Monday, August 12, 2013

Cyber Kill Chain: Hope or Hype?

The concept of a Cyber Kill Chain was adopted from the military kill chain concept, which describes the stages of an attack. As you might guess, a cyber kill chain does just that, but for cyber attacks. This post will discuss some of the practical issues you will need to consider if you want to implement your own cyber kill chain.

The Basics

There are many resources online (see the References section below) which detail the cyber kill chain concept. Lockheed Martin [3] demonstrated how they successfully used a cyber kill chain to deal with attacks against their own network. This work and others will be the basis for this blog entry.

What I want to talk through are some of the thought processes you'll need to consider to realize a kill chain for your organization. The audience for this post is anyone who is new to network and cyber security. While I provide basic treatment of each step in the chain, you will want to research this topic yourself to gain a much better understanding of it.

First off, here is some quick background on me. I have spent the last 13 years of a 20-year IT career building and using log data collection systems, Security Information and Event Management (SIEM) systems, Intrusion Prevention Systems (IPS), anti-virus software, security event correlation and pattern recognition systems, and others. I have a unique perspective on how to employ such systems and tools to achieve a cyber kill chain effect in an organization. I'd like to discuss each of the steps in the chain and provide my thoughts and guidance on the challenges inherent in each. A common theme you will see throughout is that it comes down to People, Process and Technology.

Alright, we are now ready to begin discussing the stages!

Reconnaissance

During this initial stage of the kill chain, the adversary attempts to gain knowledge about your company, employees, physical locations (including offices and data centers). All of this is aimed at identifying, and eventually exploiting, key assets and resources which are of value to you and the attacker. This could be financial records, R&D plans, credit card numbers, etc. So how can you defend yourself against this first stage in the cycle?

The following are some things you can do to mitigate the tactics used by attackers during reconnaissance.
  • Annual Information Assurance (IA) Training: Provide annual training so that your organization understands the basics and importance of IA, security, data loss prevention (DLP), etc. Such training should be mandatory each fiscal/calendar year.
  • Social Media Policy: Many organizations create policies around acceptable use of social media while on company time. Sites like LinkedIn, Facebook, and others can be valuable resources for cultivating both new customers and new employees. In my organization, employees are trained on how to identify possible suspicious behavior on these social media sites, and how to report such incidents to the internal security team. 
  • Physical Security: Don't discount the usefulness of securing your physical offices and data centers with access cards and bio-metrics. Requiring two-factor (or multi-factor) authentication is ideal for allowing access to your most sensitive areas. Make sure you limit the number of people who can access your more sensitive areas, too. Having people who don't really need access to these areas is a risky proposition.
  • Don't Disclose Too Much Information: Depending on the type of business you are in, you may not want to disclose your physical address on your publicly facing Web site. And in some cases, you may not want to have signs pointing to your front door. Some organizations which are in the business of providing network security services might fall into this category. Not disclosing too much can extend to the individual as well. As already mentioned, LinkedIn is a great site for networking. But you will want to limit the information you put out there. For example, if you hold a secret or top secret clearance for the work your organization does, you might not want to advertise this on social media sites.
  • Exterior Defense: Ensuring you have proper security controls, protections and policies in place can help mitigate reconnaissance. Properly reviewing log data from your security devices (Web Application Firewalls (WAF), firewalls and so on) can help reveal unusual behavior. This only works if you are capturing your logs and reviewing them (either with an automated tool or manually) as a regular course of business. Having historical data also lets you discover trends over time, which is the only way to spot "low and slow" behavior such as a port scan spread across days, where each individual event looks harmless.
  • Interior Defense: An area that is often overlooked is securing your internal network. In an effort to reduce data loss, many organizations are restricting access to cloud-based file sharing systems like Google Drive and Docs, Dropbox and others, not to mention Webmail services. Another tactic is to ensure your workstations are up-to-date with the latest patches. There are several commercial tools which can help with patch management. Yet another technique is to restrict the usage of USB ports on workstations. This can be both a way to prevent the auto-running of malicious code on thumb drives and also as a means of preventing data loss. Anti-virus software on all systems is a great protection point. Last but not least, you should employ email filtering software to block file types which are commonly used as attack vectors.
  • Log Early and Often: I already touched on this in the Exterior Defense bullet point. This cannot be stressed enough. If you are going to have any chance of thwarting attackers, you need to make sure you have enabled logging on all your security, networking, server, AV, etc., systems. You then need to have a place to collect and analyze these events. While it is outside the scope of this blog entry, you should regularly review your logs and, if your log collection software supports it, perform correlation to find patterns in the data.
  • Incident Response Plan: One of the most critical aspects of thwarting would-be attackers is to prepare and execute an Incident Response (IR) plan. That is, how you identify that something has happened and how you deal with it. The SANS organization describes six stages in the IR process [5]: Preparation, Identification, Containment, Eradication, Recovery, and Follow-up (lessons learned). The cited reference is a good read on the topic.
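The "low and slow" point in the Exterior Defense and Log Early and Often bullets is easiest to see with a concrete correlation rule. The following is an added example, not code from the original post: it reads constructed firewall deny events (the line format is an assumption; adapt the regex to your own firewall's syslog output), groups them by source address, and separates a burst scan that any interval-based IPS rule would catch from a scan of the same ports stretched across most of a day, which only shows up when you retain and correlate history.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall deny events (not real logs). The line format is an
# assumption; adapt FIREWALL_LINE to whatever your firewall actually emits.
SAMPLE_LOG = """\
2013-08-12T00:03:11 DENY src=203.0.113.7 dst=198.51.100.10 dport=21
2013-08-12T01:41:52 DENY src=203.0.113.7 dst=198.51.100.10 dport=22
2013-08-12T03:17:09 DENY src=203.0.113.7 dst=198.51.100.10 dport=23
2013-08-12T05:02:44 DENY src=203.0.113.7 dst=198.51.100.10 dport=25
2013-08-12T06:55:30 DENY src=203.0.113.7 dst=198.51.100.10 dport=80
2013-08-12T08:29:18 DENY src=203.0.113.7 dst=198.51.100.10 dport=110
2013-08-12T10:14:01 DENY src=203.0.113.7 dst=198.51.100.10 dport=143
2013-08-12T12:48:37 DENY src=203.0.113.7 dst=198.51.100.10 dport=443
2013-08-12T14:33:55 DENY src=203.0.113.7 dst=198.51.100.10 dport=445
2013-08-12T16:20:12 DENY src=203.0.113.7 dst=198.51.100.10 dport=3389
2013-08-12T09:00:00 DENY src=192.0.2.44 dst=198.51.100.10 dport=3389
2013-08-12T09:00:01 DENY src=192.0.2.44 dst=198.51.100.10 dport=3389
2013-08-12T09:00:02 DENY src=192.0.2.44 dst=198.51.100.10 dport=3389
2013-08-12T09:30:00 DENY src=198.51.100.77 dst=198.51.100.10 dport=21
2013-08-12T09:30:01 DENY src=198.51.100.77 dst=198.51.100.10 dport=22
2013-08-12T09:30:02 DENY src=198.51.100.77 dst=198.51.100.10 dport=23
2013-08-12T09:30:03 DENY src=198.51.100.77 dst=198.51.100.10 dport=25
2013-08-12T09:30:04 DENY src=198.51.100.77 dst=198.51.100.10 dport=80
"""

FIREWALL_LINE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_events(text):
    """Turn raw deny lines into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = FIREWALL_LINE.match(line.strip())
        if not m:
            continue  # skip lines we do not understand rather than abort the run
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def find_scans(events, min_ports=5, min_span_hours=6.0):
    """Classify sources by distinct ports probed and how long the probing took.

    Many ports inside a short window is a 'fast scan' that a single-interval
    IPS rule catches; the same ports spread over many hours is the 'low and
    slow' pattern that only retained history and correlation reveal.
    """
    by_src = defaultdict(lambda: {"ports": set(), "first": None, "last": None})
    for ts, src, _dst, dport in events:
        rec = by_src[src]
        rec["ports"].add(dport)
        if rec["first"] is None or ts < rec["first"]:
            rec["first"] = ts
        if rec["last"] is None or ts > rec["last"]:
            rec["last"] = ts

    verdicts = {}
    for src, rec in by_src.items():
        if len(rec["ports"]) < min_ports:
            continue  # repeated hits on one port are noise for this rule
        span_hours = (rec["last"] - rec["first"]).total_seconds() / 3600
        verdicts[src] = "low-and-slow scan" if span_hours >= min_span_hours else "fast scan"
    return verdicts


if __name__ == "__main__":
    for src, verdict in find_scans(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

Run against the sample, 203.0.113.7 is flagged as a low-and-slow scan (ten ports over roughly sixteen hours), 198.51.100.77 as a fast scan, and 192.0.2.44 is not flagged at all because it only retried a single port. The thresholds are the tuning knobs: in production you would run this over at least a day of retained deny logs and feed the verdicts to your SIEM rather than printing them.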

Weaponization, Delivery, Exploitation and Installation

These four stages are where the attacker builds and uses the tools, exploits, social engineering and other techniques needed to get onto the asset or assets discovered during reconnaissance. In weaponization an exploit is paired with a payload (for example a backdoor embedded in a document); in delivery that weapon is transmitted to the target, typically by e-mail attachment, a malicious Web site or removable media; in exploitation the weapon triggers on the victim system; and in installation the payload establishes persistence. The point of all four is to gain a foothold on critical resources which will eventually lead to Command and Control (C2).

Command and Control (C2)

This phase in the chain is the prize as far as the attacker is concerned. Once attackers have C2 in your environment they can start using your systems to do nefarious things. Desktops and other computers can be used to "phone home" to receive instructions on what actions to take, not take, etc. The worst part is that machines which have been taken over can lie dormant for long periods of time, thus making the detection and cleanup efforts very difficult. In an effort to avoid exposure and detection, the interloper might try to cover her tracks by deleting files on servers, changing configurations, etc.

How do you combat such ruthless tactics? If you are implementing the things discussed in the Reconnaissance section, then you are already on your way. An additional thing you can do is employ a Host-based Intrusion Detection System (HIDS). A HIDS monitors the internal state of a system against a known-good baseline and detects changes to the file system, configuration files, binaries, etc., which is exactly where a newly installed implant or an attacker's cleanup shows up.

Establishing scheduled maintenance change windows for networking devices, servers and other critical infrastructure is also a good tactic. Most devices will generate a log message when a configuration parameter is changed (Cisco IOS is very good about this, for example: it emits a %SYS-5-CONFIG_I message naming the user and the line the change came from). If you begin receiving change log messages outside of your maintenance window, it might be time to start investigating.
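The maintenance-window check above is a small rule to write, so here it is as an added example rather than code from the original post. The sample lines are constructed in the shape a syslog collector typically records for Cisco IOS messages (relay timestamp, hostname, then the IOS mnemonic); they are not real device output, and the Saturday 02:00-06:00 window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines (not real device logs) in the shape a syslog
# collector records for Cisco IOS: "<relay timestamp> <host> <IOS message>".
SAMPLE_SYSLOG = """\
Aug 10 03:14:07 core-sw1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.10.5)
Aug 12 14:22:51 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.9)
Aug 12 14:23:05 edge-rtr1 %SYS-5-CONFIG_I: Configured from memory by console
Aug 12 14:25:00 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
"""

# "on <line> (<addr>)" is present for interactive changes and absent for
# changes applied from memory, so both trailing groups are optional.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+))?(?: \((?P<addr>[^)]+)\))?"
)

# Assumed maintenance window: Saturdays (weekday() == 5) from 02:00 to 06:00.
MAINT_WINDOW = {"weekdays": {5}, "start_hour": 2, "end_hour": 6}


def parse_config_changes(text, year):
    """Extract config-change events. Syslog timestamps carry no year, so supply it."""
    events = []
    for line in text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue  # not a config change (link flaps, logins, etc.)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts, "host": m["host"], "source": m["source"],
            "user": m["user"], "line": m["line"], "addr": m["addr"],
        })
    return events


def in_window(ts, window=MAINT_WINDOW):
    """True if the timestamp falls inside the approved change window."""
    return (ts.weekday() in window["weekdays"]
            and window["start_hour"] <= ts.hour < window["end_hour"])


def changes_outside_window(events, window=MAINT_WINDOW):
    """Every config change that did not happen during maintenance is an alert."""
    return [e for e in events if not in_window(e["ts"], window)]


if __name__ == "__main__":
    for e in changes_outside_window(parse_config_changes(SAMPLE_SYSLOG, 2013)):
        print(f"ALERT {e['ts']} {e['host']}: config changed by {e['user']} "
              f"from {e['source']} {e['line'] or ''} {e['addr'] or ''}".rstrip())
```

With the sample data the Saturday 03:14 change by netops passes, while the two Monday afternoon changes are flagged; the second of those has a source address outside your management network, which is the detail you would pivot on first. Note that the relay timestamp is the collector's clock, not the device's, so keep NTP in order on both or the window check drifts.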

Another very good policy to follow is to disallow administrator privileges on user workstations. This combined with patch management software means that users will always have the latest patches and updates to applications, while minimizing the risk of introducing viruses, trojans, etc.

Actions on Objectives

Here is where things get real. The attacker is now at the point where he or she has the access needed to begin doing the things they want: data theft, denial of service (DoS), excessive resource consumption on servers, and so on. In order to gain entry to targets, attackers may use several (or many) systems in your environment, jumping from one machine to the next to get at the target, observe company behavior, or even distract you from the fact that an attack is underway.

An interesting point which needs to be observed is that which is discussed in the Akamai blog on the DDoS Paradox [4]. It's a great, short read and is worth keeping in mind. Assuming you are able to detect the fact that a cyber criminal is in the Actions on Objectives stage of the cycle, your likely response will be to bolster your defenses via active response, e.g. putting more restrictive firewall rules in place, turning down switch ports, etc. All of this is well and good, but it can come at a price: you can end up reducing bandwidth to your critical publicly facing infrastructure and doing the attacker's denial-of-service work for them. If you also have traditional network monitoring in place, you can monitor, in real time, the impact of making such changes to your infrastructure.

The Real World

So how does the 'real world' achieve success with a cyber kill chain? As you have probably guessed, combating cyber attacks takes a multi-pronged approach. You have to collect log data, correlate it with other sources of information and hopefully have enough intelligence to take action. The DoD has its way of dealing with this, as does the private sector. The two are not really that disjoint, since both are detecting the same threat with the same kinds of data.

Here are few concluding thoughts/remarks.

  • Stopping threats as early as you can in the cyber kill chain will minimize your overall exposure to the later, more damaging stages
  • Enable logging and alerting on all your security, network, and server systems
  • Point your machine-generated logs and events to a system capable of collection, correlation, analysis and reporting
  • Embrace the People, Process and Technology paradigm
  • Seek out help if you don't have the resources and/or budget to do this on your own. Searching for 'MSSP' on Google can provide links to companies who can help you manage your environment


Hopefully this blog was enlightening. There is hope in thwarting attackers provided you have people, process and technology in place to help mitigate each stage of the cyber kill chain. I'd love to hear feedback from you on how you've solved this problem, what challenges you overcame, etc. If you just want to expand on areas I touched on, then please feel free to do so.

Lockheed Martin Cyber Kill Chain paper:


  1. Excellent job here. Thank you for making the time to write.

  2. Great article Kevin! A couple of questions:
    Is the log analysis process automated or does it require human effort/analysis? Given the extent of devices connected to DOD networks, is it feasible to collect enough log data to gain a complete picture? Even if this picture can be generated, do we have the capability and/or manpower to detect all instances of "unusual behavior"?
    Food for thought: Recently my device was audited by my organization’s IA department. They found multiple vulnerabilities on my machine and referred me to the IAVM patch site to acknowledge alerts and install certain patches. One thing I noticed was that the majority of the IA alerts that were detected on my laptop didn’t have a patch; the IAVM site simply stated that the vulnerability was “unresolved”. Given the massive amount of vulnerabilities and the extent of devices connected to our networks, is network security even possible?

    1. Thank you, Josh. Nowadays the analysis is automated, provided an organization has the know-how to install, configure and use some sort of open source or COTS system. The manual piece comes into play when the results of automated analysis point to something which needs manual investigation.
      As for the security question, it's a minute-to-minute moving target. As I mentioned in the Recon section of the post, if an organization does most of what is described there then they are doing a pretty good job. There is no silver bullet. It's a multi-layered problem which requires people, process and technology to be in sync and constantly evaluating how all three are interacting with each other.