How attackers sidestep the cyber kill chain

The idea of the was first developed by Lockheed Martin more than a decade ago. The basic idea is that attackers perform reconnaissance, find vulnerabilities, get malware into victim systems, connect to a command-and-control (C2) server, move laterally to find juicy targets, and finally exfiltrate the stolen data.

Attackers can be caught at any point in this process and their attacks thwarted, but this framework missed many types of attacks right from the start. Today it is becoming even less relevant. “The cyber kill chain was a great way to break down the classic steps in a breach,” says Michael Salihoglu, cybersecurity managing consultant at Crowe, a public accounting, consulting, and technology firm. It was also a useful tool for defenders to help them come up with strategies to stop the attacks at each point in the chain.

“It does fall short in the modern age,” Salihoglu says, “and it had some failings at its inception.” For example, the cyber kill chain isn’t as good at helping enterprises defend against new single-step breaches like open Amazon S3 buckets, against DDoS attacks, or against attacks on third parties where there was little or no visibility into what the attacker is doing.

Modern strategies can make companies better prepared to deal with today’s threats, including defense in depth and zero trust.

Why the cyber kill chain is losing relevancy

Many attack types skip steps. Ransomware attacks, for example, include malware installation and lateral movement, but can skip the data exfiltration step unless the attackers are going for a secondary extortion, says Salihoglu.

An unsecured API can allow an attacker to siphon out all the data that the API has access to and is becoming a common attack vector.

Attackers can leverage the criminal economy to skip steps as well. For example, they can buy stolen credentials on the black market and use them to access corporate infrastructure, say, using stolen Amazon or Kubernetes credentials to spin up cryptomining operations.

The most common single-step attack of all: stealing data from unsecured or poorly secured Amazon storage buckets. In January, the entire customer database of the Bonobos men’s clothing store was leaked. The company had stored a backup file in the cloud, and it wasn’t properly secured. “Over 70 gigabytes of customers’ personal information was breached,” says Trevin Edgeworth, red team practice director at Bishop Fox.

The data was accessible over the internet, Edgeworth says. “The hackers’ approach did not require most of the cyber kill chain phases, such as weaponization, delivery, installation or command and control.” The cyber kill chain is optimized for a narrow set of attacks, ones involving malware creation, delivery and installation. “It has limitations when it comes to other types of attacks,” he says.

According to a report released by Ermetic last fall, more than 70% of Amazon environments researchers sampled had machines exposed to the internet and risk factors such as identities that, if compromised, could be used to execute ransomware. In fact, the evolving business model of cybercriminals is a big part of why the cyber kill chain is becoming less effective.

“The business model is much more modularized,” says Dave Burg, cybersecurity leader for EY Americas. “It’s really not vertically integrated anymore.”

Instead, an adversary group focuses on its area of expertise, then sells the results to other players. There’s no longer a single attack composed of multiple linked steps.

How supply chain attacks subvert the cyber kill chain

There’s also been a significant increase of attack activity on third parties, says Burg. Third parties can be compromised to gain access to an enterprise, as happened with the 2013 Target breach and its HVAC vendor, or more recently with the SolarWinds hack.

The breach can happen completely within a third party’s environment. For example, a third-party service provider might have access to financial data, personnel records, sensitive IP, or customer information. “If you don’t have visibility into a third party— because it’s a third party—it creates a great deal of blindness,” says Burg.

Attacks on third parties are not new but have grown dramatically in impact with the rise of APIs, cloud apps, and other integrations. Being able to connect data and services together across corporate boundaries can be powerful and beneficial on the business side. “There’s an enormous amount of interconnectedness we have to have in place today,” says Burg. “But we might not think about protection. It is extremely important to understand how the technology interconnects, how the information is protected in motion, how it’s protected at rest.”

Attackers think in graphs, not chains

The traditional cyber kill chain can give rise to the misapprehension that attackers follow a specific set of steps when going after their targets. That couldn’t be further from the truth, says Trenton Ivey, senior consultant at the Secureworks Counter Threat Unit Special Operations. Ivey heads up a red team. “Attackers don’t follow the rules,” he says.

Instead, attackers try anything that works. If they hit an obstacle, they go around it. They might be after data, or they might be after something else entirely. Instead of a straight line from reconnaissance to target, a successful cyberattack is more like a tree, Ivey says, or like a graph diagram, with nodes and edges, the edges being the paths that attackers follow from node to node.

