Detecting Bad Actors Early in the Kill Chain
Disrupting the kill chain before attackers reach their goal
Cybersecurity borrows a lot of terms and tactics from the military, and kill chain is one such term used to describe the steps an attacker takes to perform a breach. Malware attacks are among the most prevalent threats that enterprises face, and there are several different stages of intrusion activity that occur throughout the attack life cycle. Security practitioners need to be well-versed in the steps of the kill chain to identify threats early in the process.
Steps in the Kill Chain Process
Oftentimes, an attack begins with a phish. According to Humphrey Christian, VP of product management at Bay Dynamics and Luke LeBoeuf, principal security consultant, hunt ops research and development at Micro Focus, the kill chain process consists of these six steps:
- Reconnaissance Phase: The attacker establishes initial contact with the organization and begins to identify weak points for attack and vulnerable assets worth attacking.
- Weaponization Phase: An attacker is able to deliver the payload, often applying an existing exploit to a known vulnerability or creating a tailor-made exploit focused on the specific weaknesses of the identified targets.
- Exploitation Phase: The malware gets activated on a target system. After the attacker has exploited the target environment, they can usually maintain persistent access.
- Execution Phase: Once connectivity is established, the attacker starts navigating and exploring what they have to determine what sorts of devices are running and where files are located.
- Command and Control Phase: The attacker begins taking action, establishing communication outside of the organization’s network to set up a control channel (C2). The bad actor is essentially “at the terminal” for that system.
- Exfiltration Phase: The data has left the building. This phase is the ultimate goal of the attacker, who begins to move data or documents off the network.
From a defender's perspective, threat hunters need to be able to detect nefarious actors long before they reach their goal. So what stands in the way of stopping the attack early on?
Obstacles to Early Detection
The execution phase of an attack often leaves some kind of digital trail or marker. “A threat hunter can arrange those markers over time to piece together the tools, tactics, and procedures utilized by an attacker against target asset(s),” said Roberto Sandoval, manager, worldwide strategic solutions, security intelligence and operations consulting at Micro Focus.
Part of the problem with early detection is that the tools used in each of the phases capture different information, making it difficult to connect the dots, Christian said. The goal for analysts is to know what they should prioritize, which requires both automation and human beings who are able to make determinations.
One issue is that those tools are siloed, so the pieces of the puzzle don't fit together to reveal the full picture. Existing in a state of constant investigation creates a lot of noisy alerts that often don't clearly represent a kill chain.
“What is identified as a problem here for this silo doesn’t have the context of how it fits in with the entire kill chain pattern,” said Christian. “Aggregating data doesn’t tell the whole story. Threat hunters need to know what they are looking for.”
Resources are also limited, and some organizations are not investing to expand the hunter skill set. “Hunters’ skills need to be expertly honed across security domains in order to recognize the nuances of abnormal traffic and behavior that could be missed by traditional tools,” said LeBoeuf.
Stop Right There: What Most Disrupts the Kill Chain Process
Disrupting the kill chain at any phase and preventing a loss of data is considered a success, but bringing a criminal down at the command and control (C2) phase is the most critical stage to disrupt, according to LeBoeuf.
On one hand, it’s the last opportunity to defend an organization’s environment and protect its applications, data and users before allowing the attacker to execute their objective. Additionally, “Disruption at C2 forces the attacker to modify their behavior and look for another way to achieve their objective,” said LeBoeuf. Blocking the command and control phase and forcing a change in attack tactics provides more information about the attacker and their objective.
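The "connect the dots" problem described above (siloed tools, each seeing one phase) and the priority on chains that have reached C2 can be illustrated with a small correlation script. This is an added example, not code from the article or from any of the vendors quoted in it: the alert line format, tool names, hosts and the six-phase ordering are constructed for illustration and do not reflect any real product's output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Phase ordering follows the six-step kill chain described in the article.
PHASES = ["recon", "weaponization", "exploitation", "execution", "c2", "exfiltration"]

# Constructed sample alerts from three siloed tools (email gateway, EDR, proxy);
# the line format and values are illustrative, not any vendor's real output.
SAMPLE_ALERTS = """\
2024-03-01T09:02:11 mailgw host=ws-17 phase=weaponization msg=macro attachment quarantined
2024-03-01T09:05:40 edr host=ws-17 phase=exploitation msg=office app spawned script host
2024-03-01T09:06:02 edr host=ws-17 phase=execution msg=scheduled task created
2024-03-01T09:09:30 proxy host=ws-17 phase=c2 msg=periodic beacon to unlisted domain
2024-03-01T10:00:00 proxy host=ws-22 phase=c2 msg=periodic beacon to unlisted domain
2024-03-01T11:12:00 edr host=ws-31 phase=execution msg=new service installed
"""
LINE_RE = re.compile(r"^(\S+) (\S+) host=(\S+) phase=(\S+) msg=(.*)$")

def parse_alerts(text):
    """Parse one alert per line into dicts; lines that don't match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, tool, host, phase, msg = m.groups()
            alerts.append({"ts": datetime.fromisoformat(ts), "tool": tool,
                           "host": host, "phase": phase, "msg": msg})
    return alerts

def build_chains(alerts):
    """Group alerts by host and order them in time, whichever tool produced them."""
    chains = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        chains[a["host"]].append(a)
    return dict(chains)

def prioritize(alerts):
    """Rank hosts by the deepest kill-chain phase reached, then by how many
    distinct phases the correlated markers cover. Returns (host, phase, count)."""
    ranked = []
    for host, chain in build_chains(alerts).items():
        seen = {a["phase"] for a in chain if a["phase"] in PHASES}
        deepest = max((PHASES.index(p) for p in seen), default=-1)
        ranked.append((host, PHASES[deepest] if deepest >= 0 else None, len(seen)))
    return sorted(ranked, key=lambda r: (PHASES.index(r[1]) if r[1] else -1, r[2]),
                  reverse=True)
```

Run on the sample, ws-17 surfaces first because four tools' markers line up into a chain that has reached C2, while the lone EDR alert on ws-31 ranks last: the same alert that looks like noise in one silo gains meaning only once it is placed in sequence with the others.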
Prioritizing the Hunt and the Hunter
Many organizations that have advanced their security maturity posture have begun to rethink how they approach security. “Most organizations are at a maturity level where they understand the problem, and they are ready to move to the next phase. They are moving from a ‘go hunt for the cases and react’ mode to a risk-based approach to cybersecurity,” Christian said.
That’s an important shift in the collective mindset because successful threat hunting has to be a proactive process. When hunters are able to reduce the dwell time between compromise and detection by shifting the focus to identifying indicators of an attack, they can be more proactive in their response.
“Well-funded attackers have the leisure of time to help them understand an organization’s vulnerabilities so that they can craft something that could sneak past traditional monitoring or detection tools,” said Sandoval.
When hunters are able to hear the harmony in the noise, they can analyze the behaviors of an attacker throughout the steps of the kill chain and use what they learn to better protect the organization.