Why The Cyber Kill Chain Is Not Sufficient to Effectively Protect Your Organization
An epochal shift during the 21st century has led us to enter a new era of technological advancements, where cyber security has become vital in keeping an organization and business secure.
The rise of computers, telecommunications and the internet had opened the doors for cyberterrorism. Cyberattacks had become so rampant that they started to become a threat to the economy. Cybercriminals and hackers have also evolved their digital skills in stealing and destroying other businesses by breaching information security.
Having an effective security system to protect your organization is your best defense against cybersecurity threats. It does not only protect your business but your consumers and employees as well.
Investing in an efficient cybersecurity plan promotes risk management for monetary and reputational damage and ensures data integrity and confidentiality within your organization.
Ignoring cybersecurity is a grieve and an expensive mistake to make. Though it may not eliminate the risk of cyberattacks, a layered security approach can withstand cyber intrusion and assaults.
Lockheed Martin Cyber Kill Chain Framework
The Cyber Kill Chain is a stage-based framework (or methodology, if you like) originally developed by Lockheed Martin which traces the stages of cyberattacks. An adaptation of an established military defense operation, it is a part of their Intelligence Driven Defense Model that identifies vulnerabilities and prevent cyber intrusion activities.
This framework is named “Kill Chain” as it was adapted from a military term related to an attack’s structure. By stopping the attacker at any stage during the assault can break the chain of attack! The adversary must completely advance through all the stages to succeed. Each stage of intrusion will give us the chance to know more about the attacker and use their tenacity as our leverage.
The Kill Chain Framework works in 7 stages:
Reconnaissance – The step where the targets are identified. Adversaries plans and research their target organizations. These intruders will use automated scanners to find weak points in the system. They could scan firewalls to create a point of entry in the system. Detecting the intruders during reconnaissance could be challenging, but it could help reveal the attackers’ criminal intents.
Weaponization – The adversaries start staging their operation. After finding security vulnerabilities in the system, these attackers will develop malware. If their target is document-based, they produce a “decoy” file to present to the victim. They weaponize malware based on the attack’s intention. This is also the stage where adversaries could find ways to reduce their chances of being detected. The defender will not detect weaponization as it happens, but they can figure out the intent by investigating malware artifacts.
Delivery – The adversaries start to launch their operations. The attackers will start sending the malware to the defenders. They will deliver the weapon through email phishing or a removable/portable device. This is a vital stage for the defenders. Blocking the operation should be prioritized at this point. This can be done if the delivery medium is analyzed or targeted servers are detected.
Exploitation – Advancing to this stage is when the attackers start to gain access to their victims. The malicious malware was delivered and breached the secured parameter. Opening a phishing email attachment or clicking on a malicious link has triggered the “zero-day”, a phrase that refers to the exploit code. At this rate, custom capabilities are crucial to stop zero-day exploits. But traditional hardening measures could also help in adding resiliency to the security.
Installation – The hacker, had already established a beachhead at the victim. The malware has installed a backdoor that will serve as a point of entry for the intruder. Some adversaries would ensure that the malware looks like a regular part of the installed operating system. In this stage, it is important to stop the attack by using systems such as the Host-Based Intrusion Prevention System (HIPS). It can alert or block common installation paths.
Command and Control (C2) – The adversaries gain control of the system’s network. The malware has opened a channel of command to remotely manipulate the victim. They can gain access to secure and confidential accounts and could attempt damaging attacks. This stage is the defender’s last chance to block the attack. And this can be done by blocking the C2 channel. This will stop the adversaries from issuing a command to prevent further damage.
Action on Objectives – The adversaries have reached their goals-the stage where the hackers have successfully extracted their needed data from the system. They gained the power to damage further, such as collecting user credentials, destroying the system, or overwriting and corrupting the data. The longer the hacker has access to CKC7, the greater the impact of the damage. This stage could be detected as soon as possible using forensic evidence and network packet capture.
Key Elements of the Cyber Kill Chain:
The Cyber Kills chain was designed to assist companies in developing in-depth strategies for defense. By mapping out the steps that the hackers take to complete a cyberattack, organizations would be able to combat persistent cyber threats.
Since the Cyber Kill was derived from a military model, the main elements of this framework are established to identify adversaries, prepare for an attack, engage, and destroy a target. It can quickly identify and recognize social engineering, insider threats and innovative attacks.