The key is not to focus on any one specific attack path, Ivey says, but to identify all the edges and remove unnecessary edges or create bottlenecks.

Updating the cyber kill chain

One answer to the cyber kill chain’s weaknesses is the MITRE ATT&CK framework, which is much more detailed and includes more than 200 different activities that attackers might be engaged in. “It’s a great way to think about the different types of actions an attacker can perform,” says Ivey. “It defines many of the most common choices the attacker has and forces defenders to think more broadly. I think it’s a great solution and that’s the one we use for most of our references internally.”

“Everyone is using the MITRE framework,” says Salihoglu. “It’s an encyclopedia of all the methods the attackers are going to use to attack your network. There’s a lot of power behind it.” It includes many of the attack methods that would be hard to spot with a traditional kill chain-based approach to security, including attackers going after S3 buckets, denial of service attacks, and supply chain compromise.

Instead of one kill chain, there are now many kill chains, Salihoglu says. It’s not perfect, and attackers are always coming up with new attack methodologies. “But a lot of breaches we know about have come through failures to protect against existing techniques in the MITRE ATT&CK framework,” he says, “and if you are responding to everything in the MITRE framework then it’s unlikely, even with a zero day, that someone is going to cause you a huge loss.”

Another evolution of the cyber kill chain is the unified kill chain, which combines elements of both the Lockheed Martin cyber kill chain and the MITRE ATT&CK framework. The unified kill chain was created by Paul Pols based on research he did on modeling the Fancy Bear attacks.

The unified kill chain goes into more depth than the traditional kill chain, but unlike Mitre’s ATT&CK still retains a focus on the order in which attackers do their steps. As a result, it is an improvement on both, says Mike Saxton, director of federal threat hunt and digital forensics and incident response at Booz Allen Hamilton. “This is much more useful as the tactics are broken down into techniques, and the techniques are broken down into sub-techniques,” he says. “It’s constantly being updated and revised, including mitigations and detections so cyber teams can stay a step ahead of threat actors.”

Zero trust better able to adapt to new attack methods

When it comes to adapting to new attack methods, the most common approach is to go to zero trust, says Crowe’s Salihoglu. “It’s everyone’s favorite buzzword,” he says. “Just slap zero trust on it and it will solve everything.”

It’s a great idea in theory but hard to achieve in practice, Salihoglu says. Still, moving to a zero-trust philosophy helps enterprises leave behind the classic castle mentality that underlies the cyber kill chain.

In that mindset, once someone got through a company’s perimeter, they had almost free reign of a company’s networks. “You’re basically a citizen and you can do anything you want,” says Salihoglu. “There’s a hard shell and a soft underbelly.”

Zero trust helps shift this thinking, so that every application, every data source, is now its own castle. It is a clear defense against traditional cyber kill chain attacks. Zero trust makes it more difficult for attackers to gain an initial foothold, to move laterally in an organization, and to get into the company’s crown jewels.  “I think it’s a great way to build up your security,” Salihoglu says.

Using the cyber kill chain to get inside the attacker’s head

The traditional cyber kill chain shouldn’t be thrown out completely, says Tom Gorup, vice president of security and support operations at cybersecurity vendor Alert Logic. It can be very useful when doing threat modeling.

Say, for example, a company has sensitive data in an S3 bucket. How will the attacker find out about it? How will they compromise it? How will they get the data out? “Understanding the kill chain helps you step through that process,” he says. “You have to go back to threat modeling to understand where are the risks, where are the potential weaknesses, and use the kill chain as a scenario of how the attacker would step through it.”

Then security measures can be imposed to make sure that attackers can’t follow those steps. For example, if attackers can find the credentials they need by looking at the way an application is coded, then a solution could be to make sure that hard-coded credentials are never used in applications.

“A threat actor will still need to establish command and control as well as actions on objectives of moving laterally and exfiltrating,” says Graham Myers, senior cybersecurity manager at Capgemini. It might feel like the cyber kill chain doesn’t apply, especially when, say, much of the attack takes place with a third party. “But the chain is still the valid framework of analyzing these threats,” he says.  Security teams need to expand their models to include the possibility that suppliers or source code have been compromised.