Cyber Kill Chain (CKK) – APT Interception Methodologies and Advanced Malware Mitigation.
Advanced Malware Mitigation Strategies
We are witnessing an epistemological shift in malware detection & mitigation methodologies. Spearheaded by Lockheed Martin, this initiative proposes a radically new approach – instead of dealing with a malicious attack in its aftermath & reinforcing the infrastructure after incursion has ceased, based computed IOTs and IOCs, LM aims for a circular and highly efficient early-detection and mitigation system that showcases the ever-growing need for an on-site Computer Security Incident Response Team (CSIRT).
The premise upon which Lockheed Martin’s Cyber Kill Chain (CKK) is built has to do with the power play between a potential attacker and the defender. Traditional detection, response, and mitigation models state that the defender has an inherent ‘hitch’ when faced with a potential adversary – the malicious thespian has the element of surprise and will always hold enough information to compromise the defender.
No doubt this statement is true to some degree, judging by how ‘surgical’ in nature Advanced Persistent Threats (APTs) are (and have become), however, this does not preclude the scenario of the defender gaining the upper hand!
Having emphasized the need for (actionable) intelligence and forensics, we have, metaphorically, put CKK on trial. Without a doubt, the outcome is not trivial nor without impact, considering that this army-spun concept may yet pave the way to a veritable threat-hunting Renaissance.
Cyber Kill Chain (CKK) Terminology
(as proposed by Eric M. Hutchins, Michael J. Cloppert, Roman M. Amin, Ph.D. et al)
- Lockheed Martin Kill Chain – eight-phased, advanced detection, mitigation, and response plan based on US Military F2T2E2 (Intrusion Kill Chain) strategy (find, fix, track, target, engage, and assess). Lockheed Martin’s approach proposes the following links: reconnaissance, weaponization, delivery, exploitation, installation, Command & Control (C2, sometimes C&C), action on objective (and lateral movement), and data exfiltration.
- Indicators of Threat (IOTs) and Indicators of Compromise (IOCs) – computed based on pre- and post-attack raw data. LM taxonomy observes atomic indicators (cannot be broken down into smaller parts and retain their meaning regardless of context), computed indicators (derived from data involved in an incursion), and behavioral (composite aggregate between atomic and computed data).
- Delivery mechanisms – methods to deliver malicious payloads into the targeted networks and endpoints. Based on APT dynamic analysis, the most preferred method remains email attack (TME or targeted malicious email), followed by phishing websites, and altered USB removable media drives.
- Action matrix – correlates appropriate counteractions with the kill chain phase.
- Pre- and post-detection counteractions:
- Audit log;
- NIDS+ HIDS+HIPS;
- Firewall access control management;
- DNS redirect;
- AV sweep;
- DEP (Data Execution Prevention);
- Proxy filter (Egress + Ingress)
- Chroot ‘jail’.
- QoS analysis.
- Security controls – a set of actions undertaken by a CSIR team to prevent or stop an attack. Also called the five Ds of CKK: Detect, Deny, Disrupt, Degrade, and D
- Tactical Intelligence – inferences made after discovering & mitigating past incursions. It can also refer to a ‘boots on the ground approach’ – threat & tactical intelligence uncovered through direct means (i.e. hearsay, interrogation, analysis of physical documents etc.). Tactical Intelligence is an inherent part of the CSIRT’s SOP (Standard Operating Procedure), and useful in drafting the department’s TTP (Tactics, Techniques, and Procedures) agenda.
Cyber Kill Chain (CKK) phase description – An in-depth analysis
Lockheed Martin’s approach to threat detection & mitigation incorporates elements from MITRE’s attack/response shell. As opposed to the rather theoretical framework proposed by MITRE, CKK has a more ‘hands-on’ approach, and can easily be integrated into the formulation of a cohesive and proactive cyber-defense strategy, regardless of entity (i.e. SMB, startup, enterprise, intelligence provider etc.).
In anticipation of showcasing the phases that make up the CKK, I want to raise a challenge: will the Cyber Kill Chain be the next paradigm in combating APTs or the computer science equivalent of phrenology? Remains to be seen.
According to LM, the Cyber Kill Chain is comprised of eight phases:
- Command and Control;
- Action-on-Object and Lateral movement;
- Data exfiltration.
