Cyber Kill Chain Reimagined: Industry Veteran Proposes “Cognitive Attack Loop”
The Cyber Kill Chain is dead. Long live the Cognitive Attack Loop. This is the thesis of Tom Kellermann’s (Chief Security Officer at Carbon Black and former cyber commissioner for President Obama) new paper, ‘Cognitions of a Cybercriminal’.
The problem with the Cyber Kill Chain framework created (and trademarked) by Lockheed Martin is that it has a beginning and an end. While this was an accurate reflection of cyber-attacks when it was first devised, it no longer applies, Kellermann says. The burglary approach of cybercriminals to enter, steal and leave has changed to long-lasting home invasion.
The modern cybercriminal does not just leave — he wants to stay, quietly hidden. Breaking the kill chain no longer works; because the criminal is still in the home.
Kellermann’s argument is that defenders need to recognize the new reality and to start thinking about a modern persistent cognitive attack loop rather than a linear attack chain. This in turn recognizes the extent and manner to which elite Russian hacking groups have revolutionized hacking methods over the years since the Kill Chain was devised — partly in response to the Gerasimov Doctrine.
General Valery Gerasimov wrote in 2013, “The very ‘rules of war’ have changed. The role of non-military means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness.” The bear doesn’t have to be as fast as the human, he only needs to slow down the human to be as slow or slower than the bear — and this can be done in cyber. This in turn led to a unique relationship between state and Russian hacking groups, each aiding the other so long as the target is outside of Russia.
“Russians have been successful in defeating the US and UK cyber defenses,” Kellermann told SecurityWeek, “because our cyber security architectures were built to defend against the Lockheed Martin Kill Chain. The modern Russian attack matrix is not a kill chain — it is more of a cognitive attack loop.”
The early key differentiators introduced by Russian hackers, he continued, include a secondary C2 on a sleep cycle, sandbox evasion techniques, the use of steganography to deploy secondary payloads, island hopping to compromise a host and leverage further attacks from that host, and more. He gave two examples. The first was the DNC hack. Despite knowledge of the hack, and therefore technically breaking the Kill Chain, the cybersecurity firm brought in to investigate failed to detect the secondary C2 — allowing the Russian hackers to stay in the network right up until the election.
The second example is Turla. “A new technique that the Russians have pioneered over the past year,” Kellermann told SecurityWeek, “is reverse business email compromise, where they commandeer the mail server and very selectively, through the use of machine learning, send out fileless malware against the board and the most senior executives from other companies that communicate with that organization. The newer technique that they are using, and another thing that we should pay attention to, is this construct of island-hopping platforms and essentially access mining in systems and leveraging text files to move laterally. These are all techniques that the Russians are employing.”
While such advanced techniques have been pioneered by Russian hackers, they are being copied by other groups — both private and state-sponsored — around the globe. Now, he writes, “There has been an explosion in the talent behind cyber-attacks. The skills aren’t in a few number of hands anymore.” And for as long as we base our defensive posture on recognizing and breaking an attack chain that no longer exists, we will be handing the advantage to the attacker.
Kellermann’s proposal is that defenders think of incursions more in terms of a loop (which he calls the Cognitive Attack Loop) than a chain. There are three primary phases to this loop: reconnoiter and infiltrate; maintain and manipulate; execute and exfiltrate — but there is no assumed exit. Each of these primary phases has numerous sub-phases, such as privilege, persistence and evasion within the maintain and manipulate phase; and exfiltration, destruction and disinformation in the final phase. But there is no end to this loop. If the attackers have not been detected, they will remain. They could start again at some point in the future — or, in the case of the Russian state/hacker alliance, simply pass the access keys to a Russian intelligence agency.
The attackers’ aim is stealth and persistence; and defenders need to adopt a similar stance. Defenders must not be heavy-handed. If the attackers know they have been detected, they will either hide and wait, or in the worst-case scenario, invoke a burnt earth strategy to hide their purpose and methods before leaving (if they actually do leave).
Key to the new defense is cognition — an understanding of the TTPs and behaviors of the attacker rather than simply looking for IOCs. “For too long we’ve been focused on the bullet,” said Kellermann. “We’ve never taken into account how the sniper took vantage on that person to begin with and why they chose that victim. That’s the part we’ve been missing.” Using the home invasion metaphor, we’ve never asked who owns the white van parked outside the house over the last few nights, or questioned where it has been on other nights.
Understanding behavior and context will provide intent, and from that position defenders will be able to predict actions and contain events before damage is done. Central to this capability is the evolution of the MITRE Att@ck matrix. It has already been hugely beneficial in allowing defenders to be more accurate in their response to the various stages of the kill chain. “But what I’m suggesting,” Kellermann told SecurityWeek, “is it necessitates a new paradigm and stratagem that would dictate how we combine the TTPs, and combine the behaviors to discern intent.”
In this sense, Kellermann’s paper (PDF on the web – local copy here) is a call to action, that he intends to repeat at Black Hat and Defcon. “This is merely a starting point,” he said, “for a new strategy that will be completely intertwined with MITRE Att@ck, but will also allow us to become faster especially in decreasing dwell times and suppressing an adversary without that adversary knowing it. We have been far too loud and far too arrogant in how we conduct incident response in industry.”
“Cognitions of a Cybercriminal”