On March 5, a ransomware attack managed to hijack patient data at the Hospital Clínic in Barcelona, one of Spain’s most important medical centers. This led to the cancellation of thousands of tests and consultations, the de-scheduling of hundreds of surgeries and the referral of many patients to other hospitals in the city. This targeted cyber-attack, the work of the Ransom House group, took the Clínic back to the analog era for days. In exchange for returning the data, the criminals demanded 4.25 million euros from the Generalitat. How could the attack have succeeded? We would have to know precisely all the phases of its Cyber Kill Chain to find out.
The Cyber Kill Chain concept refers to the life cycle of a cyber attack. That is the set of deployed phases, techniques, procedures and operations so criminals can carry out their purposes. For example, in the case of Hospital Clínic, the objective was to steal and encrypt patient records to extort money from the Catalan executive.
This security incident, which has had a direct impact on the health of thousands of people, demonstrates the difficulty of preventing, detecting and mitigating a targeted attack, as well as the need for cyberintelligence and Threat Hunting professionals to unravel the Cyber Kill Chain of a cyberattack and be able to deal with it successfully.
Next, we will analyze what the Cyber Kill Chain is, what are the seven phases that make it up and its usefulness when it comes to understanding how criminals operate and being able to arm oneself against attacks. And we will do so without quoting Sun Tzu once. We promise.
1. The origin of the Cyber Kill Chain: from military to virtual
The Cyber Kill Chain is a framework developed by the defense company Lockheed Martin. This multinational company has existed for over 100 years and is one of the US Army’s main contractors. Over the years, it has adapted its business model to meet one of the greatest threats that state, companies and citizens face: cyber-attacks.
As part of this process, Lockheed Martin has designed the Cyber Kill Chain, a framework used globally to investigate and prevent attacks against companies and countries. This framework transposes the knowledge and procedures of classic military intelligence to cybersecurity.
We promised not to quote Sun Tzu, but it is clear that the way humans operate during a war has not changed over the centuries. What has changed are the tools and the terrain of combat, but not the logic behind the strategies put in place by both the aggressors and the actors seeking to defend themselves successfully.
Given what we have just pointed out, the Cyber Kill Chain functions as a way of systematizing cybercriminals’ actions when they launch a targeted attack. This systematization helps cybersecurity professionals understand, prevent, detect, combat and disrupt a cyber attack.
The framework is so simple and synthetic that it can be adapted to any cyberattack, regardless of the tactics and techniques employed in the attack. This has allowed it to become a de facto standard, used by Red Team, Cyber Intelligence or Threat Hunting services.
2. Combating advanced persistent threats (APTs)
The Cyber Kill Chain is very useful in addressing targeted attack research. It helps cybersecurity professionals systematize the phases of these sophisticated cyberattacks and categorize the techniques and tactics employed in each phase of an advanced persistent threat (APT).
The APT concept is quite graphic, as it makes visible the three keys to APTs and the criminal groups that implement them:
- Threats. These cyberattacks threaten the organizations against which they are directed. Without an efficient security strategy and ineffective detection and response procedures, the consequences of an APT attack can be devastating.
- Persistent. One of the keys to APTs is that they are difficult to identify. Thus, if the organization against which the attack is directed does not have the appropriate detection mechanisms, the threat can persist for a long period, causing extraordinarily serious damage to the company or institution.
- Advanced. The technological revolution we live through has numerous advantages, but it also entails risks. Innovations are used by criminals to design and implement increasingly sophisticated and complex attacks, combining multiple techniques, tactics and procedures to breach the defenses of a particular company or institution. This makes the arduous task of preventing, detecting and mitigating them even more difficult.
2.1. Resourceful and highly skilled cybercriminal groups
Given their complexity, advanced persistent threats are designed and executed by APT groups with the financial resources and expertise to devise their procedures and techniques.
Moreover, some criminal groups do not target just any company. Still, their attacks are directed against public administrations and large companies to carry out high-level cyber espionage or fraudulent actions, or on other occasions, extortion (remember the attack on the Clínic), which brings them large economic benefits.
