Lockheed Martin Cyber Kill Chain
- 4th Sep, 2020
- 15:19 PM
An organization's data and internal security information often include confidential documents that put the organization at considerable risk if they fall into the wrong hands. Most cyber crimes that involve a violation of privacy are eventually traced, but by the time that happens, major damage has already been done. The LM Cyber Kill Chain helps a target organization stop such crimes at the various stages of the attack process. It is a systematic process that enables the target organization not only to prevent the damage from happening but also to identify the attacker properly.
What is LM Cyber Kill Chain?
The Lockheed Martin Cyber Kill Chain is a model formulated to identify and prevent cyber intrusion activity. As Hallberg (2020) comments, the model tackles adversaries at the different stages of their operations. It helps defenders follow adversaries and the intentions behind their operations, and therefore leads to a better understanding of them. National security systems depend heavily on such cyber protection techniques to secure confidential information that would otherwise be at risk of falling into the wrong hands.
The cyber kill chain focuses on understanding the stages involved in conducting an attack. This gives security teams a better hold over the attack, since attackers follow an eight-stage process to carry it out completely (Khan et al. 2018). Because the model allows security teams to stop the attack at any stage, it is a foolproof way to gain access to all the necessary details about the attacker. Gathering these pieces of information is important because it helps stop further such attacks and supports the other safety measures that can be taken.
Attackers usually have specific targets and goals: obtaining a particular kind of information or data that is of importance to them. As observed by Dargahi et al. (2019), throughout the hacking process they often also try to gain further resources, whether monetary or personnel. This puts at risk organizations that largely depend on varied passwords and other adaptive defense measures. For this reason most organizations try to create a more resilient strategy to protect the confidential information they accumulate over time.
Stages of attack
The whole cyber kill chain consists of a series of steps capable of tracing the different stages of a cyber attack, from the reconnaissance stages at the beginning to the exfiltration of data and information at the end. The kill chain has been structured to help us comprehend and combat ransomware, advanced persistent attacks (APAs) and security breaches.
The kill chain has a few core stages. It starts with reconnaissance, generally considered the first step in a malware attack, continues through lateral movement, in which the attacker moves laterally through the system and network to reach important data, and ends with data exfiltration, meaning getting the data out (Koch and Golling, 2019). Every existing attack component and vector, whether phishing, a recent strain of malware or a brute-force attempt, can trigger some activity on this cyber kill chain. The model consists of eight stages, each with a distinct function relating to a specific type of activity in the overall cyber kill chain, regardless of whether the source of the attack is internal or external. The stages are as follows –
Reconnaissance
This is the primary stage, in which the attacker gathers all available information about the target organization. The attacker uses automated scanners to investigate the target's security system. It is an observation stage: the attacker evaluates the scenario from the outside in order to identify the target and develop a strategy and the measures needed for the attack.
Intrusion
After the first stage of identifying and understanding the system, the intrusion stage begins and the attackers start attempting to get inside it. Means such as social engineering emails and external remote services are often used at this stage to start the intrusion (Lee, 2018). This stage builds largely on the data observed and discovered in the previous stage, which helps the attacker gain access to the system, typically by leveraging security or malware weaknesses.
Exploitation
This is the stage in which the attackers attempt to exploit the information or data they are targeting. The target organization can try to stop the attack here, because the exploitation starts at this point. Exploitation can occur at various levels depending on the organization's database. The stage can be described as the act of exploiting vulnerabilities to deliver malicious code into the system in order to achieve a better and stronger foothold.
Privilege escalation
In the privilege escalation stage, the attacker tries to gain privileges over other accounts or information. In doing so, the attacker looks for unsecured credentials for future use. This additional information often helps attackers traverse the encrypted network and change permissions and confidential passwords, blocking the target organization's own access. However, the model allows countermeasures to be taken at each of these stages to stop the attack.
Lateral movement
Hijacking is one of the most important phenomena of lateral movement from the attacker's end. At this stage, attackers try to take over confidential information and gain access to accounts that contain sensitive data (Nguyen, 2017). This may take place through other user accounts simultaneously. Once inside the system, attackers can perform their malicious acts and move laterally to other systems and accounts to gain more leverage, whether in the form of more data, higher security permissions or greater access to systems and accounts.
Obfuscation / Anti-forensics
This stage often involves installing malware on the target's systems that will allow the attackers access even after the current operation ends. In other words, through this malware the adversary can control activities without alerting the organization. The Obfuscation or Anti-forensics stage also takes place here. It is the act of successfully pulling off a cyber attack while covering the attackers' tracks and history. To do so, they generally lay deceptive trails, clear logs to confuse the system owner, compromise data or obstruct the forensics teams.
Denial of service
At this stage the adversaries have overall control over the assets of the target organization through channels such as DNS, Internet Control Message Protocol (ICMP) and social networks. This control involves mechanisms such as screen captures and keystroke monitoring. The purpose of this stage is to disrupt users' normal access to the system so that the attack cannot be blocked, monitored or tracked.
Exfiltration
This is the last stage, in which the attackers exfiltrate the data they have hijacked so that the organization cannot find out what the hack involved. The entire CKC process is in fact repeated once the adversary enters the network, and the internal operations may vary the next time. At this stage, attackers generally collect, copy, transfer or move the important data to an external location under their control, where they use it for their own purposes. They can ransom it, sell it on various sites or send it to WikiLeaks (Red, 2016). Normally it takes a long time to get the data and information out, but once it is out, it is beyond the user's control.
The cyber kill chain encompasses a wide array of approaches put forward by different security vendors. From Gartner to Lockheed Martin, every company defines the stages of the kill chain differently. Alternative models built on the cyber kill chain merge some of the steps mentioned above into a C2 stage, also known as the C&C or Command and Control stage, and the remaining steps into an Actions on Objectives stage (Pols and van den Berg, 2017). Other companies merge intrusion and exploitation into a single entry stage.
Given the above breakdown of stages, the cyber kill chain is designed to track the active stage of a security breach. Each stage requires a particular tool or instrument to detect an attack from an external source. Varonis, for example, has threat models to identify attacks at every stage of the kill chain. These monitors detect attacks at different stages, namely at entry, at exit and at points in between. They monitor perimeter activity such as Proxy, VPN and DNS, helping to guard the primary ways into and out of the system. By monitoring user activity and file behavior, Varonis can detect malicious activity at every stage of the cyber kill chain, from malware behavior to Kerberos attacks.
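The monitoring described above can be made concrete. The following Python script is an added example for this article, not Varonis code and not part of the Lockheed Martin model: it runs three simple detections over constructed DNS, proxy and file-access records and tags each alert with the stage name this article uses. The record layouts, the hostnames, the users, the `.corp.test` internal suffix and every threshold are assumptions. The fixed-interval DNS query is tagged with the article's "Denial of service" stage because that is where the text places the DNS control channel; most other descriptions of the kill chain call that stage command and control.

```python
"""Stage-tagged detections over constructed log records.

Added example for this article: it is not Varonis code and not part of the
Lockheed Martin model. Record layouts, hostnames, users and thresholds are
all assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_SUFFIX = ".corp.test"   # assumed internal DNS suffix

# Constructed DNS log: (timestamp in seconds, client IP, queried name).
# 10.0.0.5 resolves one external name every 60 s; 10.0.0.7 is ordinary use.
DNS_LOG = [(t, "10.0.0.5", "update.example-cdn.test") for t in range(0, 360, 60)] + [
    (17, "10.0.0.7", "mail.corp.test"),
    (412, "10.0.0.7", "intranet.corp.test"),
    (733, "10.0.0.7", "mail.corp.test"),
]

# Constructed proxy log: (user, destination host, bytes sent outbound).
PROXY_LOG = [
    ("alice", "sharepoint.corp.test", 48_000),
    ("alice", "news.example.test", 12_000),
    ("bob", "paste-site.example.test", 950_000_000),
]

# Constructed file-access log on a sensitive share: (user, path).
FILE_LOG = [("alice", "/finance/q3.xlsx"), ("alice", "/finance/q4.xlsx")] + [
    ("bob", f"/finance/report-{n}.xlsx") for n in range(12)
]


def detect_dns_beaconing(dns_log, min_queries=5, max_jitter=0.1):
    """Flag (client, name) pairs resolved at nearly constant intervals.

    A host resolving one external name on a fixed timer is a classic
    control-channel pattern. The article places the DNS control channel in
    its 'Denial of service' stage, so that is the tag used here.
    """
    per_pair = defaultdict(list)
    for ts, client, name in dns_log:
        if not name.endswith(INTERNAL_SUFFIX):
            per_pair[(client, name)].append(ts)
    alerts = []
    for (client, name), stamps in per_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative spread of the gaps means a regular beacon.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append(("Denial of service", client,
                           f"{name} queried every ~{avg:.0f}s ({len(stamps)} times)"))
    return alerts


def detect_outbound_volume(proxy_log, threshold_bytes=500_000_000):
    """Flag users whose total outbound bytes to external hosts exceed a threshold."""
    per_user = defaultdict(int)
    for user, host, sent in proxy_log:
        if not host.endswith(INTERNAL_SUFFIX):
            per_user[user] += sent
    return [("Exfiltration", user, f"{total} bytes sent externally")
            for user, total in per_user.items() if total > threshold_bytes]


def detect_file_fanout(file_log, max_distinct=10):
    """Flag users touching more distinct sensitive files than the assumed baseline."""
    per_user = defaultdict(set)
    for user, path in file_log:
        per_user[user].add(path)
    return [("Lateral movement", user, f"{len(paths)} distinct sensitive files")
            for user, paths in per_user.items() if len(paths) > max_distinct]


def run_detections(dns_log=DNS_LOG, proxy_log=PROXY_LOG, file_log=FILE_LOG):
    """Run every detector and return alerts tagged with the article's stage names."""
    return (detect_dns_beaconing(dns_log)
            + detect_outbound_volume(proxy_log)
            + detect_file_fanout(file_log))


if __name__ == "__main__":
    for stage, subject, detail in run_detections():
        print(f"[{stage}] {subject}: {detail}")
```

The thresholds here are placeholders; in practice each one is set from a baseline of the organization's own traffic, and the value of tagging alerts by stage is that an analyst can see whether one host or user is progressing along the chain rather than triaging each alert in isolation.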
Critical analysis of the model
Understanding and analyzing the LM kill chain model as a concept allows a more practical approach to establishing a detection program. It requires understanding the methodical ways of attackers and hence the best points at which to detect their activities (Dimitriadis et al., 2020). This typically leads to defense mechanisms being placed at particular stages in the flow of data within the system or network.
The term kill chain originally described a military concept of “target identification, force dispatch to target, decision and order to attack the target and the destruction of the target.” In information technology and security, a kill chain defines a structured, systematic process to target and engage an adversary to create desired effects; Lockheed incorporated the term into the context of information security. Identifying and understanding the stages of a cyber attack enables better protection and response. In the event of a cyber attack, the kill chain serves to disrupt or deny the attacker's progress by detecting, mitigating and preventing the activity (Martínez-Lozano and Atencio-Ortiz, 2019).
The cyber kill chain is a circular and complicated process in which the attacker repeatedly moves laterally inside the established system, making it difficult for the tracker to follow their movements. Since the goal remains to obtain as much information as possible within a limited time, the attacker spreads out to other systems, leaving footprints for the tracker. This complicated process is called the extended cyber kill chain, which combines the external and internal cyber kill chains.
This process adds multiple steps, including internal reconnaissance and internal weaponization. In this way the attacker buys more time by plotting and repeatedly deploying malware. However, proper identification can interrupt the whole process and hinder the attackers. Since most of these stages involve no direct connection with the attacker, the organization must be even more careful about the security measures applied to the software it has installed, including proper supervision of the applications and systems running on its devices.
In internal reconnaissance, the attackers have entered the periphery of the target organization's systems. It is therefore equally important to have safety measures that prevent such action in the first place. Important measures include implementing layered security to reduce the chance of threats slipping through undetected. Creating policies for dealing with malware incidents is also helpful and should be done continuously by security analysts. Mapping other defense strategies should also be a priority for an organization's security teams. Extended CKC models have the capacity to prevent, detect and disrupt incidents without much delay (Nguyen, 2017). However, this is considered harder to do, because the applications developed today are increasingly complex and interconnected. While most people look at the technical errors that might occur, it has often been observed that some kind of insider information leads to the exploitation of such data. In such cases, the attackers have inside information about all the systems of the target organization, making it almost impossible to detect them. The confidentiality of such matters thus becomes an important factor governing the tactics and techniques adopted by the attackers.
There are many kinds of malware, both known and unknown, which makes detecting such a complex phenomenon a difficult task for the organization's security teams. In such cases, continuous and critical study of the whole situation can often yield major leads in detecting the attacking malware. Cloud-based systems are often vulnerable to being affected, and this needs the in-depth involvement of a technician to understand the behavior and pattern of the attacker and of the system involved.
The LM cyber kill chain was developed from the concept of defense in depth security strategies. The prevailing idea behind defense in depth is that no single security measure can fully protect a computerized system or network. Companies therefore set up a series of technical, administrative and physical layers of protection intended to function in concert to establish an acceptable security posture. Although 100% mitigation of risk is not possible, defense in depth focuses on layered security, keeping in mind that deploying several layers at different points in the flow of data may provide a better defense by preventing, mitigating or disrupting the attack. In this regard, the strengths and weaknesses of the cyber kill chain need to be analyzed.
The LM cyber kill chain offers users a wide range of advantages, which are listed below -
• It is able to track the structure of the cyber attack, from the beginning to the end,
• It alerts the users regarding the slightest hint of any invasion of a foreign component,
• Using this cyber kill chain, the security managers of different organizations gain distinct layers of security protection,
• By the deployment of security and defensive tools and techniques at each of the steps, efficient and in-depth security architecture can be implemented,
• The LM cyber kill chain can also be used for the checking and verification of the existing security infrastructure,
• By going through each step of the kill chain model, the effectiveness of the existing defenses can be compared and assessed.
Although the LM cyber kill chain provides a wide array of advantages and solutions to users against cyber attacks, it also has some weaknesses and threats, discussed below -
• It does not necessarily ensure 100 percent security and resistance against cyber attacks,
• It cannot resist an attack from internal sources such as the organization's own employees.
The structure of the cyber kill chain, based on defense in depth, can be explained through the structure of a medieval castle. Guarding a castle is based on an inside-out approach: the important assets are located at the very center, surrounded by other layers of security such as rooms, walls, towers, guards and gates to keep them safe from any external risk. The same mechanism is followed in the structure of a cyber kill chain. As developed by Lockheed Martin, the cyber kill chain is designed to help organizations develop defense in depth measures to prevent and resist advanced persistent threats by structuring controls around the steps the attacker has to go through for a successful attack on the system (Hallberg, 2020). The chain provides a range of control implementations, as listed below -
• Detect - Determination of the time and the way of the attack and related performance against the system or the organization.
• Deny - Stopping the attack from taking place within the system by preventing the disclosure of data and unauthorized access.
• Disrupt - Disruption of the flow of the data and information to the attacker.
• Degrade - Limitation of the efficiency or effectiveness of the attacker.
• Deceive - Interference with an attack through misinformation or misdirection.
• Contain - Limitation of the scope of the attacker to specific points of the system or the network. (Zeng and Germanos, 2019)
This model plays a very important role in avoiding the exploitation and theft of confidential information and in preventing further losses for the target organization. Security analysts get a better picture of the entire process, which helps them track all the relevant events occurring at the same time. This helps in detecting advanced persistent threats and other attacker techniques related to the actual breach. The LM Cyber Kill Chain has the resources and capacity to detect reconnaissance activity, since it shows up as irregular network traffic, thereby alerting the target organization. It is therefore safe to say that modern techniques like these help secure the confidentiality of an organization by detecting infiltrators in the process. The model thus appears to be quite a secure one, given all the intricacies involved and maintained in it.
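The claim that reconnaissance shows up as irregular network traffic, and the earlier description of the reconnaissance stage as automated scanning of the target, can be illustrated with a small detector. The Python below is an added example, not part of the Lockheed Martin model or any vendor tool: it slides a time window over constructed connection records and flags a source that probes many ports on one host (a vertical scan) or one port on many hosts (a horizontal scan). The record layout, the window size, the thresholds and the addresses are all assumptions.

```python
"""Flag reconnaissance-like scanning in constructed connection records.

Added example for this article, not part of the Lockheed Martin model or any
vendor product. Record layout, window size, thresholds and addresses are
assumptions.
"""
from collections import defaultdict

WINDOW_SECONDS = 60        # assumed sliding window
MAX_PORTS_PER_HOST = 15    # distinct ports one source may touch on one host per window
MAX_HOSTS_PER_PORT = 20    # distinct hosts one source may touch on one port per window

# Constructed flow records: (timestamp, src, dst, dst_port, tcp_flags).
# 10.0.0.50 probes 40 ports on one server within 20 s (vertical scan).
# 10.0.0.60 probes port 445 on 30 hosts within 30 s (horizontal scan).
# 10.0.0.7 is ordinary traffic: a few HTTPS connections spread over time.
FLOWS = (
    [(t * 0.5, "10.0.0.50", "10.0.1.10", 1 + t, "S") for t in range(40)]
    + [(t, "10.0.0.60", f"10.0.1.{100 + t}", 445, "S") for t in range(30)]
    + [(5, "10.0.0.7", "10.0.1.10", 443, "S"),
       (9, "10.0.0.7", "10.0.1.11", 443, "S"),
       (700, "10.0.0.7", "10.0.1.10", 443, "S")]
)


def detect_scans(flows, window=WINDOW_SECONDS,
                 max_ports=MAX_PORTS_PER_HOST, max_hosts=MAX_HOSTS_PER_PORT):
    """Return sorted (kind, source, peak fan-out) tuples for scanning sources.

    For every source, each connection attempt opens a window of `window`
    seconds; within it we count distinct ports per destination host and
    distinct hosts per destination port. Exceeding either threshold is the
    'irregular network traffic' of the reconnaissance stage.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, flags in flows:
        if "S" in flags:              # connection attempts only (SYN)
            by_src[src].append((ts, dst, port))

    alerts = {}                       # (kind, src) -> highest fan-out seen
    for src, recs in by_src.items():
        recs.sort()
        for i, (start, _, _) in enumerate(recs):
            ports_by_host = defaultdict(set)
            hosts_by_port = defaultdict(set)
            for ts, dst, port in recs[i:]:
                if ts - start >= window:
                    break
                ports_by_host[dst].add(port)
                hosts_by_port[port].add(dst)
            vertical = max(len(p) for p in ports_by_host.values())
            horizontal = max(len(h) for h in hosts_by_port.values())
            if vertical > max_ports:
                key = ("vertical scan", src)
                alerts[key] = max(alerts.get(key, 0), vertical)
            if horizontal > max_hosts:
                key = ("horizontal scan", src)
                alerts[key] = max(alerts.get(key, 0), horizontal)
    return sorted((kind, src, n) for (kind, src), n in alerts.items())


if __name__ == "__main__":
    for kind, src, n in detect_scans(FLOWS):
        print(f"[Reconnaissance] {src}: {kind}, fan-out {n} within {WINDOW_SECONDS}s")
```

Authorized vulnerability scanners and monitoring systems produce exactly this pattern, so in practice the detector is paired with an allow-list of known scanner addresses, and the thresholds are chosen from the organization's own baseline rather than the round numbers used here.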
References
- Dimitriadis, A., Ivezic, N., Kulvatunyou, B. and Mavridis, I. (2020). D4I - Digital forensics framework for reviewing and investigating cyber attacks. Array, 5, p.100015.
- Hallberg, J. (2020). Event-driven Analysis of Cyber Kill Chain.
- Khan, M.S., Siddiqui, S. and Ferens, K. (2018). A cognitive and concurrent cyber kill chain model. In Computer and Network Security Essentials (pp. 585-602). Springer, Cham.
- Lee, A. (2018). Nevermore Security. Accessed from: https://www.nevermoresecurity.com/wp-content/uploads/2018/03/ICS_Cybersecurity-Strategy_Paradigm_White-Paper_March2018.pdf
- Martínez-Lozano, J.E. and Atencio-Ortiz, P.S. (2019). Creation of a DDOS attack using HTTP-GET Flood with the Cyber Kill Chain methodology. Iteckne, 16(1), pp.41-47. Accessed from: http://www.scielo.org.co/scielo.php?script=sci_arttext&pid=S1692-17982019000100041
- Nguyen, T.N. (2017). Attacking Machine Learning models as part of a cyber kill chain. arXiv preprint arXiv:1705.00564. Accessed from: https://arxiv.org/pdf/1807.10446
- Pols, P. and van den Berg, J. (2017). The Unified Kill Chain. CSA Thesis, The Hague, pp.1-104. Accessed from: https://www.csacademy.nl/images/scripties/2018/Paul_Pols_-_The_Unified_Kill_Chain_1.pdf
- Dargahi, T., Dehghantanha, A., Bahrami, P.N., Conti, M., Bianchi, G. and Benedetto, L. (2019). A cyber-kill-chain based taxonomy of crypto-ransomware features. Journal of Computer Virology and Hacking Techniques, 15(4), pp.277-305. Accessed from: https://link.springer.com/article/10.1007/s11416-019-00338-7
- Zeng, W. and Germanos, V. (2019). Modelling Hybrid Cyber Kill Chain. In PNSE@Petri Nets/ACSD (pp. 143-160). Accessed from: https://pdfs.semanticscholar.org/f5cb/1f80c669562d3dd61b4dcbc6410a5d015c62.pdf
- Koch, R. and Golling, M. (2019). Silent Battles: Towards Unmasking Hidden Cyber Attack. In 2019 11th International Conference on Cyber Conflict (CyCon), May (Vol. 900, pp. 1-20). IEEE. Accessed from: https://www.ccdcoe.org/uploads/2019/06/Art_29_Silent-Battle.pdf
- Van den Berg, J. (2017). The Unified Kill Chain. Accessed from: https://www.csacademy.nl/images/scripties/2018/Paul-Pols---The-Unified-Kill-Chain.pdf
- Red, V. (2016). Expanding the cyber kill chain for embedded system architectures. Accessed from: https://val-red.com/static/red-val-expanding-the-cyber-kill-chain-for-embedded-system-architectures.pdf