
UFCF7P-15-M Critical Systems Security

The Cyber Kill Chain model
This week

• Intelligence-driven computer network defence
• The kill chain model
• Indicators
• Course of action
• Campaign analysis
Advanced Persistent Threats

Advanced: They are targeted. They may employ more than one attack method and
multiple spreading mechanisms to increase the probability of a successful attack
on the target.

Persistent: They operate in stealth mode for a prolonged period of time until
they reach the final target. Often they hide their actions from monitoring
software.
The six steps of an APT (FireEye [5])

1) The cyber criminal, or threat actor, gains entry through an email, network,
file, or application vulnerability and inserts malware into an organization's
network. The network is considered compromised, but not breached.

2) The advanced malware probes for additional network access and
vulnerabilities or communicates with command-and-control (CnC) servers to
receive additional instructions and/or malicious code.

3) The malware typically establishes additional points of compromise to
ensure that the cyber attack can continue if one point is closed.
4) Once a threat actor determines that they have established reliable network
access, they gather target data, such as account names and passwords. Stored
passwords are usually hashed rather than kept in the clear, but weak, unsalted
or poorly chosen password hashes can be cracked offline; once that happens, the
threat actor can identify and access data.

5) The malware collects data on a staging server, then exfiltrates the data off
the network and under the full control of the threat actor. At this point, the
network is considered breached.

6) Evidence of the APT attack is removed, but the network remains
compromised. The cyber criminal can return at any time to continue the data
breach.
APT Risk - the need for a new approach

• Technical security controls (IDS, antivirus software etc.) focus on the
vulnerability component of risk.

• APTs: Well-resourced and trained adversaries conducting multi-layer intrusion
campaigns, targeting highly sensitive economic, proprietary or national
security information [1].

[Figure: Knowledge about adversaries → Information superiority / Intelligence →
Decreased likelihood of adversary success. Caption: Intelligence-driven computer
network defence model]


Intelligence-driven computer network defence

• Intelligence-driven computer network defence is a risk management strategy that addresses
the threat component of risk, incorporating analysis of adversaries, their capabilities,
objectives, doctrine and limitations.

• New understanding of the intrusions themselves, not as singular events, but rather as phased
progressions [1].
Intelligence-driven computer network defence

• Kill chain model – the basis of intelligence-driven computer network defence.

• Kill chain analysis illustrates that the adversary must progress successfully through each
stage of the chain before it can achieve its desired objective; just one mitigation disrupts the
chain and the adversary [1].

• Objectives:
  • Identify phases of intrusion.
  • Map adversary kill chain indicators to defender courses of action.
  • Identify patterns that link individual intrusions into broader campaigns.
  • Understand the iterative nature of intelligence.
The Kill Chain model

• The United States Department of Defense describes the kill chain with the stages:
Find, Fix, Track, Target, Engage and Assess (F2T2EA).

• The United States Air Force (USAF) has used this framework to identify gaps in
Intelligence, Surveillance and Reconnaissance (ISR) capability and to prioritize
the development of needed systems.
Indicators and the indicator life cycle

• The fundamental element of intelligence in the Cyber Kill Chain model is the
indicator: any piece of information that objectively describes an intrusion.

• Three indicator types:
  • Atomic
  • Computed
  • Behavioural
Atomic indicators

• Atomic indicators are those which cannot be broken down into smaller
parts and retain their meaning in the context of an intrusion.

• Typical examples here are IP addresses, email addresses and vulnerability
identifiers, e.g. companyname@company.com, 192.168.1.5 and CVE-1999-0067.

More on CVE: https://cve.mitre.org/


Computed indicators

• Computed indicators are those which are derived from data involved in an
incident.

• Common computed indicators include hash values (e.g. of a malicious file) and
regular expressions (e.g. over network traffic or log content).
Behavioural indicators

• Behavioural indicators are collections of computed and atomic indicators,
often subject to qualification by quantity and possibly combinatorial logic.

• Example:

“the intruder would initially use a backdoor which generated network traffic
matching [regular expression] at the rate of [some frequency] to [some IP
address], and then replace it with one matching the [MD5 hash value] once
access was established”
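The quoted behavioural indicator turned into detection logic, as an added example (not code from the original slides or from [1]). The C2 address, the regular expression, the implant bytes behind the MD5 hash, the beacon period and both log extracts are constructed for this example; in a real deployment each of them is an assumption to be replaced by the indicators the analyst actually revealed.

```python
"""Behavioural indicator matcher: an added example, not code from the original
slides or from [1].

It encodes the behavioural indicator quoted above: a backdoor whose requests
match a regular expression (computed indicator) and recur at a fixed rate to a
known address (atomic indicator), later replaced by a second implant that is
recognised by its MD5 hash (computed indicator).  C2 address, regular
expression, implant bytes and all log records are constructed for this example.
"""
import hashlib
import re
from collections import defaultdict

C2_IP = "203.0.113.7"                                               # atomic indicator (assumed)
BEACON_RE = re.compile(r"^GET /update\?id=[0-9a-f]{8} HTTP/1\.1$")  # computed indicator (assumed)
STAGE2_MD5 = hashlib.md5(b"stage2-implant-bytes").hexdigest()       # computed indicator (constructed)

# Behavioural qualifiers: at least MIN_BEACONS requests spaced within JITTER
# seconds of PERIOD.  These are tuning assumptions, not values from the slides.
MIN_BEACONS = 3
PERIOD = 60.0
JITTER = 5.0

# Constructed proxy log: (epoch seconds, source host, destination IP, request line)
PROXY_LOG = [
    (1000.0, "ws-17", "203.0.113.7", "GET /update?id=0badcafe HTTP/1.1"),
    (1002.0, "ws-17", "198.51.100.2", "GET /index.html HTTP/1.1"),
    (1061.0, "ws-17", "203.0.113.7", "GET /update?id=0badcafe HTTP/1.1"),
    (1119.0, "ws-17", "203.0.113.7", "GET /update?id=0badcafe HTTP/1.1"),
    (1181.0, "ws-17", "203.0.113.7", "GET /update?id=0badcafe HTTP/1.1"),
    (1500.0, "ws-22", "203.0.113.7", "GET /update?id=deadbeef HTTP/1.1"),  # one hit, no rhythm
]

# Constructed file-creation events: (epoch seconds, host, path, file contents)
FILE_EVENTS = [
    (1300.0, "ws-17", "C:\\Users\\Public\\svchost.exe", b"stage2-implant-bytes"),
    (1310.0, "ws-22", "C:\\Temp\\readme.txt", b"hello"),
]


def beaconing_hosts(proxy_log):
    """Return {host: first_beacon_time} for hosts whose requests to C2_IP match
    BEACON_RE and recur roughly every PERIOD seconds at least MIN_BEACONS times."""
    by_host = defaultdict(list)
    for ts, host, dst, request in proxy_log:
        if dst == C2_IP and BEACON_RE.match(request):      # atomic AND computed
            by_host[host].append(ts)
    result = {}
    for host, times in by_host.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        periodic = sum(1 for g in gaps if abs(g - PERIOD) <= JITTER)
        if periodic + 1 >= MIN_BEACONS:                    # N periodic gaps = N+1 beacons
            result[host] = times[0]
    return result


def stage2_drops(file_events):
    """Return {host: (time, path)} for the first file on each host whose MD5
    equals STAGE2_MD5."""
    hits = {}
    for ts, host, path, data in file_events:
        if hashlib.md5(data).hexdigest() == STAGE2_MD5:
            hits.setdefault(host, (ts, path))
    return hits


def match_behavioural_indicator(proxy_log, file_events):
    """Hosts that beaconed AND afterwards dropped the stage-2 implant.  The
    ordering is part of the indicator: the swap happens once access is established."""
    beacons = beaconing_hosts(proxy_log)
    drops = stage2_drops(file_events)
    matched = {}
    for host, first_beacon in beacons.items():
        if host in drops and drops[host][0] > first_beacon:
            matched[host] = {"first_beacon": first_beacon,
                             "stage2_at": drops[host][0],
                             "stage2_path": drops[host][1]}
    return matched


if __name__ == "__main__":
    for host, detail in match_behavioural_indicator(PROXY_LOG, FILE_EVENTS).items():
        print(host, detail)
```

Only ws-17 matches: it shows the periodic beacon and then the hash match, whereas ws-22 contacts the same address once and never drops the implant. Each of the three indicators alone would be noisy (the regex can match benign updaters, the IP can be shared hosting); the combination and the quantity qualifier are what make the behavioural indicator specific.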
Indicator life cycle states and transitions

(Figure not reproduced.) Indicators are revealed through analysis or
collaboration, matured by building them into detection tools, and utilized when
matching activity is found; investigating that activity reveals further
indicators, so the cycle repeats [1].
Intrusion Kill Chain

• Intrusion:
- the aggressor must develop a payload to breach a trusted boundary,
- establish a presence inside a trusted environment, and
- take actions towards their objectives (moving laterally inside the environment or violating
confidentiality, integrity, or availability).

• Intrusion (Cyber) Kill Chain:
- reconnaissance, weaponisation, delivery, exploitation, installation, command and
control (C2), and actions on objectives.
Intrusion Kill Chain - Reconnaissance

• Research, identification and selection of targets, often represented as crawling
Internet websites such as conference proceedings and mailing lists for email
addresses, social relationships, or information on specific technologies.

1. Passive reconnaissance: gathering information about the target without the
target becoming aware of it.

2. Active reconnaissance: much deeper profiling of the target, which might
trigger an alert at the target [2].
Intrusion Kill Chain - Reconnaissance

| # | Technique                           | Type of reconnaissance | Techniques used                                                    |
|---|-------------------------------------|------------------------|--------------------------------------------------------------------|
| 1 | Target identification and selection | Passive                | Domain names, whois, records from APNIC, RIPE, ARIN                |
| 2 | Target profiling                    |                        |                                                                    |
|   | (a) Target social profiling         | Passive                | Social networks, public documents, reports and corporate websites  |
|   | (b) Target system profiling         | Active                 | Ping sweeps, fingerprinting, port scanning and service enumeration |
| 3 | Target validation                   | Active                 | Spam messages, phishing mails and social engineering               |
Intrusion Kill Chain - Reconnaissance

• Examples of reconnaissance in ICS environments?
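Active reconnaissance is the one row of the table a defender can see in their own logs. As an added example (not code from the original slides or from [2]), the detector below picks out the two scanning patterns of target system profiling from a constructed firewall log: one source touching many ports on one host (a vertical port scan) and one source touching the same port on many hosts (a horizontal sweep, here for Modbus/TCP port 502 to give it an ICS flavour). The log format, thresholds, window and every record are constructed assumptions; a real firewall log needs its own parser.

```python
"""Active-reconnaissance detector: an added example, not code from the original
slides or from [2].

Flags a vertical port scan (one source, one host, many ports) and a horizontal
sweep (one source, one port, many hosts) within a sliding time window.  The
log format, thresholds and all records are constructed for this example.
"""
from collections import defaultdict

WINDOW = 60.0        # seconds of history examined per source (assumption)
PORT_THRESHOLD = 10  # distinct ports on one host within WINDOW -> vertical scan
HOST_THRESHOLD = 8   # distinct hosts on one port within WINDOW -> horizontal sweep

# Constructed firewall log, one record per line: "<epoch> <src_ip> <dst_ip> <dst_port>"
FIREWALL_LOG = (
    # vertical scan: one source walks 11 ports on 10.0.0.5 within 5 seconds
    [f"{2000 + 0.5 * i:.1f} 198.51.100.9 10.0.0.5 {p}"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 502])]
    # horizontal sweep: one source probes Modbus/TCP (502) on nine addresses
    + [f"{2100 + i:.1f} 198.51.100.10 10.0.0.{i} 502" for i in range(1, 10)]
    # benign: an HMI polls a single PLC on one port every 10 seconds
    + [f"{2200 + 10 * i:.1f} 10.0.0.50 10.0.0.5 502" for i in range(20)]
)


def parse_line(line):
    """Split one constructed record into (epoch, src, dst, port)."""
    ts, src, dst, port = line.split()
    return float(ts), src, dst, int(port)


def detect_scans(lines, window=WINDOW,
                 port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
    """Return sorted (src, kind, target, count) findings.

    For every source a sliding window of `window` seconds is moved over its
    records; inside the window the distinct ports per destination host and the
    distinct hosts per destination port are counted.  Each (src, kind, target)
    is reported once, with the largest count seen in any window."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e[0])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # drop records older than window
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for _, _, dst, port in evs[start:end + 1]:
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    key = (src, "vertical_scan", dst)
                    findings[key] = max(findings.get(key, 0), len(ports))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    key = (src, "horizontal_sweep", f"tcp/{port}")
                    findings[key] = max(findings.get(key, 0), len(hosts))
    return sorted((s, k, t, n) for (s, k, t), n in findings.items())


if __name__ == "__main__":
    for finding in detect_scans(FIREWALL_LOG):
        print(finding)
```

The HMI that polls one PLC on one port twenty times is never reported, because neither the port count nor the host count grows. In an ICS network this kind of passive detection matters twice over: it is the defender's earliest kill chain indicator, and it catches scanning that may itself disrupt fragile devices (see the Stage 1 notes later in these slides), so thresholds should be set low enough that a single sweep of the control network is flagged.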


Intrusion Kill Chain - Weaponization

• Coupling a remote access trojan with an exploit into a deliverable payload, typically by
means of an automated tool (weaponizer).

• Client application data files such as Adobe Portable Document Format (PDF) or Microsoft
Office documents serve as the weaponised deliverable.

• Weaponizer examples in ICS?


Intrusion Kill Chain - Delivery

• Transmission of the weapon to the targeted environment. The three most prevalent
delivery vectors for weaponised payloads by APT actors are:

- email attachments,
- websites, and
- USB removable media.

• Can you identify the prevalent transmission mechanisms in ICS?


Intrusion Kill Chain - Exploitation

• After the weapon is delivered to the victim host, exploitation triggers the intruders’
code. Most often, exploitation targets an application or operating system
vulnerability, but it could also more simply exploit the users themselves or
leverage an operating system feature that auto-executes code.

• Attack against the user or attack against the system?


Intrusion Kill Chain - Installation

• Installation of a remote access trojan or backdoor on the victim system allows
the adversary to maintain persistence inside the environment.

• Any examples of the Installation phase in ICS?


Intrusion Kill Chain - Command and Control (C2)

• Typically, compromised hosts must beacon outbound to an Internet controller
server to establish a C2 channel. Once the C2 channel is established, intruders
have “hands on the keyboard” access inside the target environment.

• What is the difference in ICS?


Intrusion Kill Chain - Actions on Objectives

• Typically, this objective is data exfiltration, which involves collecting,
encrypting and extracting information from the victim environment;
violations of data integrity or availability are potential objectives as well.
Alternatively, the intruders may only desire access to the initial victim box for
use as a hop point to compromise additional systems and move laterally
inside the network.

• What is the difference in ICS?


Course of action
Example

Use of Intrusion Kill Chain Model

• Defenders must be able to move their detection and analysis up the kill chain
and, more importantly, implement courses of action across the kill chain.

• Force an adversary to change every phase of their intrusion in order to
successfully achieve their goals; this increases the cost for the adversary.

• Equally important is synthesis of unsuccessful intrusions: what might have
happened should future intrusions circumvent the currently effective protections
and detections.
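The three bullets above (detect as early as possible, hold a mitigation at every phase, and synthesise what a blocked intrusion would have done next) can be worked through mechanically against a courses-of-action matrix. The following is an added example, not code from the original slides or from [1]: the matrix cells are illustrative controls of the kind listed in the matrix in [1] and are to be read as assumptions, and the two intrusion records are constructed.

```python
"""Courses-of-action matrix over the intrusion kill chain: an added example,
not code from the original slides or from [1].

The matrix maps each phase to the defender actions detect, deny, disrupt,
degrade, deceive and destroy.  Cell contents are illustrative controls and
are assumptions; an organisation fills them from its own control inventory.
The intrusion records below are constructed for this example.
"""

PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
ACTIONS = ["detect", "deny", "disrupt", "degrade", "deceive", "destroy"]
BLOCKING = ("deny", "disrupt")   # actions that actually stop progression

COA = {
    "reconnaissance":        {"detect": ["web analytics"], "deny": ["firewall ACL"]},
    "weaponization":         {"detect": ["NIDS"], "deny": ["NIPS"]},
    "delivery":              {"detect": ["vigilant user"], "deny": ["proxy filter"],
                              "disrupt": ["in-line AV"], "degrade": ["queuing"]},
    "exploitation":          {"detect": ["HIDS"], "deny": ["patch"], "disrupt": ["DEP"]},
    "installation":          {"detect": ["HIDS"], "deny": ["chroot jail"], "disrupt": ["AV"]},
    "command_and_control":   {"detect": ["NIDS"], "deny": ["firewall ACL"], "disrupt": ["NIPS"],
                              "degrade": ["tarpit"], "deceive": ["DNS redirect"]},
    "actions_on_objectives": {"detect": ["audit log"], "degrade": ["quality of service"],
                              "deceive": ["honeypot"]},
}


def controls(coa, phase, action):
    return coa.get(phase, {}).get(action, [])


def coverage_gaps(coa):
    """(phase, action) cells with no control: the blank cells of the matrix."""
    return [(p, a) for p in PHASES for a in ACTIONS if not controls(coa, p, a)]


def earliest_detection(intrusion, coa):
    """First phase, in kill-chain order, where the intrusion left an indicator
    and a detect control exists: how far 'up the chain' detection reaches.
    intrusion = {phase: [indicators]} for the phases where evidence exists."""
    for phase in PHASES:
        if phase in intrusion and controls(coa, phase, "detect"):
            return phase
    return None


def chain_break(intrusion, coa):
    """First phase with a deny/disrupt control for an observed indicator; one
    such mitigation breaks the chain [1].  None means the intrusion was not stopped."""
    for phase in PHASES:
        if phase in intrusion and any(controls(coa, phase, a) for a in BLOCKING):
            return phase
    return None


def synthesise_unsuccessful(intrusion, coa):
    """For an intrusion stopped at some phase, return the later-phase indicators
    that analysis of the captured artefact still yielded (e.g. the implant and
    C2 address inside a blocked attachment).  These feed controls for phases
    the adversary never reached, so a variant that slips past today's block is
    still caught."""
    stop = chain_break(intrusion, coa)
    if stop is None:
        return {}
    later = PHASES[PHASES.index(stop) + 1:]
    return {p: intrusion[p] for p in later if p in intrusion}


# Constructed intrusion: blocked at delivery, but the attachment was analysed.
INTRUSION_BLOCKED = {
    "delivery": ["sender hr-updates@example.net", "attachment payroll_update.pdf"],
    "exploitation": ["shellcode pattern in embedded JavaScript"],
    "installation": ["dropper writes svchost.exe into the user profile"],
    "command_and_control": ["beacon to 203.0.113.7 every 60 s"],
}

# Constructed intrusion: first seen in audit logs, i.e. only at the last phase.
INTRUSION_LATE = {
    "actions_on_objectives": ["bulk read of file share by a service account"],
}

if __name__ == "__main__":
    print("blocked at:", chain_break(INTRUSION_BLOCKED, COA))
    print("later-phase indicators to action:", synthesise_unsuccessful(INTRUSION_BLOCKED, COA))
    print("late intrusion stopped at:", chain_break(INTRUSION_LATE, COA))
    print("empty matrix cells:", coverage_gaps(COA))
```

The first record breaks at delivery, yet synthesis still hands the defender three later-phase indicators to build into HIDS and NIDS rules; the second record shows the failure mode the slides warn about: the only evidence sits at actions on objectives, where this matrix has no deny or disrupt control, so the chain is never broken and the gap list says which cells to fill first.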
Campaign analysis

• The principal goal of campaign analysis is to determine the patterns and
behaviours of the intruders, their tactics, techniques, and procedures (TTP), to
detect “how” they operate rather than specifically “what” they do.

• As defenders study new intrusion activity, they will:
  • either link it to existing campaigns
  • or perhaps identify a brand new set of behaviours of a theretofore unknown
threat and track it as a new campaign.
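The link-or-open decision above can be made from indicator overlap across the kill chain phases. The following is an added example, not code from the original slides or from [1]: it weights behavioural indicators (how the adversary operates) above atomic ones (which infrastructure was used), because senders and addresses are cheap to change. The weights, the threshold and all four intrusion records are constructed assumptions.

```python
"""Campaign linking by weighted indicator overlap: an added example, not code
from the original slides or from [1].

Each intrusion is a set of indicators tagged with type and kill-chain phase.
A new intrusion joins the existing campaign with which it shares the most
indicator weight, or opens a new campaign when no overlap reaches the
threshold.  Weights, threshold and all indicator values are constructed.
"""
from dataclasses import dataclass

WEIGHTS = {"atomic": 1.0, "computed": 2.0, "behavioural": 3.0}   # assumption
LINK_THRESHOLD = 3.0   # minimum shared weight to join a campaign (assumption)


@dataclass(frozen=True)
class Indicator:
    kind: str     # atomic | computed | behavioural
    phase: str    # kill-chain phase the indicator belongs to
    value: str


def atomic(phase, value):
    return Indicator("atomic", phase, value)


def computed(phase, value):
    return Indicator("computed", phase, value)


def behavioural(phase, value):
    return Indicator("behavioural", phase, value)


def overlap_score(a, b):
    """Weighted count of indicators present in both sets."""
    return sum(WEIGHTS[i.kind] for i in a & b)


def link_campaigns(intrusions, threshold=LINK_THRESHOLD):
    """intrusions: list of (name, set_of_indicators) in chronological order.
    Returns (campaigns, assignment).  A campaign accumulates its members'
    indicators, so a later variant can match any earlier member's tooling."""
    campaigns = []
    assignment = {}
    for name, indicators in intrusions:
        best, best_score = None, 0.0
        for campaign in campaigns:
            score = overlap_score(indicators, campaign["indicators"])
            if score > best_score:
                best, best_score = campaign, score
        if best is not None and best_score >= threshold:
            best["members"].append(name)
            best["indicators"] |= indicators
        else:
            best = {"name": f"campaign-{len(campaigns) + 1}",
                    "members": [name], "indicators": set(indicators)}
            campaigns.append(best)
        assignment[name] = best["name"]
    return campaigns, assignment


# Constructed intrusions, oldest first.
INTRUSIONS = [
    ("intrusion-1", {
        atomic("delivery", "sender hr-updates@example.net"),
        computed("weaponization", r"regex /JavaScript.*eval\(unescape"),
        atomic("command_and_control", "203.0.113.7"),
        behavioural("command_and_control", "GET /update beacon every 60 s, then implant swap"),
    }),
    # same weaponizer and beacon behaviour; new sender and new C2 address
    ("intrusion-2", {
        atomic("delivery", "sender payroll@example.org"),
        computed("weaponization", r"regex /JavaScript.*eval\(unescape"),
        atomic("command_and_control", "203.0.113.8"),
        behavioural("command_and_control", "GET /update beacon every 60 s, then implant swap"),
    }),
    # shares only a C2 address with intrusion-1 (e.g. shared hosting): too weak to link
    ("intrusion-3", {
        atomic("delivery", "USB drop at site office"),
        computed("installation", "md5 of dropper (constructed value)"),
        atomic("command_and_control", "203.0.113.7"),
        behavioural("actions_on_objectives", "Modbus writes to PLC set points from engineering workstation"),
    }),
    # same dropper and same ICS objective behaviour as intrusion-3
    ("intrusion-4", {
        atomic("delivery", "USB drop at plant"),
        computed("installation", "md5 of dropper (constructed value)"),
        behavioural("actions_on_objectives", "Modbus writes to PLC set points from engineering workstation"),
    }),
]

if __name__ == "__main__":
    campaigns, assignment = link_campaigns(INTRUSIONS)
    for campaign in campaigns:
        print(campaign["name"], campaign["members"])
    print(assignment)
```

intrusion-2 joins campaign-1 on weaponizer plus beacon behaviour (weight 5) even though every atomic indicator changed; intrusion-3 shares one address with campaign-1 (weight 1) and opens campaign-2, which intrusion-4 then joins. Threshold and weights decide how willing the analyst is to merge on infrastructure alone, and both should be revisited as a campaign matures.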
ICS Cyber kill chain model

• Cyber attacks on industrial control systems (ICS) differ in impact based on a
number of factors, including the adversary’s intent, their sophistication and
capabilities, and their familiarisation with ICS and automated processes.

• The ICS Cyber Kill Chain is broken into two stages:
- Stage 1: Cyber intrusion preparation and execution
- Stage 2: ICS attack development and execution
ICS Cyber kill chain model: Stage 1

• Traditionally classified as espionage or an intelligence operation.

• Very similar to Lockheed Martin’s cyber kill chain model.

• Purpose:
- gain access to information about the ICS,
- learn the system,
- provide mechanisms to defeat internal perimeter protections or gain access to
production environments.
ICS Cyber kill chain model: Stage 1

• Can be a critical phase for the planning and execution of Stage 2.
• A significant amount of information about the ICS and the industrial process,
engineering and operations exists in Internet-facing networks such as corporate
or enterprise networks.
• An attacker may perform Stage 1 against a supplier or partner network to gain
the necessary information.
• Stage 1 can be bypassed in the case of Internet-facing ICS components.
• Stage 1 attacks can have unintended effects (e.g. port scanning can lead to
communication disruption) [3].
ICS Cyber kill chain model: Stage 2
Attack development and tuning

• The aggressor develops a new capability tailored to affect a specific ICS
implementation and for the desired impact.

• Difficult to detect.

• There may also be a significant lag between Stage 1 and Stage 2 operations
due to the need for prolonged development and testing time. This lag can
give the defender time to break the chain…
Validation

• The attacker tests his/her capability on similar or identically configured systems if the
capability is to have any meaningful and reliable impact.

• The adversary may acquire physical ICS equipment and software components.

• While it is difficult for most defenders to have insight into the ICS vendor community,
various government organisations can utilise their sources and methods to identify
unusual acquisitions of such equipment that may indicate a Stage 2 attack for an
already established Stage 1 operation.
ICS attack

• The adversary will deliver the capability, install it or modify existing system functionality,
and then execute the attack.

• The attack may have many facets (preparatory or concurrent attacks) that fall into the attack
categories of enabling, initiating or supporting to achieve their ultimate effect. These may
be necessary to trigger conditions needed to manipulate a specific element of the process,
initiate changes in process set points and variables or support the attack over time by such
tactics as spoofing state information to fool plant operators into thinking everything is normal
[3].
ICS attack

• The most common methods to achieve functional impact fall into three categories: loss,
denial and manipulation, applied to view, control, safety, and sensors and instruments:
- loss of view,
- denial of view,
- manipulation of view,
- denial of control,
- loss of control,
- manipulation of control,
- activation of safety,
- denial of safety,
- manipulation of safety, and
- manipulation of sensors and instruments.
Wider reading

• FireEye report: provides invaluable incident response insight (fireeye.com).

• Dragos report: provides necessary ICS context in regard to SIS operation
and adversary kill chain mapping (dragos.com).

• Schneider Electric security notification document: provides vendor
recommendations and a reference point for customers to pursue ongoing
discussions (schneider-electric.com).

• NCCIC malware analysis report: provides two execution flow diagrams and a
brief reference to some program capability regardless of key switch position
(https://us-cert.cisa.gov/ncas).
References

• [1] Hutchins, E.M., Cloppert, M.J. and Amin, R.M., 2011. Intelligence-driven computer
network defense informed by analysis of adversary campaigns and intrusion kill chains.
Leading Issues in Information Warfare & Security Research, 1(1), p.80.

• [2] Yadav, T. and Rao, A.M., 2015, August. Technical aspects of cyber kill chain. In
International Symposium on Security in Computing and Communication (pp. 438-452).
Springer, Cham.

• [3] https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
[Accessed on 24/02/2020]