Lockheed Martin Cyber Kill Chain® – Something Old and Something New
I’ve learned that just because no one has written about something to extol its virtues or to pan its deficiencies doesn’t mean that the thing in question isn’t popular, widely used and deeply revered.
Think about French fries. What’s better than a perfect French fry? But no one writes about them. Such is the case with Lockheed Martin’s Cyber Kill Chain® method. In a conversation with Leo Taddeo, Chief Security Officer (CSO) for Cryptzone and former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office, he indicated that many, perhaps even most, government-related entities are disciples of the model. And Leo would know: at the FBI, Taddeo led cyber investigations, surveillance operations, information technology support and crisis management, overseeing high-profile cases including Silk Road, Blackshades and JP Morgan.
So why write about it now? Are we finally at a point where its usefulness is waning? Some critics believe that the model is too focused on the perimeter. Last August, Giora Engel wrote in a Dark Reading article, “The Cyber Kill Chain model, as sexy as it is, reinforces old-school, perimeter-focused, malware-prevention thinking.”
Is he right, or does the model naturally extend to non-perimeter stages of the attack cycle, such as reconnaissance inside the network, lateral movement inside the network and exploitation? In Taddeo’s view, organizations can embrace the Cyber Kill Chain knowing that it is not limited to advocating the use of tools at the perimeter.
Applying the Cyber Kill Chain beyond the perimeter
Let’s take it apart a bit and see how his thinking applies. The first phase described by Lockheed is: “Reconnaissance – Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.” In the Course of Action Matrix, Lockheed suggests web analytics to detect this activity and Firewall ACLs (firewall access control lists) to deny it (p. 5 of the Lockheed white paper). What if, instead of firewall ACLs, users of the model were advised to consider a solution that dynamically hides everything on the network – segments, hosts and services – unless a user is specifically authorized to see them based on their device attributes and user context (where they are, what time it is, device hygiene, etc.), thereby preventing lateral movement inside the network and any chance of exploitation?
In the second phase, Weaponization, described as coupling an exploit with a backdoor into a deliverable payload, it would be difficult for a cybercriminal to weaponize anything against targets they have no reconnaissance on. Put differently, if visibility of and access to resources are appropriately restricted, i.e. no lateral movement within a VLAN is allowed, then weaponization cannot occur.
The third phase, which covers the delivery of the weaponized bundle to the victim via email, web, USB, etc., could all but be eliminated by chaining multiple contextual and strong authentication methods together to validate, control and audit all user access to protected resources.
You get the idea. At each phase of the Cyber Kill Chain, newer technologies are able to prevent the actions that would cause further harm. Even with stolen privileged user credentials, and in situations where multi-factor authentication isn’t initiated, access will be restricted to the point that cybercriminals will likely get frustrated and seek another, less-protected target at the earliest phase in the chain.
The closer to the beginning of the chain you can stop an attack, the less costly and time-consuming the cleanup will be
The key thing to keep in mind is that, according to Lysa Myers in a CSO article, “the closer to the beginning of the chain you can stop an attack, the less costly and time-consuming the cleanup will be. If you don’t stop the attack until it’s already in your network, you’ll have to fix those machines and do a whole lot of forensics work to find out what information they’ve made off with.”
The key here again is to focus on restricting access to applications and resources, allowing users (whether third parties, employees using BYOD, or on-premises employees and contractors) access to only those applications and resources strictly necessary to do their jobs. Also, make all other assets completely invisible to each user, on a session-by-session basis. The identical access rules ought to persist regardless of where resources are located (on-premises, private cloud or public cloud).
By applying newer technologies to defend beyond the perimeter, the Cyber Kill Chain remains a relevant methodology for protecting against today’s advanced cyberattacks, which are often mounted from inside the once well-defined and easy-to-secure perimeter walls.
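To make the default-deny, context-based visibility model above concrete, here is an added example (not Cryptzone’s product code, and not Lockheed’s matrix) of a small per-session policy evaluator. Every resource, group, location and time window in it is constructed for illustration; the point is that a session sees nothing unless a rule grants it, so stolen privileged credentials used from an unknown, non-compliant device reveal no hosts at all.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    """Context captured for one session (constructed attributes, not a product schema)."""
    user: str
    groups: frozenset          # directory groups the user belongs to
    location: str              # "office", "vpn" or "unknown"
    device_compliant: bool     # device hygiene check passed (patched, AV running, ...)
    hour: int                  # local hour of day, 0-23

@dataclass(frozen=True)
class Rule:
    resource: str              # host or service to reveal, wherever it is hosted
    groups: frozenset          # at least one of these groups must match
    locations: frozenset       # where the session may originate from
    hours: range               # hours of day during which access is allowed
    require_compliant: bool = True

# Constructed sample policy: any resource not named here is invisible to everyone.
POLICY = [
    Rule("hr-app.onprem", frozenset({"hr"}), frozenset({"office", "vpn"}), range(7, 20)),
    Rule("payroll-db.cloud", frozenset({"hr-admin"}), frozenset({"office"}), range(8, 18)),
    Rule("wiki.cloud", frozenset({"staff", "contractor"}), frozenset({"office", "vpn"}),
         range(0, 24), require_compliant=False),
    Rule("domain-controller", frozenset({"domain-admin"}), frozenset({"office"}), range(0, 24)),
]

def rule_matches(rule: Rule, s: Session) -> bool:
    """All context checks must pass: group, origin, time window and device hygiene."""
    return (bool(rule.groups & s.groups)
            and s.location in rule.locations
            and s.hour in rule.hours
            and (s.device_compliant or not rule.require_compliant))

def visible_resources(s: Session, policy=POLICY) -> set:
    """Default deny: a resource is revealed only when some rule grants it for this session."""
    return {r.resource for r in policy if rule_matches(r, s)}

if __name__ == "__main__":
    hr_in_office = Session("alice", frozenset({"hr", "staff"}), "office", True, 10)
    stolen_admin = Session("bob", frozenset({"domain-admin"}), "unknown", False, 3)
    print(sorted(visible_resources(hr_in_office)))   # both HR app and wiki are revealed
    print(sorted(visible_resources(stolen_admin)))   # nothing is revealed
```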
To learn more download our latest white paper After the Perimeter: How a ‘Segment of One’ Simplifies and Improves Security.
1 CYBER KILL CHAIN is a registered trademark of Lockheed Martin Corporation.