Lockheed Martin “Kill Chain” and its Importance to Incident Response
Malware, intrusions, Trojan horses, and viruses are the most common threats that present-day networks face, and these threats have grown in their ability to damage the host network or system. With growing technological capabilities, miniaturization of devices and cloud-based applications, the threat of network intrusions, hackers, phishing attacks and DoS (Denial of Service) attacks has grown even more. The advancements in technology have ironically given a boost in power to threats as well. A new class of threats, termed Advanced Persistent Threats (APT), has surfaced in the recent past and poses a real challenge for security solution providers (Hutchins, Michael, and Rohan).
The existing anti-threat mechanisms have relied on software that runs automatically, identifies pre-defined threats and removes them. The major flaw in the current system of threat identification and fixing is that it relies on the assumption that a compromise of security occurs because of some flaw in the targeted system, and that this flaw can be fixed. Another assumption is that fixing the threat can only happen after the actual compromise of the system has occurred. APTs have been recognized by the United States government and the Information Technology (IT) industry. Advisories and technical alerts have been issued by US-CERT (United States Computer Emergency Response Team) and UK-NISCC (United Kingdom National Infrastructure Security Coordination Centre). These agencies and their partners observed that anti-virus, patching and other conventional methods were not sufficient to prevent such advanced threats (Hutchins, Michael, and Rohan).
The whitepaper provided by Lockheed Martin Corporation presents a model of defense and the strategies for countermeasures against APTs; the proposed model is an intelligence-driven computer network defense (CND) model. This paper analyzes the Lockheed Martin whitepaper and presents a summary, evaluation, and understanding of the design study carried out by Lockheed Martin. The relevant studies and work are reviewed and examined from the whitepaper.
Intelligence-driven Computer-Network Defense
The Kill-Chain model is based on linked practices that identify threats through a set of indicators, and on stages for finding, tracking, assessing, engaging and fixing the threats. An APT has capabilities far more advanced than those of regular Trojan horses, viruses, and malware. APT actors can carry out zero-day attacks that regular antivirus software and security patches cannot detect. Handling APT intrusions requires a higher degree of evolution in processes, systems, tools and analysis of the APT responses. An intelligence-driven approach studies the intrusions of the adversaries in order to devise a course of action that detects, mitigates and provides a proper response to the threats in each phase. The model described in the Lockheed Martin Corporation whitepaper is known as the “Kill-Chain” because of the structure by which it prevents and handles intrusions. The model enables the defenders of a system to develop mitigation plans against intrusions and provides guidance for security actions. The kill-chain network defense model prescribes that each phase of the chain can start only after the earlier phase has ended successfully with the desired results achieved. If any one of the phases is left incomplete, the chain is disrupted (Hutchins, Michael, and Rohan).
Intelligence-driven computer network defense is a strategy that addresses threats and perceived risks by providing an analysis of the adversaries detailing their capabilities, doctrines, objectives, and limitations. By following the guidelines and phases of an intelligence-driven network defense system, it is possible to achieve advantages over APT adversaries. To resolve the issues of APT intrusions, it is necessary to understand the new generation of intrusions and to adjust operations based on the success or failure of the operations in each phase. The intelligence-driven approach prescribes that the defenders of the system must apply their countermeasures faster than the speed at which their adversaries evolve (Hutchins, Michael, and Rohan).
The Kill Chain Model
The Kill Chain Model, if employed properly, gives the defenders many advantages over the adversaries behind an intrusion. The fundamental part of the intelligence-driven model is the indicator, which describes the intrusion in an objective manner so that corrective actions and measures can be taken. Indicators are divided into three sub-categories or types, namely Atomic, Computed and Behavioral (Hutchins, Michael, and Rohan).
Atomic Indicators: Atomic indicators are those that cannot be broken down into smaller parts; examples include IP addresses, vulnerability identifiers, and email addresses.
Computed Indicators: Computed indicators are those that are derived or computed from the gathered data; computed indicators include regular expressions and hash values.
Behavioral Indicators: Behavioral indicators are a mix of atomic and computed indicators, qualified by quantity and by the logic that combines the data. A behavioral indicator defines the behavior of the intruder, providing atomic indicator data such as email addresses and IP addresses together with an analysis based on logic computed from the obtained data.
(Hutchins, Michael, and Rohan)
Intrusion Kill Chain
A kill chain is a method or a systematic process of targeting and engaging an enemy attack. The intrusion kill chain provides a set of processes and steps to counter APT intrusions. There are seven phases to the intrusion kill chain as prescribed by the LM paper. The seven phases of the intrusion kill chain are described below.
Reconnaissance: This is the phase where hackers and aggressors research potential targets, obtaining email addresses or identifying targets through various means such as website crawling.
Weaponization: Client application data files such as PDF, Word, Excel or PowerPoint documents are used as carriers for delivering a Trojan onto the client’s machine.
Delivery: The infected file is delivered through various mechanisms such as email attachments, USB devices, and websites. These three mechanisms are the most popular delivery vectors used by APT actors.
Exploitation: Exploitation is the stage where the aggressors target the client system by exploiting a vulnerability in one of the client’s application programs or in the operating system. Exploitation is the phase where the intruder’s code gets triggered and malicious activities are performed.
Installation: Once the payload is delivered to the client machine, the Trojan or backdoor program is installed on the victim’s machine, giving the adversary a persistent presence in the environment.
Command and Control (C2): The APT malware takes control of the compromised host and establishes a command and control (C2) channel with the adversary’s server. This C2 channel provides the adversary with access to the client’s targeted local environment.
Actions on Objectives: This is the final phase, or key, in the intrusion chain, where the attackers, after going through all the previous phases, are ready to take action on their planned objectives: DoS (Denial of Service) attacks, data exfiltration, and data integrity violations.
(Hutchins, Michael, and Rohan)
Courses of Action Based on Intrusion Detection
The intrusion kill chain provides a model for creating intelligence-driven actions for the defenders so as to preserve the integrity of the system and the users to be defended. Defenders can create their action plans for each phase of intrusion detection and plan their steps before the intrusion damage can happen. The action stage is the essence of the whole Computer Network Defense model: it creates actionable items. Table 1 shows the action matrix in which each phase is mapped to the requisite actions prescribed and defined by the Department of Defense (DoD) information operations doctrine (Hutchins, Michael, and Rohan).
Observations and Results of Intrusion Kill Chain
The Lockheed Martin (LM) Computer Incident Response Team (CIRT) simulated three intrusion attempts against the LM servers, and the defenders were able to detect intrusions that used “zero-day” vulnerabilities. The intrusions simulated the common APT tactic of TME (Targeted Malicious Email) with attachments providing a backdoor entry to its servers.
In the intrusion attempts, an email was sent from a supposedly legitimate individual at the American Institute of Aeronautics and Astronautics (AIAA). The email attachment consisted of a PDF document that was designed and prepared to take advantage of a known vulnerability in Adobe software. The malicious PDF file was accompanied by two other attachments, one a simple and harmless PDF document and the other a portable installation file. The defenders’ team followed the kill chain process, and indicators at each level were identified that provided the relevant information for negating the intrusion.
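To make the indicator taxonomy (atomic, computed and behavioral) concrete, the added example below evaluates a small set of constructed mail-gateway records modelled on the TME case just described: an atomic sender indicator, a computed hash indicator for the weaponized PDF, and a behavioral indicator that combines regex and sender checks, each tied to a kill-chain phase. This is illustrative code written for this review, not code from the Lockheed Martin whitepaper; the sender address, attachment bytes and phase assignments are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed mail-gateway records standing in for the TME case above (not real data).
WEAPONIZED_PDF = b"%PDF-1.5 /OpenAction /JS (sample)"
EVENTS = [
    {"sender": "program@aiaa-example.test", "src_ip": "203.0.113.7",
     "attachments": [("agenda.pdf", b"%PDF-1.5 plain"), ("paper.pdf", WEAPONIZED_PDF),
                     ("viewer.exe", b"MZ installer")]},
    {"sender": "hr@corp.test", "src_ip": "10.0.0.5",
     "attachments": [("schedule.pdf", b"%PDF-1.5 plain")]},
]

@dataclass
class Indicator:
    kind: str                      # "atomic", "computed" or "behavioral"
    name: str
    phase: str                     # kill-chain phase the indicator is tied to
    match: Callable[[Dict], bool]

def atomic(field: str, value: str, phase: str) -> Indicator:
    # Atomic: a single value that cannot be broken down further (sender, IP address).
    return Indicator("atomic", f"{field}={value}", phase, lambda ev: ev[field] == value)
def computed_hash(sha256: str, phase: str) -> Indicator:
    # Computed: a hash derived from the attachment bytes.
    return Indicator("computed", f"sha256={sha256[:12]}", phase,
                     lambda ev: any(hashlib.sha256(d).hexdigest() == sha256 for _, d in ev["attachments"]))
def computed_regex(pattern: str, phase: str) -> Indicator:
    # Computed: a regular expression over attachment file names.
    rx = re.compile(pattern, re.IGNORECASE)
    return Indicator("computed", f"regex={pattern}", phase,
                     lambda ev: any(rx.search(n) for n, _ in ev["attachments"]))
def behavioral(name: str, parts: List[Indicator], phase: str) -> Indicator:
    # Behavioral: atomic and computed indicators joined by logic; all parts must hold.
    return Indicator("behavioral", name, phase, lambda ev: all(p.match(ev) for p in parts))

INDICATORS = [
    atomic("sender", "program@aiaa-example.test", "Delivery"),
    computed_hash(hashlib.sha256(WEAPONIZED_PDF).hexdigest(), "Weaponization"),
    behavioral("tme-pdf-plus-installer", [computed_regex(r"\.pdf$", "Delivery"),
                                          computed_regex(r"\.exe$", "Delivery"),
                                          atomic("sender", "program@aiaa-example.test", "Delivery")], "Delivery"),
]

def evaluate(event: Dict, indicators: List[Indicator] = INDICATORS) -> List[tuple]:
    """Return (kind, name, phase) for every indicator the event matches."""
    return [(i.kind, i.name, i.phase) for i in indicators if i.match(event)]
```

Running `evaluate` over `EVENTS[0]` fires all three indicator kinds, while the benign second record fires none; in practice the phase on each hit is what lets a defender pick the matching row of the courses-of-action matrix.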
Summary and Conclusion
The advanced threats that present security risks to current systems must be handled in a systematic way. The present conventional methods and processes are insufficient to handle advanced levels of intrusion. The intrusion kill chain is an effective mechanism for handling such threats by providing the defenders with capability, information, and processes. The kill chain presents an understanding of the aggressor’s repetitive nature. The intrusion kill chain model presented in the Lockheed Martin whitepaper sets intrusions in the context of computer espionage. The phases and steps presented in the kill chain model and the action matrix provide a robust mechanism for detecting and managing intrusions.
Works Cited
Hutchins, Eric M., Michael J. Cloppert, and Rohan M. Amin. "Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains." Leading Issues in Information Warfare & Security Research 1 (2011): 80.