Lockheed Martin Cyber Kill Chain vs. MITRE ATT&CK Framework

Eric Chow
4 min read, Jun 27, 2021


Lockheed Martin Cyber Kill Chain

In information security, the Lockheed Martin Cyber Kill Chain, released in 2011, is commonly used to illustrate and define, in order, the steps an adversary takes during a cyber-attack from beginning to end. Why use this kill chain model? It is an effective way to map and baseline the order of operations for each phase of a cyber-attack, giving cyber professionals a methodology to identify and stop attacks according to the categorized phase they are in. Each phase opens an opportunity to identify and respond to an attack. Are there limitations to this kill chain? Most certainly, and we will discuss them later.

Let’s look at the 7 stages of the Cyber Kill Chain.

1. Reconnaissance: The adversary’s objective is to gather information on the victim’s security systems, through social engineering tactics or automated scanners that map the organization’s systems and networks. Identified security gaps and vulnerabilities show adversaries where to focus their attack.

2. Weaponization: Adversaries take reconnaissance information and develop tailored malware to exploit discovered vulnerabilities. Threat actors may develop viruses, worms, ransomware, rootkits, trojans, etc.

3. Delivery: Attackers initiate the delivery of weaponized malware into the organization’s system and identified vulnerabilities. Common delivery vectors include phishing attacks, drive-by downloads, or infected USB devices.

4. Exploitation: Threat actors now execute their payloads on the identified vulnerabilities, executing malicious code through successful phishing attacks or other means of exploitation.

5. Installation: The malware is installed on an organization’s device or asset to provide remote access or create a backdoor. Attackers commonly cover their tracks by modifying data or recorded timestamps to stay undetected.

6. Command and Control (C2): The attacker maintains remote access and persistence on the infected device through a command console. For instance, the ongoing communication is disguised as normal HTTP traffic so that contact between the infected device and the threat actor can be maintained for a long period of time (C2 persistence).

7. Actions on Objectives: Threat actors complete their mission, achieving the goal of the cyber-attack through data theft, asset destruction, data leakage, system encryption, etc.

Lockheed Martin Cyber Kill Chain, Source: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Limitations to the Cyber Kill Chain

There are certainly many limitations and things to keep in mind when using this framework. For instance, modern cyber-attacks are becoming more sophisticated, and the sequence of events does not always follow the conventional order of operations. Therefore, the Cyber Kill Chain cannot be the end-all-be-all framework that cyber professionals use to map out every single attack. The kill chain provides a solid baseline for the order in which a cyber-attack may be carried out, but the stages do not necessarily occur in that order every time. In this day and age, it would not be surprising to see three different stages executed all at once. Alternatively, threat actors add or repeat stages, evolving their methodologies so that malicious payloads execute quicker, quieter, and with more damage. However, one thing remains constant in the flow of the cyber kill chain model: the nearer to the start of the kill chain an attack can be identified and stopped, the better. For example, detecting an adversary conducting reconnaissance within the network, or blocking suspicious phishing emails at the email gateway, effectively thwarts further and more damaging adversarial behavior.

MITRE ATT&CK Framework

Difference between the Cyber Kill Chain and the MITRE ATT&CK Framework
MITRE ATT&CK for Enterprise, 2021, Source: https://attack.mitre.org

The Cyber Kill Chain and the MITRE ATT&CK Framework were developed with the same goal in mind: to illustrate and define the events of an attack. However, there are a couple of differences. MITRE ATT&CK is a list of techniques grouped by tactic that does not follow a specific order of operations. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. Unlike the Cyber Kill Chain, MITRE ATT&CK is a much more comprehensive directory, organized into tactics (the columns) and techniques (the cells), that does not impose a linear order of operations on an attack. Tactics are the adversary’s strategic goals, such as reconnaissance, privilege escalation, credential access, lateral movement, and impact. Techniques, on the other hand, are the actual activities carried out by the adversary, such as phishing, drive-by compromise, lateral tool transfer, and endpoint denial of service. The cybersecurity community constantly updates MITRE ATT&CK with newly discovered techniques and adversary behaviors, which frequently helps organizations’ red teams (pen-testers) and blue teams (incident responders) refine their practices and attack methodologies.
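To make the contrast concrete, here is an added example (not from the original post, and not an official MITRE or Lockheed Martin mapping) that takes a constructed timeline of alerts tagged with ATT&CK tactics, maps each tactic onto the nearest kill chain phase using an assumed editorial mapping, and reports what a blue team would want to know: the earliest phase at which detection fired, where the observed order departs from the linear chain, and which phases repeated or were never seen.

```python
from collections import Counter

# The seven phases in the order the Lockheed Martin model lists them.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Assumed mapping from ATT&CK Enterprise tactics to the nearest kill chain
# phase. ATT&CK defines no such mapping; this is an editorial choice for the
# example. Several post-compromise tactics collapse into one phase, which is
# exactly the granularity gap the article describes.
TACTIC_TO_PHASE = {
    "Reconnaissance": "Reconnaissance",
    "Resource Development": "Weaponization",
    "Initial Access": "Delivery",
    "Execution": "Exploitation",
    "Persistence": "Installation",
    "Privilege Escalation": "Installation",
    "Defense Evasion": "Installation",
    "Command and Control": "Command and Control",
    "Credential Access": "Actions on Objectives",
    "Discovery": "Actions on Objectives",
    "Lateral Movement": "Actions on Objectives",
    "Collection": "Actions on Objectives",
    "Exfiltration": "Actions on Objectives",
    "Impact": "Actions on Objectives",
}

def phase_for(tactic):
    """Kill chain phase for an ATT&CK tactic under the assumed mapping."""
    return TACTIC_TO_PHASE[tactic]

def analyze(alerts):
    """alerts: list of (timestamp, tactic, technique) in detection order.
    Returns the earliest phase detected, each backwards transition in the
    chain, phases seen more than once, and phases never observed."""
    phases = [phase_for(tactic) for _, tactic, _ in alerts]
    idx = [KILL_CHAIN.index(p) for p in phases]
    out_of_order = [(phases[i - 1], phases[i])
                    for i in range(1, len(idx)) if idx[i] < idx[i - 1]]
    counts = Counter(phases)
    return {
        "earliest_phase": KILL_CHAIN[min(idx)] if idx else None,
        "out_of_order": out_of_order,
        "repeated": [p for p in KILL_CHAIN if counts[p] > 1],
        "unobserved": [p for p in KILL_CHAIN if counts[p] == 0],
    }

# Constructed sample timeline (not real incident data): one phishing intrusion
# whose later steps revisit Installation after Actions on Objectives began.
ALERTS = [
    ("2021-06-20T08:01", "Initial Access", "Phishing"),
    ("2021-06-20T08:03", "Execution", "User Execution"),
    ("2021-06-20T08:05", "Persistence", "Scheduled Task/Job"),
    ("2021-06-20T08:06", "Command and Control", "Application Layer Protocol"),
    ("2021-06-20T09:30", "Credential Access", "OS Credential Dumping"),
    ("2021-06-20T09:45", "Lateral Movement", "Lateral Tool Transfer"),
    ("2021-06-20T10:00", "Persistence", "Create Account"),
    ("2021-06-20T11:00", "Exfiltration", "Exfiltration Over C2 Channel"),
]

if __name__ == "__main__":
    for key, value in analyze(ALERTS).items():
        print(f"{key}: {value}")
```

On this sample the first detection lands at Delivery, so the two earliest phases, where the article argues detection is cheapest, were missed entirely, and the backwards Actions on Objectives to Installation step shows the repeated stage the linear model cannot represent.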

Conclusion

Although it can no longer be applied to every scenario because of the ever-changing landscape of cyber-attacks, the Cyber Kill Chain remains one of the most widely used cybersecurity models in both the government and the private sector. It is a clear illustration of the steps and stages of a typical cyber-attack. The MITRE ATT&CK framework, however, is a more comprehensive and frequently updated model that tracks the various phases of a cyber-attack by categorizing tactics and techniques in no particular order. At the end of the day, both have quickly become well respected in the cybersecurity community as tools to identify, mitigate, and prevent adversaries from conducting cyber-attacks.
