Linked by one Chain: Kill Chain-stages of cyber attacks and how to prevent them

Father

Complex, targeted cyberattacks do not appear out of nowhere. Each of them passes through several stages, from preparation and information gathering to causing damage. Understanding the anatomy of a cyberattack is essential for identifying threats and building a defensive strategy. Several models describe the sequence of an intruder's actions; this article looks at one of them, the Cyber Kill Chain.

What is the Kill Chain?

The Kill Chain is a model of the process by which cyberattacks are carried out. It describes the attackers' actions from the earliest stages of the attack, reconnaissance and planning, through to the final goal.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

A Kill Chain defense strategy should be based on understanding exactly how hackers operate, not in theory, but in practice. Behind each stage of the Kill Chain is a specific set of hacking techniques that can be countered through technical and organizational measures. Moreover, all these techniques are perfectly described; the only question is to study them in detail and apply them in practice to counteraction measures.

The concept of Kill Chain was described for the first time in 2011 and became widespread among the information security community. However, experts saw shortcomings in it, for example, the model does not take into account an attack from within, so it is not universal. Later, more advanced versions of the attack model were proposed on its basis: MITRE ATT&CK and The Unified Kill Chain.

Information security personnel should know the Kill Chain model and take it into account when building a security strategy. This will help the organization to notice the actions of intruders in time and choose the right technologies to stop the attack.

Stages of the Kill Chain

The Kill Chain consists of seven links. After completing all of them, the attackers start along the chain again, this time inside the corporate network. Keep in mind that the number of steps in an attack may decrease or increase; for example, removing traces of activity may become an additional last step.

Stages of the traditional Cyber Kill Chain:
  1. Reconnaissance. The attacker selects a target and collects information about it: studies the specifics of the industry and data on the organization's activities, and selects methods and technologies for the attack.
  2. Weaponization. At this stage attackers choose, purchase, or create their own attack tools. The weapon can be not only malware, but also web applications or files crafted to exploit vulnerabilities. Attackers can also create mailboxes, social media accounts, and phishing sites.
  3. Delivery. The payload reaches the victim's device, for example, when they download a file, visit a fake website, or use an infected USB stick.
  4. Exploitation. The malware is executed on the device.
  5. Installation. The program embeds itself in the system, masquerading as other processes, and opens remote access. Additional utilities can be installed.
  6. Command and Control. The attacker gains control over the victim's device and issues commands on what actions should be performed.
  7. Actions on Objectives. At the last step the malicious actions are performed: information theft, encryption, data substitution, etc.

Semyon Rogachev
Head of the Incident Response Department at Bastion

In our experience, attackers are most often detected at the following stages: Delivery, Installation, Command and Control, and Actions on objects.

At each stage, you can take protective actions: determine whether an attacker is present on the network, prevent unauthorized access and disclosure of data, stop outgoing traffic, interfere with network management, segment the network, and so on.

Konstantin Mushovets
Director of USSC-SOC, USSB

Let's go through all the stages of the chain. Consider an attack by an external attacker located outside the perimeter of the attacked organization. At the reconnaissance stage, effective solutions are perimeter security tools: NGFW, IDS/IPS, ASM, etc. It is important to find vulnerabilities and potential entry points before the attacker does and take the necessary measures. You can also use honeypot-class solutions to detect reconnaissance.

At the stage of payload delivery, effective solutions will be sandboxes, mail antivirus gateways, and endpoint solutions (to prevent delivery using USB media). We must not forget about Security Awareness in order to maintain the necessary level of staff readiness for phishing. Also, at this stage, it will be useful to track the presence of TI content (IoC) in security events.

At the stage of installing malware, the actions of an attacker will help detect and prevent various endpoint solutions (antivirus, EDR, etc.). Given that the subsequent stages assume that the attacker is already inside the attacked infrastructure, prompt actions to detect it become extremely important.

At the command and control stage, suspicious activity can be detected by pre-configured monitoring of information security incidents (SIEM, EDR, NTA, etc.). Attackers often move laterally during an attack to gain additional advantages. Internal network segmentation, correct configuration of access differentiation between segments, hardening, and vulnerability scanners will help to complicate their actions in this case.

At the last stage, it is no longer the application of specific security measures that is important, but the operational actions of the blue team to localize and neutralize the incident.

The first stages of the Kill Chain model take place outside the protected network, so it is difficult to detect the actions of intruders. In addition to technical tools, it is necessary to conduct information security training for employees and check whether they report suspicious activity.

The Kill Chain model in an organization's security strategy

In companies, the Kill Chain model can be used to build a defense strategy, simulate threats, or evaluate the performance of SOC specialists. The earlier attacks are detected, the better the defense is built. Statistics showing the distribution of detected and neutralized attacks at different stages of the chain will help you analyze information security weaknesses.
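As an added illustration that is not part of the original article, the per-stage statistics described above can be produced by mapping each security alert to the Kill Chain stage it evidences and then looking for stages where nothing is ever detected. The alert type names and the sample alert lines are hypothetical and constructed for this example.

```python
from collections import Counter

# The seven stages in the order the article lists them.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Assumed mapping from alert type to the stage it usually evidences (alert names
# are hypothetical; map your own SIEM/EDR rule names). Weaponization happens on
# the attacker's side, so no sensor of ours reports it.
ALERT_STAGE = {
    "ids_portscan": "Reconnaissance",
    "mail_gateway_malicious_attachment": "Delivery",
    "sandbox_verdict_malicious": "Delivery",
    "edr_exploit_prevention": "Exploitation",
    "av_quarantine": "Installation",
    "edr_persistence_created": "Installation",
    "nta_beaconing": "Command and Control",
    "dlp_exfiltration": "Actions on Objectives",
}

# Constructed sample alerts "timestamp,alert_type,outcome", not real telemetry.
SAMPLE_ALERTS = """\
2024-05-01T08:01,ids_portscan,alerted
2024-05-01T09:15,mail_gateway_malicious_attachment,blocked
2024-05-01T09:16,sandbox_verdict_malicious,blocked
2024-05-02T11:40,edr_persistence_created,alerted
2024-05-02T11:42,nta_beaconing,alerted
2024-05-02T13:00,av_quarantine,blocked
2024-05-03T02:10,dlp_exfiltration,alerted
"""

def parse_alerts(text):
    """Split CSV-like alert lines into (timestamp, alert_type, outcome) tuples."""
    return [tuple(f.strip() for f in line.split(",", 2))
            for line in text.splitlines() if line.strip()]

def stage_distribution(alerts):
    """Per stage: (detections, how many of them were blocked), in chain order."""
    detected, blocked = Counter(), Counter()
    for _, alert_type, outcome in alerts:
        stage = ALERT_STAGE.get(alert_type)
        if stage is None:
            continue  # alert type not mapped to the chain; ignore it
        detected[stage] += 1
        blocked[stage] += outcome == "blocked"
    return {s: (detected[s], blocked[s]) for s in STAGES}

def blind_spots(distribution):
    """Stages with no detections at all: candidate gaps in sensor coverage."""
    return [s for s in STAGES if distribution[s][0] == 0]
```

On the sample data, Weaponization and Exploitation show up as blind spots: the first is expected (it happens outside your visibility), while the second points at missing exploit-prevention telemetry worth investigating.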

Kai Mikhailov
Head of Information Security at iTPROTECT

The main recommendation is to approach the implementation of a defense strategy at each stage of an attack, but in practice, organizations immediately face a financial issue. Fortunately, for companies of any size, there are practices for building defense strategies in which attacks are cut off not only at the initial stage, but also at a later stage, with a rational use of security tools. Many systems can work at several stages (NGFW, Anti-APT, security scanners, etc.). Activity at some other stages can be neutralized by correct settings of IT systems or Open-source tools.

A single model can be used to analyze, compare, and protect against end-to-end cyberattacks from modern persistent threats. But it is important to note that the traditional Kill Chain, consisting of 7 links, is not suitable for modeling an internal threat, so information security experts recommend using its extended version.

Semyon Rogachev
Head of the Incident Response Department at Bastion

Initially, Cyber Kill Chain was implemented in 2011 as an attempt to break down the attacker's actions into stages using cyber intelligence knowledge. Since then, there have been other ways to describe an attacker's actions and divide their actions into stages. If the reader is looking for a defense strategy based on the Cyber Kill Chain, it is better to look at its extended version, since it contains a more detailed breakdown into stages and describes the attack as several cycles, which is closer to real life, or MITRE ATT&CK. Both options are not without drawbacks, but they allow you to describe the actions of attackers in more detail, and understand at what stages of the attack it is possible to detect their actions.

When building protection at each stage of an attack, you should pay attention not only to the implementation of technical tools, but also take other security measures. For example, perform penetration testing to detect vulnerabilities.

Conclusion

The Kill Chain is an important tool for understanding the mechanisms of cyber attacks and their prevention. By analyzing the stages of cyber attacks from start to finish, you can better understand the strategies and tactics of attackers.

Vladimir Aryshev
STEP LOGIC Integrated Information Security Project Expert

To protect against the Kill Chain, it is necessary to build a comprehensive security system that will provide layered protection against the maximum number of attack vectors.
Comprehensive protection includes such aspects as perimeter protection, endpoint protection, network activity monitoring, incident analysis and response, regular updating of systems and security tools, as well as training users in information security skills.
This approach allows you to create a number of layers of protection, each of which is a barrier to an attacker and increases the chances of detecting and preventing attacks at any stage of the Kill Chain.

Understanding the Kill Chain helps you develop better defense strategies, improve security measures, and respond to threats quickly and efficiently.