3. The seven steps of the Cyber Kill Chain
As software and hardware have a life cycle, so do targeted attacks. The Cyber Kill Chain is used to understand this life cycle and to unravel what actions are carried out in each of the phases a cyber attack goes through until it achieves its objectives.
The Cyber Kill Chain serves as a roadmap for cyber intelligence and Threat Hunting professionals to investigate how criminals operate and to adapt a company’s or government’s security strategy to detect, prevent and respond to advanced persistent threats.
How do the best-trained and most resourceful criminal groups operate? They start by recognizing their victim and end up carrying out their malicious actions.
3.1. Reconnaissance
The first phase of the Cyber Kill Chain focuses on initiating the preparation of the targeted attack. To do this, the criminals extensively research the company or institution they wish to attack. This phase aims to establish the targets that can be breached to gain access to the organization.
Hence, during surveillance, the criminals carry out the following actions:
- Collect the email addresses of professionals in the company or public administration since email is a basic work tool and one of the main attack vectors.
- Track the profiles of professionals on social networks to employ some social engineering techniques.
- Collect information about the company or institution that could be useful in the next phases of the Cyber Kill Chain, such as public contract awards.
- Discover servers accessible from the Internet that can be attacked.
During the reconnaissance phase, criminals exploit the lack of cybersecurity awareness that many professionals and companies suffer from.
Awareness and training are essential to prevent cyber-attacks and hinder their implementation.
3.2. Armament or preparation
This phase honors the military origin of the Cyber Kill Chain and revolves around a key issue for any army: the need to arm itself before launching a war.
If we abandon the language of war, this phase revolves around preparing for the cyber-attack.
To do this, the criminals:
- Define the attack vectors (insecure credentials, Social Engineering, exploitation of vulnerabilities…) based on the information collected and analyzed and the vulnerabilities detected.
- Obtain or design the malware to be used.
- Develop implants and backdoors and prepare the command and control infrastructure to be used in the targeted attack to maintain persistence on the victim.
In this phase, criminals define and prepare their weapons, i.e., the techniques they will use to launch the cyberattack and achieve their objectives: customized malware, documents that execute a specific payload when opened, phishing…
3.3. Distribution or delivery
The preparation for the cyberattack is complete, and it is now time to launch it against the target company or administration. Lockheed Martin differentiates between two distribution scenarios. On the one hand, the delivery of the malware is controlled by the criminals, as is the case when attacking web servers directly.
On the other hand, distribution is initiated by the target, for example, by opening a link from an email or social network that leads to a malicious website or by accessing an infected file via email or a USB stick.
In this second scenario, social engineering and the cyberintelligence knowledge and methodologies of the criminal group play a crucial role.
If the malware distribution is successful, the bad guys will be able to infiltrate the structure of the targeted organization and thus proceed with the next step of the Cyber Kill Chain.
As in the previous phases, during the transmission of the attack, the criminals take advantage of problems with employee awareness and training. If the personnel can identify security risks, they will not proceed to download or open a potentially dangerous file or access an unknown website.
3.4. Exploitation
This phase of the Cyber Kill Chain aims to gain initial access to the organization’s systems. To do this, a vulnerability in the software or service must be exploited, or a human vulnerability, either through ignorance or recklessness.
Zero-day exploits, i.e., exploiting vulnerabilities that have yet to be publicly disclosed, are particularly effective since there are often inadequate security measures to detect and stop them.
As we pointed out earlier when discussing distribution, exploitation can be triggered directly by criminals, as in attacks on server vulnerabilities, or by victims, as happens when a worker downloads and opens a malicious file that came in an email.
Do members of the organization realize at the time that the file they have opened contains malware? Often not, as APT groups implement measures to hide the attack, increasing its potential impact on the organization.
Without going any further, in the case of the Hospital Clínic ransomware attack, it is believed that the attackers were already inside the organization since Thursday, three days before the encryption and hijacking of patient records took place. However, they managed to remain undetected by the security mechanisms.
3.5. Installation
Exploitation immediately leads to installation. Criminals install backdoors that enable persistence to maintain the access obtained for as long as possible.
They often manage to establish communication between the internal and external systems to remain undetected on the endpoint and increase the impact on the organization. To do this, criminals can employ a wide variety of techniques.
