CyberWarfare / ExoWarfare

A “Cyber Axis of Evil” is Rewriting the Cyber Kill Chain

Survey of Incident Responders Shows That Businesses Needs to Re-architect Cybersecurity

The cyber kill chain employed by advanced adversaries is changing. Defenders need to evolve their defensive strategies to meet the new challenge; and they need to develop silent hunting skills.

A new study from Carbon Black queried 37 incident response firms that use its threat hunting tool to gain insight into what is happening after an attacker has breached the network. “The inspiration for this report,” Tom Kellermann, the author and chief cybersecurity officer at Carbon Black told SecurityWeek, “was, I was tired of seeing reports that are focused on just the vector of attack — how they got in versus how they stay in. There has been a dramatic shift in how cybercriminals operate — they have moved from burglary to home invasion, and we now need to be asking different questions. The adversaries are typically inside networks for months.”

Key statistics from the report picked out by Kellerman include the predominance of Russia and China as adversaries. Eighty-one percent of respondents highlighted Russia, and 76% highlighted China. Thirty-five percent say that the end goal is espionage.

Sixty percent of the attacks involve lateral movement, indicating that attacks are no longer smash and grab incidents — adversaries are now intending to stick around for the long game. This is confirmed by the appearance of incident response countermeasures. Nearly half of the respondents have seen instances of counter-incident response. Sixty-four percent have seen instances of secondary C2 [Command & Control] being used on a sleep cycle during their IR engagements. Thirty-six percent of attackers use the victim for island hopping; that is, as a supply chain attack. And — perhaps worryingly — 10% have witnessed non-ransomware destruction.

“I think the destruction figure is quite worrying if it grows,” Kellermann told SecurityWeek; noting that there are already signs that it is doing so. He suggested three primary motivations: activism (possibly patriotic), revenge (for being discovered), and the destruction of forensic evidence. “There’s a fundamental lesson we need to take away from this,” he said: “we have to become more clandestine and more quiet when we hunt the adversary in our homes. We can no longer shout out, ‘I know you’re in my house; I’ve called the police’. That is exactly what Crowdstrike did when it was responsible for investigating the DNC breach, it was too loud in its incident response which is why the Russians dug and burrowed in deeper and deeper — and that was evidenced in the indictments.”

The biggest single takeaway that Kellermann has from this survey is that the way to counter the new long-term, advanced and evasive incursions is to develop silent hunting techniques. If hunting is too noisy, the adversary will simply burrow deeper, employ incident-response countermeasures, or simply destroy the network and leave.

“This evolution coincides with mounting geopolitical tensions,” suggests the report. “Nation-states such as Russia, China, Iran and North Korea are actively operationalizing and supporting technologically advanced cyber militias.”

Kellermann believes that this new level of attack sophistication is down to the increasing level of nation-state hacking — although the hacking itself may be done by a national militia rather than direct government employees. “We’re seeing cybercriminals act as cyber militias for nation states,” he explained.

Take Russia and the GRU units indicted by Deputy Attorney General Rosenstein as an example. “Those GRU units typically in the past didn’t have any real level of cyber-attack sophistication. The Silicon Valley of cyber-attack sophistication in Russia was St Petersburg — so they called upon great cybercriminals like Alexsey Belan and Evgeniy Bogachev to essentially arm them with the greatest zero-day attack code and exploit kits in addition to showing them how to morph and change their kill chain.” 

The Chinese adversaries are also learning and adapting. “The Chinese,” he said, “having learned from the mistakes of their past, where they never practiced good operational security and they were typically too loud when they broke into networks… well, they’re becoming much more clandestine and much more elegant in the way they attack corporations. Particularly,” he added, “in using island hopping — as evidenced by the Cloud Hopper campaign where they targeted the SMPs of a dozen major corporations in the West. After compromising the MSPs they then leapfrogged into the corporate networks via their cloud infrastructure for the purposes of economic espionage.”

The coincidence of changing and more advanced attacks with the rise of nation state actors is compelling; but suggestions that it is primarily Russia and China is down to the accuracy of attribution.

“This attribution comes from the incident response responders to the survey,” says Kellermann. “These folks typically worked in British or US intelligence or law enforcement communities; and they understand the fingerprints, the TTPs associated with specific threat actor groups, and the modus operandi. Not only that, you can typically see the C&Cs and the secondary C&Cs leveraging back to infrastructure that is operated or controlled by specific entities.”

Kellermann believes there really is — effectively — a cyber axis of evil, primarily comprising Russia, China, North Korea, and to a lesser extent, Iran. The first three have an unwritten operational agreement not to target each other. “None of these three will hack the others, and at the same time they are benefitting from each other’s colonization of wide swathes of the West.”

