What is the cyber kill chain?

Learn how this iterative approach to cyber defense works, and how advanced tools such as NDR can improve it.

What is the cyber kill chain?

The cyber kill chain is a process based on a military targeting framework that subsequently was applied to cybersecurity. In 2010, three researchers with Lockheed Martin—Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin— published a paper that adapted the framework specifically to assist security teams in their efforts to anticipate, detect, and deter Advanced Persistent Threats (APT) launched by well-resourced, patient, and persistent adversaries.

While the kill chain defines steps taken by adversaries while compromising digital assets, it is orientated to a proactive, evolving approach to cyber defense. By analyzing evidence of attackers’ past actions and techniques within the kill chain framework, security teams can make adjustments to their defensive security posture to expand visibility, reduce the attack surface, and improve threat detection capabilities. These refinements tend to have direct performance benefits to SecOps teams, often leading to improved mean time to detect (MTTD) and mean time to respond (MTTR) metrics.

While attack methods and security tools have evolved significantly since the cyber kill chain’s introduction, it remains a useful framework for proactive defense, with relevant application to any organizational adversaries (e.g. APTs, ransomware, cybercrime, nation state actors).

In this article, we’ll outline the cyber kill chain sequence and how Network Detection and Response (NDR) solutions improve network security and provide defenders with crucial context needed to detect and disrupt attacks.

The cyber kill chain sequence

Although adaptations and extensions have been suggested over the years, the fundamental construct of the cyber kill chain is still applicable to a modern security approach.

The paper’s authors define objective evidence of a cyber intrusion as “indicators,” which fall into three classifications: Atomic (e.g., IP or email addresses); computed (indicators sourced to actual data, such as hash values); and behavioral (a collection of atomic and computed indicators analyzed and qualified by security teams or tools).

The indicators are the traces left behind in the wake of an intrusion, comparable to evidence gathered at a crime scene and, possibly, matched to evidence found at earlier crime scenes. The buildup and linking of evidence is key to the kill chain’s iterative process: By accumulating and enriching evidence at every stage, security teams can develop a more intuitive understanding of how attackers operate and iterate on their established methods.

The seven steps in the kill chain are as follows:

• Reconnaissance. The adversary begins with due diligence: They may seek out any relevant information that could ultimately assist at later stages of the intrusion. They may scour websites, gather publicly available information (such as email addresses) or scan the target’s networks for details about their security systems or network connections. It is important to note that adversaries are continuously performing reconnaissance, and little of that activity can be detected since the activity occurs on the exterior-facing side of the firewall or network detection and response system, which is prohibitively expensive, in terms of cost, time, material and storage, to monitor.
  
  
• Weaponization. The Lockheed authors describe weaponization as “coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer).” PDFs and documents from the Microsoft Office Suite, cited by the authors as common weaponized deliverables, remain so today. Weaponization will not be detected in real time, since the adversary will create the exploit in an environment they control. However, this step highlights the importance of compiling evidence and using it to make the kill chain more dynamic and responsive. In the delivery phase, security teams may examine file batches for indicators that provide evidence of malicious code and the attackers’ methods. That evidence may become an atomic indicator that can then be used to inform future file scans.
  
  
• Delivery. This stage represents the attack launch. Phishing emails with malicious attachments remain among the most prevalent methods. Delivery could also be initiated at a compromised website (known as “watering hole attack”), or infected flash drives. Since attack methods change frequently, it can be helpful for teams to keep current with authoritative sources, such as the Verizon Data Breach Investigations Report, Mandiant’s M-Trends, and Crowdstrike’s Global Threat Report. Each is published annually and tracks global trends in adversary tactics, attribute varieties, dwell time, and more.
  
  
• Exploitation. In this step, the malicious code is triggered, either by an unintentional action by a legitimate user (e.g., downloading a file with malicious code), or by manipulating an application or operating system feature.
  
  
• Installation. The adversary installs a backdoor or a RAT, or remote access trojan (e.g., Ghost, Back Orifice, Dark Comet, CyberGate). Now established in the host system, the attacker can consider lateral movement and ways to extend their foothold.
  
  
• Command and Control (C2). At this point, an attacker of outside origin (e.g., not an insider threat) must exercise control of the compromised host remotely. To this point, the amount of network evidence available to security teams may be minimal to non-existent, but C2 generally depends on the Internet, and network detection and response tools may detect the adversary’s activity in real time. However, it is also the point at which the adversary may attempt to obfuscate their movements and “blend in” with normal traffic patterns. There is a large and ever-growing number of C2 techniques, some of which have been developed for red team engagements and later appropriated by adversaries for malicious purposes. Well-known C2 examples include Cobalt Strike, Sliver, and Metasploit. Known C2 techniques, toolkits and novel C2 infrastructure are published in collections by security vendors as well as publicly available sources, such as MITRE ATT&CK.
  
