Treating cyberspace like a battlefield is gaining momentum among information-security professionals. Proponents also suggest private organizations adapt military-style strategies to defend their internet presence. One such game plan involves analyzing what Lockheed Martin calls the Cyber Kill Chain. The concept first surfaced in the seminal paper: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.
The paper written by Eric M. Hutchins, Michael J. Clopperty, and Rohan M. Amin develops a cyber-defense framework based on a well-known methodology used by the military known as kill chain analysis. Writing in Foreign Affairs, Admiral Jonathan Greenert, chief of US Naval operations, and General Mark Welsh, chief of staff of the US Air Force, described the term kill chain: “[T]o attack our forces, an adversary must complete a sequence of actions, commonly referred to as a ‘kill chain.’ Because each step must work, our forces can focus on the weakest links in the chain, not each and every one.”
That is interesting. Anyone involved in IT security has heard the mantra: attackers only need one weakness, whereas defenders must protect every eventuality.
The authors specifically state the kill chain analysis is important because of an uptick in Advanced Persistent Threats (APT). Also, kill chain analysis offsets the fact that organizations do not collaborate anywhere near as much as the bad guys who are attacking them. Arthur Wong, HP senior vice-president and general manager of HP Enterprise Security Services (ESS), told ZDNet, “When anyone wants to launch an attack on a particular company, they’re going into chat rooms and asking, ‘Hey does anybody own a computer or a system inside this company?’, and someone will put up their hand, or they’ll know someone else, and a deal is negotiated.”
Cyber kill chain
The authors took the military’s kill chain analysis approach and revamped it for use by private organizations, mentioning in the paper’s introduction, “Using a kill chain model to describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of intelligence gathering based on the intelligence-driven computer network defense.”
The introduction referred to “kill chain indicators.” The military’s version of the indicators is known as F2T2EA: Find, Fix, Track, Target, Engage, and Assess. The authors reworked the military’s indicators to focus on intrusion detection:
Reconnaissance: Research, identification, and selection of targets: for example, crawling internet websites for email addresses, social relationships, or information on specific technologies.
Weaponization: Creating a workable exploit by combining a trojan (get past defenses) with a malware payload constructed to accomplish the attacker’s goals.
Delivery: Transmission of the weapon to the target. Popular APT delivery vehicles are email attachments, websites, and USB removable media.
Exploitation: When the malware weapon is delivered, the payload activates exploiting a vulnerable program or system.
Installation: Installation of a backdoor on the victimized system allows the adversary to maintain contact.
Command and Control: APTs typically require manual intervention to explore the victim’s network. This is accomplished by the malware contacting a remote command and control server.
Actions on Objectives: If everything goes according to plan, the attackers now pursue the reason for the intrusion, possibly compromising additional servers or exfiltrating data.
An “after the fact” example
A telling example was A “Kill Chain” Analysis of the 2013 Target Data Breach. The report prepared for the Senate Committee on Commerce, Science, and Transportation described Target’s data breach using cyber kill chain analysis. Granted, it was after the fact, but if you want to learn how this militarization technique works, reading the report will help. The following slide points out the weak links in the chain, and suggested ways to improve Target’s defenses so the attack will not happen again.
To militarize or not?
To learn if organizations are implementing cyber kill chain analysis, I had a conversation with Rodrigo Bijou, consultant at the Data Guild in Palo Alto. Bijou said, “I’ve been tasked by major U.S. banks to build features into their security programs based on their concept of the cyber kill chain.’ Specifically, the roadmap for the work I was doing was to be delivered in stages based on the cyber kill chain: Reconnaissance, Exploitation, Exfiltration, etc.”
What Bijou said next was especially interesting and something worth looking into. “I think this [cyber kill chain], like APT and other buzz words, points to a trend where marketing is becoming more influential in driving product decisions, and what services are delivered,” he said.
Note: The initial slide is Websense’s interpretation and simplification of the seven indicators.