Cyber security starts here - attack surface and the kill chain

Submitted by media on Wed, 03/21/2012 - 14:24

A network security breach of any kind consists of a series of events that lead to un-authorized access, dissemination of material, or degradation of critical information systems.  It is important to consider the behavior and methods that an attacker may employ to breach your network.  Attackers will leverage anything that presents itself such as a gullable end user, mis-configuration, or a vulnerable system service that is not patched or secured.


The attack surface for many organizations has grown in both dimension and complexity in recent years.  Not only do users have multiple devices including desktops, laptops, tablets and data connected phones, but they also have social media accounts and a whole online presence that increases an organization's considerations when trying to protect network assets.  Network breaches can come from both outside actors and disgrutled employees or contractors.  Intrusion detection and intelligence systems need to consider both inside and outside threats. 


As a means of understanding the key stages of an attack, the currently promoted Cyber Kill Chain offers a model worth investigating.  Cyber Kill Chain is a coined model for combating active network intrusions.  The phrase was introduced by Lockheed Martin, and they have showcased its use to contain a real cyber attack.  Understanding the kill chain model helps actively coordinate and defend against Advanced Persistent Threats.  An advanced persistent threat is considered to be any threat that is sustained with driven objectives by the attacker to thwart security measures and embed malicious code to control or otherwise infiltrate a network. 


The Cyber Kill Chain model identifies 7 phases of an attack.

1.  Reconnaissance  - is the initial phase where attackers gather information about the network, users and even customers to determine and identify targets.  The attackers are doing research with their findings in order to plan the next phase.

2.  Weaponization - is the phase in a network breach when attackers use their gleamed knowledge of the network to develop a payload which consists of an exploit and a backdoor or trojan.  A trojan refers to a backdoor software which gives the attacker direct access to the internal network.

3.  Delivery - is the phase when an attacker transmits the cyber weapon to the targeted network.  Often times this delivery exploits a user or user system with fairly simple means, such as a fishing email or usb device.

4.  Exploitation - is the phase when the transmitted cyber weapon exploits a targeted host or system.

5.  Installation - refers to the phase when this weapon has leveraged the exploit to install their backdoor into the targeted system.  This phase is completed successfully gives the attacker a virtual persistent presence inside the network.

6.  Command and Control - refers to the beacon or check-in function of the installed backdoor program which allows the attacker to control the compromised host.

7.  Actions on Objectives - is the final phase when an attacker performs their originally sought after objective such as stealing information.


Being able to understand this process helps determine where to put the right resources and effort into stopping and preventing further progress of an attack.  Threat intelligence products and services are necessary to break the attack chain and give visibility of the attackers methods.