Apr 20, 2022
Applying Kill Chain Thinking to Reduce the Cybersecurity Attack Surface
Today’s threats are sophisticated and complex which requires organizations to defend against every stage of attackBy Kyle Dewar, Director, Technical Account Management, Tanium
The attack surface — the sum of all attack vectors for IT assets in an organization — continues to expand as endpoints evolve at the speed of innovation. CIOs grow the attack surface every time they adopt a new cloud service or provision more endpoints to support business growth and digital transformation. They face the challenge now of defending that attack surface even as they grow.
In an earlier blog post, I wrote about the challenges CIOs face in supporting innovating and IT security at the same time. Now I’d like to go into more detail about defense strategies that CIOs can adopt to protect the attack surface of their modern, cloud-first IT environments.
Kill chain 101
Specifically, I’d like to draw on an important attack model called the kill chain. The U.S. military originally developed this model decades ago for analyzing capability gaps using operational data sets. A kill chain is a collection of sequential mission tasks or functions necessary to successfully employ a weapon against a specific target. Kill chains focus on outcomes by combining discrete capabilities to achieve synergistic effects. A kill chain used by the US Navy to evaluate air warfare capabilities consists of the following mission tasks or functions: find, fix, identify, track, engage, and assess. The desired outcome is to destroy a threat within a defined air space.
In 2009, in a technical paper by Lockheed Martin Corporation, several cybersecurity experts applied the kill chain model to the problem of defending against what was then a new form of an attack: the advanced persistent threat (APT). A lot has changed since that paper was written, but the idea of kill chains is still useful. Here’s why.
Before APTs came along, many people in IT thought that cyber defense could be boiled down to a simple checklist of tactics. If you wanted to block viruses, you deployed AV software. If you wanted to block intruders breaking into the network though unmonitored ports, you deployed a firewall and an intrusion detection system (IDS). And so on. Each of these solutions operated independently in silos to protect an area of the information network.
These simple security measures aren’t wrong. They’re just incomplete on their own. The rise of APTs made this obvious.
In an APT attack, intruders are willing to take their time. They’ll poke and prod a network, find an opening, and deploy some malware. Next, they’ll set up a command-and-control connection that gives attackers halfway around the world direct control of the malware that’s been installed. Then they’ll explore the network at their leisure. They might take days, weeks, or even months to find the valuable assets to steal or disrupt, depending on their purpose.
Stopping this kind of attack with a simple checklist of security steps is difficult at best and scales poorly as threats quickly consume limited IT resources. You need to see the bigger picture to understand how the attack’s various moving parts are working together in subtle ways. Only then can you detect the attack and take action to stop it.
Kill chains and the modern cyber-attack surface
This need for a broader vision of security is even more important considering the threats facing organizations today.
By comparison, in 2009, CIOs and CISOs were securing a relatively constrained and homogenous IT environment. Nearly all employees worked on site. Nearly all their desktops and laptops had been provisioned by the IT department, rather than being purchased by employees for their personal use.
Cloud adoption was in its infancy. Data centers hosted most applications under the watchful eye of local administrators. Network firewalls really could encompass most of the IT assets that needed protection. A CIO’s kingdom really was like a castle: everything valuable in one central place surrounded by a secure wall with sentries watching for trouble.
Fast forward to today, and the attack surface is much larger and more varied and more porous. The typical IT infrastructure spans multiple cloud providers as well as countless home offices with a mix of laptops, tablets, and smartphones.
Other endpoints include IoT devices and operational technology (OT) devices. Organizations had OT devices such as controllers on manufacturing floors before, but now they’re connected to the internet to take advantage of the digitization of practically everything.
Another difference: Last year’s alarming Log4j vulnerability reminds CIOs that risks can come from the software building blocks used in purchased commercial applications. And those same software risks in the applications and digital services the company is building itself.
In short, today’s IT environment is complex, varied, and ever-changing. If simple, checkbox security measures were somewhat inadequate in 2009, they’re wholly inadequate now.
That’s why I think returning to kill chain analysis is so useful. It reminds CIOs that today’s threats are sophisticated and complex and points out the importance of defending against every stage within the lifecycle of a cyberattack.
Understanding kill chain in cybersecurity
So what is a kill chain? It’s a sequence or “chain” of events that together make an attack by a cybercriminal or nation-state more effective. As described in the Lockheed Martin paper, a cyberattack kill chain includes these seven steps:
The attacker surveils and explores the target, looking for vulnerabilities and gathering information such as hardware, software, identities, email addresses or other information about the information network that might inform approaches or methodologies to probe, breach, or exploit a known or unknown vulnerability.
The attacker packages malware or RCE code in some way that can be delivered to initiate the attack. For example, the attacker might embed a remote access trojan in a Microsoft Office file or an Adobe PDF file.
The attacker delivers the weaponized artifact to the target’s network. They might deliver the file as an email attachment in a phishing campaign. Or an unsuspecting employee might download the file from a website or inadvertently copy it from a corrupted USB drive.
A user action or some other event triggers execution of the malware. The malware takes advantage of vulnerabilities in the operating system or an application. One way or another, it slips through gaps in an endpoint’s defenses.
The active malware installs itself on the user’s endpoint or an application endpoint. Now the attackers have a presence on the internal network. In effect, the robbers are in the house.
- Command and Control (C2)
In most APT attacks, malware on a compromised endpoint establishes a connection back to a remote system that serves as a controller for the attack. This command and control (C2) connection allows remote criminals, who may be thousands of miles away, to control the activity of malware on the victim’s network.
- Actions on Objectives
Now the attackers can proceed with whatever attack they have in mind. They might exfiltrate data from the user’s system, or they might move laterally across the network, installing ransomware or exploring other systems for valuable assets to exploit. With the C2 connection in place, the attackers can basically do what they want, stealing or encrypting data, running PowerShell scripts, and so on.
This sequence might sound complicated, even laborious, but steps 3 – 7 can occur in just a few minutes. But a lot of APT attacks aren’t fast at all. The attackers might decide to lay low and lurk on the network, exploring systems, installing more malware, or exfiltrating data at a trickle for months or even years.
In my next post, I’ll explain how you can detect and mitigate attackers’ kill chain actions, using modern security tools.