The Lockheed Martin Cyber Kill Chain is a popular model in information security. The model illustrates the typical cyber attack. Like the CIA triad, the Cyber Kill Chain is a fundamental concept that helps people understand what motivates security professionals. Understanding it and being able to explain it makes us more effective at our jobs.
Here’s an explanation of the Cyber Kill Chain, along with a couple of examples, one real, and one imagined.
Problems with the Lockheed Martin Cyber Kill Chain
The Cyber Kill Chain is controversial, but it need not be. I think most of the controversy around it is due to not explaining it fully, or people trying to be contrarian, like the people who argue against the CIA triad.
The controversy is that not all attacks follow the Cyber Kill Chain exactly.
Don’t think of the Cyber Kill Chain as a playbook or a recipe. It’s a list of components, or a list of ingredients. There will be times when an attacker carries out parts of it out of order. There will be times when either opportunity or necessity drive an attacker to repeat parts of it. And there may even be times when part of it is unnecessary because someone already did that part for them. Would we fault a burglar for not opening the door if someone already left the door open?
As blue team defenders, we don’t have to obsess over whether every attacker does things in the same order every time. They don’t. The Cyber Kill Chain is a list of processes we need to disrupt in order to make ourselves more difficult to breach.
I don’t personally buy into the argument that the Lockheed Martin Cyber Kill Chain is a flawed model. I even specialize in disrupting the component of the model that’s most likely to be optional. I’ve had very good success in my career getting buy-in from the rest of the IT organization on security initiatives by whiteboarding the model and showing what parts of it the initiative disrupts.
Components of the Lockheed Martin Cyber Kill Chain
There are seven stages to the Lockheed Martin Cyber Kill Chain. I will present them in their optimal order, but an attacker doesn’t have to carry the stages out in that order to be successful. For example, once an attacker is inside a network, they may find multiple opportunities, so they may repeat parts of the middle multiple times. It’s a list of ingredients, not a recipe.
It’s also possible for parts of it to be social or kinetic, not necessarily digital. Watch the old Robert Redford movie Sneakers sometime and try to apply this model to what they’re doing. You’ll be surprised how well it fits.
Reconnaissance is casing the joint. It’s what my local bank vice president thought I was doing the time she called the cops on me. This stage is learning what you can about the organization so you can plan your attack. By looking at their job postings and LinkedIn profiles of current and former employees, you can learn what technologies a company uses. You can also piece together the social hierarchy, in case you have to use a social engineering attack to get in.
Actually, let’s run through a hypothetical situation. I’ll put my darkest gray hat on and let’s talk about how Bad Dave would go about hacking a company, and how Good Dave could prevent it.
Bad Dave has a theory that the company he doesn’t like is bad at patching, because most companies aren’t great at deploying Adobe updates. Bad Dave finds a job opening, and he decides to apply for it to get his code running in the network. And at this stage of the game, there’s very little Good Dave can do about it. People overshare on social networks all the time, but this stage doesn’t require oversharing. Bad Dave just needs to know they have an opening, and then he needs to know whether they use Windows PCs or Macs, so he can move on to the next stage of the Lockheed Martin Cyber Kill Chain.
Weaponization is putting together the components of the attack. In my example, Bad Dave pulls together an appropriate exploit for Adobe Reader, writes up a convincing-looking resume and cover letter, and puts the exploit in the resume.
Good Dave could prevent this by making sure Adobe Reader is up to date, especially in the HR department. Better yet, he could convince HR to use the PDF viewers built into modern web browsers, so Bad Dave’s attack bounces off. This forces Bad Dave to try exploits for Reader, Chrome, Firefox, and Edge in hopes that one of them works.
This is effective but not 100%. When I was a sysadmin, my 100% up-to-date network still got breached, because someone social engineered their way in. They convinced one of our developers to load a keylogger onto his system, then grabbed his credentials when he logged into my network and marched right in.
Delivery is just what it sounds like: delivering the weapon to the victim. In Bad Dave’s case, it’s applying for that job and attaching the resume. In the case of my former developer, it was the red team sending him the keylogger and chasing it with a phone call.
About the only way Good Dave can disrupt this is by filtering content from strangers. Conventional antivirus won’t detect the payload in the resume if Bad Dave did a reasonably good job. Routing attachments through a device like a FireEye is one effective way to disrupt this. Converting the attachment to another format, ideally plaintext, can be another way to disrupt it.
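As an added illustration of the attachment-filtering idea above (example code written for this page, not the author’s own tooling): a triage check that flags the active-content features an attachment gateway would hold for sandboxing, and sends everything else on to be converted to text. The sample byte strings are constructed, not real resumes, and the feature list and verdict strings are my own choices.

```python
import re

# Risky PDF features an attachment gateway would hold for deeper inspection.
# Keys are PDF name objects; values are what their presence means.
RISK_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action runs when the file is opened",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "carries an embedded file",
    b"/RichMedia": "embedded rich media",
    b"/ObjStm": "object streams (can hide the names above)",
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes in PDF names, so /J#61vaScript is seen as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def pdf_risk_indicators(data: bytes) -> list[str]:
    """Return the risky features present, in RISK_NAMES order; empty means none seen."""
    if not data.startswith(b"%PDF-"):
        return ["not a PDF header"]
    text = normalize_names(data)
    found = []
    for name, meaning in RISK_NAMES.items():
        # Require a delimiter after the name so /JS does not match a longer name.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", text):
            found.append(meaning)
    return found

def attachment_policy(data: bytes) -> str:
    """Triage decision for an unsolicited attachment: hold it, or convert it to text."""
    return "hold-for-sandbox" if pdf_risk_indicators(data) else "convert-to-text"

# Constructed samples (not real documents): a bare PDF skeleton, and one whose
# catalog fires a JavaScript action on open with the action name hex-escaped.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Count 0 >> endobj\n%%EOF\n")
SUSPICIOUS_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                  b"3 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, attachment_policy(blob), pdf_risk_indicators(blob))
```

String matching like this only sees names stored in the clear, so it is a first-pass filter ahead of conversion or detonation, not a substitute for either.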
Exploitation is getting the weapon to detonate. In Bad Dave’s case, it happens by getting HR to open that resume. In the case of my former developer, it was convincing him to open that e-mail attachment that contained the keylogger. Once this happens, the payload is running on the system, and the attacker gains a foothold in the next stage.
Installation is just installing malware on the target, so the attacker can get back in. This is the most controversial component of the Lockheed Martin Cyber Kill Chain, because it’s not always possible. Some devices don’t allow you to install software on them because they lack writable storage. In that case, an attacker has to jump to another system, and potentially repeat the process.
An attacker may skip this stage since writing a file to disk leaves evidence behind. Some attackers choose just to work out of memory.
Limiting permissions will cut down on installation, but that’s one reason attackers increasingly skip this step.
Command and Control
Command and Control is establishing a way for the malicious process to communicate back to the attacker. This often takes the form of presenting the attacker with a command prompt on the victim’s system.
This can also be a difficult stage to disrupt. Limiting outbound communications is the best you can do, but this can have adverse effects on the end user experience. Just like most things, disrupting in the early stages tends to be more effective and less expensive in terms of monetary and human cost.
Actions on Objectives
This is the final stage of the Lockheed Martin Cyber Kill Chain. At this point, the attacker has a command prompt on the victim’s system, or some other way to communicate with the victim’s computer and interact with it. From there, the attacker can look for interesting data and attempt to steal it, or look for other, more interesting systems and repeat parts of the model as necessary to move around.
At this stage, a defender can only limit the damage. Collecting event logs can make it possible to detect attacks in progress. Network segmentation can limit how much the attacker can move around. Limiting outbound ports and filtering those ports can potentially limit the attacker’s options for getting data out of the network. Working from home, using cloud-based services, and limiting or eliminating VPN connections back to the corporate network can also limit how much data an attacker might be able to reach.
Why the name Cyber Kill Chain?
The kill chain is a military model describing the structure of an attack. The terminology is a bit odd for those of us in the private sector, but we can understand the concepts. Our tax dollars paid for this concept, so we might as well use it to do our jobs more effectively.