Kill chain

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

The term kill chain was originally used as a military concept related to the structure of an attack; consisting of target identification, force dispatch to target, decision and order to attack the target, and finally the destruction of the target.[1] Conversely, the idea of "breaking" an opponent's kill chain is a method of defense or preemptive action.[2] More recently, Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network.[3] This model has seen some adoption in the information security community.[4] However, acceptance is not universal, with critics pointing to what they believe are fundamental flaws in the model.[5]

Kill chain model[edit]

Military model[edit]

F2T2EA

One military kill chain model is the "F2T2EA", which includes the following phases:

  • Find: Locate the target.
  • Fix: Fix their location; or make it difficult for them to move.
  • Track: Monitor their movement.
  • Target: Select an appropriate weapon or asset to use on the target to create desired effects.
  • Engage: Apply the weapon to the target.
  • Assess: Evaluate effects of the attack, including any intelligence gathered at the location.

This is an integrated, end-to-end process described as a "chain" because an interruption at any stage can interrupt the entire process.[6]

North Korean nuclear capability

A new American military contingency plan called "Kill Chain" is reportedly the first step in a new strategy to use satellite imagery to identify North Korean launch sites, nuclear facilities and manufacturing capability and destroy them pre-emptively if a conflict seems imminent. The plan was mentioned in a joint statement by the United States and South Korea.[7][8]

Computer security model[edit]

Intrusion kill chain for information security[9]

Computer scientists at Lockheed-Martin corporation described a new "intrusion kill chain" framework or model to defend computer networks in 2011.[6] They wrote that attacks may occur in stages and can be disrupted through controls established at each stage. Since then, the "cyber kill chain" has been adopted by data security organizations to define stages of cyber-attacks.[10]

A cyber kill chain reveals the stages of a cyberattack: from early reconnaissance to the goal of data exfiltration.[11] The kill chain can also be used as a management tool to help continuously improve network defense. Threats must progress through several stages in the model, including:

  1. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
  2. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
  3. Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives)
  4. Exploitation: Malware weapon's program code triggers, which takes action on target network to exploit vulnerability.
  5. Installation: Malware weapon installs access point (e.g., "backdoor") usable by intruder.
  6. Command and Control: Malware enables intruder to have "hands on the keyboard" persistent access to target network.
  7. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

Defensible Actions:[12]

  • Detect: determine whether an attacker is poking around
  • Deny: prevent information disclosure and unauthorized access
  • Disrupt: stop or change outbound traffic (to attacker)
  • Degrade: counter-attack command and control
  • Deceive: interfere with command and control
  • Contain: network segmentation changes

A U.S. Senate investigation of the 2013 Target Corporation data breach included analysis based on the Lockheed-Martin kill chain framework. It identified several stages where controls did not prevent or detect progression of the attack.[9]

A variation of the kill chain, developed by SecureWorks includes "development" as the second step. To maximize threat detection, all phases of the kill chain are monitored for threat indicators. During the development phase, threat groups may purchase tools, register domains, and purchase hosts among other activities.[13]

Previous terminology[edit]

The "Four Fs" is a military term used in the United States military, especially during World War II.

Designed to be easy to remember, the "Four Fs" are as follows:

  • Find the enemy – Locate the enemy
  • Fix the enemy – Pin them down with suppressing fire
  • Fight the enemy – Engage the enemy in combat or flank the enemy – Send soldiers to the enemy's sides or rear
  • Finish the enemy – Eliminate all enemy combatants

Critiques of the model as an information security tool[edit]

Among the critiques of this model as threat assessment and prevention tool is that many of the steps happen outside the defended network, making it virtually impossible to identify or counter actions at these stages. Similarly, this methodology is accused of focusing on a "perimeter-based" defensive strategy.[14]

References[edit]

  1. ^ "Kill Chain Approach". Chief of Naval Operations. April 23, 2013. Archived from the original on June 13, 2013. 
  2. ^ Jonathan Greenert; Mark Welsh (May 17, 2013). "Breaking the Kill Chain". Foreign Policy. Retrieved June 30, 2016. 
  3. ^ Higgins, Kelly Jackson (January 12, 2013). "How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack". DARKReading. Retrieved June 30, 2016. 
  4. ^ Mason, Sean (December 2, 2014). "Leveraging The Kill Chain For Awesome". DARKReading. Retrieved June 30, 2016. 
  5. ^ Myers, Lysa (October 4, 2013). "The practicality of the Cyber Kill Chain approach to security". CSO Online. Retrieved June 30, 2016. 
  6. ^ a b Lockheed-Martin Corporation-Hutchins, Cloppert, and Amin-Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains-2011
  7. ^ Sanger, David E. (July 6, 2017). "Tiny Satellites From Silicon Valley May Help Track North Korea Missiles". The New York Times. Retrieved July 7, 2017. 
  8. ^ "06/30/17 - Joint Statement between the United States and the Republic of Korea | U.S. Embassy & Consulate in Korea". U.S. Embassy & Consulate in Korea. 2017-06-30. Retrieved 2017-07-07. 
  9. ^ a b U.S. Senate-Committee on Commerce, Science, and Transportation-A "Kill Chain" Analysis of the 2013 Target Data Breach-March 26, 2014 Archived October 6, 2016, at the Wayback Machine.
  10. ^ Greene, Tim. "Why the 'cyber kill chain' needs an upgrade". Retrieved 2016-08-19. 
  11. ^ "The Cyber Kill Chain or: how I learned to stop worrying and love data breaches". 2016-06-20. Retrieved 2016-08-19. 
  12. ^ http://gauss.ececs.uc.edu/Courses/c6055/pdf/attackpatterns.pdf
  13. ^ "Breaking the Cyber Kill Chain". SecureWorks. SecureWorks. Retrieved 25 January 2017. 
  14. ^ Engel, Giora (November 18, 2014). "Deconstructing The Cyber Kill Chain". DARKReading. Retrieved June 30, 2016. 

External links[edit]