Cyber Attack Models: What are they?
Attack models describe the structure of an attack in phases. They provide a means to conceptualize the different aspects of an attack. However, it is important to understand that not all attacks must complete all phases to be successful. In fact, many attacks iterate recursively through the phases of an attack model. Kill Chain is a military term used to describe the structure (or phases) of an attack. In a military context, the process is described as find, fix, track, target, engage, assess (F2T2EA): find adversary targets suitable for engagement; fix their location; track and observe; target with suitable weapon or asset to create desired effects; engage adversary; assess effects. Scientists at Lockheed Martin used this concept to develop the Cyber Kill Chain. It was described in a paper presented in 2011 at the 6th Annual International Conference on Information Warfare and Security (Intelligence-Driven Computer Network Defense…). Some people love it — others, not so much. Regardless, it has become an almost standard framework which others have altered or extended in different ways. Let’s do a high-level fly-over, examine some of the criticisms, and then take a look at a couple of variants!
Cyber Kill Chain
The Cyber Kill Chain consists of seven phases as show in the following diagram (from DarkReading):
For further information on these phases, I recommend that you read the Lockheed Martin paper. Detractors of the Cyber Kill Chain point to a few areas as evidence of its shortcomings. I understand the criticisms, but I’m not in complete agreement with them. However, that’s not to say that the Cyber Kill Chain is perfect.
Limited Operational Impact over Initial Phases
You may hear that, as a defender, there is little or nothing you can do about the first two or three phases.
Reconnaissance, the first phase of an attack, cannot always be detected, but you can make an attacker’s job harder. Perform your own recon by monitoring various social media outlets, et al, and eliminate valuable sources of information when possible. Your own recon should also utilize threat intelligence sources. Threat actors do not always maintain perfect silence; sometimes they even openly announce attacks. Either way, ‘forewarned is forearmed’ as the saying goes.
The weaponization phase is similar. An attacker will attempt to identify a weakness (‘vulnerability’) and then formulate a method of attack (‘attack vector’) to exploit that weakness. Remember, we are managing risk, which is comprised of a series of factors. The classic equation is:
Risk = Threat * Vulnerability * Impact
Many want to add likelihood to the equation, but that is really just ‘vulnerability * impact’ in my opinion. Why do we mention this in the context of weaponization? If you know where your vulnerabilities are, you also know what an attacker may target and how they may attempt to exploit a weakness. Reducing the number and types of vulnerabilities, along with making the ones you can’t mitigate harder to reach (eliminating attack vectors), all results in reduced attack surface and overall risk. And that makes an attacker’s job harder. But, but, but, you say… yes, I know, the human.
This leads us to the third phase: delivery. Delivery may be a single action or it may involve compound methods. While some attacks initially target computers, networks or applications directly, many simply target people in the beginning. This is because social engineering is effective. Education has to be a key part of any information security program, but as humans are imperfect, this will always be an effective means to delivering weapons to targets — until we can teach machines to better protect us from ourselves.
Focus on Malware and Intrusion / Perimeter Defense
Another area of complaint is that the Cyber Kill Chain is centered on malware, almost to the exclusion of all other attack vectors, and that it would have us myopically focus on perimeter-based defensive strategies. What about social engineering and remote access attacks that do not involve malware? What about insider threats? While I understand the rationale, I think it may be unfair. It is important to understand that the delivery, exploitation, and installation phases have the sole purpose of establishing a persistent foothold in the victim’s environment. Social engineering is simply targeting a weakness with exactly that in mind, regardless of what attack vector is used to reach that vulnerability. Is not an e-mail message that plays on human curiosity a form of social engineering, just as much as littering parking lots with USB thumb drives, or phone calls asking someone for information or to get them to do something as an unwitting participant in an attack? Of course! These phases ask us to examine all ingress and egress pathways to determine how an attacker might attempt to leverage some heretofore unconsidered vulnerability. The attack on Target Corporation first involved the compromise of a supplier with remote access. That attack most certainly involved malware; then once inside the Target environment, malware on Point-of-Sale devices was delivered. Attack models may be applied recursively to describe complex attacks. And they do not need to start at any particular point in the chain. An insider does not need to establish a persistent foothold in the environment — he or she is already there! But after that point, insiders, just like external threat actors, will move laterally either by virtue of access they already have or attempt to garner in the same way as an external threat actor. All threats, if undetected and permitted to continue, will eventually become insider threats.
