Teach Cyber 2020 logo
May 14, 2021

The Teach Cyber Byte

In this Byte, we have a few announcements and we define the term "Cyber Kill Chain," identify some of the most prominent kill chain models, and look at a recent cyberattack through the lens of the cyber kill chain.

If you enjoyed this Byte, please feel free to forward and share our newsletter! (Please note: if you forward this to someone else and they click "unsubscribe," you may be unsubscribed from the mailing list).

Hey readers... this is an all-call for guest columns! Colleges can write columns on their programs, industry can contribute on a niche of cybersecurity, teachers can feature their programs, or anyone can respond to our Bytes and Megabytes.

If you are interested in submitting a guest column article for the Byte or Megabyte, send it our way by emailing Hello@TeachCyber.org.

Teach Cyber Virtual Lounge - May 20, 7:00 pm ET

Teach Cyber is inviting you to the May 20 Virtual Lounge. In this event, we feature Dr. David Raymond and the US Cyber Range/Virginia Cyber Range. If you are curious about what a cyber range is and how to use one in your secondary school cybersecurity course/program/pathway, this event is for you!


"Cyber Kill Chain" (CKC)

The cyber kill chain is a series of steps that traces the stages of a cyberattack from the earliest reconnaissance activities to the end goal of data exfiltration. While cyberattacks are constantly changing and evolving, the kill chain helps cybersecurity professionals understand the tactics, techniques, and procedures (TTPs) that an adversary might use against their target.
CKC models are used to augment an analyst's perspective of an attack by allowing them to think like an attacker. This insight into a threat actor's motives and methods can help combat all levels of cybersecurity incidents and protect organizations against security breaches.

The term "kill chain" was originally used by the military to define the steps a combatant uses to attack its target, all the way from identification to elimination [1]. The model was often used as a method of defense, where soldiers would attempt to proactively "break" an opponent's kill chain ahead of an attack. In 2011, Lockheed Martin co-opted the term to derive the cyber kill chain framework (then called the "intrusion kill chain") [2]. Like the military's model, Lockheed Martin's Cyber Kill Chain defines the phases of many of today's cyberattacks.

Since the original kill chain's release, organizations have produced many different versions of the framework to address modern security concerns such as insider threats, social engineering, advanced malware, and other innovative attacks. This cyber kill chain developed by AT&T, for instance, is explicitly designed to combat insider threats to an organization [3]. Other approaches, such as the Unified Kill Chain put forward by Paul Pols in 2017, take a less linear approach and attempt to integrate the kill chain phases with the tactic categories of the MITRE ATT&CK framework [4].

One of the most valuable benefits of the cyber kill chain model is its ability to leverage the human element of cyberattacks. The original kill chain model was developed as many organizations realized that simple technical controls like firewalls and passwords wouldn't be enough to combat the most advanced cybersecurity threats [5]. Practicing adversarial thinking is a huge component of developing effective controls and promoting better security awareness, and this is where the cyber kill chain excels. Cybersecurity professionals can use the various kill chain models to reduce their organization's risk exposure, disrupt attacks at the various kill chain stages, and minimize the impact of a breach should one occur [6].

There are many different versions of the cyber kill chain model, each attempting to address different kinds of threats and adversaries. For this breakdown, let's use Lockheed Martin's Cyber Kill Chain.



1.) Reconnaissance

Any adversary worth their salt will engage in planning and preparation long before the attack actually begins. This information-gathering phase is known as reconnaissance, and it's when the attacker picks a target, researches it, and looks for vulnerabilities. There are several different reconnaissance techniques, and attackers have advanced tools at their disposal to identify what they need. Whether it's harvesting e-mail addresses for a phishing attack, dumpster diving for sensitive documents, or running a vulnerability scan on a company's network, attackers will use any technique they can to acquire information that can be used to develop a more sophisticated attack in the subsequent kill chain steps.

It's easy to believe that there's nothing an organization can do about an attacker during this stage, but that's not necessarily true. Often, attackers will use open-source intelligence (OSINT) techniques to collect information about their targets shared through sites such as LinkedIn or Twitter. To protect themselves against adversaries at this stage, an organization's effective security posture and awareness program are especially valuable. With the right checks and training in place, an organization could potentially shut down an attack before it even begins. Additionally, proactive network monitoring for uses of tools like Nmap or DirBuster can help spot potential threat actors engaging in reconnaissance.
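
The network monitoring mentioned above can start with web server logs. The following is an added example, not part of the original newsletter: it flags clients that send the default DirBuster or Nmap script User-Agent, or that request many distinct missing paths. The log lines are constructed, and the threshold and function names are assumptions.

```python
import re
from collections import defaultdict

# Substrings of the default User-Agent headers sent by DirBuster and by Nmap's
# HTTP scripts. Both are easily changed, so this is only a first-pass check.
TOOL_AGENTS = ("dirbuster", "nmap scripting engine")
# Assumed threshold: distinct not-found paths one client may request.
MAX_DISTINCT_404 = 3

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

def make_line(ip, path, status, agent):
    """Build one constructed access-log line in combined log format."""
    return (f'{ip} - - [14/May/2021:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 153 "-" "{agent}"')

BROWSER = "Mozilla/5.0 (X11; Linux x86_64)"
DIRBUSTER = ("DirBuster-1.0-RC1 "
             "(http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)")
# Constructed sample traffic using documentation-only IP ranges.
SAMPLE_LOG = (
    [make_line("198.51.100.7", "/admin/", 404, DIRBUSTER)]
    + [make_line("203.0.113.9", p, 404, BROWSER)
       for p in ("/backup.zip", "/.git/config", "/old/", "/test.php")]
    + [make_line("192.0.2.44", "/", 200, BROWSER),
       make_line("192.0.2.44", "/favicon.ico", 404, BROWSER)]
)

def find_recon(lines):
    """Return {client_ip: sorted reasons} for suspected reconnaissance."""
    missing = defaultdict(set)
    reasons = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, agent = m["ip"], m["agent"].lower()
        if any(tool in agent for tool in TOOL_AGENTS):
            reasons[ip].add("scanner user-agent")
        if m["status"] == "404":
            missing[ip].add(m["path"])
            if len(missing[ip]) > MAX_DISTINCT_404:
                reasons[ip].add("404 burst")
    return {ip: sorted(why) for ip, why in reasons.items()}

if __name__ == "__main__":
    for ip, why in find_recon(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(why))
```

The 404 rule matters more than the User-Agent rule in practice, because it still fires when the tool's default header has been changed.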

The recent SolarWinds attack (discussed in detail in the 1/13/21 Teach Cyber Byte) is an excellent example of a sophisticated attack that can be analyzed using the cyber kill chain framework.

A likely Russian Advanced Persistent Threat (APT) group performs sophisticated reconnaissance of SolarWinds and its Orion platform, launching a massive supply chain attack against SolarWinds' many prominent clients.

2.) Weaponization

It's in this stage that an adversary develops their attack. For example, the attacker might infect an inconspicuous file such as a Microsoft Word document or PDF with a specifically crafted piece of malware. Understanding the weaponization phase is always important, and even more so when the attacker manages to find a zero-day (Unit 5, Lesson 8) in their target's software.

The attackers identify a vulnerability in Microsoft's authentication protocol to gain access and compromise SolarWinds' Microsoft Office 365 account.

3.) Delivery

Next, the intruder transmits their malware payload via a specifically chosen medium, such as a phishing e-mail or the distribution of an infected USB near the target's office. The adversary's goal in this step is to use their payload to breach the target system and establish a foothold. In addition to their payload delivery, an attacker might launch a simultaneous attack such as a DDoS to distract their target's security team and bypass normal defensive measures.

The APT then uses the authentication protocol vulnerability to obtain account credentials and access the SolarWinds software build system.

4.) Exploit

This is the phase when the payload is executed or the target vulnerability is otherwise used to gain access to a company's network and systems. After exploitation, an attacker will likely have access to considerably more information than they did from the outside looking in. This information paves the way for future, more sophisticated attacks and establishing permanence on the target network. Ensuring that all installed software is up-to-date with the latest security patches, that devices have anti-virus programs installed, and that networks are properly segmented are all important defensive measures that can protect against this stage of the cyber kill chain.

5.) Installation

In this step, the malware installs a backdoor or other ingress accessible to the attacker, while the attacker does their best to hide their actions on the system. The attack will be considerably more effective if the target is unaware of the threat. Once an attacker has open access to a system through a backdoor, they will be able to install more tools, modify system data and settings to compromise their target's integrity and availability, and continue to establish permanence and further footholds.

The attackers replaced one of the software (C#) files that are compiled and combined in the process used to build new versions of software updates. These updates grant the attacker significant access to systems and networks using the SolarWinds Orion software.

6.) Command & Control

After gaining system access, the attacker will use command and control techniques to acquire persistent access to the target's systems or network. To continue attacks against their targets, the attacker's software on infected systems must occasionally "call home" to the attacker's devices for instructions or exfiltration. This process gives attackers a large toolbox to manipulate their target system, but it also allows defenders to notice abnormal activities on the network during threat hunting exercises.
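
The "call home" traffic described above tends to recur at near-constant intervals, which is one thing a threat hunt can look for. The following is an added example, not part of the original newsletter: it groups connection records by source and destination and flags pairs whose gaps between connections barely vary. The records are constructed, and the thresholds and function names are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

MIN_EVENTS = 6     # assumed: connections needed before judging regularity
MAX_JITTER = 0.10  # assumed: stdev of the gaps at most 10% of the mean gap

def find_beacons(events):
    """events: iterable of (epoch_seconds, src, dst).
    Returns sorted (src, dst, mean_gap_seconds) for regularly timed pairs."""
    times = defaultdict(list)
    for ts, src, dst in events:
        times[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < MIN_EVENTS:
            continue  # too few connections to call it a pattern
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative spread means the host connects on a timer,
        # unlike human-driven traffic, which arrives in irregular bursts.
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
            hits.append((src, dst, round(avg)))
    return sorted(hits)

def sample_events():
    """Constructed records: one host on a ~300 s timer, one browsing host."""
    jitter = [0, 4, -3, 2, -5, 1, 3, -2]
    beacon = [(1000 + 300 * i + j, "10.0.0.5", "203.0.113.50")
              for i, j in enumerate(jitter)]
    browsing = [(t, "10.0.0.8", "198.51.100.20")
                for t in (1000, 1012, 1015, 1900, 1903, 2600, 4100)]
    return beacon + browsing

if __name__ == "__main__":
    for src, dst, gap in find_beacons(sample_events()):
        print(f"{src} -> {dst} about every {gap}s")
```

Implants that randomize their sleep time widely will exceed the jitter threshold, so a result of no hits does not rule out command and control traffic.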

Code for a backdoor was inserted in this C# file. The backdoor is capable of transferring files, disabling services, and rebooting machines. The code also performs lateral movement operations, such as installing Cobalt Strike components.

7.) Actions

Finally, the actions on objectives stage is when an intruder engages in "end goal actions," such as data theft and modification or denial of service. In addition to executing their attack, adept intruders will also often take time to confuse and slow down the security and forensics team by clearing logs, deleting metadata, and leaving behind misleading trails. The most sophisticated attackers could even modify all relevant logs and data to make it appear as though no attack is underway. An attacker's motivations vary greatly depending on the threat actor, so it's difficult to nail down the attacker's specific techniques. This is why this stage of the kill chain is so broad--and why collecting threat intelligence to answer this question is so important.

Finally, the APT uses their access to SolarWinds and companies that use SolarWinds Orion to access and exfiltrate sensitive data and software such as proprietary red team tools used by FireEye.

Explore real-world applications of the cyber kill chain in the "Intro to the Challenge of Cybersecurity" course, Unit 7, Lesson 3 (free to registered users). In this lesson, students will be exposed to the Lockheed Martin Cyber Kill Chain in order to analyze the kill chain's value for adversarial thinking. Additionally, students can refer to Unit 2, Lesson 2 to see how adversaries like Advanced Persistent Threats (APTs) use the stages of the cyber kill chain to launch long-term, sophisticated attacks against companies and organizations.

To learn more about cyber kill chains and compare different implementations of the cyber kill chain, check out the models implemented by these organizations:

[1] Velimirovic. (2021, January 21). What is a Cyber Kill Chain? PhoenixNAP Blog.

[2] Lockheed Martin. The Cyber Kill Chain. https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

[3] DeGonia. (2020, March 13). Cyber Kill Chain model and framework explained. AT&T Security Essentials Blog. https://cybersecurity.att.com/blogs/security-essentials/the-internal-cyber-kill-chain-model

[4] MitigateCyber. (2019, March 17). The Unified Kill Chain: Part 2. MitigateCyber Blog.

[5] Spitzner. (2019, May 31). Applying Security Awareness to the Cyber Kill Chain. SANS Security Awareness Training Blog. https://www.sans.org/security-awareness-training/blog/applying-security-awareness-cyber-kill-chain

[6] BeyondTrust. (2020, December 18). Cyber-Attack Chain. BeyondTrust Glossary.