Russia and North Korea are particularly close. “Both Russia and North Korea are counteracting economic sanctions imposed by the West with cybercrime against the financial sector,” he said. “North Korea itself has become much more adept and sophisticated with their cyber-attacks as they are mirroring the Russian kill chain, and they are using more and more exploits and more and more custom malware. Just as the North Korean missile systems are typically based on Russian missiles, so you have the same amount of tech transfer in cyber capabilities.”

He sees no reduction in cyber-attacks from any of these countries, and expects South China Sea tensions and the potential for global trade wars to simply exacerbate the problem. “In fact,” he said, “the new group Hidden Cobra  has been quite prolific — you just don’t hear much about them because the financial institution victims are trying to keep this conversation quiet. But Hidden Cobra is the greatest testament to the advancement of cyber capabilities in North Korea.”

Nor does he exclude Iran from this group, pointing out that as long ago as the Stuxnet issue, it was Russia that Iran turned to for, and received from, cyber assistance. There are even suggestions that Russian experts analyzed Stuxnet and returned it to Iran in the form of the original Shamoon malware used against Saudi Aramco.

But Kellermann doesn’t think an understanding of the source of the attacks is an important as an understanding of how they are being operated. “I really think that the indications of counter incident response are the powerful statistics; and that 36% of the attacks are not directed against the initial victim — basically, after they’ve done stealing from you they’re going to use your network to target people that trust you. That has to be something we are acutely aware of and cognizant of in how we structure business partnerships, and in how we secure our information supply chain going forward.”

He feels that the U.S. is currently suffering under an Administration that is not sufficiently focused on cyber security. “Not only does the US not even have a Cyber Czar, but this Administration has not taken cyber security seriously — as evidenced by the rapid retirement rate of professionals who would have been lifers under a different administration. I am incredibly concerned that we’re dealing with an adversary that has already colonized wide swathes of British and American infrastructure, and we’re really fighting someone from the inside out.”

He believes that the real message coming from this survey of incident responders is that business needs to re-architect its cybersecurity. “We need to change the architectural model away from a castle-like structure and more towards that of a prison, where we can force the adversary to be resourced constrained, where we inhibit their capacity to move laterally and we hunt them and monitor them without them knowing that we’re doing so. That’s the type of environment we need to migrate to — I call that environment ‘intrusion suppression’.”

To achieve this, he believes that business must move to silent hunting. “This could be done with iron boxing, modern whitelisting, next gen AV that includes endpoint detection and response, and deception technology. Hunt tools need to be more widely deployed. Memory augmentation should be employed, and adaptable authentication based on the level of risk can enforce 2 or 3 factor authentication with a biometric live challenge/response, all depending on the level of risk. Existing outward-facing network defenses are largely failing. The modern network has really evolved to cloud and mobility which makes the security of the endpoints paramount, and the capacity to record and monitor all activity on the endpoints is absolutely quintessential to success.”




Breaking the Cyber Kill Chain


In some ways, an attack against an organization is similar to a house made of cards; removing one card can cause the whole thing to collapse.

This concept can be applied to the cyber kill chain framework created by Lockheed Martin that describes the phases of an attack. Disrupting any of these stages can be enough to thwart, or at least slow, a hacker. While security experts have been talking about this for years, recent high-profile breaches have underscored the importance of thinking not just about preventing attacks, but also ways the damage attackers can do can be limited or caught when an attack is underway.

“Depending on their skill set, budget, and risk tolerance, each security team will take a different approach to the kill chain,” said Mark Nunnikhoven, Trend Micro’s vice president of cloud and emerging technologies.

“Some are great at minimizing their footprint which makes it hard for the attacker to weaponize what they’ve learned during reconnaissance,” he said. “Others are great a detection and focus on the catching the attacker during the exploit or install phases. Regardless of the approach, every security team is trying to make it so the attacker must spend more time and energy on the attack than the return they get.”

In a recently issued report, the security firm Aorato outlined what researchers believe are the various stages of the attack on Target. The firm notes the attackers’ main method of penetration was via stolen credentials as opposed to exploiting vulnerabilities, with the initial compromise being used to get access to a Target application for vendors. Then, the attackers exploited a vulnerability in the Web app and executed code on the application’s server.

From there, the report states, they searched for relevant targets to propagate to by querying Active Directory from the Web application’s server. The attackers then stole the access token of an account with Domain Admin privileges and used it to create a new Domain Admin account in Active Directory. Next they propagated through the network to relevant computers.

