It’s time to revisit the use of Lockheed Martin’s Cyber Kill Chain as the de facto cybersecurity industry standard for understanding attack cycles, according to Massachusetts-based endpoint security specialist Carbon Black.
The company this week proposed a new “Cognitive Attack Loop” approach, saying it is “no longer helpful to approach cybersecurity linearly”. The company’s chief point: kill chains now need to focus on behavioural understanding, along with tactics, techniques and procedures (TTPs) rather than indicators of compromise (IOCs), with prevention, detection and response feeding each other in an endless loop.
The company proposed the model in a paper dubbed “Cognitions of a Cybercriminal”. It suggests that Lockheed Martin’s kill chain, which details seven phases of an attack, from reconnaissance and delivery all the way up to command & control and other actions, puts too much emphasis on killing attacks as early in the cycle as possible.
While it has received praise over the years from security experts, some have criticised it because the first phases detailed – reconnaissance and weaponisation – are difficult to defend against as they happen outside of an IT team’s sphere of influence. It also reinforces traditional perimeter defence and does little to stop insider attacks.
Carbon Black draws on its own work to inform the proposed model, saying: “We conduct behavioral threat research to discover novel patterns used by attackers. These patterns stretch across the entire scope of the kill chain… allowing us to provide protection against a broader set of threats (malware, fileless, living-off-the-land) without relying on specific pre-discovered IOCs, like hashes or command and control (C2) capabilities that have traditionally been used to detect threats.”
Attackers Now Using “Fileless Attacks, Lateral Movement, Counter Incident Response”
Tom Kellermann, chief cybersecurity officer for Carbon Black, said: “I believe we should be looking at this model with a new lens. Attackers have evolved dramatically in recent years by using fileless attacks, lateral movement, counter incident response and island hopping in attacks. Attackers are dynamic and constantly evolving.”
Carbon Black has proposed an updated ‘Cognitive Attack Loop’ model based on three phases, the first of which is recon & infiltrate. This is the period when the threat actor is planning the best vector of attack. They are picking a target and may have a toolset ready to use.
The components of this stage of attack involve information gathering followed by social engineering attacks such as phishing or spear phishing.
Carbon Black notes that: “This phase is also common in lateral movement and island hopping attacks where an attacker is leveraging execution, command and control already achieved to continue their cycle onto a new target system or organization.”
The second phase, ‘maintain & control’, details the lengths to which attackers will go to maintain the access they have gained to a network, and their efforts to establish command and control functions allowing them to introduce new attack or obfuscation tools.
The last phase, ‘execute & exfiltrate’, aims to help defenders understand how the attacker is trying to execute their end goals, including moving laterally across the network. This is the point at which they will be accessing the final system in order to destroy or steal data. To do this, attackers have a dizzying array of methods to gather information, such as ‘file access, keystroke logging, screenshotting, camera or microphone access or any manner of data extracted from the target system.’
Carbon Black has proposed that all three phases form a feedback loop, or as it calls it a ‘Cognitive Defense Loop,’ which is essentially a three-step cycle that continues to repeat and evolve. The goal is not just to react to an attack, but to continually deploy tactics, techniques and procedures in a looped manner.
Kellermann stated that: “Cognitions and context help reveal intent. Understanding the root cause of attacks and the way attackers think is paramount to this.”
“To be effective at cybersecurity, we need to get inside the minds of cybercriminals and understand the motivations driving their behaviors. Attackers have “tells,” much like poker players. These “tells” often appear in the data. Defenders can exploit these tells and gain the advantage by understanding the data.”
We need to treat our prevention, detection and response as a cycle that feeds each other and makes each other stronger over time and as a result of