Attackers Have Compressed and Accelerated the Cyber Killchain

Regardless of the methods or exploits used for a cyber attack, every attack is comprised of a variety of phases. The seven phases of a cyber attack—dubbed the “cyber killchain”—also provide a framework for identifying suspicious or malicious behavior and blocking or stopping an attack. Unfortunately, attackers have found ways to accelerate the process—effectively compressing those seven phases down to three. Traditional approaches to detecting and stopping attacks are ineffective against this compressed model. Organizations need to be aware of the new Modern Cyber Killchain and how to effectively defend against it.

The Cyber Killchain

First, let’s look at the traditional cyber killchain model. The model was originally developed by Lockheed Martin for military purposes. It is used to describe the tasks or steps an adversary must complete in order to mount a successful attack and complete their objective. Understanding and recognizing the various phases of the killchain provides an opportunity to disrupt the process and thwart the attack.

The seven phases of the cyber killchain are:

1. Reconnaissance: Harvesting email addresses, conference information, etc.
2. Weaponization: Coupling exploit with backdoor into deliverable payloads
3. Delivery: Delivering weaponized bundle to the victim via email, web, USB, etc.
4. Exploitation: Exploiting a vulnerability to execute code on victim’s system
5. Installation: Installing malware on the asset
6. Command / Control: Command channel for remote manipulation of victim’s system
7. Action: Accomplished with “hands on keyboard” access

With a standard attack that follows this cyber killchain model, you have a variety of corresponding opportunities to interrupt or contain the attack.

• Detect: determine whether an attacker is poking around
• Deny: prevent information disclosure and unauthorized access
• Disrupt: stop or change outbound traffic (to attacker)
• Degrade: counter-attack command and control
• Deceive: interfere with command and control
• Contain: network segmentation changes

 

Accelerating the Cyber Killchain

While analyzing data for the Alert Logic’s recent cybersecurity report, researchers at Alert Logic observed that—in many cases—attackers have modified the traditional cyber killchain. The first five phases (Reconnaisance, Weaponization, Delivery, Exploitation, and Installation) have been compressed into a single action—speeding up the process of compromising a system and significantly decreasing the opportunity for an organization to detect the attack or respond effectively.

The Critical Watch Report explains, “This approach by adversaries to leverage pre-defined, weaponized packages against known vulnerabilities represents the most significant change in the cyber killchain since it was defined. Across the attack data analyzed, Alert Logic saw this technique used in 88 percent of cases. This compressed model renders the standard methods of detecting and interrupting an attack ineffective. Instead, the attack response must shift from detect and deny to disrupt, degrade, deceive, or contain.”

Adapting Security to Deal with the Modern Cyber Killchain

The value of analyzing data and identifying emerging trends and evolving attack techniques is that it provides the necessary insight for organizations to adapt accordingly. Attacks that accelerate and compress the cyber killchain don’t mean that cyber attackers have won and there’s no point in fighting anymore. What it does mean is that many traditional cybersecurity tools and techniques are rendered useless and organizations have to adopt a new approach to cybersecurity that can effectively identify and respond to attacks that don’t follow all seven phases of the cyber killchain.

You no longer have time to Detect, Deny, Disrupt, Degrade, Deceive, and Contain. While you’re trying to Detect and Deny, the attack has already moved to the Action phase. You have to compress the way you detect and respond to threats to match the way attacks have been compressed. The Alert Logic Security Lifecycle focuses on three things: Assess, Detect, and Respond.

For more about the changes in the cyber killchain, the state of threat detection in general, and guidance to help you improve and adapt your security, check out the Alert Logic Critical Watch Report.