The first phase of an incursion. A crucial step in ensuring that the malicious action achieves its goal – data exfiltration. Throughout this phase, the attacker will attempt to gather as much information about the target. Recon techniques can vary, depending on the target’s size, cyber-defense strength, the extent of the compromise, an attacker’s goal:
- Website crawling (mailing lists, social media engineering, domain name information, hosting company, website historical information).
- ‘Fingerprinting’ – an info-gathering technique that helps attackers determine the target’s OS system. Fingerprinting is done by transmitted altered packets to a target system and analyzing how the target interacts with them. Example of Fingerprinting: Time-to-Live, Window Size, DF (determines if the OS has set the ‘Don’t Fragment’ bit), and TOS (Type of Service).
- Port scanning – lists all open ports on a target system.
- DNS enumeration – a technique that usually employs an automated tool (i.e. DNSenum) to located all DNS servers and records associated with an entity, such as a company.
- ‘Sniffing’ – recon technique used to capture, analyze, and monitor packets as they are passing through a network. Sniffing is achieved via specialized tools. Type of info gathered with a sniffing tool: DNS traffic, chat sessions, router config, passwords (Telnet and FTP), web and email traffic.
Antivirus is no longer enough to keep an organization’s systems secure.
Thor Foresight Enterprise
before they reach your system.
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Automatic patches for your software and apps with no interruptions;
- Protection against data leakage, APTs, ransomware and exploits;
The second phase/link of CKK is weaponization – appending a malicious payload to a remote access trojan or variation. The trojan itself has exploitation capabilities. However, without the dissemination vector, it cannot possibly avoid detection. Weaponization is often achieved by employing automated tools. Concerning delivery, research reveals that the most common delivery payload medium is a client app data file such as Microsoft Office document (.docx, .xls) or pdf.
Case study – Bank Security’s Excel Weaponization via the Metasploit1) SMB delivery module.
Bank Security’s case study proved that even something as an innocuous an MS Excel document can be transformed into an exploit that fends off most inline-AVs. The case study showcases the way a malicious payload can be downloaded and executed on a machine, by embedding it in VBS macro.
Abstract: a module that contains a custom or ready-made code is loaded into Metasploit. The module is configured to exploit windows/smb/smb_delivery. Once the command is executed, the appropriate malicious Dynamic Link Libraries files are loaded. The target’s ID and .dll must also be specified. Once the config stage is over, the exploit command can be run. A Meterpreter reverse shell will be opened on the victim’s machine (this will be done after the meterpreter_reverse_tcp is set in place).
A command exploitation line will be generated. This must be run on the victim’s machine. Pasting it in the Run window will trigger detection by AV. Weaponization is achieved by embedding a malicious server-generated command line in an Excel VBS macro. Once the user opens the excel sheet, the command line will be automatically executed in the background, triggering the exploitation.
For additional details and full technical documentation, please refer to this on Excel weaponization.
The third phase of the Cyber Kill Chain refers to the vectors used to deliver malicious payloads. Malware phenomena observations have revealed that the prominent delivery vectors are: email attachments (see phishing), malicious websites, and infected USB thumb drives. RDP (remote desktop protocol) is also gaining traction among malicious actors.
Once the malicious payload(s) has been delivered, the attacker will attempt to remotely identify and exploit vulnerabilities. More than often, malicious actors take advantage of OS vulnerabilities, but applications can also be targeted, especially those that haven’t been updated, patched or are running an unstable/experimental build.
In some cases, even some OS or system features will trip the exploit’s auto-execution code. This is one of the reasons why patching has gained traction among system administrators and cyber-crime researchers. Heimdal Security’s internal data has revealed that frequent patching can eliminate up to 85% of all attack vectors.
During the exploitation phase, the attacker will attempt to compromise additional systems and/or accounts by gaining admin-type rights. There are various ways through which attackers can gain such rights, the most ‘popular’ method being the so-called brute force attack.
Other vectors can be sought: unsecured credentials repositories, unencrypted network traffic, files that contain plaintext credentials. The appropriate countermeasure is to deploy an automatic rights escalation and de-escalation to streamline the process and contain an infection in case of an intrusion.
