
Cybersecurity Kill Chain

A Structural Analysis of Cyber Attacks and Defense

W. Brandon Martin

  • Welcome
  • Thank you to ISSA for the opportunity and the attendees for providing the venue
  • Conversational invitation

About Me

All opinions are my own and do not necessarily represent anyone else's view.

family at disney
  • Raised in a barn - a cliché that doesn't make a whole lot of sense
  • Brace yourself for memes. A couple of reasons:
    • If you're bored, you'll hopefully get a chuckle every 3 or 4 slides and wake yourself up.
    • Memes are a way to communicate with a diverse audience.
    • Memes teach us about ourselves.
    • After all, this is a talk about security beyond the cliché.

The Next 45 Minutes

01 - Background & Overview

Borrowed from Military Language

  1. Find: Locate the target.
  2. Fix: Fix their location, or make it difficult for them to move.
  3. Track: Monitor their movement.
  4. Target: Select an appropriate weapon or asset to use on the target to create the desired effects.
  5. Engage: Apply the weapon to the target.
  6. Assess: Evaluate the effects of the attack, including any intelligence gathered at the location.
context is important
  • The six steps above are the military (US Air Force) kill chain; the information security version borrows the name and the idea of a sequence that can be broken at any link.

Two Risk Prerequisites

prereqs are important
  • Risk needs both a threat and a vulnerability. The Kill Chain doesn't start without both.
  • Vulnerability may be broader than you're thinking. Before EternalBlue, people had grown relaxed about SMB exposed on their internal networks; the protocol itself turned out to be the vulnerability.
  • Means is a changing landscape: information about vulnerabilities and exploits gets published faster and faster, so the adversary's means arrive sooner after disclosure than they used to.
  • Motive can also be tricky.
  • Sometimes we pretend our threats are coin operated (purely financially motivated). They may instead be seeking
    • notoriety,
    • retribution, or
    • irrational motivation we can't predict.
  • Opportunity points us back to the vulnerability. They have to have something they can exploit, and that's where we meet the information security Kill Chain.

It's a Model

  • Lockheed Martin, 2011 (Hutchins, Cloppert and Amin's intrusion kill chain paper)
  • Recon – this is the phase a pen test report gives you feedback on: what an outsider can learn about you.
  • Weaponization – hard to stop; it happens entirely on the adversary's side.
  • Delivery – if you can stop delivery, you break the kill chain.
  • Installation – this phase dates from when persistence mattered to the attacker; not every attack needs it.

02 - Real World Kill Chains

WannaCry - May 2017

Kill Chain Phase | Adversary Actions | Defensive Response
Recon | Realize people use Windows and don't patch. | Apply patches faster.
Weaponization | Download the Shadow Brokers exploit dump. | Nothing.
Delivery | SMB traffic from the internet; propagate inside over SMB. | Manage perimeters, including mobile workstations.
Exploitation | EternalBlue = instant pwn. | Heuristic AV and network restriction.
Installation | Code execution is code execution. | Monitor for programs launching at boot.
Command & Control | Kill switch drama, counter attacks. | Control egress traffic.
Action on Objectives | Encrypt and ransom the victim's data. | Pull out the backups.
  • As of 14 June 2017, after the attack had subsided:
  • a total of 327 payments totaling $130,634.77 USD (51.62396539 XBT) had been transferred
  • victims included the UK National Health Service and Deutsche Bahn
  • 200,000 victims
  • 300,000 affected systems
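The Delivery row is where WannaCry could have been broken: SMB arriving from the internet, then one host fanning out over SMB to its neighbours. The script below is an added example, not code from the talk, showing what that detection looks like over flow records. The address ranges, thresholds and the flow log itself are constructed.

```python
"""Flag WannaCry-style SMB delivery and propagation in flow records.

Added example for the WannaCry Delivery row; not code from the talk.
Address ranges, thresholds and the flow records are constructed.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SMB_PORTS = {445, 139}
FANOUT_THRESHOLD = 5   # distinct internal SMB peers from one host inside the window
WINDOW_SECONDS = 60    # sliding window; a real worm sweeps a /24 in seconds

# Constructed flow records: (epoch seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (1000, "10.1.1.20", "10.1.1.5", 445),     # ordinary client -> file server
    (1030, "10.1.1.21", "10.1.1.5", 445),
    (1040, "203.0.113.9", "10.1.1.30", 445),  # inbound SMB from the internet (delivery)
    (1050, "10.1.1.30", "10.1.1.1", 445),     # 10.1.1.30 starts sweeping its subnet
    (1052, "10.1.1.30", "10.1.1.2", 445),
    (1054, "10.1.1.30", "10.1.1.3", 445),
    (1056, "10.1.1.30", "10.1.1.4", 445),
    (1058, "10.1.1.30", "10.1.1.5", 445),
    (1060, "10.1.1.30", "10.1.1.6", 445),
    (1070, "10.1.1.20", "10.1.1.5", 445),     # repeat to the same server: not fan-out
    (1080, "10.1.1.22", "10.1.1.40", 3389),   # RDP, ignored by these checks
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def inbound_smb_from_internet(flows):
    """Delivery: SMB reaching an internal host from a non-internal source."""
    return [(src, dst) for _, src, dst, port in flows
            if port in SMB_PORTS and not is_internal(src) and is_internal(dst)]


def smb_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Propagation: internal hosts talking SMB to >= threshold distinct
    internal peers inside a sliding time window.
    Returns {src_ip: peak number of distinct peers seen in one window}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in SMB_PORTS and src != dst and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        peers = Counter()   # distinct peers currently inside the window
        left = 0
        for ts, dst in events:
            peers[dst] += 1
            # Evict events older than ts - window from the left edge.
            while events[left][0] < ts - window:
                old = events[left][1]
                peers[old] -= 1
                if not peers[old]:
                    del peers[old]
                left += 1
            if len(peers) >= threshold:
                hits[src] = max(hits.get(src, 0), len(peers))
    return hits


if __name__ == "__main__":
    for src, dst in inbound_smb_from_internet(SAMPLE_FLOWS):
        print(f"delivery: SMB from internet {src} -> {dst}")
    for src, peak in smb_fanout(SAMPLE_FLOWS).items():
        print(f"propagation: {src} reached {peak} internal SMB peers in {WINDOW_SECONDS}s")
```

The sliding window matters: a file server legitimately talks to many clients over a day, but a single workstation opening port 445 to six fresh peers within a minute is the worm's signature, and the inbound-from-internet check is the perimeter rule the slide calls "manage perimeters".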

Equifax - Sept 2017

Kill Chain Phase | Adversary Actions | Defensive Response
Recon | Read the weekly CVE report. | Inventory your versions; hide the version from the attacker.
Weaponization | Reverse engineer the patch. | Nothing.
Delivery | Interact with Equifax's public REST service. | Web Application Firewall; input sanitization.
Exploitation | Struts evaluates OGNL smuggled in a crafted Content-Type header (Apache Struts CVE-2017-5638). | Process monitoring.
Installation | Code exec is code exec. | Process monitoring.
Command & Control | Shell to the internet. | Restrict egress traffic.
Action on Objectives | Search for sensitive data. Exfiltrate. | User/Entity Behavior Analysis (UEBA); Data Loss Prevention with thresholds.
Vulnerability and patch published in March 2017; Equifax was breached from May onward and disclosed it in September.
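The Delivery row's "WAF / input sanitization" is more concrete than it sounds for this bug: the malicious OGNL arrived in the Content-Type header, which has a strict syntax that the payload cannot satisfy. The script below is an added example, not code from the talk or from Apache, contrasting a signature rule with a positive media-type check. The request log is constructed; the OGNL markers are the publicly known fragments from CVE-2017-5638 payloads.

```python
"""Screen the Content-Type header for Struts OGNL injection (CVE-2017-5638 style).

Added example for the Equifax Delivery/Exploitation rows; not code from the talk.
The request log is constructed; the signature fragments are the publicly known
markers from published CVE-2017-5638 payloads.
"""
import re

# Signature approach: fragments seen in published CVE-2017-5638 payloads.
OGNL_SIGNATURE = re.compile(
    r"%\{|\$\{|#_memberAccess|ognl\.OgnlContext|@java\.lang\.(?:Runtime|ProcessBuilder)",
    re.IGNORECASE,
)

# Allow-list approach: a syntactically valid media type with optional
# token or quoted-string parameters (RFC 7231 shape). OGNL needs '{', '(' and
# '#', none of which are legal token characters.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE = re.compile(rf'^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:"[^"\r\n]*"|{_TOKEN}))*\s*$')

# Constructed request log: (request id, client ip, Content-Type header value)
SAMPLE_REQUESTS = [
    ("r1", "198.51.100.7", "application/json"),
    ("r2", "198.51.100.8", "multipart/form-data; boundary=----WebKitFormBoundaryAbC123"),
    ("r3", "198.51.100.9", 'text/html; charset="utf-8"'),
    # Shape of the public exploit: the header value is an OGNL expression.
    ("r4", "203.0.113.5",
     "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
     ".(#_memberAccess=#dm).(#cmd='id')}"),
    # Not a valid media type either, but carries none of the signature fragments.
    ("r5", "203.0.113.6", "multipart/form-data; boundary={#cmd='id'}"),
]


def matches_signature(content_type: str) -> bool:
    """Blacklist check: does the header carry a known OGNL fragment?"""
    return bool(OGNL_SIGNATURE.search(content_type))


def is_valid_media_type(content_type: str) -> bool:
    """Allow-list check: is the header a well-formed media type at all?"""
    return bool(MEDIA_TYPE.match(content_type))


def classify(content_type: str) -> str:
    if matches_signature(content_type):
        return "block: ognl-signature"
    if not is_valid_media_type(content_type):
        return "block: malformed-media-type"
    return "allow"


def screen(requests):
    """Apply both checks to a request log; returns (id, client, verdict) triples."""
    return [(rid, client, classify(ct)) for rid, client, ct in requests]


if __name__ == "__main__":
    for rid, client, verdict in screen(SAMPLE_REQUESTS):
        print(f"{rid} {client:<14} {verdict}")
```

Request r5 is the point of the exercise: the signature misses it, the grammar check does not. A positive check on a header with a defined syntax is the "input sanitization" the slide names, and it keeps working when the next payload is obfuscated past the signature.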

Operation WireWire – June 2018

Kill Chain Phase | Adversary Actions | Defensive Response
Recon | Social media profiling; password guessing. | Training; password complexity; MFA.
Weaponization | Look-alike domains; filter bypasses; pretext development. | Email filters; unusual-activity monitoring.
Delivery | Send the email; get the attachment through. | Email filters; spam and phishing flags.
Exploitation | Social engineering of someone with wire-transfer authority. | Process.
Installation | Check the bank account. | Try to recall the wire transfer.
Command & Control | Transfer the funds to another bank. | Go after the sketchy bank.
Action on Objectives | Enjoy a drink on the beach. | Generate a resume.
  • 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius and Poland.
  • Seizure of nearly $2.4 million.
  • Disruption and recovery of approximately $14 million in fraudulent wire transfers.
  • Note that wire-transfer authority is a privilege. We don't often think of the people who hold it as privileged users, but the adversary does.
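The Weaponization row's look-alike domains are one of the few parts of a BEC kill chain a mail gateway can catch before a human has to. The script below is an added example, not code from the talk, that scores sender and Reply-To domains against a trusted list using confusable-character collapsing and edit distance. The trusted domains, the confusable table and the sample messages are all constructed; the two-label "registrable domain" rule is an assumption that stands in for a real Public Suffix List lookup.

```python
"""Look-alike sender-domain and Reply-To mismatch checks for BEC triage.

Added example for the WireWire Weaponization/Delivery rows; not code from
the talk. Trusted domains, confusable table and sample messages are constructed.
"""
import re

# Constructed: domains the organization and its known counterparties use.
TRUSTED_DOMAINS = {"examplecorp.com", "examplecorp-bank.com"}

# Constructed confusable table. Multi-character entries come first so that
# "rn" collapses to "m" before single characters are rewritten. The \u04xx
# entries are Cyrillic letters that render like their Latin counterparts.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),
]
MAX_EDIT_DISTANCE = 2


def registrable_domain(domain: str) -> str:
    """mail.examplecorp.com -> examplecorp.com.
    Assumption: two-label TLDs only; use the Public Suffix List in production."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(domain: str) -> str:
    """Decode punycode labels, then collapse visual confusables."""
    try:
        domain = domain.encode("ascii").decode("idna")   # xn--... -> unicode
    except (UnicodeError, ValueError):
        pass   # already unicode, compare it as given
    domain = domain.lower()
    for seq, plain in CONFUSABLES:
        domain = domain.replace(seq, plain)
    return domain


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Trusted domain this one imitates, or None if it is trusted or unrelated."""
    reg = registrable_domain(domain)
    if reg in TRUSTED_DOMAINS:
        return None
    sk = skeleton(reg)
    for trusted in sorted(TRUSTED_DOMAINS):
        if levenshtein(sk, skeleton(trusted)) <= MAX_EDIT_DISTANCE:
            return trusted
    return None


def address_domain(header_value: str) -> str:
    m = re.search(r"@([^\s>]+)", header_value)
    return m.group(1).lower() if m else ""


def check_message(headers: dict) -> list:
    """Findings for one message given its From and optional Reply-To headers."""
    findings = []
    sender = address_domain(headers.get("From", ""))
    reply_to = address_domain(headers.get("Reply-To", ""))
    imitated = lookalike_of(sender) if sender else None
    if imitated:
        findings.append(f"From domain {sender} looks like {imitated}")
    if reply_to and registrable_domain(reply_to) != registrable_domain(sender):
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
        imitated = lookalike_of(reply_to)
        if imitated:
            findings.append(f"Reply-To domain {reply_to} looks like {imitated}")
    return findings


# Constructed sample headers.
SAMPLE_MESSAGES = [
    {"From": "Bob <bob@examplecorp.com>", "Subject": "lunch?"},
    {"From": "CEO <ceo@exarnplecorp.com>", "Subject": "urgent wire"},
    {"From": "CEO <ceo@examplecorp.com>", "Reply-To": "ceo@examplecorp.co"},
    {"From": "<ap@partner-supplies.net>", "Subject": "invoice 4471"},
    {"From": "ceo@ex\u0430mplecorp.com", "Subject": "confidential"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg.get("Subject", ""), "->", check_message(msg) or ["ok"])
```

The third sample is the common WireWire pattern: a genuine-looking From with a Reply-To on a domain one character off, so the victim's reply goes to the criminal. Flagging the Reply-To mismatch alone is a cheap win even before any distance scoring.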

03 - Practical Application

Scenario 1 - Is My Hair on Fire?


hair on fire kill chain stops on 3
  • The chain is broken at Delivery, so the vulnerability is real but not reachable.
  • A loaded gun locked in a safe doesn't shoot anyone.
  • Am I saying don't patch? NO. I'm saying the patch is not the only thing on fire.

Scenario 1 - Adobe Acrobat Review

Kill Chain Phase | Questions to Ask
Recon | Is there any way to stop the adversary from knowing about the issue or about your environment?
Weaponization | Can I learn how to exploit the vulnerability on YouTube?
Delivery | Can the adversary get the exploit into the vulnerable system?
Exploitation | Can I detect or prevent the exploit? Will application whitelisting or my AV prevent it? Will exploitation gain the adversary anything?
Installation | Can the attack survive a reboot? Can they repeat the attack?
Command & Control | Can I detect their command and control? Will I respond to it?
Action on Objectives | If your SIEM practice is strong, you might have a good story to tell. Have you considered other employers?

Scenario 2 - Is My Hair on Fire?

Yes, your hair is on fire!

hair on fire kill chain green

Scenario 2 - Adobe Acrobat

Kill Chain Phase | Think it through
Recon | The adversary knows you have old versions of Adobe, or has nothing to lose by being wrong.
Weaponization | Wannabe hackers are racing to publish the YouTube walkthrough.
Delivery | The job function requires opening untrusted PDFs.
Exploitation | Adobe is famous for giving up a shell. Maybe your process monitor would block it?
Installation | Do the users have administrative privileges? (Otherwise regaining a lost foothold seems dicey.)
Command & Control | User networks are notoriously hard to egress filter. Can your firewall detect the anomaly in time?
Action on Objectives | Maybe consider a different job code?

Counter Kill Chain Strategy

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself, but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. -Sun Tzu

counter counter
  • Sun Tzu and Xzibit
  • Sun Tzu: All warfare is based on deception; appear weak when you are strong, and strong when you are weak.
  • Knowing yourself is the first six CIS Critical Security Controls:
  • CSC#1 - Inventory and Control of Hardware Assets
  • CSC#2 - Inventory and Control of Software Assets
  • CSC#3 - Continuous Vulnerability Management
  • CSC#4 - Controlled Use of Administrative Privileges
  • CSC#5 - Secure Configuration for Hardware and Software
  • CSC#6 - Maintenance, Monitoring and Analysis of Audit Logs

04 - Challenges to the Model

Sometimes good enough is…

  1. The model hasn't seen conceptual revisions since 2011.
  2. Several variants exist, e.g. the Phishing Kill Chain, but none has gained traction.
  3. It doesn't reflect the iterative nature of advanced attacks, where an adversary loops through the phases many times inside one intrusion.
  4. It is biased towards malware attacks.
  5. Bottom line: it's getting the job done.
good enough

MITRE ATT&CK Framework

mitre matrix
  • ATT&CK catalogs tactics and techniques rather than a fixed sequence, which suits attacks the kill chain handles poorly: insider threats, denial of service, anything where not every action on objectives requires all seven steps.

05 - Defense in Depth

How do you know your controls work?

06 - Questions

clever questions