The key is to remain inconspicuous to avoid being detected by the organization’s security mechanisms and protocols.
During this phase, tactics such as privilege escalation to gain access to more relevant and confidential areas and information or lateral movement play a key role.
3.6. Command and control
Installed malware and backdoors allow the bad guys to remotely manipulate their victims, taking control of the systems. This means that criminals can remotely launch malicious actions to steal credentials, get hold of confidential information or install other types of programs such as spyware or ransomware.
Two-way communication channels are used between the inside and the outside, often relying on HTTP or DNS to get to the outside.
The command and control phase allows the attackers to reach the final step of the attack: implementing actions against the organization.
3.7. Actions
The last phase of the Cyber Kill Chain is purely executive and focuses on achieving the mission objectives:
- First, obtain user credentials to launch future attacks.
- Escalate privileges to obtain top-secret information.
- Hijack data.
- Exfiltrate confidential information.
- Destroy the organization’s systems.
- Corrupt data or alter it in an imperceptible way…
The bad guys’ actions are aimed at damaging the company or administration they have targeted. And the consequences can be devastating, depending on the effectiveness of the security systems and the ability to detect criminal actions in the shortest possible time and to have the right tools and personnel to interrupt them and restore normality as soon as possible.
4. Cyber Intelligence and Threat Hunting to unravel and cut the Cyber Kill Chain
In describing the seven phases of the Cyber Kill Chain, we have focused on unraveling the actions criminals take to complete the life cycle of a cyber attack. But what about defenders? Can’t they do anything to cut the Cyber Kill Chain and prevent an attack from succeeding? Of course, they can. Cybersecurity professionals can act throughout all phases of the attack lifecycle and prevent the bad guys from being able to move from one phase to the next until the final actions are carried out.
In this fight to cut the Cyber Kill Chain, two core areas play a key role in the fight against advanced persistent threats: cyber intelligence services and Threat Hunting services.
Cyber intelligence professionals are key to investigating a cyber attack during its first three phases: survey, preparation and distribution. After all, criminals develop cyber intelligence actions during these steps of the Cyber Kill Chain: research and information gathering, detection of attack vectors and vulnerabilities, and design of social engineering techniques to distribute malware…
While Threat Hunters have the knowledge and the most appropriate methodologies to detect attacks at the Endpoint or Identity level, they play an essential role in the last four phases of the Cyber Kill Chain: exploitation, installation, command and control and actions. Proactive Threat Hunting services focus on tracking the presence of advanced cyber threats in an organization’s networks and systems:
- Investigating undetected compromise scenarios.
- Analyzing activity on endpoints and servers.
- Detecting threats based on compromised hypotheses and telemetry queries.
4.1. Reconnaissance: What information are the bad guys looking for?
It isn’t easy to detect a cyberattack in its initial phase. However, logs of visits to company websites can be collected to detect browsing behaviors that are associated with APT groups’ reconnaissance tactics and procedures.
It should also be noted that cyber intelligence professionals can, in turn, conduct surveillance of criminal groups known to launch advanced persistent threats. In this way, it would be possible to detect how they operate in this initial phase, what type of information they collect and what targets they focus on.
It should also be noted that although the Cyber Kill Chain cannot be cut in this initial phase, the data obtained during the survey can be analyzed a posteriori, and useful conclusions can be drawn.
4.2. Weaponization or preparation. Stripping down the malware used in APTs
In warfare, when a state employs a new weapon it initially manages to surprise its opponents. However, when they are able to analyze how it works, understand how it is manufactured and devise strategies to mitigate its effects, its devastating potential diminishes.
This is the same when it comes to combating APTs. Again, analysis of the malware used by the bad guys is essential to prevent future attacks and optimize the ability to detect and mitigate these malicious programs.
Cyber intelligence services make it possible to trace a chronology of malware, know when it was designed and in which cyberattacks it has been used, and inventory the most common malware used by APT groups.
All this wealth of intelligence information is used to adapt a company or institution’s security strategies and mechanisms to the most innovative techniques.
In addition to the programs used by criminals, it is important to investigate the attack vectors and vulnerabilities used by APT groups to achieve their objectives. Why? To increase their defense by fortifying the organization’s weak points.
