In the world of cybersecurity, nefarious acts are often caught only after the exploitation of systems has occurred. Depending on the gravity of the exploitation, it can lead to thorough investigations that may be operational (within an organization), criminal, or tort-related (recovery of financial damages). The findings of the investigation can lead to an assessment that gets to the root cause.
Lockheed Martin developed the cyber kill chain methodology, which helps to distinguish correlation from causation. The methodology provides a framework for reasoning about threat behaviors, actors, and tools. In a sense it is comparable to a premortem: whereas a postmortem reviews and discovers the causes of damage after a successful attack, the premortem helps to prevent the attack from ever being successful.
If the defender disrupts any of the first six steps of the cyber kill chain, the adversary never reaches the seventh, and the attack fails.
Step 1: Reconnaissance
The adversary is seeking to:
- Research the targets that will help them achieve their objectives
- Collect email addresses
- Identify employees on various social media platforms
- Collect public domain information
The defender should:
- Attempt to detect the reconnaissance
- Analyze website visitor logs
- Tune systems to alert for browsing techniques tied to reconnaissance
- Create defenses that mitigate ease of reconnaissance
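The Step 1 defender actions above (analyze visitor logs, alert on reconnaissance-style browsing) can be turned into simple detection logic. The following is an added example, not code from the original page: it parses constructed access-log lines in the common "combined" format and flags clients whose browsing looks like URL enumeration rather than navigation; the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Regex for the Apache/Nginx "combined" access-log format (only the fields we need)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation address ranges, not real traffic)
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:03 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:03 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:04 +0000] "GET /login HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:12 +0000] "GET /about HTTP/1.1" 200 3000 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "GET /contact HTTP/1.1" 200 2800 "https://example.test/about" "Mozilla/5.0"
"""

def parse_log(text):
    """Return one dict per line that matches the combined format; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def flag_recon(records, min_requests=5, max_404_ratio=0.5, max_referer_ratio=0.2):
    """Group records by client IP and return {ip: [reasons]} for clients whose
    traffic shows enumeration signals: mostly missing paths, or no referers (assumed thresholds)."""
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in per_ip.items():
        n = len(recs)
        if n < min_requests:  # too little traffic to judge
            continue
        reasons = []
        not_found = sum(r["status"] == "404" for r in recs) / n
        if not_found > max_404_ratio:
            reasons.append(f"{not_found:.0%} of {n} requests hit missing paths (URL guessing)")
        with_ref = sum(r["ref"] != "-" for r in recs) / n
        if with_ref <= max_referer_ratio:
            reasons.append(f"only {with_ref:.0%} of requests carried a referer (not following links)")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, reasons in flag_recon(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

Clients that trip the thresholds are candidates for alerting or rate limiting; legitimate crawlers will usually show few 404s even though they carry no referer.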
Step 2: Weaponization
The adversary seeks to:
- Couple the exploit and the malware into a deliverable payload
- Create a decoy document for the victim organization to open
- Create a backdoor into the target system
The defender should:
- Conduct holistic malware analysis, including how the malware was built
- Analyze when the malware and its associated payload were created
- Collect and connect metadata
- Identify advanced persistent threat (APT) campaigns
Step 3: Delivery
The adversary seeks to deliver the malware to the target via:
- Compromised websites
- Social media
- Auxiliary/external storage devices
The defender should:
- Analyze delivery media
- Understand the roles and responsibilities of those protecting the target
- Understand the intent of the attacker
- Collect artifacts (web logs, email, etc.) for reconstruction
Step 4: Exploitation
The adversary seeks to:
- Gain access to the victim system by exploiting a vulnerability
- Execute an adversary- or victim-triggered exploit
- Keep the vulnerability (software, hardware, or human) open for reuse
The defender should:
- Foster an environment of awareness, training, and testing for employees
- Develop secure source code
- Conduct frequent and competent vulnerability scanning and penetration testing
- Implement least privilege/need-to-know
Step 5: Installation
The adversary seeks to:
- Install persistent backdoor to compromised systems
- Make the malware environment look normal
The defender should:
- Appropriately apply network and host intrusion detection and prevention systems (NIDS/HIDS and NIPS/HIPS)
- Understand the privilege level the malware runs with
- Know the creation timestamp of the malware
- Verify the certificates of all signed software
Step 6: Command and Control (C2)
The adversary seeks to:
- Establish two-way remote control of the compromised infrastructure
- Establish C2 channels via web, DNS, and email
- Take control of the entire infrastructure
The defender should:
- Discover the C2 infrastructure
- Reduce the number of paths into the infrastructure
- Proxy all outbound traffic
- Set up DNS sinkholing and name-server poisoning
Step 7: Actions on Objectives
The adversary seeks to:
- Collect user information
- Escalate privileges
- Collect and exfiltrate data
- Destroy or corrupt systems
The defender should:
- Have adequate detection mechanisms in place
- Establish an incident response playbook
- Deploy forensic agents
- Detect data exfiltration