  
• Actions on Objectives. Attackers who reach this stage are now poised to exfiltrate data, encrypt files for ransom purposes, destroy or manipulate intellectual property, denial-of-service attacks, or use the infected system as a jump-off point for other objectives. In some of the stealthiest, novel attacks, such as SolarWinds, security teams have no way of detecting any activity before this stage. In such cases, the effectiveness of the response depends on whether or not the organization instrumented the network before the attacker gained access and accomplished their objective.

Why is the cyber kill chain valuable to security teams?

The inherent value of the cyber kill chain goes beyond providing a useful schematic for many cyber attacks. Knowledge of adversary action, the Lockheed authors point out, should create “an intelligence feedback loop enabling defenders to establish a state of informational superiority.” By understanding the methods and becoming familiar with tool marks that may provide evidence of malicious activity. Defender intelligence can also be reinforced through alignment with other feedback loop mechanisms, such as the OODA Loop (Observe, Orient, Decide, and Act), which also repurposes military thinking in terms of cybersecurity.

Malicious cyber actors, like any rational criminals, are seeking a sound return on investment. Rather than spending time and resources on the development of novel tools, they have an interest in recycling successful intrusion methods. Well-known C2 toolkits like Cobalt Strike and Silver are available, and often deployed, by multiple bad actors. Furthermore, particularly nimble adversaries may deliberately leave behind tooling marks associated with an attack method other than what they are using, or another known adversary, to send defenders on the wrong track. (A notable example of this type of false flag was the Olympic Destroyer malware unleashed at the 2018 Winter Olympics).

Like any other security model or tool, the cyber kill chain is not a panacea. What’s more, the level of investigation it entails can be labor- and time-intensive, especially if a security team focuses on indicators that are not relevant to an existing threat, or those related to anomalous, but non-malicious, activity in the network. The quality of network evidence, the context, can often be the difference between effective, resilient threat identification and inefficient, ineffective response.

Security teams who learn by analyzing attack methods, and devising new defenses can impact their opponents’ cost-benefit ratios along with reducing the chance that any one attempt can succeed. To avoid an endless whack-a-mole process, teams need to take the time to monitor and preserve evidence rather than eradicating it during remediation. But they also depend on protocols and contexts that come from utilizing advanced tools and community intelligence.

How NDR supports the cyber kill chain

Network Detection and Response represents an evolution from traditional network intrusion detection systems (NIDS) and other legacy security solutions that made up a perimeter-based defensive approach and were the standard model when the Lockheed team published the paper in 2010. As such, it provides a great deal of information that may contain indicators security teams can use to build evidence of an attack.

At several stages in the sequence, NDR will be more helpful in a forensic capacity rather than a source of real-time intrusion alerts. For example, the weaponization phase does not involve direct engagement between the attacker and target although weaponization may often leave tool marks on malicious code that can be used to bolster the security team’s defenses in the event of a recurrent attack by the same actor. This level of forensics depends on recovering artifacts that can be studied and compared to existing malware collections. In contrast, C2 will often create events that leave fingerprints within authentication, OS, network, and application logs. Defenders using NDR tools can move even faster, especially when using a tool that’s based on Zeek®, Suricata®, and Smart Packet Capture (PCAP), and which passively monitors the network and produces high-fidelity network transaction logs, intrusion alerts, and selective PCAP containing unbiased network metadata.

Importantly, there is no hard-and-fast rule about when different types of evidence may alert a security team to an intruder’s presence and activity. Any step of the cyber kill chain may be an opportunity to passively capture traffic that can be stored and analyzed on a network beyond the adversary’s reach. The network’s historical record is essential to maintaining a defender’s resilience and advantage over a disciplined adversary. Ultimately, the advantage hinges on the quality of information the network detection and response platform generates.

An advanced solution such as Corelight’s Open NDR Platform will continuously monitor and provide visibility across the network creating network evidence that is pre-correlated via a UID (Unique Identifier). Corelight Open NDR can detect attacks even when the traffic is encrypted via proprietary detection techniques such as SSH inferences. Corelight NDR features custom content collections, including C2, DNS exfiltration, and known-entity. These collections are updated constantly to keep pace with the ever-evolving threat landscape and attack methods.

With these tools, malicious east-west (lateral) activity will stand out more clearly, especially when signature-based detection tools are deployed. With advanced anomaly-based detection and behavioral analysis, it is effective at detecting command and control and exfiltration attempts outlined by late steps in the cyber kill chain. Corelight’s NDR also enables extended packet capture (PCAP) data, which can be foundational to remediation and extended forensic analysis by scraping information that transaction logs may not contain.

Corelight NDR combines and pre-correlates Zeek® logs, which produce high-quality, flexible, community-driven network metadata, SmartPCAP for packet capture, and alerts from Suricata, a modern intrusion detection system, to produce high-fidelity network evidence. Corelight’s Open NDR Platform can deliver the rich contextualization that can maintain a virtuous feedback loop in the cyber kill chain—and put defenders on offense.