Know Your Enemy: Notes on the Lockheed Martin Cyber Attack Chain
Dealing with computer security in the 21st century is like waging war.
There are groups and individuals who are actively targeting computer systems and despite what you would like to believe, there is no reason in the world why your system should not be on their list.
Information at Risk:
Every organization, even non-profits and government agencies, has information worth stealing or compromising:
- Payroll Information: Perfect for identity theft.
- Client Lists: For sale to your competition and an excellent source for Spam.
- Financial Account Numbers: Useful for fraud and gaining access to your accounts.
An organization is even more at risk if their systems contain:
- Proprietary Information and Trade Secrets
- Production Schedules
- R&D documents
According to a 2014 study by the Ponemon Institute, a Cyber Security think tank, 43% of US companies were victimized by cyber-attacks involving a significant volume of data, in excess of 1,000 records. This constitutes at least a 10% increase over similar attacks in 2013, and all indications are that the trend will continue upward.
What is the Cyber Kill Chain?
The concept of the Cyber Kill Chain, developed by Lockheed Martin Security, is based on a similar military concept outlining the steps an enemy will take to launch an attack. By knowing how the enemy will try to compromise an installation, you have a better chance of creating an effective defense.
The idea behind the Cyber Kill Chain is to provide a format to use when creating security policies and designing intelligent security software used to detect and deflect the attacks when they come.
In the Lockheed Martin model, any cyber-attack can be broken down into 7 basic steps. The idea is that, knowing this, a security team can devise ways to stop the attack with minimum damage and compromise.
Step 1: Reconnaissance
As in any hostile engagement, the attacker must know ‘the lay of the land’, or where the target is the most vulnerable to attack or infiltration.
Cyber attackers will research their target using public documents and the organization’s online presence to get information on:
- Domains and Service Providers: This can be used to look for exploits that can connect the attacking system to its target.
- Staff Names: The attacker can use social media information and social engineering to find out additional information or to discern an individual’s login credentials.
- Computer Infrastructure: To an experienced hacker, the way that an organization’s system interacts with the outside world can indicate what kinds of operating and security systems are being used.
Direct defense at this level is difficult as there is usually no way of determining that an attacker is interested. The best defense is to:
- Institute strong password protocols
- Educate staff on the dangers of social engineering
- Assess each system for vulnerabilities
Step 2: Weaponization
Once the attacker has determined where and how to make the initial breach, an attack plan must be devised, the goal of which is to gain access to a system on the target network. This can be done using:
- Password Attacks: Using staff lists, an attacker can begin trying to gain access to the systems. Information gleaned from social media and social engineering can be used to narrow the password search.
- System Exploits: Listing the weaknesses of any systems in the target’s infrastructure.
There is no real defense at this step other than what is recommended in Step 1.
Step 3: Delivery
In this step, the attacker will try to execute the plan devised in step 2.
- Make sure that all system operating systems are up to date and all security patches are installed. This will limit the exposure to exploits.
- Make sure that passwords are strong and changed regularly. Monitor login attempts.
- Make sure that the network (routers, switches, repeaters) are secured and up to date.
- Install security software where possible.
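Monitoring login attempts, as the list above recommends, only pays off when it is automated. The script below is an added example written for this article, not part of the Lockheed Martin model or any product. It assumes OpenSSH-style "Failed password" syslog lines (the sample lines are constructed, with 203.0.113.7 spraying five account names in a few seconds and 198.51.100.21 being a user who mistyped a password twice) and flags any source producing five or more failures within five minutes, distinguishing a brute force on few accounts from password spraying across many.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog format (the year is absent, as in real syslog).
SAMPLE_LOG = """\
Mar  3 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:03 web01 sshd[2202]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:00:05 web01 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:06 web01 sshd[2204]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Mar  3 10:00:08 web01 sshd[2205]: Failed password for invalid user guest from 203.0.113.7 port 51026 ssh2
Mar  3 10:00:09 web01 sshd[2206]: Accepted password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 10:15:00 web01 sshd[2301]: Failed password for bob from 198.51.100.21 port 40002 ssh2
Mar  3 10:45:00 web01 sshd[2302]: Failed password for bob from 198.51.100.21 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_lines(text, year=2016):
    """Turn raw sshd log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog omits the year, so the caller supplies it (assumption for this example).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_brute_force(events, max_failures=5, window=timedelta(minutes=5), spray_users=3):
    """Flag each source IP with >= max_failures failed logins inside a sliding time window.

    If the failures in the window cover at least spray_users distinct account names the
    alert is labelled password spraying; otherwise it is a brute force on few accounts.
    """
    failures_by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failures_by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= max_failures:
                users = {e["user"] for e in fails[start:end + 1]}
                alerts.append({
                    "ip": ip,
                    "failures": count,
                    "distinct_users": len(users),
                    "kind": "password spraying" if len(users) >= spray_users else "brute force",
                    "first": fails[start]["ts"],
                    "last": fails[end]["ts"],
                })
                break  # one alert per source is enough for a tripwire
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_auth_lines(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately conservative so that a user who fumbles a password twice in an hour never trips the alarm; in production the window and counts would be tuned against the organization's own baseline, and the same logic applies unchanged to VPN, web or mail authentication logs once a parser for that format replaces `LINE_RE`.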
Step 4: Exploitation
Once connected to the system, the attacker will attempt to exploit a weakness to install malware. This can be:
- Gaining a system login via a cracked or discovered password.
- Exploiting security gaps in normal services such as email or messaging.
- Exploiting known system backdoors.
Defenses at this step:
- Make sure that all backdoors and default passwords are eliminated.
- Eliminate any services or applications with known vulnerabilities.
- Monitor logs and statistics for unusual activity.
While it is easy to sit back and rely on your various service providers for security, statistically, that is not a good move. According to a 2016 report by Symantec, in 2015 an estimated 75% of all legitimate web sites had unresolved exploits and vulnerabilities. Not only did this put the web sites at risk, it also endangered people using the sites.
A CNN Tech Report for the same period noted more than 317 million new attack programs were developed and released, which means that security systems need to deal with nearly a million new kinds of attacks every day. This underscores the need for security programs and procedures that can defend against unknown threats.
Step 5: Installation
Once the system is breached, the attacker will install the malicious software (a bot, worm, Trojan or other application designed to penetrate the system).
- Watch for unusual communications between systems which would indicate malware moving from server to server.
- Check file dates on executables, looking for new files.
- Turn on and review run logs whenever possible.
Step 6: Command and Control
At this step, the installed software will attempt to gain access to secure systems and channels.
- Make sure that critical systems are locked down as tight as possible.
- Check access in and out against known malicious domains.
Step 7: Actions on Objective
Once established, the malicious applications will move on to the objective:
- Extracting information
- Damaging existing data
- Creating a spam engine
In many attacks, this is the first point at which the attacker can be detected. Unfortunately, that means damage is already being done.
To detect the attack, monitor cross system communications and disk usage.
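The two checks above, comparing outbound connections against known malicious domains (Step 6) and watching for unusual cross-system traffic (Step 7), can be run from the same egress log. The script below is an added example, not from the article or from Lockheed Martin; it assumes a simplified proxy log of timestamp, internal host, destination domain and bytes sent, and both the sample lines and the blocklist entries are constructed placeholders under the reserved `.example` domain. A destination is matched when it or any parent domain is listed, and a transfer is flagged when it is both large in absolute terms and at least ten times the median of that host's other transfers.

```python
from collections import defaultdict
from statistics import median

# Constructed blocklist entries (placeholders, not real indicators).
BLOCKLIST = {"evil-c2.example", "bad-cdn.example"}

# Constructed egress log: timestamp, internal host, destination domain, bytes sent outbound.
# ws-12 makes a small beacon to a listed domain; db-01 pushes 50 MB to another listed domain.
SAMPLE_EGRESS = """\
2016-05-01T09:00:00 ws-12 www.update.example 2048
2016-05-01T09:05:00 ws-12 mail.example 5120
2016-05-01T09:10:00 ws-12 beacon.evil-c2.example 310
2016-05-01T09:15:00 ws-12 www.update.example 1900
2016-05-01T09:00:00 db-01 backup.example 40960
2016-05-01T09:30:00 db-01 backup.example 41000
2016-05-01T10:00:00 db-01 files.bad-cdn.example 52428800
2016-05-01T09:00:00 ws-07 www.update.example 1500
"""


def domain_is_blocked(domain, blocklist=BLOCKLIST):
    """True if the domain itself or any parent domain is listed.

    Matching whole labels rather than substrings means 'notevil-c2.example' is not a
    hit while 'beacon.evil-c2.example' is.
    """
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_egress(text):
    """Parse the simplified four-column log format assumed by this example."""
    rows = []
    for line in text.splitlines():
        ts, host, domain, nbytes = line.split()
        rows.append({"ts": ts, "host": host, "domain": domain, "bytes": int(nbytes)})
    return rows


def find_blocked_contacts(rows, blocklist=BLOCKLIST):
    """Step 6 check: every (host, domain) pair that touched a listed domain, in log order."""
    return [(r["host"], r["domain"]) for r in rows if domain_is_blocked(r["domain"], blocklist)]


def find_volume_spikes(rows, factor=10, min_bytes=1_000_000):
    """Step 7 check: a transfer of at least min_bytes that is also at least factor times the
    median of the same host's other transfers. A host with one transfer has no baseline."""
    by_host = defaultdict(list)
    for r in rows:
        by_host[r["host"]].append(r)
    spikes = []
    for host, host_rows in by_host.items():
        for r in host_rows:
            others = [o["bytes"] for o in host_rows if o is not r]
            if not others:
                continue
            if r["bytes"] >= min_bytes and r["bytes"] >= factor * median(others):
                spikes.append((host, r["domain"], r["bytes"]))
    return spikes


if __name__ == "__main__":
    rows = parse_egress(SAMPLE_EGRESS)
    for host, domain in find_blocked_contacts(rows):
        print(f"blocked domain contacted: {host} -> {domain}")
    for host, domain, nbytes in find_volume_spikes(rows):
        print(f"outbound volume spike: {host} -> {domain} ({nbytes} bytes)")
```

The beacon from ws-12 is only 310 bytes, so the volume check alone would never see it; the blocklist match is what catches command-and-control traffic, while the volume check catches the bulk extraction that a blocklist has no entry for. Running both over the same feed is why the two steps are treated together here.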
Once detected, the attacking software must be removed and the channels of attack closed down.
Once an attack has reached stage 7, there are options for a response, as the attacker will have left a trail that can be used to initiate defensive protocols against future attacks and, when possible, a legal action against the attacker.
Clearly, detection is the most important element once an attack has reached stage 6 or 7, as the more time the malware has to work, the more damage can be done.
A case in point: according to a 2014 Information Age post, the Dairy Queen corporation was attacked on or before August 1, 2014, not even a year after the publicized 2013 breach of retailer Target’s data systems. In this case, the breach continued to spread through the servers of 395 more stores over the course of 66 days. Actual detection times for each attack ranged from 24 days to more than 2 months.
Still, the best defense is prevention: excellence in system security is the best way to stop malicious attacks before they start.