
USING AN EXPANDED CYBER KILL CHAIN MODEL TO INCREASE ATTACK RESILIENCY

SEAN T MALONE
@SEANTMALONE
WWW.SEANTMALONE.COM
WWW.FUSIONX.COM
PRESENTER BACKGROUND

• 10+ Years in Offensive Information Security
• 4 Years of Adversary Simulation with FusionX
• Executing Realistic Attack Simulations – and Responding When it’s NOT a Drill

2
AGENDA

• Legacy Cyber Kill Chain Model
• The Expanded Cyber Kill Chain Model
  - The Internal Kill Chain
  - The Target Manipulation Kill Chain
• Understanding the Stages of a Sophisticated Attack
• Using the Expanded Model to Build a Resilient Enterprise

3
LEGACY CYBER KILL CHAIN MODEL

• Reconnaissance – Harvesting email addresses, conference information, etc.
• Weaponization – Coupling exploit with backdoor into deliverable payload
• Delivery – Delivering weaponized bundle to the victim via email, web, USB, etc.
• Exploitation – Exploiting a vulnerability to execute code on victim’s system
• Installation – Installing malware on the asset
• Command & Control (C2) – Command channel for remote manipulation of victim
• Actions on Objectives – With “Hands on Keyboard” access, intruders accomplish their original goal

From http://cyber.lockheedmartin.com/solutions/cyber-kill-chain
4
LEGACY CYBER KILL CHAIN MODEL

“The Cyber Kill Chain model, as sexy as it is, reinforces old-school, perimeter-focused, malware-prevention thinking.”
- Giora Engel, Deconstructing The Cyber Kill Chain, Dark Reading 2014

“Excellent for [external] attacks, but doesn’t exactly work for insider threats.”
- Patrick Reidy, Combating the Insider Threat at the FBI, Black Hat USA 2013

“In today’s environment, every cyber attacker is a potential insider.”
- Matt Devost, Every Cyber Attacker is an Insider, OODA Loop 2015

5
LEGACY CYBER KILL CHAIN MODEL
“Perimeter Breach Kill Chain”

• Reconnaissance – Harvesting email addresses, conference information, etc.
• Weaponization – Coupling exploit with backdoor into deliverable payload
• Delivery – Delivering weaponized bundle to the victim via email, web, USB, etc.
• Exploitation – Exploiting a vulnerability to execute code on victim’s system
• Installation – Installing malware on the asset
• Command & Control (C2) – Command channel for remote manipulation of victim
• Actions on Objectives – With “Hands on Keyboard” access, intruders accomplish their original goal → GAME OVER?
6
Example Target Manipulation Objectives:
• Financial Theft
‒ Modify queued wire transfers to redirect payments
• Reputation Impact and Loss of Market Share through DoS
‒ Disable all company workstations
• Disable Infrastructure in Preparation for Kinetic Attack
‒ Quickly cycle smart electric meters to overload grid
• Provide Propaganda Support for Coup Attempt
‒ Hijack television broadcast
• Cause Terror in Regional Population
‒ Change concentration of chemicals added to water supply
THE EXPANDED CYBER KILL CHAIN MODEL

• LEGACY CYBER KILL CHAIN – Breach the Enterprise Network Perimeter
• INTERNAL KILL CHAIN – Gain Access to Target Systems
• TARGET MANIPULATION KILL CHAIN – Manipulate Target Systems to Achieve Objective
8
THE EXPANDED CYBER KILL CHAIN MODEL

LEGACY CYBER KILL CHAIN
External Reconnaissance → Weaponization → Delivery → External Exploitation → Installation → Command & Control → Actions on Objectives

INTERNAL KILL CHAIN (Common to Most Objectives)
Internal Reconnaissance → Internal Exploitation → Ent. Privilege Escalation → Lateral Movement → Target Manipulation

TARGET MANIPULATION KILL CHAIN (Objective-Specific)
Target Reconnaissance → Target Exploitation → Weaponization → Installation → Execution
9
10
ALTERNATIVE: SPIRAL MODEL

11
ALTERNATIVE: TREE MODEL

(Diagram: branching paths from Origin to Objective, with dead-end branches marked X)

12
UNDERSTANDING THE STAGES OF A SOPHISTICATED ATTACK

13
INTERNAL RECONNAISSANCE
INTERNAL KILL CHAIN

OBJECTIVE: Data mine available systems and map the internal network and vulnerabilities
TIME REQUIRED: 1 to 2+ Weeks

OFFENSIVE TTPS
• DOMEX of local files, network shares, browser history, wiki/SharePoint
• Light service probing

DEFENSIVE TTPS
• Prevent: Granular resource authorization
• Detect: Behavioral changes from this IP & user account
14
INTERNAL EXPLOITATION
INTERNAL KILL CHAIN

OBJECTIVE: Exploit information and vulnerabilities on internal systems
TIME REQUIRED: 2 Days

OFFENSIVE TTPS
• System vulnerabilities
• Web application vulnerabilities
• LLMNR/NBNS Spoofing

DEFENSIVE TTPS
• Prevent: Patch & vuln. management (including dev & test systems)
• Detect: Endpoint protection
15
ENTERPRISE PRIVILEGE ESCALATION
INTERNAL KILL CHAIN

OBJECTIVE: Leverage compromised accounts and trust relationships to gain a high level of privilege
TIME REQUIRED: 1 to 3 Days

OFFENSIVE TTPS
• Kernel / system vulns.
• Pass-the-hash & Mimikatz
• Unprotected SSH keys
• Creds in configuration files

DEFENSIVE TTPS
• Prevent: Run as least-privilege accounts; use good security hygiene
• Detect: Behavioral analytics
16
LATERAL MOVEMENT
INTERNAL KILL CHAIN

OBJECTIVE: Pivot through compromised systems into restricted network zones
TIME REQUIRED: 4 Hours

OFFENSIVE TTPS
• Target virtualization, backup, config management layers
• Layer SSH proxy tunnels to go deep

DEFENSIVE TTPS
• Prevent: Segmented security zones at all layers
• Detect: Behavioral analysis of successful login events

17
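The "Detect" control on the Lateral Movement slide (and the "behavioral changes from this IP & user account" control on the Internal Reconnaissance slide) comes down to comparing each account's successful logins against what that account normally does. The following is an added example, not code from the deck or from FusionX: it builds a per-account baseline of destination hosts from historical successful logins, then flags any account whose recent successful logins reach several hosts it has never logged into before. The log lines and their comma-separated field layout (timestamp, user, source IP, destination host, result) are constructed for the demo; a real deployment would parse the authentication logs it actually has.

```python
"""Behavioral analysis of successful login events (added example).

Builds a baseline of which hosts each account normally logs into, then
reports accounts whose recent successful logins land on several hosts that
are absent from their baseline. A service account suddenly reaching
virtualization, backup or config-management hosts is exactly the pattern
the Lateral Movement slide describes.
"""
from collections import defaultdict

# Constructed sample logs. Field layout (an assumption for this example):
# timestamp,user,src_ip,dst_host,result
BASELINE_LOG = """\
2016-07-01T09:00:00,alice,10.1.1.20,fs01,success
2016-07-01T09:05:00,alice,10.1.1.20,mail01,success
2016-07-02T09:00:00,alice,10.1.1.20,fs01,success
2016-07-01T08:30:00,svc_backup,10.1.5.9,bkp01,success
2016-07-01T08:31:00,svc_backup,10.1.5.9,bkp02,success
2016-07-02T08:30:00,svc_backup,10.1.5.9,bkp01,success
"""

RECENT_LOG = """\
2016-07-10T02:10:00,alice,10.1.1.20,fs01,success
2016-07-10T02:12:00,svc_backup,10.1.7.44,esx01,success
2016-07-10T02:13:00,svc_backup,10.1.7.44,esx02,success
2016-07-10T02:14:00,svc_backup,10.1.7.44,cfgmgmt01,success
2016-07-10T02:15:00,svc_backup,10.1.7.44,db01,failure
2016-07-10T02:16:00,svc_backup,10.1.7.44,db01,success
"""


def parse(log_text):
    """Yield one dict per non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, dst_host, result = line.split(",")
        yield {"ts": ts, "user": user, "src_ip": src_ip,
               "dst_host": dst_host, "result": result}


def build_baseline(log_text):
    """Map account -> set of hosts it has successfully logged into."""
    hosts = defaultdict(set)
    for ev in parse(log_text):
        if ev["result"] == "success":          # failed logins do not shape the baseline
            hosts[ev["user"]].add(ev["dst_host"])
    return dict(hosts)


def find_anomalies(baseline, recent_text, new_host_threshold=2):
    """Return {user: sorted never-before-seen hosts} for accounts whose recent
    successful logins reach at least new_host_threshold hosts outside their baseline."""
    new_hosts = defaultdict(set)
    for ev in parse(recent_text):
        if ev["result"] != "success":          # only successful logins count
            continue
        if ev["dst_host"] not in baseline.get(ev["user"], set()):
            new_hosts[ev["user"]].add(ev["dst_host"])
    return {u: sorted(h) for u, h in new_hosts.items() if len(h) >= new_host_threshold}


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for user, hosts in find_anomalies(base, RECENT_LOG).items():
        print(f"ALERT {user}: successful logins to new hosts {hosts}")
```

The threshold of two new hosts keeps a single one-off login (a user reaching a new file share) from alerting, while an account that walks across the virtualization and configuration-management layer in minutes is reported. In practice the baseline window should be long enough to cover normal monthly activity, and the source IP can be baselined the same way as the destination host.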
TARGET RECONNAISSANCE
TARGET MANIPULATION KILL CHAIN

OBJECTIVE: Map & understand objective-specific systems
TIME REQUIRED: 1 Week to 3 Months

OFFENSIVE TTPS
• DOMEX of vendor documentation, internal training, source code
• Standard admin utilities

DEFENSIVE TTPS
• Prevent: Restricted access to documentation & specifications
• Detect: Access patterns
18
TARGET EXPLOITATION
TARGET MANIPULATION KILL CHAIN

OBJECTIVE: Gain access to target systems via trust relationships or new vulnerabilities
TIME REQUIRED: 1 Hour

OFFENSIVE TTPS
• Default credentials, EOL systems, vendor backdoors
• Trust relationships with central authentication system

DEFENSIVE TTPS
• Prevent: Change defaults & segregate authentication
• Detect: Endpoint protection and behavioral analytics

19
WEAPONIZATION
TARGET MANIPULATION KILL CHAIN

OBJECTIVE: Develop platform-specific malware to subvert target systems & business processes
TIME REQUIRED: 1 Week to 3 Months

OFFENSIVE TTPS
• Duplicate target environment in a lab
• Extract, decompile, and reverse proprietary software

DEFENSIVE TTPS
• Prevent: Harden/obfuscate applications to make reversing difficult
• Detect: N/A - working offline

20
INSTALLATION
TARGET MANIPULATION KILL CHAIN

OBJECTIVE: Deploy custom malware to target systems
TIME REQUIRED: 1 Hour

OFFENSIVE TTPS
• Patch or replace scripts, binaries, and configurations
• Tamper with detective controls

DEFENSIVE TTPS
• Prevent: Application signing
• Detect: File integrity monitoring, redundant processing systems

21
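The Installation slide pairs "patch or replace scripts, binaries, and configurations" and "tamper with detective controls" with file integrity monitoring as the detective control. As an added example (not code from the deck or from FusionX), the block below takes a SHA-256 snapshot of a directory tree as the known-good baseline and later diffs a fresh snapshot against it, reporting files that were modified, added or removed. The demo tree, its file names and contents are constructed in a temporary directory; the tampering it simulates (a changed script, an audit-log setting pointed at /dev/null, a new unsigned binary) is illustrative only.

```python
"""File integrity monitoring for the Installation stage (added example).

snapshot() records a SHA-256 digest for every regular file under a root;
compare() classifies the differences between a baseline snapshot and a
later one. Anything in "modified" or "added" on a production system whose
change window is closed is worth an investigation.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:               # stream, so large binaries are fine
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Classify differences between two snapshots."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    """Helper for the demo: write bytes or text to root/rel, creating directories."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(full, mode) as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        # Known-good state (all names and contents are made up for this example)
        _write(root, os.path.join("bin", "process_payments.sh"),
               "#!/bin/sh\nexec /opt/app/payments --queue approved\n")
        _write(root, os.path.join("etc", "app.conf"),
               "audit_log=/var/log/app/audit.log\n")
        baseline = snapshot(root)

        # Simulated tampering: a patched script, a silenced audit log, a dropped-in binary
        _write(root, os.path.join("bin", "process_payments.sh"),
               "#!/bin/sh\nexec /opt/app/payments --queue approved --skip-approval\n")
        _write(root, os.path.join("etc", "app.conf"), "audit_log=/dev/null\n")
        _write(root, os.path.join("bin", "helper"), b"\x7fELF-constructed-placeholder")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be stored somewhere the monitored host cannot rewrite (the slide's "tamper with detective controls" applies to the monitor itself), and the comparison is only as good as the baseline's freshness, so it has to be refreshed through the same change process that signs applications.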
EXECUTION
TARGET MANIPULATION KILL CHAIN

OBJECTIVE: Activate malware to subvert target system operation, with material consequences
TIME REQUIRED: 1 Second

OFFENSIVE TTPS
• Wait for optimal timing (market or geopolitical)
• May be all at once or slow damage over time

DEFENSIVE TTPS
• Response controls – have you war-gamed this?
• Breach insurance may help mitigate impact

22
BUILDING A RESILIENT ENTERPRISE

23
THE RESILIENT MINDSET

EVERY CONTROL WILL FAIL

If the adversary has access to:
• The internal corporate network
• Any username and password
• All documentation & specifications
What would you do differently?
24
THE CYBER DEFENSE THRESHOLD

(Chart: Threshold of Defender Success, for a given adversary sophistication)
• Time Required for Adversary to Achieve Objective
• Time Required to Detect and Eradicate Intrusion
• Prevention Controls
• Detection & Response Controls
25
CHANGING THE ECONOMICS

(Chart: Adversary Investment ($) and Value to Adversary of Defended Asset ($) against Strength of Defenses (Prevention + Detection))
• Level of Sophistication = Level of Adversary’s Investment
• Safe Zone (Negative Adversary ROI)
• Danger Zone (Positive Adversary ROI)

26
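The two charts above express one rule: the defender succeeds when detecting and eradicating the intrusion takes less time than the adversary still needs to reach the objective, and an asset is in the safe zone when the investment the defenses force exceeds the asset's value to the adversary. As an added example (not from the deck or from FusionX), the block below turns that rule into a small worked model using the per-stage "Time Required" figures from the Internal and Target Manipulation kill chain slides, taking the lower bound wherever the deck gives a range and rounding Execution's "1 Second" down to zero. It reports which stage the adversary is in at a given hour, whether a detection at that hour still leaves room to eradicate, and which economic zone an asset sits in. The asset values and investment figures in the demo are constructed.

```python
"""Worked model of the Cyber Defense Threshold and adversary ROI (added example).

Stage durations come from the deck's per-stage slides (lower bound of each
range). Everything else, including the sample detection times, asset values
and investment figures, is an assumption for illustration.
"""

HOUR = 1.0
DAY = 24 * HOUR
WEEK = 7 * DAY

# (stage, hours) in kill-chain order, as stated on the deck's slides
KILL_CHAIN = [
    ("Internal Reconnaissance", 1 * WEEK),          # 1 to 2+ Weeks
    ("Internal Exploitation", 2 * DAY),             # 2 Days
    ("Enterprise Privilege Escalation", 1 * DAY),   # 1 to 3 Days
    ("Lateral Movement", 4 * HOUR),                 # 4 Hours
    ("Target Reconnaissance", 1 * WEEK),            # 1 Week to 3 Months
    ("Target Exploitation", 1 * HOUR),              # 1 Hour
    ("Weaponization", 1 * WEEK),                    # 1 Week to 3 Months
    ("Installation", 1 * HOUR),                     # 1 Hour
    ("Execution", 0.0),                             # 1 Second, rounded to 0
]


def time_to_objective(chain=KILL_CHAIN):
    """Hours the adversary needs from first internal access to Execution."""
    return sum(hours for _, hours in chain)


def stage_at(hours_elapsed, chain=KILL_CHAIN):
    """Stage the adversary is working through at a given hour after internal access."""
    cumulative = 0.0
    for stage, hours in chain:
        cumulative += hours
        if hours_elapsed < cumulative:
            return stage
    return chain[-1][0]           # at or past the end of the chain: Execution


def defender_wins(detect_hours, eradicate_hours, chain=KILL_CHAIN):
    """The deck's threshold: detection plus eradication must finish before
    the adversary reaches the objective."""
    remaining = time_to_objective(chain) - detect_hours
    return eradicate_hours < remaining


def adversary_roi(asset_value, investment_required):
    """Value of the defended asset to the adversary minus the investment
    (sophistication) the defenses force them to spend."""
    return asset_value - investment_required


def zone(asset_value, investment_required):
    """'safe' when adversary ROI is negative, otherwise 'danger'."""
    return "safe" if adversary_roi(asset_value, investment_required) < 0 else "danger"


if __name__ == "__main__":
    total = time_to_objective()
    print(f"Adversary needs {total:.0f} hours ({total / DAY:.1f} days) to reach Execution")
    for detect, eradicate in [(200, 72), (560, 72)]:       # constructed scenarios
        verdict = "defender wins" if defender_wins(detect, eradicate) else "adversary wins"
        print(f"detect at hour {detect} ({stage_at(detect)}), eradicate in {eradicate}h: {verdict}")
    for value, invest in [(1_000_000, 2_000_000), (1_000_000, 100_000)]:
        print(f"asset value ${value:,}, required investment ${invest:,}: {zone(value, invest)} zone")
```

Two things the numbers make obvious: the lower-bound chain is about 24 days long, so a detection that lands during Internal Exploitation with a three-day eradication is comfortably inside the threshold, while a detection during Installation with the same eradication time is not; and because the deck's model scales required investment with defense strength, the economic lever is raising the investment line above the asset's value rather than driving it to zero.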
FINAL THOUGHTS, QUESTIONS, AND DISCUSSION

SEAN T MALONE
@SEANTMALONE
(SLIDES AVAILABLE AT) WWW.SEANTMALONE.COM
27
