Cyber-Kill Chain Advises Defensive Activity At Every Stage Of An Attack

Digital transformation puts organizational assets at increased risk of cyber-attack, and companies need to mitigate to prevent incurring high costs of cyber-intrusion. The Cyber Kill Chain (CKC) is a defense-driven threat intelligence framework modeled after the Kill Chain, a traditional military defense strategy developed for counter-terrorism[1][2]. At its core, the framework seeks to identify adversary activity at the earliest stage of an attack to break the “Chain.”

According to CKC, an offensive cyber-campaign follows a necessary and predictable pattern of 7 stages [3]:

1. Reconnaissance - The attacker gathers information about the target and seeks to find vulnerabilities in defenses that could be exploited

2. Weaponization – The attacker seeks to exploit weaknesses identified during Reconnaissance by developing deficiency-specific offensive cyber-tools

3. Delivery – The attacker uses the cyberweapons developed in the Weaponization stage to gain an initial foothold inside the organization's network

4. Exploitation – After a successful attack, the attacker gains access to the target's network

5. Installation – The attacker imports more tools to further the exploitation process toward high-value targets

6. Command and Control (C2) – The attacker switches to goal-oriented exploitation inside the target network using remote access

7. Actions on Objectives – The attacker completes their goal often by stealing or encrypting data or causing denial-of-service

By defining the attack process as stages, CKC seeks to identify threats in their earliest stages by properly implementing threat detection and prevention [4].

Implementation

• Implement sensor alerts
• Implement event escalation
• Measure the effectiveness of the detection
• Track attack campaigns

Criticisms of CKC

There are plenty of examples of criticism of CKC [5][6][7][8]. While CKC provides a broad, high-level overview, tangible methods for preventing attack stages such as Reconnaissance and Weaponization are not immediately apparent and may be practically infeasible or ineffective. Another criticism of CKC begs the question: Does every attack follows the seven proposed stages? For example, imagine an attacker who Trojanizes a piece of popular commercial software and makes it available for download via torrent. The attacker has done zero Reconnaissance on victims.

Also, there is not much hope in preventing attackers from conducting Reconnaissance or building cyber weapons. Finally, masking ports with port-knocking or using non-standard ports or protocols is operationally infeasible for companies operating web applications, remote access databases, VPN access, or other commercial services.

Using a firewall to block all IP addresses makes service scans computationally expensive and impractical. Yet Lockheed Martin's report on CKC advises this tactic [4]. Also, while ensuring sensitive information is not publicly exposed on the internet is sound advice, it doesn't provide much on to base a defensive cyber-posture.

Preventing adversaries from gaining the resources they need to create weapons of war may be a feasible strategy for the traditional military, but preventing cyber-threat actors from weaponizing is impossible. CVE information publicly divulges exploitation details, and developing and testing exploit code cannot be contained. Anyone with a PC can create vulnerabilities.

Lockheed Martin's research literature about CKC seems to defy rationality. For example, weaponization is described as the "preparation and staging phase " before Delivery [8]. But another document recommends using NIDS and NIPS to combat adversaries during the Weaponization stage [4]. However, how could an intrusion detection or prevention system protect against the development of the payload before it has been deployed or "delivered"? It can't.

More Evidence Pointing Away from CKC

The MITRE ATT&CK framework offers much more in-depth resources for defense engineering. Let us examine Google search results to make a trend comparison between the search terms "MITRE ATT&CK" and "Cyber Kill Chain." While CKC was more popular than MITRE ATT&CK before 2018, the results show that MITRE ATT&CK now enjoys approximately a five-fold lead in search popularity.

Conclusion

While the CKC process seems rational, it does not provide deep insight into attacker behaviors, and exceptions to its claim that every attack must follow seven stages are easy to conceive. Early detection of cyber-attacks is a logical goal, but Lockheed's literature advises defensive tactics contradicting rationality.

The best robust enterprise IT security pathway starts with a more insightful cyber-threat intelligence framework that identifies tactics, techniques, and procedures that attackers use and builds solid defense. For example, the MITRE ATT&CK framework includes pre-attack tactics and methods and provides more insight than CKC.

References

[1] Varonis - What is The Cyber Kill Chain and How to Use it Effectively

[2] Lockheed Martin - Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

[3] Lockheed Martin - The Cyber Kill Chain

[4] Lockheed Martin - Seven Ways to Apply the Cyber Kill Chain with a Threat Intelligence Platform

[5] Dark Reading - Deconstructing The Cyber Kill Chain

[6] Network World - Why the 'cyber kill chain' needs an upgrade

[7] CSO - What is the cyber kill chain? Why it's not always the right approach to cyber attacks

[8] Computer Weekly - Cyber kill chain is outdated, says Carbon Black

[9] Lockheed Martin - GAINING THE ADVANTAGE Applying Cyber Kill Chain® Methodology to Network Defense