Saturday, July 2, 2022

Why The Cyber Kill Chain Has Become Outdated: Must-Read

 


In the world of Cybersecurity, after a security breach has happened, there are few key things that have to take place.  First, is that you need to bring your business back up as quickly as possible in a seamless fashion.  This can only happen with a well-planned Incident Response and Disaster Recovery plans.  Then, once there is some sense of normalcy, you will want to conduct a detailed forensics exam to see how it all happened. 

But apart from this, you also want to find the Cyberattacker and/or their corresponding group that did this, and bring them to justice.  But in order to do the latter, you need to have all of the evidence you have in place first, and make sure that they are all admissible in a court of law.  Trying to find out who the exact predator is also known as “Attribution”.

Throughout the years, there have been a number of Fortune 500 companies that have actually created models to get into the mindset of a Cyberattacker.  The ultimate goal of all of this is see what the motivating factor was in launching the attack, and try to trace where they could be in the world, in terms of physical location.

One such company that tried to do this is Lockheed Martin, and what they came up with is known today as the “Cyber Kill Chain”.  The key components of it are as follows:

1)     Reconnaissance:

This is where the Cyberattacker basically targets you as a victim and from there, takes their own sweet time to find out all of your weak spots and backdoors in which they could possibly enter into.  This can range from launching Phishing emails to scoping out third party vendors to engaging in Social Engineering tactics, and even studying the social media profiles of your employees.  The bottom line is that they want to find that very critical week spot and move in.  Heck, even after they move in, they still may not do any damage. For example, they can stick around on the insides for a very long time and move in a lateral fashion to see what more you have in your IT and Network infrastructure.

2)     Weaponization & Deployment:

After gaining entry in, this is the moment in time where the Cyberattacker decides to deploy their malicious payload, which could range anywhere from being a worm, virus, piece of malware, Trojan Horse, etc.  The primary goal here is to exploit as much as possible a vulnerability that was discovered.

3)     Exploitation:

This is where the malicious payload actually detonates.  There are numerous ways that this can happen, such as an employee clicking on a phony link, opening an infected attachment, or simply, the payload could be set to detonate at a specific time and date.  These are technically known as “Logic Bombs”. 

4)     Installation:

Remember, a malicious payload does not always have to detonate.  It could be deployed in a victim’s wireless device in order for the Cyberattacker to gain remote access to it. In this regard, the payload becomes technically a “Dropper”. 

5)     Command & Control:

If a Dropper has been installed, the Cyberattacker will then use this to scope out the device of the victim, and see what is worth targeting.  Keep in mind that they can be internal to your systems for a very long period of time, very often going unnoticed.  But once they are known, they will leave immediately, and the damage will be done.  In this instance, the Cyberattacker will be involved in data exfiltration, and selling your datasets on the Dark Web.

6)     The Action Has Been Taken:

Once again, this is the specific situation if a Dropper has been used.  The very second that the data exfiltration has occurred, this is the moment that the “action has been taken”.  Of course, only a detailed forensics exam can reveal all of this detail, assuming the needed evidence has been collected.

The Kill Chain Model can be seen below:


(SOURCE:  https://www.darkreading.com/attacks-breaches/deconstructing-the-cyber-kill-chain)

My Thoughts On This:

While the Cyber Kill Chain may sound great in theory, the realities of it are that it is probably outdated.  To be honest, many Penetration Testing teams are already taking the mindset of the Cyberattacker, and are engaging in the ethical hacking tests that already follows the path of the Kill Chain. This framework needs to be updated to take into account the Cyber Threat Landscape as it exists today.

The modern Cyberattacker is now very sophisticated and covert in nature, and will more than likely use a Dropper in order to get the maximum for their bang.  Second, the Kill Chain model needs to now take into supply chain attacks, and using third parties to leverage them.  Once again, this is best exemplified by the Solar Winds hack in which the perpetrators deployed a Dropper onto a third-party tool.

From there, they then scoped a sampling of the intended victims, and once they were then satisfied enough, the malicious payload was then deployed, thus infecting thousands of victims in the end.  What can be done to keep up with all of this?  Well, there is one way, and that is making use of a tool called the Security Incident Event Manager, or SIEM for short. 

This will provide your IT Security with alerts and warnings on a real time basis, so that they can be proactive even before Step #2 starts to occur in the Kill Chain Model.  These tools are great for filtering out for false positives.  But this takes human intervention. Many companies complain that they simply do not have the manpower to keep up with all of this.  But once again, this all goes back to the hiring problems that we are seeing today.

So the bottom line, has the Kill Chain Model reached its useful years?  More than likely, yes.  IMHO I think the Cyber industry has more than enough frameworks and models, it is now time to take action as well as automation.


No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...