4.3. Distribution or delivery: How are attacks launched?
The Cyber Kill Chain launch phase provides information on how criminals distribute their malware: email, social networks, and direct attacks on perimeter services…
Gathering information on the distribution strategies employed by APT groups can be very useful to cut the Cyber Kill Chain at this stage or strengthen its security measures.
For example, if sending an infected file via email is a common procedure in this kind of attack, an email filtering system can be set up to detect dangerous documents.
Criminals know that intelligence is key to success. But, are companies aware of the importance of having cyber intelligence services in place to understand how the early stages of the APT Cyber Kill Chain work?
4.4. Exploitation. Stopping zero-day exploits
Zero-day vulnerability exploits require advanced techniques and knowledge to stop them. Therefore, it is vital to have proactive Threat Hunting services capable of detecting and stopping these attacks by continuously scanning the organization’s systems for TTPs and Threat Indicators.
Likewise, it is also important to restrict unnecessary privileges and implement bastion guides at the endpoint to make it more difficult for the attack to succeed.
4.5. Installation. Auditing installation processes
As we pointed out when addressing this phase of the Cyber Kill Chain, bad guys install implants to establish communication with the outside. Therefore, the best way to detect an attack during this phase and thus cut off the Cyber Kill Chain at this step is to detect malicious executions, such as loading suspicious DLLs, process injection or UAC bypassing, among many other techniques.
Suppose artifacts involved in the installation process can be recovered. This opens up the possibility of studying them employing sandboxing and reverse engineering techniques, thus gaining valuable knowledge about the malware in question and optimizing detection and response processes.
4.6. Command and control. Blocking communication with the outside
The Command and Control phase is the last phase of the Cyber Kill Chain before the attackers’ actions materialize. This means it is the last chance of detection by a company’s security teams to break the chain.
What can defenders do?
Discover the infrastructure and artifacts deployed by the bad guys, through a thorough analysis of available malware and telemetry, among other sources. Control network communications, establishing, for example, the use of proxies for web traffic, detection of beaconing patterns or even traffic restriction based on allow listing, among many other approaches.
The key lies in putting in place an effective detection system to identify suspicious patterns in external communications.
The more sophisticated the threat and the greater the concealment capabilities of the offenders, the more difficult it is to detect the presence of intruders on the network. This requires a team of Threat Hunters highly specialized in APT threat detection.
4.7. Actions. Detect and respond immediately
If, unfortunately, the final stage of the Cyber Kill Chain is reached, it is essential to detect the actions being taken by malicious actors as soon as possible and have mechanisms in place to respond to the attack and end it.
Security controls must detect data exfiltration, lateral movement of attackers and illegitimate use of credentials in the shortest possible time. When managing a security incident, time is money.
Any comprehensive security strategy must have an incident response procedure that precisely establishes the role to be played by each actor in the organization and takes into account how the incident is to be managed from the communication and legal points of view.
Finally, it is essential to carry out a complete and accurate damage assessment by cybersecurity professionals with experience in this work.
5. If you can’t beat the enemy… start by understanding it.
Why resort to Sun Tzu when we have the popular saying at our disposal? It is commonly argued that if you can’t beat the enemy, the best thing to do is to join him. Unfortunately, in the case of cyberattacks, this option is not possible for obvious reasons. However, we can turn the saying around and affirm that to defeat the enemy that attacks us, we must begin by understanding how he operates and what tactics, techniques and procedures he employs when designing and implementing a cyberattack.
Even if the Cyber Kill Chain cannot be broken before the bad guys achieve their goals, much valuable information can be collected, systematized and analyzed to investigate how the most advanced cybercriminal groups operate.
By studying the Cyber Kill Chain of cyber-attacks, patterns common to many of them can be identified, and the ability to prevent and detect specific groups and different actors using similar methodologies and techniques can be improved.
In short, the Cyber Kill Chain highlights the importance of improving the resilience of organizations against advanced persistent threats and targeted attacks. Otherwise, they are exposed to damage affecting business continuity, resulting in financial losses, damage to corporate reputation and major legal consequences.