What is the Cyber Kill Chain? And How to Use It with Threat Intelligence?
- Many people believe threat intelligence is primarily about identifying attacks before they happen. In reality, it’s much more about raising your organization’s security profile against all incoming attacks.
- Different types of threat actors select targets in very different ways. As a rule, the more specific their targeting process, the harder it will be to collect threat intelligence at the pre-planning stage.
- While threat intelligence can add value at every stage of the kill chain, it’s typically in the form of malicious IP/domain/hash lists and post mortem attack analyses.
- It’s not just about incident response. In order to add maximum value, threat intelligence should be made available across your security function.
- Without context, threat intelligence quickly becomes unmanageable. Ensure you’re providing your threat analysts with the tools they need to operate effectively.
Before you start gathering threat intelligence, you must answer a simple question: “What am I trying to achieve?”
The obvious answer is “an improved cyber security profile,” but if you really want to maximize your return on investment you’ll need to be much more specific.
Cyber security is a tremendously complex operation, with many moving parts, so in order to be maximally useful your threat intelligence program must deliver intelligence that can be used to mitigate or prevent specific cyber attacks.
But cyber attacks are complex affairs in their own right. It’s not simply a case of picking a target and attacking it: the cyber attack kill chain is an established and often lengthy process with multiple phases.
Threat Actors: An Overview
Before we look at the kill chain, it’s important to have an understanding of threat actor types.
In a previous article, we explained how threat actors can be split into four primary types. During the webinar, however, Konrad went a step further and split threat actors into six categories.
In this case, rather than arranging threat actors by levels of skill or organization, Konrad ordered them by the level of specificity typically involved in their target selection.
On the left-hand side of the image above you’ll see criminals that are all about mass targeting. A low-level criminal actor, for instance, will tend to choose targets almost at random, using mass attack vectors to spread their net as wide as they possibly can.
Even as we move closer to the middle of the scale to consider hacktivists and criminal hackers, targeting is usually based purely on industry or organization type, for example any healthcare organization, or any financial institution.
At the other end of the scale, a disgruntled employee is interested in causing damage to one specific organization. Foreign nations and competitors may cast their net a little wider, but they’re still interested in a very specific set of targets.
So why order threat actors by their target selection, rather than by the level of sophistication normally observed in their attacks? Well, when it comes to gathering intelligence, the way in which threat actors select targets has a huge bearing on the quality and quantity of threat intelligence typically available.
Threat actors on the left of the scale tend to do their targeting right out in the open. Low-level criminals, for example, often discuss their targets through dark web forums, IRC, and even Twitter. In the same vein, hacktivists routinely announce their intended targets through public channels. As a result, collecting actionable threat intelligence is very achievable.
Threat actors on the right of this scale, however, are far more secretive. Disgruntled employees are a prime example of a threat that is hard to identify through external threat intelligence (although monitoring network activity may be effective), as they invariably act alone. Foreign nations and competitors, meanwhile, have their own internal means of communication, making interception functionally impossible.
Of course, that’s not to say threat intelligence is entirely ineffective at identifying threats from these actors. More than one insider has been caught attempting to sell stolen data through dark web markets, and, if you have the expertise, there are ways to predict nation-state attacks with surprising accuracy.
As a rule, though, the more specific a threat actor’s targeting becomes, the harder it will be to gather valuable intelligence on their activity.
The Cyber Attack Kill Chain
The term 'Cyber Kill Chain', a concept and framework in cybersecurity developed by Lockheed Martin, describes the stages of a cyber attack. This model, which has its origins in military terminology, aids security teams in comprehending and countering cyber threats. It delineates the progression of steps an attacker undertakes, from reconnaissance to the command and control phase, to infiltrate a network and access sensitive data.
According to Lockheed Martin Corporation, in their white paper titled “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”:
“Through this model, defenders can develop resilient mitigations against intruders and intelligently prioritize investments in new technology or processes.”
Understanding each phase of a cyber attack is critical, from recognizing the deployment of malicious code to spotting brute force attempts against credentials. Such knowledge enables security teams to strengthen their security controls against both internal and external attacks, which means protecting against insider threats as well as maintaining the integrity of perimeter security. Integrating insights from the Diamond Model of Intrusion Analysis can further refine this understanding, offering another layer of analysis that complements the Cyber Kill Chain framework.
The Cyber Kill Chain framework is more than a theoretical construct; it is a practical tool for structuring intrusion prevention and a cornerstone of breach prevention. Whether used to plan protective controls for each phase or to recognize the signs of an attack progressing through the chain, the methodology equips security professionals to thwart cyber attacks. For organizations, it represents a proactive measure against ever-present and evolving cyber threats, and it strengthens their prevention strategies for both internal and external attacks.
When they consider threat intelligence, most people think about uncovering threat actors’ plans, and foiling incoming attacks before they start. But while that is a highly valuable function of threat intelligence, it’s far from being the only application.
Among other things, threat intelligence offers:
- Information on the latest vulnerabilities
- Threat actor tactics, techniques, and procedures (TTPs)
- Lists of malicious IPs, domains, and hashes
- Indicators of compromise (IOCs)
- Past attack forensics
- Evidence of leaked information
In short, threat intelligence is useful not simply for thwarting individual attacks, but for improving your organization’s security profile against all future attacks.
7 Phases of The Cyber Kill Chain Model
For now, though, let’s assume you are looking to identify and block specific incoming attacks. For a cyber attack to be successful, it will typically need to go through seven discrete stages, and at each of these stages there are opportunities to gather actionable threat intelligence.
1. Target Selection
Before anything else can happen, threat actors must select a target. Naturally, the organization they choose to attack will reflect their motive.
Cyber criminals and criminal hackers, for instance, are almost always financially motivated, and historically have targeted everything from banks and online payment companies to small businesses and sports clubs. At the other end of the scale, state actors will have a very specific set of targets based on the content of their nation’s five-year plan.
As already mentioned, many hackers, particularly low-level cyber criminals, pick their targets in public or semi-public forums. Hacktivists, similarly, tend to announce their targets publicly as part of their agenda.
But whether or not threat actors discuss their targets openly, threat intelligence plays a vital role at this stage of the cyber attack kill chain. As already mentioned, there will be times when you’re able to identify and thwart an incoming attack before it happens, but in all honesty that’s not the primary benefit of threat intelligence.
Instead, threat intelligence can help you understand which attackers are most likely to target your organization, enabling you to prepare your defenses in advance. As a small organization with high employee satisfaction, for instance, you’re unlikely to be targeted by nation states, insiders, competitors, or hacktivists, but very likely to be targeted by common cyber criminals and hackers.
No matter how large your organization, there is always going to be a limit to the resources that can be allocated to security. Understanding the types of threat actors most likely to target your organization is a crucial first step in allocating your security budget.
2. Target Research
During the second stage of the cyber attack kill chain, threat actors attempt to learn as much as possible about their intended target. And as Konrad explained during the webinar, for the most part this process happens in private.
Of course, with some lower-level threat actors, some research may be conducted through dark web forums and IRC channels, and in those instances threat intelligence may provide a valuable early warning. Most of the time, however, threat intelligence will have little to offer during this stage of a cyber attack.
3. Attack Plans
Once a target has been selected and researched, threat actors will select an attack vector. Unsurprisingly, this tends not to be something that happens in the open, making the chances of using threat intelligence to catch an incoming attack at this stage exceedingly minimal.
But, once again, threat intelligence isn’t really about detecting specific attacks. One of its most valuable functions, in fact, is in learning about current threat actor TTPs.
Once you know which threat actors are most likely to target your organization, the next logical step is to use threat intelligence to identify who, when, and how they typically attack. Most threat actors have preferred attack vectors, such as spear phishing or browser attacks, and knowing this can be a huge help when planning defenses and allocating security resources.
Another hugely valuable product of threat intelligence comes in the form of post-mortem analysis of past attacks, which can help your analysts understand exactly how threat actors have conducted successful attacks against similar organizations. For example, threat intelligence can help you understand precisely how the latest malware variants function, making the task of tightening your technical controls much more achievable.
4. Gaining a Foothold
Of course, once all the planning is done, threat actors have a job to do: compromise your network.
To do this, they’ll generally use an initial attack to gain a foothold inside your network. This could, for example, be a phishing attack that tricks a user into downloading malware, or giving up their credentials.
Of all the stages of the cyber attack kill chain, this is perhaps the area in which the most valuable intelligence is available. A powerful threat intelligence capability will provide you with a constantly updating set of IPs, domains, and hashes that are associated with malicious activity, as well as the latest post-mortem analysis of each discrete attack vector.
With all that intelligence at your fingertips, tightening your technical controls to thwart the vast majority of incoming attacks is very achievable, particularly if your analysts have access to a tool that can help them quickly triage potential threats. Even better, if an attack does bypass your technical controls, your incident response team will be armed with everything they need (IOCs, etc.) to identify compromised assets before serious harm is done.
5. Reach Objectives
It’s important to understand that tricking a user into downloading malware doesn’t automatically grant a threat actor access to your network. At this stage in the kill chain, assuming their attack is successful, the threat actor achieves a minor compromise of your network, perhaps by taking control of a terminal or user account.
This stage of the kill chain is largely reliant on your technical controls, which should already have been tightened based on past attack forensics and other related intelligence. If you haven’t been able to identify and block the attack at stage four, though, you’ll need to focus on network activity to spot the attack before it goes any further.
Once again, using threat intelligence to identify malicious activity will add tremendously to your chances of quickly separating false positives from real threats, but only if you employ a tool that can take the brunt of the work out of analysts’ hands.
6. Command and Control (C2)
Many cyber attacks, particularly those that rely on malware, depend on a process called “command and control.” The malicious payload, once it has gained a foothold within the target network, sends communications back to a server owned (or compromised) by the threat actor.
The reason for this is simple: While malware is designed to exploit specific vulnerabilities to compromise a target, it usually isn’t pre-programmed to act independently once the infection has taken place. Instead, threat actors make use of C2 servers to remotely control their infection and achieve their end goal.
Once again, threat intelligence has a role to play in blocking these communications. New servers are constantly being identified as malicious, so if you have an effective threat intelligence capability and routinely monitor network activity there’s a strong chance you’ll be able to block an attack if it gets to this stage.
7. Actions on Objectives
Once a threat actor has the access they need, it’s time for them to do the deed they came for. Depending on the type of actor, this could be anything from stealing funds, to destroying data, to committing espionage.
Realistically, if an attack gets to this stage, it’s going to be difficult to prevent it. With that said, post-mortem analysis of past attacks can help you to identify anomalous behavior, which alongside honeypots and darknets may be enough for your incident response team to contain the threat before too much damage is done.
Equally, if data or sensitive assets are stolen, threat intelligence can often provide an early warning system by alerting you when they turn up for sale on dark web markets. There have been many such cases where organizations have successfully worked with law enforcement to prevent these sales, which can drastically limit the damage caused by a successful attack.
Real-life Use cases for the Cyber Kill Chain Model
A comprehensive study conducted by Glorin Sebastian from the Georgia Institute of Technology, utilizing the Lockheed Martin Cyber Kill Chain model, revealed critical insights into several high-profile data breaches. This research meticulously traced the stages of these breaches, from reconnaissance to the final actions on objectives, offering a detailed understanding of how each attack unfolded and the key vulnerabilities exploited. The analysis covered the following breaches:
- Equifax Breach (May 13 - July 30, 2017): This breach, caused by delayed patching of a known vulnerability in Apache Struts, led to the compromise of personal data of millions.
- Target Breach (November 2013): A supply chain attack that began with a phishing email to a vendor, leading to the theft of credit card information from over 110 million customers.
- Yahoo Breach (Late 2014): Stemming from a spear-phishing attack on an employee, this breach compromised at least 500 million user accounts, making it one of the largest breaches in history.
- Sands Casino Attack (February 2014): A politically motivated attack by nation-state actors, exploiting a vulnerability in a test version of the casino’s website.
- Atlanta & Not Petya Case (March 22, 2018): This ransomware attack, using the SamSam virus, significantly disrupted the city of Atlanta's IT infrastructure.
Sebastian's research uses these breaches to demonstrate the practical application of the Cyber Kill Chain model in cybersecurity. Each case highlights different aspects of cyber threats and the importance of comprehensive security strategies across various stages of an attack.
Context is King for Security Teams
If this article achieves nothing else, hopefully it will at least clear up one common misconception: That threat intelligence is all about catching cyber attacks during the pre-planning phase and preventing them altogether.
In reality, a powerful threat intelligence capability can help to defend against every threat actor type, and adds value at every stage of the cyber attack kill chain.
But there’s one more important ingredient, and without it no amount of threat intelligence will enable you to achieve the results described in this article.
Without context, threat intelligence quickly becomes an unmanageable stream of threat alerts that you’ll never have time to monitor.
What you need, then, is a product that can quickly analyze incoming alerts, remove the vast majority of false positives, and highlight only the threats that pose a danger to your organization.
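As an added illustration (not code from the original article or from Recorded Future), the Python matcher below ties together the foothold and C2 stages described earlier and the context point made here: it loads a constructed indicator feed, drops stale entries, normalizes defanged values, skips an allowlist of known-benign hosts that would otherwise generate false positives, and tags each hit with the kill chain stage it maps to so that later-stage hits surface first. All indicators, log lines and allowlist entries are constructed sample data using documentation IP ranges and example domains.

```python
import re
from datetime import date, timedelta

MAX_AGE_DAYS = 90  # indicators last seen before this window are treated as stale

# Constructed indicator feed (not real threat data): value, kind, kill-chain stage, last seen.
# Some values are defanged with "[.]", as published feeds often are.
INDICATOR_FEED = [
    ("198.51.100[.]23", "ip", "4. Gaining a Foothold", date(2024, 1, 20)),
    ("c2[.]example[.]net", "domain", "6. Command and Control", date(2024, 2, 1)),
    ("203.0.113.9", "ip", "6. Command and Control", date(2023, 6, 1)),  # stale entry
    ("0123456789abcdef0123456789abcdef", "hash", "4. Gaining a Foothold", date(2024, 1, 30)),
]

# Context: infrastructure known to be benign for this organization (constructed example).
ALLOWLIST = {"cdn.example.org"}

# Constructed proxy/EDR log lines in key=value form.
SAMPLE_LOGS = [
    "ts=2024-02-05T10:01:02Z src=10.0.0.5 dst=198.51.100.23 host=update.example.com",
    "ts=2024-02-05T10:03:40Z src=10.0.0.7 dst=192.0.2.44 host=c2.example.net",
    "ts=2024-02-05T10:04:11Z src=10.0.0.5 dst=203.0.113.9 host=cdn.example.org",
    "ts=2024-02-05T10:05:59Z src=10.0.0.9 md5=0123456789abcdef0123456789abcdef",
]

LOG_RE = re.compile(r"(\w+)=(\S+)")
FIELD_KIND = {"dst": "ip", "host": "domain", "md5": "hash"}  # log field -> indicator kind

def refang(value):
    """Turn a defanged indicator back into its matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def load_indicators(feed, today):
    """Build a lookup table, discarding indicators older than MAX_AGE_DAYS."""
    cutoff = today - timedelta(days=MAX_AGE_DAYS)
    return {(kind, refang(value).lower()): stage
            for value, kind, stage, last_seen in feed if last_seen >= cutoff}

def match_logs(lines, indicators, allowlist=ALLOWLIST):
    """Return indicator hits from log lines, latest kill-chain stage first."""
    hits = []
    for line in lines:
        fields = dict(LOG_RE.findall(line))
        for field, kind in FIELD_KIND.items():
            value = fields.get(field, "").lower()
            if not value or value in allowlist:
                continue  # empty field, or context says this value is benign
            stage = indicators.get((kind, value))
            if stage:
                hits.append({"ts": fields.get("ts"), "src": fields.get("src"),
                             "indicator": value, "kind": kind, "stage": stage})
    # A C2 hit means the attacker is further down the chain than a foothold hit.
    hits.sort(key=lambda h: h["stage"], reverse=True)
    return hits

def run_scan(today=date(2024, 2, 5)):
    return match_logs(SAMPLE_LOGS, load_indicators(INDICATOR_FEED, today))

if __name__ == "__main__":
    for hit in run_scan():
        print(hit)
```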
Recorded Future delivers contextualized threat intelligence in real time, enabling you to dramatically reduce your organization’s cyber risk. Using machine learning and natural language processing (NLP), our engine gathers data from an unrivaled breadth of open and dark web sources, and combines it with our unique knowledge base of historical threat data to provide relevant, contextualized threat intelligence.
This article was originally published on April 6, 2017, and last updated Feb. 5, 2024.