Describing Security Event Analysis: Cyber Kill Chain
The cyber kill chain is a model that describes the structure of an attack.
One of an analyst’s key jobs is to understand exactly what the attackers did. The steps of the kill chain enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques, and procedures.
The following lists the seven stages of the cyber kill chain:
- Reconnaissance: Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.
- Weaponization: Coupling a remote access Trojan with an exploit into a deliverable payload, typically with an automated tool (weaponizer). Increasingly, client application data files such as Adobe PDF or Microsoft Office documents serve as the weaponized deliverable.
- Delivery: Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by the attackers, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments, websites, and USB removable media.
- Exploitation: After the weapon is delivered to the victim host, exploitation triggers the intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.
- Installation: Installation of a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
- Command and control: Typically, compromised hosts must beacon outbound to an Internet controller server to establish a CnC channel. Malware often requires manual interaction rather than conducting malicious activity automatically. Once the CnC channel is established, intruders have “hands on the keyboard” access inside the target environment. Typically, CnC traffic is sent using commonly used and required protocols such as DNS, HTTP, HTTPS, and so on.
- Actions on objectives: Only now, after progressing through the first six phases, can intruders take action to achieve their original objectives. Typically, the objective is data exfiltration, which involves collecting, encrypting, and extracting information from the victim environment. Violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only want access to the initial victim box for use as a hop point, to compromise additional systems, and move laterally inside the network.
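As an added example that is not part of the original text, the following Python check illustrates how an analyst might surface the periodic outbound beaconing described in the command-and-control stage from connection logs: it groups outbound connections per source, destination and protocol and flags pairs whose inter-connection intervals are nearly constant. The log records, hostnames, intervals and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records:
# (timestamp in seconds, source host, destination host, protocol).
# "cdn.example.net" is contacted almost exactly every 60 s (beacon-like);
# "mail.example.org" is contacted at irregular, user-driven intervals.
SAMPLE_CONNECTIONS = [
    (0, "ws-17", "cdn.example.net", "HTTPS"),
    (60, "ws-17", "cdn.example.net", "HTTPS"),
    (121, "ws-17", "cdn.example.net", "HTTPS"),
    (179, "ws-17", "cdn.example.net", "HTTPS"),
    (240, "ws-17", "cdn.example.net", "HTTPS"),
    (300, "ws-17", "cdn.example.net", "HTTPS"),
    (5, "ws-17", "mail.example.org", "HTTPS"),
    (47, "ws-17", "mail.example.org", "HTTPS"),
    (300, "ws-17", "mail.example.org", "HTTPS"),
    (310, "ws-17", "mail.example.org", "HTTPS"),
    (312, "ws-17", "mail.example.org", "HTTPS"),
]


def beacon_candidates(connections, min_events=5, max_jitter=0.2):
    """Return (src, dst, proto) pairs whose connection intervals are regular.

    Regularity is measured as the coefficient of variation of the gaps
    between consecutive connections (population stdev / mean); a value at
    or below max_jitter with at least min_events connections is reported
    as a command-and-control beaconing candidate for analyst review.
    """
    groups = defaultdict(list)
    for ts, src, dst, proto in connections:
        groups[(src, dst, proto)].append(ts)

    findings = []
    for key, times in groups.items():
        if len(times) < min_events:
            continue  # too few events to judge periodicity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all events share one timestamp; not a beacon pattern
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            findings.append({"pair": key, "events": len(times),
                             "period_s": round(avg, 1), "jitter": round(cv, 3),
                             "phase": "Command and control"})
    return findings
```

Each finding is tagged with the kill chain phase so it can be placed alongside evidence from the other stages when reconstructing the intrusion.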