The Cyber Kill Chain model
This week
Advanced: They are targeted. They may employ more than one attack method
and multiple spreading mechanisms to increase the probability of a successful
attack on the target.
Persistent: They operate in stealth mode for a prolonged period of time until
they reach the final target. Often they hide their actions from monitoring
software.
The six steps of an APT (FireEye [5])
1. The cyber criminal, or threat actor, gains entry through an email, network,
file, or application vulnerability and inserts malware into an organization's
network. The network is considered compromised, but not breached.
4. Once a threat actor determines that they have established reliable network
access, they gather target data, such as account names and passwords.
Even though passwords are often encrypted, encryption can be cracked.
Once that happens, the threat actor can identify and access data.
5. The malware collects data* on a staging server, then exfiltrates the data off
the network and under the full control of the threat actor. At this point, the
network is considered breached.
• New understanding of the intrusions themselves, not as singular events, but rather as phased
progressions [1].
Intelligence-driven computer network defence
• Kill chain analysis illustrates that the adversary must progress successfully through each
stage of the chain before it can achieve its desired objective; just one mitigation disrupts the
chain and the adversary [1].
• Objectives:
• Identify phases of intrusion.
• Map adversary kill chain indicators to defender courses of action.
• Identify patterns that link individual intrusions into broader campaigns.
• Understand the iterative nature of intelligence.
The Kill Chain model
• The United States Department of Defense describes the kill chain with the stages:
Find, Fix, Track, Target, Engage and Assess (F2T2EA)
• The fundamental element of intelligence in the Cyber Kill Chain model is the
indicator; any piece of information that objectively describes an intrusion.
• Atomic indicators are those which cannot be broken down into smaller
parts and retain their meaning in the context of an intrusion.
• Examples: 192.168.1.5, CVE-1999-0067
• Computed indicators are those which are derived from data involved in an
incident.
• Example:
• "the intruder would initially use a backdoor which generated network traffic
matching [regular expression] at the rate of [some frequency] to [some IP
address], and then replace it with one matching the [MD5 hash value] once
access was established"
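The computed indicator quoted above, turned into detection logic as an added example (not code from the original slides or from reference [1]): a small Python detector runs over constructed egress log lines and fires only when requests matching a regular expression reach a given rate to a given IP address, next to a plain atomic match on the IP alone. The log lines, regex, IP addresses and thresholds are all constructed values.

```python
import re
from collections import deque
from datetime import datetime

# Constructed egress log: "timestamp dst_ip request_path" (not real traffic)
SAMPLE_LOG = """\
2020-02-24T10:00:00 203.0.113.7 /update.php?id=4f2a
2020-02-24T10:00:30 203.0.113.7 /update.php?id=9c1e
2020-02-24T10:01:00 203.0.113.7 /update.php?id=77b0
2020-02-24T10:01:30 203.0.113.7 /update.php?id=a0d3
2020-02-24T10:05:00 198.51.100.2 /index.html
2020-02-24T10:06:00 203.0.113.7 /favicon.ico
"""

# Atomic indicator: a single value that keeps its meaning on its own (constructed IP).
ATOMIC_IP = "203.0.113.7"

# Computed indicator in the shape the slide quotes: traffic matching [regex]
# at [rate] to [IP address]. Regex, IP and thresholds are constructed values.
BEACON_INDICATOR = {
    "pattern": re.compile(r"^/update\.php\?id=[0-9a-f]{4}$"),
    "dst_ip": "203.0.113.7",
    "min_hits": 3,          # this many matches ...
    "window_seconds": 120,  # ... within a sliding window of this length
}

def parse_log(text):
    """Yield (datetime, dst_ip, path) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, ip, path = line.split()
        yield datetime.fromisoformat(ts), ip, path

def match_atomic(text, ip):
    """Atomic match: every line to the IP, including benign-looking ones."""
    return [(ts, path) for ts, dst, path in parse_log(text) if dst == ip]

def find_beacons(text, ind):
    """Computed match: return the timestamps of the first run of at least
    min_hits regex-matching requests to dst_ip inside window_seconds, else []."""
    hits = sorted(ts for ts, dst, path in parse_log(text)
                  if dst == ind["dst_ip"] and ind["pattern"].match(path))
    window = deque()
    for ts in hits:
        window.append(ts)
        while (ts - window[0]).total_seconds() > ind["window_seconds"]:
            window.popleft()
        if len(window) >= ind["min_hits"]:
            return list(window)
    return []
```

On the sample log the atomic match returns five lines (including the favicon request), while the computed indicator returns only the three-request beacon run, which is the precision the slide's quote is getting at.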
Indicator life cycle states and transitions
Intrusion Kill Chain
• Intrusion:
- aggressor must develop a payload to breach a trusted boundary,
- establish a presence inside a trusted environment,
- take actions towards their objectives (moving laterally inside the environment or violating
the confidentiality, integrity, or availability)
Intrusion Kill Chain - Reconnaissance

   Reconnaissance                         Type of Techniques   Techniques Used
1  Target Identification and Selection    Passive              Domain Names, whois, records from APNIC, RIPE, ARIN
2  Target Profiling
   (a) Target Social Profiling            Passive              Social Networks, Public Documents, Reports and Corporate Websites
   (b) Target System Profiling            Active               Pingsweeps, Fingerprinting, Port Scanning and services
3  Target Validation                      Active               SPAM Messages, Phishing Mails and Social Engineering
• Coupling a remote access trojan with an exploit into a deliverable payload, typically by
means of an automated tool (weaponizer).
• Client application data files such as Adobe Portable Document Format (PDF) or Microsoft
Office documents serve as the weaponised deliverable.
• Transmission of the weapon to the targeted environment. The three most prevalent
delivery vectors for weaponised payloads by APT actors are:
- email attachments,
- websites, and
- USB removable media.
• Defenders must be able to move their detection and analysis up the kill chain
and more importantly to implement courses of actions across the kill chain.
• Force an adversary to change every phase of their intrusion in order to
successfully achieve their goals; increase the cost for the adversary.
ICS Cyber kill chain model: Stage 1
• Purpose:
- gain access to information about the ICS,
- learn the system,
- provide mechanisms to defeat internal perimeter protections or gain access to
production environments.
• Difficult to detect.
• There may also be significant lag between Stage 1 and Stage 2 operations
due to the need for prolonged development and testing time. This lag can
give the defender time to break the chain…
Validation
• The adversary may acquire physical ICS equipment and software components.
• While it is difficult for most defenders to have insight into the ICS vendor community,
various government organisations can utilise their sources and methods to identify
unusual acquisitions of such equipment that may indicate a Stage 2 attack for an
already established Stage 1 operation.
ICS attack
• The adversary will deliver the capability, install it or modify existing system functionality,
and then execute the attack.
• The attack may have many facets (preparatory or concurrent attacks) that fall into the attack
categories of enabling, initiating or supporting to achieve their ultimate effect. These may
be necessary to trigger conditions needed to manipulate a specific element of the process,
initiate changes in process set points and variables or support the attack over time by such
tactics as spoofing state information to fool plant operators into thinking everything is normal
[3].
ICS attack
• The most common methods to achieve functional impact fall into three categories: loss, denial and manipulation.
- loss of view,
- denial of view,
- manipulation of view,
- denial of control,
- loss of control,
- manipulation of control,
- activation of safety,
- denial of safety,
- manipulation of safety and
- manipulation of sensors and instruments
Wider reading
• [1] Hutchins, E.M., Cloppert, M.J. and Amin, R.M., 2011. Intelligence-driven computer
network defense informed by analysis of adversary campaigns and intrusion kill chains.
Leading Issues in Information Warfare & Security Research, 1(1), p.80.
• [2] Yadav, T. and Rao, A.M., 2015, August. Technical aspects of cyber kill chain. In
International Symposium on Security in Computing and Communication (pp. 438-452).
Springer, Cham.
• [3] https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 [Accessed on 24/02/2020]