The threat of cyber attacks on computer networks and data grows in step with technological development. To defend a network, professionals and analysts should constantly monitor the system and regularly fix its vulnerabilities. It is also essential to predict possible future adversary campaigns aimed at ultimate data exfiltration or data integrity violation. With the emergence of so-called Advanced Persistent Threats (APTs), traditional incident response methods proved ineffective. An APT is an attack campaign in which an intruder or a group of intruders gains access to a network in order to maintain a long-term, illicit presence (Lord, 2018).
That presence is needed to fulfill the objective of data mining and theft. Such intrusions often remain undetected by conventional security measures such as defense-in-depth, antivirus, and firewall solutions. For that reason, Lockheed Martin's scientists introduced the intrusion kill chain framework, which helps defend computer networks by breaking attacks down into progressive phases (Hutchins et al., 2011). The main idea behind it is to respond early in the attack instead of focusing on post-compromise phases and effects.
The framework consists of the separate steps of an APT campaign: reconnaissance (search for system vulnerabilities), weaponization (creation of a remote access weapon), and delivery (weapon transmission). It continues with exploitation (the malware program in action), installation (backdoor), command and control (seizure of administration rights), and actions on objectives (encryption for ransom or data exfiltration) (Hospelhorn, 2020). For computer scientists, the pre-compromise stages of an attack appear more attractive because of their decisive role in the successful prevention and mitigation of APTs.
The incident response approach is deemed ineffective because analysis and defensive action often come too late (at the installation and C2 steps). By contrast, Hutchins et al. (2011) suggest moving analysis and detection efforts up the kill chain so that they cover all intrusion phases. Naturally, an APT and data manipulation become possible only if the adversary manages to pass through all the mentioned stages successfully, one after another. Defenders can turn the intruders' persistence to their own advantage, since adversaries re-use infrastructure and tools for economic reasons.
What is more, the kill chain helps to collect information on unsuccessful attempts and reveal new exploits without incurring any security damage. For instance, if an adversary used a known indicator when sending a targeted malicious email, the email would be blocked and data theft prevented at the delivery stage (Hutchins et al., 2011). Nevertheless, further analysis of the email and the targeted chain may give insights into the presence of a new backdoor or exploit. This limits the chance that future intrusions go undetected merely because of a different delivery method. Thus, this method allows defenders to set courses of action along the chain, detect vulnerabilities early, mitigate future attacks, and enjoy a tactical advantage over intruders.
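The scenario above (an email blocked at delivery, whose full chain is then analysed so that a later attempt with a different lure is still caught) can be shown with a small indicator store. The following is an added illustration written for this summary, not code from Hutchins et al.; all phase names follow the kill chain, while the sample intrusions, indicator strings and the `KillChainStore` class are constructed placeholders.

```python
from collections import defaultdict

# Kill-chain phases in order (Hutchins et al.); the earlier the detection, the better.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

class KillChainStore:
    """Indicator store: each indicator maps to the phase(s) it was observed in."""

    def __init__(self):
        self.known = defaultdict(set)  # indicator -> {phase, ...}

    def learn(self, intrusion):
        """Record every indicator of an analysed intrusion, phase by phase."""
        for phase, indicators in intrusion.items():
            if phase not in PHASES:
                raise ValueError(f"unknown kill-chain phase: {phase}")
            for ind in indicators:
                self.known[ind].add(phase)

    def earliest_detection(self, intrusion):
        """First phase at which a new intrusion trips a known indicator, else None."""
        for phase in PHASES:
            hits = {i for i in intrusion.get(phase, ()) if i in self.known}
            if hits:
                return phase, hits
        return None

# Constructed sample intrusions; every value is a placeholder, not a real IoC.
INTRUSION_1 = {
    "delivery": {"sender:hr-update@example.test", "subject:Q3 salary review"},
    "exploitation": {"exploit:macro-dropper-A"},
    "installation": {"sha256:PLACEHOLDER-BACKDOOR-HASH"},
    "command_and_control": {"domain:c2.example.test"},
}
INTRUSION_2 = {  # same toolkit; only the delivery (mailbox and lure) changed
    "delivery": {"sender:invoice@example.test", "subject:Overdue invoice"},
    "exploitation": {"exploit:macro-dropper-A"},
    "installation": {"sha256:PLACEHOLDER-BACKDOOR-HASH"},
    "command_and_control": {"domain:c2.example.test"},
}

def demo():
    """Block intrusion 1 on a known sender, then learn its whole chain."""
    store = KillChainStore()
    store.learn({"delivery": {"sender:hr-update@example.test"}})  # prior intel
    blocked_at = store.earliest_detection(INTRUSION_1)  # stopped at delivery
    store.learn(INTRUSION_1)  # analyse the full chain, not just the blocked step
    return blocked_at, store.earliest_detection(INTRUSION_2)
```

If only the sender indicator had been recorded, the second attempt would return `None` (undetected); learning the whole chain of the blocked email lets it be caught at exploitation despite the new delivery.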
The authors also reveal other primary reasons to focus on pre-compromise effects, those before the exploitation phase. Fewer indicators are available for exploitation, installation, and C2, which increases the Advanced Persistent Threat's chances of remaining unnoticed by the system (Korolov & Myers, 2018). The adversary may apply a different installer or backdoor that overcomes the available mitigations. Hence, defenders' top priority is to prevent the compromise itself. For that reason, the early phases are more critical and receive more attention from the scientists in the article. The cyber kill chain is an essential security and management tool that helps to enhance system defense gradually.
References
Hospelhorn, S. (2020). What is the Cyber Kill Chain and how to use it effectively. Varonis. Web.
Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1(1), 113-125.
Korolov, M., & Myers, L. (2018). What is the cyber kill chain? Why it’s not always the right approach to cyber attacks. CSO. Web.
Lord, N. (2018). What is an Advanced Persistent Threat? APT definition. Digitalguardian. Web.