Why the ‘cyber kill chain’ needs an upgrade

One of the most popular models for analyzing cyberattacks doesn’t focus enough on what to do after adversaries break into networks successfully, which they inevitable will do, Black Hat 2016 attendees were told this week in Las Vegas.

“Every attacker will become an insider if they are persistent enough,” says Sean Malone, a security consultant who spoke at the conference. “We need to operate under a presumption of breach.”

MORE: 'Mayhem" wins $2M first prize at DARPA Cyber Grand Challenge

He’s critical of a popular defense scheme called the cyber kill chain that defines seven steps attackers must take in order to succeed: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions and objectives.

The problem with it is that it assumes a traditional perimeter defense where a firewall is the main impediment to intruders. But that is no longer the case, so organizations must beef up defenses within that perimeter, Malone says.

The New Cyber Kill Chain

That means adding more steps, which are actually the same set only this time preceded by the word internal, so the kill chain becomes internal reconnaissance, internal weaponization and so forth. Internal exploitation, for instance, might include privilege escalation, lateral movement within the network and manipulating individual targeted machines.

During internal reconnaissance, adversaries have access to a single user’s workstation and will data-mine it for local files, network shares, browser history, and access to wikis and Sharepoint. The objective is to figure out how that machine might help map the network and enable moving to more valuable assets.

At each stage of the internal cyber kill chain, security architects should figure out what tactics, techniques and procedures (TTP) adversaries are likely to use and then set up defensive TTPs. In the case of Internal exploitation that might be patching fully, including development and test systems, and installing effective endpoint protection products.

Each of the attack phases once inside a victim’s network can take anywhere from minutes to months, including a final wait time when an attack is in place and ready to go. But note that the attacker will hold off for the optimal time to launch in order to get the most impact, Malone says.

Reconnaissance and weaponization might each take months. It’s hard to disrupt weaponization because it takes place offline at the attacker’s sites. But defenders can take steps to harden their systems and applications so weaponization is more difficult, Malone says. This might also include introducing false devices on the network – obfuscation – to make the task harder.

This new kill chain extends into what happens in recovery after a successful attack is carried out. Corporate cybersecurity teams need to have a plan in place for dealing with reporting breaches, contacting law enforcement, dealing with adverse publicity and the like. Each of these steps should be thought through with a plan and personnel in place to deal with them, he says.

The larger goal is to build a more resilient enterprise. It won’t stop all adversaries, but it will stop more. One of the objectives is to prepare good defenses at every step of the kill chain in order to slow down attackers and make it more and more costly to continue.

“You have to ask what would you do if the adversary has access to the internal corporate network, usernames and passwords, all documentation and specifications of the network devices, systems, backups and applications,” Malone says.

Attackers have goals, he says, and are willing to expend a certain amount of resources to achieve them. If defenders can boost the cost – whether monetary, personnel or time – above the value the attackers expect to reap, then they can succeed more often, Malone says. It’s an economic model based on the premise that no defenses will be perfect.

BLACK HAT: How to make and deploy malicious USB keys