Drawbacks of Kill Chain Framework
The Cyber kill chain is modelled to respond to pre-determined attack sequences. It has been universally adopted for cybersecurity. But like any other model, it is not perfect and has its fundamental flaws.
The model assumes a perimeter focus defense where the main resistance is a firewall. It fails to cover other internal attacks and cyberattack vector paths.
Cyber Kill Chain framework’s phase sequence cannot precisely block all attacks. Most of its phases can be easily bypassed.
The framework only focuses on blocking an attack but fails to define what to do after the adversaries successfully breaches the system.
Once the adversary was able to penetrate the victim’s system, the framework’s timing of the attack in every phase was inconsistent. Adversaries could easily stay dormant for a longer period while they wait for the opportunity to launch their final phase of attack without being detected.
Teams that say their cybersecurity is really good are the ones to worry about. After our breach, the most difficult issue was deciding when it was safe enough to come back online. I learned that really smart engineers can talk English, under extreme pressure.
Other Frameworks with Similar Objectives Compared to the Cyber Kill Chain
MITRE ATT&CK vs Cyber Kill Chain
ATT&CK is an acronym that stands for Tactics, Techniques, and Common Knowledge.
The MITRE ATT&CK framework was designed based on observations in the real world. It reflects the different phases of an intruder’s attack lifecycle and the target platforms.
One could argue that there are Cyber Kill Chain and MITRE ATT&CK both share common views and understanding of cyberattacks i.e., most cyberattacks involve adversaries breaking into networks, avoiding getting detected, stealing as much data as they possibly can, interrupting as much network operations as they possibly can, getting out as quietly and stealthily as they got in, making hidden backdoor access available if they ever need to return, etc.
However, compared to Cyber Kill Chain, the Mitre ATT&CK framework maintains a matrix model that has more in-depth details on how the adversary will attack in each stage. Also, Cyber Kill Chain fail to factor in the different techniques and tactics of a cloud-native attack.
The Cyber Kill assumes that the attackers will deliver malware to a target environment but ATT&CK assumes that the adversaries may very well change their goals/objectives mid-way through an attack especially when the success of the attack appears either easier or more difficult than they had initially planned.
Yes, one could argue that the MITRE ATT&CK framework uses Situational Crime Prevention (SCP) techniques, a set of techniques which assumes that the goals/objectives of most adversaries are not linear but influenced/informed by opportunities, constraints, limitations, resistance, and situations presented to them by their targets during the execution of attacks.
Google BeyondCorp vs Cyber Kill Chain
BeyondCorp is an implementation of a zero-trust security concept that creates a zero-trust network. Designed to provide end-to-end real-time protection and platform security. It has embedded data built into the Chrome browser to prevent malware infection from networks and provide phishing-resistant authentication.
Unlike the Cyber Kill Chain framework, Google BeyondCorp “shifts access control from the traditional network perimeter to individual devices”. Its zero-trust access approach users to securely work with untrusted networks even if they are not using a client-side VPN.
NIST Cyber Security Framework (NIST CSF)
The National Institute for Standards & Technology (NIST) Cyber Security Framework (CSF) provides a set of structured standards and measurements for cybersecurity. The framework sets out “standards, guidelines, and best practices to manage cybersecurity-related risks.”
But the downside of the framework is that its 5 categories/elements i.e., Protect, Identify, Detect, Respond and Recover; fail to directly outline how it can dissect a cyberattack incident. It also fails to supply analytic markers to test the detection.
Nevertheless, the descriptive (and not prescriptive) nature of the NIST CSF has made it seem “business-friendly” and therefore, made it possible for the framework to be adopted by businesses and organizations of all sizes and across several industries, particularly organizations in industries that are guided by regulary controls and compliance requirements where industry-uniqueness and specificities are considered important.
In conclusion, there is no one defense framework or set of techniques that could be considered all-in-one sufficient for all cybersecurity defense requirements.
In a previous article, I had looked at how the proposed Digital Operational Resilience Act (DORA) could impact businesses and organizations once ratified and signed into law.
Given the significant penalties that would be imposed for non-compliance with DORA directives, it is perhaps reasonable to envisage that DORA could eventually have similar, if not greater, impacts in both the UK and the EU region as did GDPR, albeit with very different objectives.
Whilst some of these defense techniques may excel in certain aspects of information security, many of them are complimentary to each other and bring different or much enriched strengths to the conversation.