Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Breaking Cyber Kill Chains®

The “cyber kill chain®”1 is a model for framing an incident response/analysis capability that was developed by Lockheed Martin’s Computer Incident Response Team. It is a useful framework for talking about and reasoning about why and how we do things in security. The term “kill chain” is admittedly violent when you consider that we're talking about an environment in which, ideally, nothing of the sort is happening. But the framework is useful, as we shall see. Think of the cyber kill chain as an attack chain, the path that an intruder takes to penetrate information systems over time to execute an attack on a target.

The framework breaks down the stages of a hack as follows:

  • Reconnaissance - studying public information about the target, the target's environment, software mix, practices and software loadout
  • Weaponization - preparing a backdoor and a penetration plan intended to deliver a successful attack
  • Delivery - launching the attack and injecting the backdoor
  • Exploitation - triggering the backdoor
  • Installation - installing the backdoor as a bootstrap and any additional remote access tools
  • Command and Control - use of the tools to establish remote access
  • Actions on Objectives - collecting and exfiltrating information, or other actions against the target

The time to start collecting more information about your network, servers and systems is a couple of months before someone exfiltrates your customer database

By breaking the chain of causality at any point, we avoid the consequences of the subsequent non-events. That's a very powerful concept! And it really argues strongly that our intuitive response to computer security is pretty common sense: doing whatever we can at the early stages of the sequence of events saves us grief later; we are right to put most of our effort into our front-line defenses. Think about it this way: if your anti-virus software is even only 50% effective, that wipes out 50% of the potential problems you might have to deal with later on – at much greater cost.

The cyber kill chain is also a good model for explaining to management why you might want to front-load your blocking efforts. As we look at each stage of the kill chain, we can talk about the various technologies that are available to us and the cost of failure and response at that stage.

Significance of Failure
Stage Cost of Failure
Reconnaissance Zero
Weaponization Zero
Delivery Zero
Exploitation Proactive security
Installation Cleanup
Command and Control Forensic response
Actions on Objectives Business response

It's useful to point at this table and say, “We want to do a few things here, so that we don't get there.”

This also segues nicely into an analysis of what we can do to prepare for things going wrong at each stage of the kill chain. Some of the conclusions may seem a bit counter-intuitive but they're actually more important for all that:

Preparing for Trouble
Stage Preparation
Reconnaissance None – we remain unaware
Weaponization None – we remain unaware
Delivery None – we remain unaware
Exploitation
  • Firewalls
  • Anti-virus software
  • Desktop security
Installation
  • File tamper monitoring
  • Configuration management
  • System monitoring
Command and Control
  • Network monitoring
  • Audit logging
  • Traffic logging
  • Network trace logging
Actions on Objectives
  • Server-level file access monitoring
  • Network trace analysis
  • Event analysis

I've often talked to IT professionals who turn off audit trails and logging on the grounds that they're not going to have time to do any analysis against it so there's no point collecting it. But kill chain analysis tells us that we might need data that can only be collected in advance of something going wrong. The time to start collecting more information about your network, servers and systems is a couple of months before someone exfiltrates your customer database, because (hopefully) you'll have a better chance of figuring out what happened so it doesn't happen again, and so you can shorten your disaster response cycle. If you end up having to call in consultants to unwind a disaster response, you may be able to cut a few zeroes from the right side of their invoice. So even if your ground reality is that you're not going to set up a complete system log analysis capability, you may want to do a needs analysis for tools that you should pre-position, so that they are there when you need them. That's when not if.

By breaking the chain of causality at any point, we avoid the consequences of the subsequent non-events

A complete network monitoring approach is crucial for reining in the time spent dealing with incidents, by providing traffic data and log information, as well as helping detect and track initial outbreaks as they occur. Part of what makes this a hard problem is the need to search backward and forward in time: when you detect that something has gone wrong now, you need to be able to go back in time to see how it happened then, and figure out what else happened between then and now. You stress every aspect of your system, from prevention at endpoints to vulnerability management, up through malware detection, log and event correlation. A product like Tenable’s SecurityCenter Continuous View™ can provide all this functionality. See Ron Gula’s blog post on Identifying the Weakest Links in Cyber Kill Chains for more detail about SecurityCenter's metrics and kill chain dashboards.

The final place where you can use the kill chain model is as an abstract framework for training and assessing your organizational readiness. At each stage of the kill chain, you can hypothesize a reasonably realistic failure, and do a paper-drill assessment to compare your capabilities against what you might want. Don't make the process adversarial; use it as a way of moving into a gap analysis. For example, consider a hypothetical case: one of the engineers left the company and may be going to a competitor (he’s acting squirrelly). Some reasonable questions to ask about this scenario are:

  • Do we have any capability to tell if the engineer took source code?
  • Do we have the ability to retrieve a list of files the engineer may have taken in the last 30 days?

Both of those questions might be answered with improved logging on some servers; check and see whether you currently collect enough information. If you walk through a plausible scenario like this one, it will help you define what you think are reasonable expectations and capabilities — you might decide you need even tighter data controls than just improved logging. But if you just decided a few years ago that “our firewall logs are pretty good,” you may now realize that's not enough.

Walking through a few paper-drill assessments lets you go back to management with some plausible scenarios that aren't FUD (fear, uncertainty and doubt); they're based on “if:then” scenarios and you can reasonably explore the trade-offs that are exposed.

In a previous life, I did incident responses on some fairly significant breaches. When you're called in to help fix a disaster, one characteristic always emerges: many wrong decisions were made in the past. After all, you don't get called in as an incident response consultant by organizations that have top-notch configuration management, network access tracking, server logging, and tamper detection. If you asked, “Do you have the firewall logs?” the response would typically be, “Uh, some of them.” It's a truism that there's never enough data, and the reason that it's true is exposed by kill chain analysis. Eventually you may find yourself in a state where you lack the critical information you need in order to go further. Then what?

1 CYBER KILL CHAIN is a registered trademark of Lockheed Martin Corporation.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training