It is true that the Act-on-Objectives phase is very broad and may in fact comprise the most complex parts of the attack, but certainly the most time. It may be modeled as distinctly different. I do agree that we must adopt a mindset that we are already compromised and must find a better balance between prevention and detection.
Raytheon Kill Chain
Since the Cyber Kill Chain is trademarked by Lockheed Martin, but the idea caught on, others developed variations to use as a means to demonstrate their products and capabilities. I’ve seen Raytheon’s Websense marketing presentations use the following modified kill chain diagram:
This model aligns closely with the Cyber Kill Chain, with a few differences. Weaponization and Delivery are mostly combined in the Lure phase, with one aspect being separated out as the Redirect phase. This is largely because this model relates to one particular delivery vector (using a website), where as the Cyber Kill Chain does not and notes three popular methods (email attachments, websites, and USB removable media). There are a couple of other noteworthy components though.
After the exploit kit scans the victim’s system and finds a vulnerability (existing or zero-day), a so-called dropper file is installed on the system. This is the attacker’s initial beachhead in the environment. The dropper file may be single- or two-stage — that is, it may immediately deliver all of the tools the attacker needs, or to make it less likely to be detected, it may download those tools when it is activated. That may occur immediately, or it may remain dormant for a long period of time. Once it is successful in the Call Home (Command and Control) phase, the attacker is connected to the infected system and delivers additional malware and commands.
This model makes the assumption that the goal an attack is data theft. While that may be true in most attacks, it is not necessarily true in all attacks or it may not be the only goal. For example, the Sony attack certainly involved data theft but ultimately it exhibited destructive intentions.
Gartner’s Cyber Attack Chain Model
In August, 2014 Gartner released research aimed at helping practitioners balance countermeasures across all phases of an attack and assisting in gap analysis. I like this model — it removes the two early phases of the Cyber Kill Chain for which it is difficult to achieve significant (although still some) operational impact, and it expands AoO (Act on Objectives) into three phases — Privileged Operations, Resource Access, and Exfiltration.
Although the paper, “Selecting Security Monitoring Approaches by Using the Attack Chain Model” is not publicly available (subscription required), we can learn from Gartner has published to consider how this model might be effectively applied.
A key concept in information security is “defense in depth.” Controls are never 100% effective, so we overlap them. However, many enterprises over-react to issues and engage in what I call “expense in depth” instead. Gartner describes this accurately:
Clients often approach security monitoring from a specific driver, rather than from a larger perspective. This is no surprise, because they are generally trying to address a specific regulation, risk pain point or deal with an incident that just happened, and focus on what is the best and most cost-effective solution for that alone. But this path is dangerous, because it can lead to leaving large gaps in some areas and overspending in others — in part due to a focus on differences, rather than commonalities, in threats and attacks.
They also point out that it is counter-productive to attempt to absorb, deploy and operationalize more than your organization can reasonably achieve. It’s better to be competent with the basics than to be mediocre everywhere.
As with the previous model, exfiltration is not a given, and Gartner acknowledges this: “Sabotage needs no exfiltration, and snooping or corporate resource misuse can be done without making electronic copies of data.”
The Cyber Kill Chain paper provides an approach to understanding how controls affect various phases of an attack with its “Courses of Action” by using the actions of detect, deny, disrupt, degrade, deceive, and destroy from DoD information operations (IO) doctrine. However, I find this attack model particularly useful as a means of organizing and understanding how your security monitoring controls fit together, especially given the last three phases.
Cyber attack models provide us with a means of decomposing an attack into discrete phases. These in turn can be used to conduct post-intrusion analysis to better predict and avoid future attacks. By understanding the tactics, techniques and procedures (TTPs) of an attacker, we learn how threat actors operate and have the means to evaluate our defensive posture and develop strategic courses of action to eliminate gaps.
Next time we’ll look at a fictitious attack, walk through the Cyber Kill Chain along the way, looking for places to align monitoring controls but more importantly, identify indicators that you might not have considered before!