System admins waste 30% of their time manually managing user rights or installations.
which frees up huge chunks of sys-admin time.
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
During the fifth phase, the malicious actor will attempt to gain a foothold (maintain persistence). This can be achieved by dropping a remote access trojan inside the compromised system. The malicious actor can choose to install a backdoor or take advantage of an existing one.
Command and Control (C&C)
Once the presentation has been established, the attacker will attempt to tie in the compromised host to a command and control (C&C) server. This will allow the attacker to execute data exfil-specific commands. There are some limitations – the interaction is mostly manual, leaving very little room for automation. However, recently observed APTs may employ machine learning techniques to increase their efficiency and decrease the risk of successful detection.
Action-on-Object & Lateral Movement
After completing phase one through five, the intruder can now move unhindered through the system and achieve his goal – ‘jailbreaking’ sensitive data. In some instances, the attacker would compromise a target in order to reach a higher value (hop-pointing). During this phase, the malicious actor will also attempt to move deeper inside the network or tap into even more resources (i.e. credentials repositories, databases, etc.).
Action-on-object and Lateral Movement would be very difficult if not impossible without obfuscation. Despite not being a phase on its own, the attacker has to ‘cover his tracks’ in order to avoid detection. Obfuscation can be achieved through various means: binary padding, code-signing, file deletion, process hollowing, distorting timestamps, etc. In APT campaigns, malicious actors are capable of absconding their actions to such a degree that data exfil is detected too late along the chain to deploy any type of countermeasures.
The final phase of LM’s Cyber Kill Chain: fraudulent data exfiltration and subsequent monetization. The malicious actor will typically attempt to remove sensitive data from the compromised systems and/or networks through various means: changing or scrambling encryption protocol, data compression, exfil over a hidden or unsupervised protocol, and even exfil over a physical medium (i.e. USB removable media, portable data storage devices, etc.)
Even with all the key countermeasures taken out of action, detection may still be possible. To avoid this outcome, malicious actors will launch a Denial-of-Service attack in order to draw the attention of the cybersecurity team on site. This more of a distractionary action, with minimal impact on the company’s system or network. DoS attacks include resource hijacking, service stop, network denial of service, or total system shutdown.
Strategizing incident response
The Cyber Kill Chain is a dynamic and intuitive model that describes the behavior of a malicious actor in his attempt to penetrate an infrastructure for the purpose of data exfiltration. Although not a solution on its own, CKK can provide an insightful glimpse into the mind of a cyber-criminal and aid the CSIR team in formulating ‘kill’ phase-based actions.
The counter-actions proposed by Lockheed Martin’s action-matrix are phase-sensitive and have been modeled after the US Military’ F2T2E2 system.
In the introduction, I’ve mentioned something about the five Ds of CKK (Detect, Deny, Disrupt, Degrade, and Deceive). Let us take a closer look at how to devise an appropriate strategy based on the associate kill phase.
The counteractions in this phase are Detect & Deny. Detection can be achieved via web analytics, while Deny uses Firewall ACM.
Appropriate counteractions: Network Intrusion Detection (NIDS) on Detection and Network Intrusion Protection on the Deny.
Possible counteractions: User Vigilance on Detection, proxy filtering on Deny, In-live AV sweep on Disrupt, and queuing on Degrade.
Possible counteractions: HIDS on Detection, Patch on Deny, and Data Execution Prevention (DEP) on Disrupt.
Possible counteractions: HIDS on Detect, “chroot” jail on Deny, and secondary AV sweep on Disrupt.
Command & Control
Possible counteractions: NIDS on Detect, Firewall ACM on Deny, NIPS on Disrupt, Tarpit on Degrade, and DNS redirect on Deceive.
Possible counteractions: Log review on Detect, Quality of Service on Degrade, and Honeypot on Deceive.
CSIRT is a must, regardless of company size or profile. Second-generation malware is more insidious and viral compared to their distant cousins and simple AV solutions are simply not designed to detect & mitigate this type of incursions.
CKK is not a panacea – implementing this detection & mitigation model does not preclude malicious data exfil and system compromise. As always, vigilance (and well-managed cybersecurity grid) is the key to prevent any future incursions.