In the report, researchers noted the attackers used malware when no relevant legitimate tool existed that could be used for their purpose, such as for scraping the memory of the point-of-sale process. Rather than try to stay invisible using rootkits or other malware, the attackers relied on disguises – adding bogus user accounts, masking the malware files they did use with the names of legitimate files and using tools like Remote Desktop and PsExec to run processes on various machines remotely.

“Traditional security tools focus heavily on malware and miss these kinds of compromises,” said Chris Morales, practice manager of architecture and infrastructure at NSS Labs. “Companies need to provide continuous monitoring of internal systems looking for anything that is a deviation from normal system behavior. This means using a big data analytics system for analysis beyond a traditional SIEM as there is quite a bit of information to collect. Any abnormal behavior can be considered an indicator of interest and needs some level of investigation.”

The Target attackers used a staged approach to propagation, the report explains. First, they obtained a foothold on a new system through a manual connection (e.g. RDP) to assess its value. If they decided it was valuable, they upgraded their grip to a persistent one by adding a service to the target system backdoor or adding a backdoor.

In the case of retail breaches, the short-lived nature of attacks makes hiding in plain sight an attractive option for attackers, said Tal Be’ery, vice president of research for Aorato.

“For a short-lived campaign hiding in plain sight can be considered as a good enough camouflage from the attacker’s PoV [point of view], as the risk of detection is relatively small due to the current state of security measures and the relatively short campaign time,” he explained.

The Aorato report recommends organizations monitor and profile user access patterns, and utilize multi-factor authentication to protect sensitive systems. As an attacker’s first step begins with reconnaissance, the report also recommends keeping an eye out for signs of recon – with particular attention being paid to any change in LDAP queries. Other advice includes segregating networks, limiting user privileges and monitoring for the creation of new privileged user accounts.

When it comes to preventing data exfiltration, McAfee EMEA CTO Raj Samani said an organization’s firewall should monitor outgoing traffic against a list of known bad IPs, so that if a system internally is communicating with this system, it can be identified as an indication of compromise. Beyond this, organizations should also consider some form of network-based data loss prevention that will analyze outgoing traffic to determine whether it is indeed authorized to leave the environment, he said.

“The problem with disrupting the kill chain is that while it may eliminate the discovered breach, you don’t know where else a problem exists,” Morales said. “It needs to be done, but not in a manner obvious to the attacker. It might alert the attacker their presence is known allowing them to modify an ongoing attack for further evasion. The trick is to constrain the ability of the attack to cause any damage transparently to provide time to learn about the attacker while also identifying any further infections.”

“I have spent up to two weeks doing this,” he added. “It involves putting the infected systems into a sandbox where nothing gets hurt and more data can be collected. This should gather enough intel to identify all infected hosts and applications using some form of internal analysis tools.

In the end, the earlier an organization can disrupt the kill chain, the better.

“Since APT style attacks generally follow the stages of the kill chain, understanding and identifying these phases can help you to predict the attacker’s next move and put effective defenses in place,” said Lauren Barraco, product manager of AlienVault.”

*This story was updated to mention Lockheed Martin developed the Cyber Kill Chain framework.




Background: “Kill Chain”

The term kill chain was originally used as a military concept related to the structure of an attack; consisting of target identification, force dispatch to target, decision and order to attack the target, and finally the destruction of the target. Conversely, the idea of “breaking” an opponent’s kill chain is a method of defense or preemptive action. More recently, Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network.

Computer scientists at Lockheed-Martin corporation described a new “intrusion kill chain” framework or model to defend computer networks in 2011. They wrote that attacks may occur in stages and can be disrupted through controls established at each stage. Since then, the “cyber kill chain” has been adopted by data security organizations to define stages of cyber-attacks.


A cyber kill chain reveals the stages of a cyberattack: from early reconnaissance to the goal of data exfiltration. The kill chain can also be used as a management tool to help continuously improve network defense. Threats must progress through several stages in the model, including:

  1. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
  2. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
  3. Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives)
  4. Exploitation: Malware weapon’s program code triggers, which takes action on target network to exploit vulnerability.
  5. Installation: Malware weapon installs access point (e.g., “backdoor”) usable by intruder.
  6. Command and Control: Malware enables intruder to have “hands on the keyboard” persistent access to target network.
  7. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

Defensible Actions:

  • Detect: determine whether an attacker is poking around
  • Deny: prevent information disclosure and unauthorized access
  • Disrupt: stop or change outbound traffic (to attacker)
  • Degrade: counter-attack command and control
  • Deceive: interfere with command and control
  • Contain: network segmentation changes