Improving IT security by focusing on the Cyber Kill Chain

Organisations of all sizes understand the importance of having defences against cyberattacks. From firewalls and endpoint protection to zero trust strategies and cloud-based identity management platforms, most organisations are likely to already have an array of tools in place.

Increasingly, security teams are coming to understand the full cyberattack lifecycle used by criminals to mount their attacks. Dubbed the Cyber Kill Chain (CKC), this framework, developed by Lockheed Martin, outlines each of the steps an attacker must take to successfully break into an IT infrastructure and extract data or cause disruption.

Understanding the CKC framework is important because it shows that, while adversaries must progress through every phase to succeed, a security team needs to break the chain at only one step in the process.

According to the CKC framework, there are six basic steps a cybercriminal must carry out when mounting an attack. These steps are:

  1. External reconnaissance: This initial stage involves the selection of an attack target and the gathering of organisational details such as information on technology choices, social network activity and mailing lists. The adversary is effectively working to determine which attack methods are most likely to work with the highest degree of success and, of those, which are the easiest to execute in terms of the planned investment of resources.
  2. Weaponization and packaging: This step takes many forms and can include web application exploitation, off-the-shelf or custom malware (downloaded for reuse or purchased), compound document vulnerabilities (delivered in PDF, Office or other document formats) or watering hole attacks. The chosen attack is generally prepared with opportunistic or very specific intelligence on an intended target.
  3. Delivery: Transmission of the payload is either target-initiated (for example, a user browses to a malicious web presence, leading to an exploit delivering malware, or they open a malicious PDF file) or attacker-initiated (SQL injection or network service compromise). The choice will be made to suit the intended target.
  4. Exploitation: After the payload has been delivered to the user, computer, or device, it will work to compromise the asset, thereby gaining a foothold in the IT infrastructure. This is usually achieved by exploiting a known vulnerability for which a patch has previously been made available. While zero-day exploitation does occur, depending on the victim, in a majority of cases it is not necessary for adversaries to go to this expense.
  5. Installation: This step usually takes the form of something that communicates actively with external parties. The malware is usually stealthy in its operation, gaining persistence at the endpoints where it has access, and can go undetected by security teams for an extended period. The cybercriminal is then able to control this application without alerting the security team.
  6. Command and Control: In this final phase, the cybercriminal has control of assets within the target organisation through remote methods such as DNS, Internet Control Message Protocol (ICMP), websites, and social networks. This channel is how the adversary tells the controlled “asset” what to do next and what information to gather. Methods used to gather data under a command structure include screen captures, keystroke monitoring, password cracking, network monitoring for credentials, and the gathering of sensitive content and documents. Often a staging host is identified to which all internal data is copied.

Protecting against the kill chain

Once inside an IT infrastructure, a cybercriminal will undertake the same steps used to gain initial access. They will carry out internal reconnaissance and internal exploitation, escalate their privileges, move laterally and target endpoints.

By having a solid understanding of this process, security teams can be much better placed to stop the attack by focusing on one of the steps. It should also be remembered that, after gaining access, an attacker may hold off for the optimal time to launch the attack in order to get the most impact.

For this reason, IT security teams need to be vigilant for the first signs of an attempted (or successful) attack and have in place tools to prevent lateral movement and access to key assets and data.
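One way to put this into practice, as an added example that is not part of the original article: constructed alerts are mapped to the six phases listed above, hosts are triaged by how far along the chain they have progressed, and phases with no detection are surfaced. The alert type names, host names and the alert-to-phase mapping are assumptions for illustration.

```python
from collections import defaultdict

# The six phases as listed in the article, in order.
PHASES = ["External reconnaissance", "Weaponization and packaging", "Delivery",
          "Exploitation", "Installation", "Command and Control"]

# Hypothetical alert types mapped to a phase index (assumption; adapt to your tooling).
ALERT_PHASE = {"port_scan": 0, "malicious_attachment": 2, "exploit_signature": 3,
               "new_autorun_entry": 4, "dns_beacon": 5}

# Constructed sample alerts: (timestamp, host, alert type, blocked by a control?)
ALERTS = [
    ("2024-05-01T09:00", "web01", "port_scan", False),
    ("2024-05-01T09:30", "pc-17", "malicious_attachment", False),
    ("2024-05-01T09:31", "pc-17", "exploit_signature", False),
    ("2024-05-01T09:40", "pc-17", "new_autorun_entry", False),
    ("2024-05-02T02:10", "pc-17", "dns_beacon", False),
    ("2024-05-01T11:00", "pc-22", "malicious_attachment", True),
    ("2024-05-01T12:00", "pc-30", "unknown_type", False),
]

def host_progress(alerts, mapping=ALERT_PHASE):
    """Per host: deepest phase reached unblocked, and the phase where a control first broke the chain."""
    state = defaultdict(lambda: {"furthest": None, "stopped_at": None, "unmapped": 0})
    for _ts, host, kind, blocked in sorted(alerts):  # ISO timestamps sort chronologically
        s = state[host]
        phase = mapping.get(kind)
        if phase is None:
            s["unmapped"] += 1  # count unknown alert types instead of dropping them
        elif blocked:
            if s["stopped_at"] is None:
                s["stopped_at"] = phase
        elif s["furthest"] is None or phase > s["furthest"]:
            s["furthest"] = phase
    return dict(state)

def triage(alerts):
    """Hosts with unblocked activity, deepest kill chain phase first."""
    live = [(h, s["furthest"]) for h, s in host_progress(alerts).items()
            if s["furthest"] is not None]
    return [(h, PHASES[p]) for h, p in sorted(live, key=lambda x: -x[1])]

def uncovered_phases(mapping=ALERT_PHASE):
    """Phases that no alert type maps to, i.e. where the chain cannot currently be seen."""
    covered = set(mapping.values())
    return [p for i, p in enumerate(PHASES) if i not in covered]

if __name__ == "__main__":
    print(triage(ALERTS))
    print(uncovered_phases())
```
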

With a comprehensive understanding of the CKC framework, IT security teams will be able to determine the point on which to focus for the most effective outcome. In this way, the chance of experiencing significant disruption or loss can be greatly reduced.

Mark Sinclair is Regional Director for Australia and New Zealand at WatchGuard Technologies, where he is responsible for expanding the company’s regional market presence, overseeing new revenue opportunities, and managing local customer and partner relationships. He has more than 20 years’ IT sales and channel partner experience and previously worked at Oracle as ANZ Commercial Sales Programs & Strategic Director. Prior to that, he spent ten years at Trend Micro in several sales positions, including as Commercial Sales Director for Australia and New Zealand. He also previously worked at Tenix and Baltimore Technologies.