If security practitioners truly understand each of the stages identified and see the human element of cyber attacks. This element is often overlooked as most security defenses rely on technology, which is often employed by people who do not truly understand the human aspect of the attacker.

From a SANs article in 2019:

Security awareness is nothing more than a control, just like encryption, passwords, firewalls, DLP, or anti-virus. What makes security awareness unique is that it applies to and manages human risk.

The Cyber Kill Chain focuses on 7 steps that adversaries take to complete their objectives. The first is reconnaissance, whereby the attacker uses any available method to gain intel or useful information from the target. Your organization must be aware that it is a target. Each employee or representative of your organization could be used against you. This awareness drives initiatives such as least privilege, classification of data, phishing detection and mitigation, and many more.

The second focus area of the kill chain is weaponization. This is where the attacker develops their attack. This will most likely be driven by information gained through the reconnaissance phase or available exploits discovered during that initial phase will be used to deliver the weaponized attack. This step may or may not include interaction with the target. During this phase the attacker might be developing malware or constructing a phishing email to assist in delivery.

The third area is around delivery. This could be done through email, introduction of malware through connected USB devices, or a web exploit. This is the phase where the attacker acts directly against your organization to hand off their weaponized attack. Policies and governance can provide a great defense at this stage of the process, but since the current day workforce is made up almost entirely of humans, it is understandable that these processes often fail against attack.

Our forth area of focus is exploitation. At this point, the attacker has moved his attack onto the network and is able to exploit the network or system by executing code. When users or security devices allow the attack access into the environment, the attacker is able to finally enact his will. This does not require the hacker to be in the environment. The code execution could run autonomously, or it could phone home to a command and control mechanism to receive instructions.

The fifth focal point is around installation. While this may seem similar to exploitation, it is important to understand the benefit of looking at this step of the chain. If the attack is now installing software, that is something that can be detected through a number of mechanisms. Reviewing system logs, tracking installed software, governing and restricting the installation of unknown software are all methods that could be employed to defend against this step, among others.

The kill chain lists step six as command and control. As mentioned above, the attacker might want to ensure persistence. Why go through all this work without allowing for future attacks to be conducted effortlessly from within the boundaries of the network? Detection of common command and control points on the Internet within inbound and outbound traffic could alert your organization to the possibility of a current or post compromise event. There are many threat intelligence offerings by which to process your network traffic to determine if your organization is communicating with these known bad entities.

The final step of the kill chain is action on intended objectives. At this stage, the attacker is inside. The same methodologies used for detecting insider threat could be useful here. The endpoints are more of a focus at this point. Where is the attacker and what actions are they taking on the endpoints throughout the enterprise. At this point, we are really looking at a post compromise situation. An unwanted entity is in your network and attempting to complete their objective.

Note:

Regardless of which step you discover activity at within your network, you should be capturing intel on the attacker and learning from their actions. Some practitioners might want to allow certain actions to gather additional tactics, but many would want to take the necessary steps to get the intruder out. In either case, use the activity monitored or discovered to understand your attacker and begin to build a profile. Understanding the tactics, techniques, and procedures used by one attacker will not only help to defend against them, but future attackers as well. We will talk more about this profiling in our ATT&CK framework section.

ATT&CK Framework

The ATT&CK framework was developed in 2010 as a way to categorize and understand adversary behavior for activities conducted in one of their military research labs. This framework was developed for post compromise assessment through telemetry and behavior analysis.

The goal was to improve postcompromise detection of threats penetrating enterprise networks through telemetry sensing and
behavioral analytics

One important use case for the framework is adversary emulation. By cataloging and understanding the common behaviors of adversaries, organizations can run through scenarios and table top exercises to asses the efficacy of their deployed processes and mechanisms, both human and technology. The results of these exercises can then be used to cover gaps, understand risk, and mitigate risks.

One more critical use case is profiling adversaries. Using the framework to understand who your specific adversaries are and what techniques they might employ is extremely important for government agencies who are trying to identify nation-state actors. This provides not only an understanding of the motivations and objectives of the adversary, but also could shine light on political aspects that could be involved, such as interfering with elections or damaging the economy.

The ATT&CK framework is not so much a step by step roadmap of intended actions of the attacker as it is a matrix of objectives with the techniques that could be used to complete them. For instance, if an attacker’s goal is to gain persistence in the network, the framework will provide common TTPs (tactic, techniques, and procedures) commonly utilized to reach that goal. Once again, this information can be used to ensure the proper defenses are in place and to profile the attacker based on the methodologies they typically employ.

Conclusion

Regardless of the intent of the attacker, one truth remains. No network is inherently secure and no process or governance will provide complete protection against those who want in to our networks. Utilizing these tools above will help security practitioners understand their attackers. Understanding the human element of attacks as well as the technology common used will allow organizations to better posture for future attacks.

The Cyber Kill Chain can help your organization better detect possible attempts on your network as well as understand what next steps to prepare for. The ATT&CK framework will help the organization profile and identify attackers and prepare for future attacks by running scenarios based on historically factual information to ensure a defense in depth strategy. As with all security methodologies, there is a need for constant review of these tools and, as with any framework, there is a need to understand how your organization can make the best use of industry best practices. Some aspects may not apply to your organization, but some may.

I would love to get your feedback on this post. I hope it was informative and helpful. Criticism is appreciated and welcome in the comments below. Share this information with others you feel might benefit from it and keep the conversation going. New threats emerge daily and each of us needs our community to stay on top of the security landscape.

References

Author: Phil

Phil Williams is an engineer with around 20 years of information technology industry experience with past focus areas in security, performance, and compliance monitoring and reporting. Phil is a husband, father of 6 children, and an avid geek who loves building computers, gaming, and gadgets. He has an undergraduate degree in general IT sciences and has worked with the US Government as a contractor for over 20 years. He is now in a security solutions advisory role for a large vendor supporting commercial and enterprise customers.

Leave a Reply

Your email address will not be published. Required fields are marked *