Disrupting the Cyber Kill Chain
You often hear the words “kill chain” or “cyber kill chain” when people talk about cyber attacks. Kill chain is just another way of saying “the cyberattack process.” In case you’re wondering, cyberattacks, data breaches, data theft, ransomware attacks and malware infections do not just happen by magic. They may occasionally gain success through sheer luck (for the attacker), but just as with all good development and production endeavors, there is a process that attackers follow to ensure the success of their attack. That process is referred to as the “cyber kill chain.”
The original cyber kill chain involves seven basic steps: it begins with reconnaissance of the intended victim, progresses through the development, weaponization, and delivery of an attack, and ends with the exploitation of some vulnerability to install the needed malware and execute the attack to achieve the attacker’s objective. The cyber kill chain defines the steps that an attacker must complete in order to achieve their objective, and an attack can be stopped or “killed” at any point in the chain. However, most people become aware of an attack, and start discussing it, only in the middle of the kill chain or, more worryingly, at its end. Consequently, the discussion of attacks usually begins with phrases like “the attacker sends a phishing email with a malicious file or link to the victim” or “the attacker exfiltrated the company’s trade secrets,” which completely miss the large amount of work, and potential damage, that the attacker has already done before these visible events.
Unsurprisingly, the vast majority of cybersecurity tools focus on these visible portions of the cyber kill chain. Effectively, they attempt to mitigate attacks after the attacker has already installed some malware or is otherwise far down the attack process. These tools also tend to focus on one type of attack and operate at one step of the kill chain: an anti-virus tool, for example, addresses malware at the installation and execution step. So not only are these tools effective only after the attacker has gotten into your network, but your organization is typically lacking cyber defense tools that protect at the earliest stages of the cyber kill chain.
If we can identify and stop attackers at the beginning of the cyber kill chain, we can greatly reduce our risk of becoming a victim. Stopping attackers during their early reconnaissance efforts and during the delivery attempts of their weaponized bundles, long before an exploit is used to gain access to our networks and before malware is downloaded to our systems, keeps both them and their malware outside of our network.
Identifying the Attackers
For brevity we’ll talk only about three types of threat actor, the insider, the outsider and the supply chain, because they capture three broad categories of cyber attacks and kill chains.
Many cyber attacks are a direct result of our own employees. Whether they are disgruntled, have recently been let go, or have been bribed to steal, disrupt, or damage operations – often our own people commit and initiate a cyber attack on our enterprises. Also, they unknowingly make mistakes that achieve the same result.
We should always be aware of and alert to what our own users are doing with network resources and our data. They gain access the minute you give them an account and permissions to data and resources on your enterprise. We can’t say for sure what percentage of cyberattacks are inside versus outside jobs, but some claim a little over 20% of all cyber security incidents are a result of insider threats. The concept of Zero Trust is founded on authenticating everyone and everything inside your network to reduce the insider threat, with the twist that it also assumes the outside threat is already inside your network (see our blog on inside-out).
The categories and names of outsider threats are so broad that we can’t cover them in one blog. They range from curious people learning cyber security skills and hacking techniques for the first time all the way up to fully funded and supported nation-state advanced persistent threat actors. The bottom line is that anyone outside your enterprise who does not have authentic, approved access to your data, network infrastructure and resources is considered an outsider threat. And we spend almost 110% of our time worried about this threat. We also spend an inordinate amount of money on cyber defense solutions and teams of people to protect us, our data and our networks from it.
There are two opposite effects of concern about outside threats. One is we may worry about them so much that we ignore the inside threat. The other is that we have too much faith in our cyber defense solutions and don’t worry enough about the outside threat. That’s what we paid for, right?
Supply chain is interesting because it initially begins as an outside threat. Someone on the outside has done something well in advance in order to be placed inside your network. Whether this is code embedded on chips, processors or components, or an intrusion into a service or update server belonging to one of the service providers and suppliers that you trust, they somehow eventually become a part of your internal infrastructure. There is a huge worry about Internet of Things (IoT) devices manufactured overseas having embedded code installed on their processors so that, once they are turned on, they immediately find a network and attempt to notify the foreign company that they are alive and listening for instructions. It’s also a concern when you trust your vendors’ update servers to be secure and to provide only certified, secure update files to your devices.
It’s possible those manufacturers simply need the ability to provide firmware updates, or need data tracking for marketing and customer support reasons. The problem is that if that IoT device is also connected to your network for device management reasons, it can provide a direct tunnel into your enterprise. What’s worse is that many of these devices rely on wireless technology and use your wireless access points for that connection. Again, a discussion about IoT security is for another article.
A real-world example of the kill chain in action
A common kill chain using the phishing email attack vector looks like this:
- Attacker does reconnaissance on your organization to gather data about you and your network
- Attacker embeds malicious script in a fake link to a website in a draft email. We call this weaponization.
- Attacker uses a spam email service to send draft (now actual) email to thousands of email addresses. This is the attacker’s delivery method.
- Employee uses company web browser to check personal web mail (that’s okay because most webmail uses a secured HTTPS connection on port 443 between the user and the webmail server).
- Employee receives deceiving phishing email in personal webmail and clicks the link. This begins the attacker’s exploitation cycle.
- Embedded malicious script in email now runs in victim’s RAM while the browser is open and sends notification to attacker’s command and control (C2) server that it is active and here (your employee’s workstation). You could say this is the initial or stage 1 installation of a downloader or use of the exploitation that makes the call back to the attacker’s C2 infrastructure.
- While employee is happily checking more email and working, leaving the browser open the whole time, the attacker’s C2 server is downloading malware to your workstation. Worse, the attacker may be live and now working directly on your workstation while your employee is doing their work. The initial downloader and next few potential steps to download additional malware or establish direct hands-on may take a few minutes, or could last days and weeks as the attacker would like to remain quiet and unseen on your network.
- Once the attacker or the attacker’s programs establish this positive connection, the attacker can start taking further actions against your workstation. And until detected, removed or blocked, the attacker will continue his efforts. The attacker is now actioning objectives on your network. This includes manipulating log files to hide his/her traces of activity, attempting to elevate privileges and so on, until they’re ready to really pull the pin on their cyber grenade. By this time they will start exfiltrating your data and/or installing and executing their ransomware programs to encrypt your network and extort their ransom.
What do the attackers have in common?
Interestingly, the insider, outsider and supply chain threat actors all have a feature in common, although in the insider’s case it may be more discreet. In all three scenarios, almost all the time, there are connections made in both directions to high-risk, low-reputation IP addresses or domains. That is, whether it’s outside-in traffic or inside-out traffic, there are connections that simply should not happen.
Pay attention to steps six through eight in the above kill chain. Outsider and most supply chain attacks eventually rely on a connection between a victim machine and the attacker’s malicious infrastructure “out there,” spread around the internet. These connections can often go undetected, or fail to trigger an alert, on your next generation firewalls because not every security solution can maintain risk rating information for every IP (around 8.5 billion of them) on the internet. Also, many IPs may look less suspicious because of who is hosting the IP, even though the activity on the IP is mostly suspicious.
The bottom line is that regardless of the threat actor’s attack vector, at some point, in order to continue the attack and place the necessary tools on your network for their purpose, there will be connections to IP space that shouldn’t happen.
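Steps six through eight of the kill chain above, and the “connections that shouldn’t happen” this paragraph describes, leave a trace in outbound proxy or firewall logs: a stage 1 downloader calling its C2 server usually does so on a timer, so the gaps between its connections are far more regular than a person clicking through webmail. The following is an added example, not code from the original post, that scores each (workstation, destination) pair in a log by how regular its connection intervals are. The log format, the hostnames, the addresses and the thresholds are all constructed or assumed for the example; the parser would be adapted to whatever your proxy actually emits.

```python
"""Detect a timer-driven call-back in outbound proxy logs (added example, not
from the original post).  Log format, hosts, addresses and thresholds are
constructed for illustration; adapt parse_log() to your own proxy format."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one workstation reading webmail at human pace while a
# script in the same browser calls back to an unknown host about every 60 s.
SAMPLE_LOG = """\
2024-01-15T09:00:03Z 10.0.5.23 mail.example-webmail.test 443 1843
2024-01-15T09:00:41Z 10.0.5.23 mail.example-webmail.test 443 9921
2024-01-15T09:01:00Z 10.0.5.23 cdn-update.example-c2.test 443 412
2024-01-15T09:02:01Z 10.0.5.23 cdn-update.example-c2.test 443 415
2024-01-15T09:02:37Z 10.0.5.23 mail.example-webmail.test 443 2210
2024-01-15T09:02:59Z 10.0.5.23 cdn-update.example-c2.test 443 409
2024-01-15T09:04:00Z 10.0.5.23 cdn-update.example-c2.test 443 418
2024-01-15T09:05:01Z 10.0.5.23 cdn-update.example-c2.test 443 411
2024-01-15T09:07:15Z 10.0.5.23 mail.example-webmail.test 443 1502
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dst_host, dst_port, bytes) for each log line.

    Assumed line layout: ISO-8601 UTC timestamp, source IP, destination host,
    destination port, bytes sent, separated by whitespace.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               src, dst, int(port), int(nbytes))


def find_beacons(text, min_hits=4, max_jitter=0.15):
    """Return {(src_ip, dst_host): stats} for pairs that connect on a
    suspiciously regular schedule.

    max_jitter is the coefficient of variation (stdev / mean) of the gaps
    between successive connections.  A person clicking around in webmail
    produces a large CV; a sleep(60)-style call-back produces a tiny one.
    Both thresholds are assumptions to tune against your own traffic.
    """
    times = defaultdict(list)
    for ts, src, dst, _port, _nbytes in parse_log(text):
        times[(src, dst)].append(ts)

    findings = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue                      # too few samples to judge a rhythm
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_jitter:
            findings[pair] = {"hits": len(stamps), "mean_gap_s": avg, "cv": cv}
    return findings


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} "
              f"({stats['hits']} hits, every ~{stats['mean_gap_s']:.0f}s, "
              f"cv={stats['cv']:.3f})")
```

In the constructed sample the webmail host is contacted four times at irregular intervals and is ignored, while the unknown host is contacted five times at roughly 60-second gaps and is reported. A regularity score alone is only a lead: pair it with the destination’s reputation and with the allow-list check discussed in the next section before blocking anything, and expect real downloaders to add jitter, which is why the threshold is a tunable rather than a constant.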
What you can do
Every organization should first recognize that it is only a matter of time before their domain is under attack, if it’s not already. And there’s a fair chance you have an insider threat situation already.
One key action you should take to protect your organization is real-time, bidirectional packet inspection of 100% of all packets entering and leaving your enterprise.
Many don’t like to think about blacklisting, IP blocking, or domain blocking; however, a different approach with a better effect is whitelisting. Instead of blocking all the bad (of which there is too much), allow network traffic only to trusted, known-good domains and IP space. And even if you think you’ve done this right, you should still packet inspect 100% of the packets 100% of the time.
Even in what you consider white or good space, an IP’s reputation status can change suddenly and without notice, based on who is registering what or on what other threat hunters are reporting about suspicious activity they see in that white space. Remember, it’s also white space that threat actors compromise and use to disguise their activities.
Many are unaware of a capability that can monitor and inspect all packets 100% of the time without introducing latency to network traffic where speed is time and time is money. Many are hesitant to use IP blocking in fear they’ll inadvertently cut themselves off from important partner or client space. However, if you can prevent the threat actor’s initial Stage 1 call back to his/her C2 or Stage 2 download infrastructure, you’re simply rendering their attack as a one-way dead-end failed attempt.
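The policy described in this section, default-deny egress to anything not on a known-good list, plus a reputation re-check of every flow in both directions because “white” space can turn bad, is easy to state but worth seeing as a decision function. The following is an added example, not code from the original post or from any product, that evaluates constructed flow records against a constructed allowlist and a constructed reputation feed, and then shows the same allowlisted destination being denied after the feed flags it. The address ranges are the RFC 5737 documentation ranges and the hostnames are invented; how inbound traffic is handled beyond the reputation check is an assumption of the example.

```python
"""Default-deny egress allowlist with a reputation re-check on every flow
(added example, not from the original post).  Allowlist, reputation feed and
flow records are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    direction: str          # "outbound" or "inbound" relative to our network
    local_ip: str
    remote_ip: str
    remote_host: str = ""   # SNI / resolved name when known, else ""


# Constructed allowlist: the only remote space our hosts may talk to.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # e.g. partner/vendor space
ALLOWED_DOMAINS = {"mail.example-webmail.test", "updates.example-vendor.test"}

# Constructed reputation feed: remote IP or host -> risk label.  In practice
# this is refreshed continuously, which is exactly why the check is repeated
# on every flow and not only when the allowlist is built.
REPUTATION = {"198.51.100.7": "high-risk"}


def is_allowlisted(flow):
    """True if the remote side is inside an allowed net or allowed domain."""
    ip = ipaddress.ip_address(flow.remote_ip)
    if any(ip in net for net in ALLOWED_NETS):
        return True
    host = flow.remote_host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def evaluate(flow, reputation=None):
    """Return (verdict, reason) for one flow.

    Order matters: reputation is checked first so that an allowlisted
    destination whose reputation has since gone bad is still denied.
    Inbound flows are only reputation-checked here (an assumption of the
    example; other inbound controls are out of scope).
    """
    feed = REPUTATION if reputation is None else reputation
    risk = feed.get(flow.remote_ip) or feed.get(flow.remote_host.lower())
    if risk == "high-risk":
        return ("deny", "high-risk reputation (even if allowlisted)")
    if flow.direction == "outbound" and not is_allowlisted(flow):
        return ("deny", "destination not on allowlist")
    return ("allow", "allowlisted and reputation clean")


def triage(flows, reputation=None):
    """Evaluate a batch of flows; returns a list of (verdict, reason)."""
    return [evaluate(f, reputation) for f in flows]


# Constructed flows: a legitimate vendor update, the stage-1 call-back from
# the kill chain above, and an inbound connection from a known-bad address.
SAMPLE_FLOWS = [
    Flow("outbound", "10.0.5.23", "203.0.113.10", "updates.example-vendor.test"),
    Flow("outbound", "10.0.5.23", "192.0.2.44", "cdn-update.example-c2.test"),
    Flow("inbound", "10.0.5.23", "198.51.100.7"),
]


if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, triage(SAMPLE_FLOWS)):
        print(f"{verdict:5} {flow.direction:8} {flow.remote_ip:15} {reason}")

    # The vendor address is later flagged by the feed: the same flow that was
    # allowed a moment ago is now denied without touching the allowlist.
    updated = dict(REPUTATION, **{"203.0.113.10": "high-risk"})
    print("after reputation change:", evaluate(SAMPLE_FLOWS[0], updated))
```

The point of the ordering in evaluate() is the one the section makes: the allowlist decides who you intend to talk to, but the reputation feed is consulted on every flow regardless, so a compromised partner or vendor address is cut off as soon as the feed changes rather than at the next allowlist review.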