To detect and defend against cyberattacks earlier, you need to understand the attackers’ objectives and approach and build defenses accordingly. The Lockheed Martin Cyber Kill Chain is a multi-step model for analyzing attacks and building defenses along with the attack steps.
Cyber Kill Chain – Basics, Application, and Development
Detecting and disabling attackers is not just a cybersecurity goal. Military defense aims to do the same. One model of military defense is the so-called kill chain, the attack chain that should lead to the destruction of the attack target. With this model, attacks are structured and broken down into individual steps. Steps of an attack can be: Determining the target, locating the target, observing the target, choosing weapons suitable for the target, applying the weapons, and monitoring success by examining the attacked target.
For each step, such a model considers what the attacker’s objectives are in that step and what attack methods he can use to achieve his objectives. On this basis, the appropriate defensive methods can be defined for each attack step. The key here is that the attacker’s perspective determines the model, not the defenses.
In 2011, Lockheed Martin, which is also active in the defense sector, transferred the kill chain model to cyber security. Here, the model bears the now trademarked name “Lockheed Martin Cyber Kill Chain.”
Components of the Cyber Kill Chain
Just like the military kill chain, the Lockheed Martin Cyber Kill Chain provides for multiple stages of the attack. These stages map the structure and sequence of an attack. For each stage, the model indicates what activities attackers undertake so that you can set up your defenses accordingly. In the case of the Cyber Kill Chain, the stages are:
RECONNAISSANCE (Identify the Targets).
Attacker: searches for his target, collects information about the target (email addresses, data from social networks, information about companies and IT systems).
Defense: Minimizes publicly viewable information, evaluates access to websites and servers to uncover suspicious search activity.
WEAPONIZATION (Prepare the Operation).
Attackers: Assembles the appropriate attack tools (malware, exploit).
DEFENSE: Looks for traces of attack attempts, analyzes discovered malware, checks the typical purpose of the discovered malware.
DELIVERY (Launch the Operation).
Attacker: Launches attack, distributes malware (e.g. via email, USB stick, social media, contaminated websites).
Defense: Monitors potential attack routes, analyzes detected attacks (IT forensics) to better understand targets and intentions.
EXPLOITATION (Gain Access to Victim).
Attacker: Wants to exploit vulnerability (hardware, software, user), entices users to participate (social engineering).
Defense: Eliminates vulnerabilities, makes users aware.
INSTALLATION (Establish Beachhead at the Victim).
Attacker: Installs and hides malware, attaches backdoor.
Defense: Checks installations, activities, certificates and permissions, blocks suspicious actions.
COMMAND & CONTROL (C2) (Remotely Control the Implants).
Attacker: Searches and opens communication channels to remotely control malicious functions.
Defense: Investigates malware activity to detect and block communication channels.
ACTIONS ON OBJECTIVES (Achieve the Mission’s Goal).
Attacker: Abuses access and privileges, attempts to gain additional privileges, manipulates and destroys data and systems, steals information.
Defense: Looks for suspicious activity, performs forensic analysis, launches contingency program, attempts to contain damage.
Benefits of the Cyber Kill Chain.
Cyber attacks are becoming increasingly complex, so it’s important to bring structure to the flow of attacks in order to structure and organize defenses. This is where a model like the Lockheed Martin Cyber Kill Chain helps. Although the Cyber Kill Chain is several years old, it can be applied to more than just classic malware attacks. It can also be used to map advanced persistent threats (APTs) and break them down into steps.
While according to the model the attacker has to go through the complete process to gain the target, the defense can try to interrupt the cyber kill chain at each stage and thus stop the attack. Nevertheless, it is necessary to actually build the defense in multiple stages, because at each stage the attacker can already cause damage. The earlier the attack can be detected and stopped, the less damage can be expected.
Based on the cyber kill chain, companies can analyze their existing defenses by assigning solutions to the individual stages and thus identify potential gaps in their cyber defenses. Even the functions of individual security solutions can be assigned to the various stages of the Cyber Kill Chain. This makes it possible to identify whether the security functions used to represent the necessary multi-stage approach to defense.
An approach based on the cyber kill chain also has the positive consequence that the defense is more strongly oriented toward analysis and experience. The defense looks for attack patterns and learns from detected attacks. Companies are building their own security intelligence as a result.
Correct use of the cyber kill chain
Security intelligence or threat intelligence is considered a core element of modern cyber defense. Accordingly, so-called threat intelligence platforms are increasingly being used to help security analysts detect, assess, and defend against cyber attacks.
A model such as Lockheed Martin Cyber Kill Chain aids in the use of threat intelligence platforms by allowing priorities for finding a suspicious activity to be derived from the model. If an attack is detected at one stage of the Cyber Kill Chain, special priority can be given to searching for expected follow-on activity for the next stage. The Cyber Kill Chain can thus help to find the right levers in cyber defense and to use them properly.
Current further development
Critical to security intelligence is sharing threat intelligence with other organizations. The Lockheed Martin Cyber Kill Chain has informed the development of related standards and exchange formats for security intelligence such as STIX (Structured Threat Information eXpression).
Security reports such as the Annual NTT Global Threat Intelligence Report (GTIR) use the stages of the Cyber Kill Chain as reference points to indicate, for example, what percentage of attack activity was detected at which stage of the attack and what defensive measures to apply at that stage.
The Lockheed Martin Cyber Kill Chain has also received criticism in recent years that it is too focused on malware attacks and the process of a system intrusion. Some critics say that focusing defenses too much on the cyber kill chain is dangerous because it then ignores other avenues of attack.
In principle, however, the Lockheed Martin Cyber Kill Chain is welcomed as an aid to defense. There are also variations of the cyber kill chain, for example, to map insider attacks and to be able to respond better (internal kill chain). Insider attacks can exploit insider information and privileges for attacks that external attackers must first obtain.
