Americans reading this may be like me and headed towards a food coma. My gift to you? I give you a crowd-pleasing topic for family banter. Rather than arguing over controversial topics, avoiding Aunt Mildred’s hugs, or snoozing through a futile Cowboys game, cook up a retro feast for the family with the Cyber Kill Chain! If you’ve seen the “Fishes” episode of The Bear, you know how bad things can get. So consider this your safe topic, one everybody can enjoy. Your kids will thank you. Your family will be prepared to defend against nation-state threats while bickering over the wishbone. Relative peace AND security? You’re welcome.

The Basics of the Cyber Kill Chain

bad rendering of a turkey in chains, looking very upset.
It’s been a rough year for Stu. He just never was able to untangle his SOC’s stack, AI drew him with 4 legs, and he missed a CISA bulletin about Thanksgiving scams…

Let’s start with the basics: Lockheed Martin adapted the military’s concept of a “kill chain” to the cyber realm. In doing so, they created the venerable Cyber Kill Chain in 2011 to describe the full lifecycle of a cyber-attack. More traditional ‘kinetic’ kill chains have existed in analysis since the early 1990s. These describe the typical steps that an attacker must execute or consider before they can have the impact they desire. You could even argue some strategists have used similar concepts for centuries prior.

What are the 7 links in the Kill Chain?

Lockheed Martin’s Cyber Kill Chain (KC) defines 7 steps for its cyber-specific adaptation, as follows:

  1. Reconnaissance: Attackers call this homework, and any adversary serious about breaking your organization is going to spend time doing research. They gather intelligence on your environment and users, and carefully identify gaps or weaknesses (vulnerabilities) in your system. Armed with this insight, they select their targets.
  2. Weaponization: Once they have their list of targets, the adversary will select a suitable payload. They will also define a communications method to bundle into a payload and exploit.
  3. Delivery: This is where the adversary begins to act within your environment. They now seek to deliver their carefully curated payload. The better adversaries will do so through deception, guile, or brute force and land on a target system.
  4. Exploitation: Assuming the payload lands where they need it to, the adversary will now hope that they selected the right vulnerability to exploit. If they did, they can execute their initial code and begin to compromise the target.
  5. Installation: The exploit – if successful – allows malware to be installed, or an action to be taken, that gives the adversary control of some part of your system. This helps achieve persistence, allowing them to have longer-term access to your assets.
  6. Command & Control: Most adversaries need to communicate with their payloads throughout the operation. For this, a backdoor communicates with an attacker-controlled system to allow for additional tasking, attacks, or operations on your environment.
  7. Actions on Objective: Assuming the above steps succeed, the attacker can now reap the rewards and achieve their goals. These may be data exfiltration, destruction, ransomware encryption, or system takeover.

Vendors, consultants, or advisors often augment the 7 steps in the KC, but the general flow is commonly understood. Armed with this knowledge about a type of threat, you can knock the adversary off course by disrupting a phase. Ideally, this could lead your adversary to retreat or look elsewhere to achieve their goals. The following graphic from Lockheed Martin’s website really helps tie the room together:

Lockheed Martin’s Cyber Kill Chain illustrated (from this page: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html)

Which steps do defenders have a say in?

Obviously, we’d love to deny everything bad happening to your environment. There are some steps (Reconnaissance) that happen outside of your ability to prevent them. You may be unable to detect them. You could use canary tokens, honey accounts, and decoy information or deception techniques (lures and fake personas) to close those gaps.

Break the Chain

Put on some Fleetwood Mac and let’s look at how we can tackle these phases, shall we? We counter the Kill Chain’s steps with potential mitigation approaches. In most implementations of the model, these fall into 6 categories:

  • Detect: Visibility (seeing what happened) and Detection (deciding it is of concern) are essential to any defense. These should be major objectives for any defensive projects your organization embarks on.
  • Deny: There are behaviors that you can ban in the first place. We can deny other malicious or unwanted behavior as it is detected too.
  • Disrupt: Maybe the attack step is already in process! There are still opportunities to prevent the step’s completion, and you should use any tools available to do so.
  • Degrade: Some Cyber Kill Chain advocates talk about hacking back or counter-attacking the command & control. This particular step can be controversial as attribution is a very inexact science. Within ethical bounds, impairing adversary infrastructure or exhausting their resources can be an effective defense. We could absorb all of their available connection capacity or bandwidth on purpose, for example. What is applicable to your environment will depend on you and the context.
  • Deceive: You can also seek to interfere with the adversary’s work by intentionally distracting their operators, blunting their attacks, or frustrating their operations. Most defenders use deception techniques like honeypots or honeynets, attack diversions, or system manipulation. These can both absorb and even gain intel from adversary activity.
  • Contain: Your network or other infrastructure solutions likely include features that allow you to adjust access. How? These capabilities include segmentation and other ways of isolating portions of the environment from one another. This keeps areas prone to attacks away from those containing critical or sensitive functions or data.
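
One way to put the seven phases and six categories to work is a coverage grid that shows where you can see or stop an adversary and where you cannot. The following is an added example, not code from this post or from Lockheed Martin; the control inventory, its phase/category assignments, and the choice of which categories count as "stopping" are constructed assumptions to replace with your own.

```python
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objective"]
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Contain"]
STOPPING = {"Deny", "Disrupt", "Contain"}  # assumption: categories that halt a step

# Constructed sample inventory: (control, phase, category).
CONTROLS = [
    ("canary tokens", "Reconnaissance", "Detect"),
    ("honey accounts", "Reconnaissance", "Deceive"),
    ("mail gateway filtering", "Delivery", "Deny"),
    ("mail gateway alerts", "Delivery", "Detect"),
    ("endpoint exploit protection", "Exploitation", "Disrupt"),
    ("application allowlisting", "Installation", "Deny"),
    ("egress proxy logs", "Command & Control", "Detect"),
    ("honeypot file share", "Actions on Objective", "Deceive"),
    ("network segmentation", "Actions on Objective", "Contain"),
]

def build_matrix(controls):
    """Return {phase: {category: [control, ...]}}, rejecting unknown labels."""
    matrix = {p: {a: [] for a in ACTIONS} for p in PHASES}
    for name, phase, action in controls:
        if phase not in PHASES or action not in ACTIONS:
            raise ValueError(f"unknown phase or category for {name!r}")
        matrix[phase][action].append(name)
    return matrix

def blind_phases(matrix):
    """Phases with no Detect control: activity there goes unseen."""
    return [p for p in PHASES if not matrix[p]["Detect"]]

def earliest_break(matrix):
    """First phase, in chain order, with a control that can stop the step."""
    for p in PHASES:
        if any(matrix[p][a] for a in STOPPING):
            return p
    return None

def render(matrix):
    """Plain-text grid: one row per phase, 'x' where a cell has coverage."""
    head = f"{'':22}" + "".join(f"{a:>9}" for a in ACTIONS)
    rows = [f"{p:22}" + "".join(f"{'x' if matrix[p][a] else '.':>9}"
                                for a in ACTIONS) for p in PHASES]
    return "\n".join([head] + rows)

if __name__ == "__main__":
    m = build_matrix(CONTROLS)
    print(render(m))
    print("No detection in:", blind_phases(m))
    print("Earliest phase with a stopping control:", earliest_break(m))
```

Weaponization shows up empty because it happens on the adversary's side; the rows worth arguing about over dinner are the in-environment phases with no Detect entry.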

Seems cool, but why the two models?

Characterizing attackers using the Cyber Kill Chain’s seven steps proved useful in earlier attacks. We finally had a way to break down an adversary’s behavior into manageable chunks! Vendors and security consultants adopted the terminology and structured products and processes to use the KC shortly after it was published.

When their customers or clients tried to adopt it, they found it had some limits:

  • It was registered to Lockheed Martin, and while LM has been gracious in allowing its use, it is not conducive to community-driven content.
  • Advanced persistent threats (APTs) evolved, enlisting dynamic playbooks to attack your environments. Much of a modern adversarial operation occurs outside of a traditional Kill Chain breakdown.
  • New threat vectors (like insider threats or even watercooler attacks) defy KC characterization.
  • Many APTs exhibit much less linear behavior, breaking the chain.
  • Most critically, the 7 rigidly defined steps offer little guidance for how to effectively drill down deeper into the behavior. This gap in the framework caused paralysis in many organizations wrestling with how to deconstruct these complex operations.

We needed a more flexible and holistic approach, and this is where MITRE ATT&CK comes in. While they were released only a couple of years apart, ATT&CK most certainly benefited from lessons learned in applying the Lockheed Martin Cyber Kill Chain.