SecureState Blog


Like most areas of study, there are certain analogies that we learn as students that stick with us for the rest of our careers. In medical school, you might learn to associate the circulatory system with a tree and its branches; likewise, a chemist might be taught to think about atoms as building blocks. No wonder, then, that the concept of an information security “kill chain” has so disrupted the way we look at our own field. This concept, introduced by Lockheed Martin’s Mike Cloppert in 2009 and then formalized in 2011 as the Cyber Kill Chain®, is quickly replacing the traditional “onion” mentality of how we defend our networks.

onion for real

See, the Security Onion encourages us to think about security in layers. It’s a purely defensive concept and can be used to picture our own networks, with the firewall on the perimeter, a few middle layers that represent various controls, and finally our data in the center. It’s been with us forever, or at least as long as we’ve been taking our CISSP exams, and it’s also the basis for the tried and true Defense-in-Depth mantra. The kill chain, on the other hand, is basically a workflow. It’s how the attacker approaches the “problem” of extracting data from an organization. The “kill chain” moniker is meant to remind those of us in the Incident Response world that we have the potential to stop the bad activity at any stage of the game, and this is a powerful concept.


The Target Breach, Kill Chain Version

This is especially true when we stop to consider the duration of some of the phases described. In our minds, we often think of large-scale breaches like the recent Target issue as being instantaneous, when in reality these events take weeks or even months to unfold. Indeed, the U.S. Senate report on the Target breach offers a timeline on page 17 that illustrates how the attackers’ methods and Target’s missed opportunities relate to the kill chain.

Possible Missed Opportunities from Target

In this report, commissioned by the U.S. Senate Committee on Commerce, Science, and Transportation, the traditional Kill Chain graphic is applied to the events that occurred at Target, and the author uses it to highlight areas that were potential missed opportunities during the breach. Much has been written about this approach to understanding security in the past few years, and in a general sense we’ve talked about how various controls can help to mitigate each stage of the attack. That being said, there’s more we can learn from comparing an attacker’s methods with our own defenses. The report also contains a timeline that helps us visualize the many phases of the attack and how long each one took to execute.

Timeline of Target Breach

According to the U.S. Senate report, the attackers originally gained Target credentials from a contractor (Fazio) sometime in September. The report states that it’s unknown whether Target’s network was breached via Fazio’s network or whether the credentials were reused elsewhere to gain access. Maybe the attacker started trying to penetrate Target immediately, or perhaps it took them some time to get around to it, but we start to see them in the Target network on 11/12. Now look at what comes next: testing of the Target POS malware from 11/15 to 11/28. This is starting to look more like a software development plan than an attack. And just like in software development, it’s never as easy as we think. We can guess that planning for this activity went back into September and October, but even if the attacker got started on 11/12, that’s half a month of getting the exploit ready for full release. Everything past 11/12 arguably fits into the final Actions phase in the kill chain, and perhaps the attacker even crossed that line in September when Fazio was hit. Regardless, when we put our Defense-in-Depth hats on, we start to see more opportunities to kill the activity, even after the attackers get a foothold.


Defense-in-Depth Kill Chain

What would happen if we combined the Defense-in-Depth onion with this new attacker-focused kill chain theory? This concept is built in to a certain degree; the kill chain is meant to encourage us to look at our controls at each stage. But there’s a jumping-off point when we get to the final “Actions on Objectives” phase that skips some areas that hold value: specifically, the stretch after initial intrusion but before the attacker gets away with the goods. In order to do this effectively, we’re going to make some slight modifications to the chain. Let’s look at it for a moment from the perspective of when actionable things happen, instead of focusing on each of the attacker’s steps that lead up to these milestones. In other words, these are the moments of an attack where we have an opportunity to turn the tide.

• Recon. Scanning activity, identifying technologies in use, gathering potential targets. This is the same concept as defined in the Cyber Kill Chain, and we do see the effects of it on our networks.

• Intrusion. For simplification, this combines the Weaponization, Delivery, and Exploit phases. Technically, from a defense perspective, it’s not until a vulnerability is exploited (anything from a flaw in web server software to a user clicking a link) that it becomes an intrusion. As defenders, we tend not to split hairs here unless we are doing forensics after the fact.

• Persistence. This encompasses the Install and Command & Control phases. From a defense standpoint, at this stage they’ve gotten a foothold and can “hang around” on the network. Until now the attacker’s efforts resulted in very specific actions, but now they can connect back into the environment and work towards a large-scale exfiltration of data.

• Exploration. This requires a persistent connection; it is where the attacker begins to “pivot” onto other systems and gain more access. If the attackers entered Target’s network via Fazio, that would be a great example of this activity. This phase tends to last weeks and months instead of days.

• Acquisition. The last scene in a heist movie, this is where it’s time to escape with the goods. Sometimes this occurs more slowly over time, but often it makes sense to the attacker to get out while they can with a large sum of data.

The primary change in this new kill chain is the Exploration phase, which attempts to draw focus to the fact that the attacker still has work to do post-intrusion. It’s also one of the lengthier phases, and arguably offers one of the biggest targets from a defense standpoint. Now, what really becomes interesting is when we map security controls to the defense-in-depth kill chain. Recon is mitigated by using firewalls and ACLs to provide a smaller attack surface, and Intrusion is the phase where Intrusion Prevention Systems and Web Application Firewalls show their value, but if the attacker gets past these controls, things begin to get easier for them.

Using this methodology, we start to realize that so much of our industry is built around prevention of the initial intrusion, and that we focus so little on what we’re calling the Persistence and Exploration phases. This spot of the chain, which I’m starting to call the “linger area,” is where industry best practices, risk assessments, and consulting provide value. It’s also interesting to see how two of our core services, Incident Response and Penetration Testing, address the kill chain from opposite ends. Penetration testing simulates the attacker workflow from left to right, while Incident Response travels backward, using forensics data and Indicators of Compromise (IOCs) to trace the incident back to the initial intrusion.

Stop and think about the controls that could be put in place to prevent an attacker from pivoting into a Fortune 500 company from its contractor. If it was the networks being connected that allowed the attackers to move laterally, we could look at network segmentation and authentication controls. If it was leaked credentials, two-factor authentication, access control, and even firewall rules come to mind; indeed, how did they use those credentials from the outside to access this data in the first place? Initial intrusion should not be the same as a breach, said the onion. He’s old and smells kind of funny, but you have to hand it to him: he still has a point. See below for our take on how security controls map to the Defense-in-Depth Kill Chain, and please chime in with your thoughts. Is this a good way to look at our defenses?
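One concrete way to watch the “linger area” is to treat segmentation as a policy you can check against logon records: a contractor credential is allowed into the vendor-facing segment and nowhere else, so any successful logon from that account into a corporate or POS segment is an Exploration-phase pivot worth alerting on. The example below is added here and is not code from the post or from SecureState; the log format, account names, roles, segments and IP ranges are all constructed for illustration.

```python
"""Flag logons where an account crosses into a network segment its role may not use.

Added example; all accounts, segments, addresses and log lines are constructed.
"""
import ipaddress

# Constructed segmentation map: the vendor portal, corporate LAN and POS network.
SEGMENTS = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),
    "corp": ipaddress.ip_network("10.20.0.0/16"),
    "pos": ipaddress.ip_network("10.30.0.0/16"),
}
# Constructed policy: which segments each role is permitted to log on to.
ALLOWED = {"contractor": {"vendor_portal"}, "employee": {"vendor_portal", "corp"}}
# Constructed account-to-role mapping (an HVAC/billing vendor account and an employee).
ROLE = {"vendor_svc": "contractor", "jdoe": "employee"}

# Constructed logon records: timestamp account src_ip dst_ip result
LOG = """\
2013-11-12T09:01:00 vendor_svc 203.0.113.7 10.10.0.5 success
2013-11-12T09:40:00 vendor_svc 203.0.113.7 10.20.4.9 success
2013-11-13T02:15:00 vendor_svc 10.20.4.9 10.30.1.22 success
2013-11-13T02:16:00 vendor_svc 10.20.4.9 10.30.1.23 failure
2013-11-13T08:00:00 jdoe 10.20.7.1 10.20.3.3 success
"""


def segment_of(ip):
    """Name the segment an address belongs to, or 'external' if it matches none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def find_pivots(log_text):
    """Return one alert per successful logon into a segment the account's role may not use.

    Each alert is tagged with the Exploration phase: the credential is already inside,
    so the violation is the attacker widening access, not the initial intrusion.
    """
    alerts = []
    for line in log_text.splitlines():
        ts, account, src, dst, result = line.split()
        if result != "success":
            continue  # failures are a separate signal; only realised access is a pivot
        to_seg = segment_of(dst)
        if to_seg not in ALLOWED.get(ROLE.get(account, "unknown"), set()):
            alerts.append({"phase": "Exploration", "time": ts, "account": account,
                           "from": segment_of(src), "to": to_seg})
    return alerts
```

Running `find_pivots(LOG)` yields two alerts for the constructed vendor account: one as it steps from outside into the corporate segment, and a second as it pivots from there into POS, which is exactly the stretch of the chain that segmentation and access control are meant to cut short.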

Figure: Kill Chain Approach (SecureState)