
  • The Unified Kill Chain: Designing a Unified Kill Chain for analyzing, comparing and defending against cyber attacks

    Author: Paul Pols
    Student ID: S1806084
    Date: December 7, 2017
    Supervisor: Pieter Burghouwt
    Second Reader: Jan van den Berg
    Institution: Cyber Security Academy (CSA)

    [Cover figure: the 18 phases of the Unified Kill Chain. Initial Foothold (Compromised System): Reconnaissance, Weaponization, Delivery, Social Engineering, Exploitation, Persistence, Defense Evasion, Command & Control. Pivoting → Network Propagation (Internal Network): Discovery, Privilege Escalation, Execution, Credential Access, Lateral Movement. Access → Action on Objectives (Critical Asset Access): Collection, Exfiltration, Target Manipulation, Objectives.]

  • PAUL POLS – THE UNIFIED KILL CHAIN

    page 2 | 104

    Abstract

    Organizations increasingly rely on Information and Communication Technology (ICT), exposing them to increasing risks from cyber attacks by a range of threat actors. The term Advanced Persistent Threats (APTs) is used to refer to particularly capable threat actors, which are typically backed by nation-states. To raise their resilience, organizations can model APT cyber attacks using Lockheed Martin's Cyber Kill Chain® (CKC) or ethical hacking assessments by Red Teams. The modus operandi (MO) of APTs does not necessarily coincide with these models, which can limit their predictive value and lead to misaligned defensive capabilities and investments.

    In this thesis, a Unified Kill Chain (UKC) model is developed that focuses on the tactics that form the consecutive phases of cyber attacks (Table 1). A hybrid research approach is used to develop the UKC, combining design science with qualitative research methods. The UKC is first developed through a literature study, extending the CKC by uniting improvements that were previously proposed by other authors with the tactics of MITRE's ATT&CK™ model. The UKC is subsequently iteratively evaluated and improved through case studies of attacks by Fox-IT's Red Team and APT28 (alias Fancy Bear). The resulting UKC is a meta model that supports the development of end-to-end attack-specific kill chains and actor-specific kill chains that can subsequently be analyzed, compared and defended against.

    Table 1 - Overview of the development of the Unified Kill Chain (UKC)

    Column headers, left to right (each cell is the phase number the model assigns to that tactic): Cyber Kill Chain® (CKC), Laliberte, Nachreiner, Bryant, Malone, MITRE ATT&CK™, UKC after literature study, UKC after Red Team C1, UKC after Red Team C2, UKC after Red Team C3, UKC after Red Team KC, UKC after APT28 C4 & KC.

    # Unified Kill Chain
    1 Reconnaissance 1 1 1 1 1 1 1 1 1 1 1
    2 Weaponization 2 3 3 3 2 2 2 2 2 2 2
    3 Delivery 3 5 5 6 3 7 7 3 3 3 3
    4 Social Engineering 5 6 6 11 5 3 3 4 4 4 4
    5 Exploitation 6 8 8 14 6 5 4 5 5 5 5
    6 Persistence 8 14 9 18 8 6 6 5 6 6 6 6
    7 Defense Evasion 18 18 14 16 10 11 8 6 7 7 7 7
    8 Command & Control 18 5 7 9 8 8 8 8 8
    9 Pivoting 11 13 11 9 9 9 9 9
    10 Discovery 14 10 10 11 11 11 10 10
    11 Privilege Escalation 17 14 14 10 10 10 11 11
    12 Execution 18 12 12 14 14 14 12 12
    13 Credential Access 15 13 12 12 12 13 13
    14 Lateral Movement 16 17 13 13 13 14 14
    15 Collection 8 15 17 17 17 17 15
    16 Exfiltration 16 15 15 15 15 16
    17 Target Manipulation 16 16 16 16 17
    18 Objectives 18


    The literature and case studies show that the traditional CKC is perimeter- and malware-focused and as such fails to cover other attack vectors and internal attack paths. The case studies falsify a crucial assumption underlying the CKC model, namely that attackers must progress successfully through each phase of the deterministic sequence of the CKC. The observation that attack phases can be bypassed affects defensive strategies fundamentally, as an attacker who bypasses a phase also bypasses the security controls that apply to that phase. Instead of focusing on thwarting attacks at the earliest point in time, layered defense strategies that focus on phases that are vital for the attack path or that occur with a higher frequency are thus expected to be more successful.

    The UKC provides insights into the ordered arrangement of phases in end-to-end cyber attacks and covers diverse attack vectors by uniting and extending existing models. The UKC offers a significant improvement over the scope limitations of the CKC and the time-agnostic nature of the ATT&CK™ model. Other improvements over the existing CKC and ATT&CK™ models include: explicating the role of users by modeling social engineering, recognizing the crucial role of choke points in attacks by modeling pivoting, covering the compromise of integrity and availability in addition to confidentiality, and elucidating the socio-technical objectives of threat actors. These insights support the development (or realignment) of layered defense strategies that adopt the assume breach and defense in depth principles.

    Figure 1 – An attack path abstraction for a segmented network based on the Unified Kill Chain

    The UKC is utilized to analyze and compare attacks by Fox-IT's Red Team and APT28 to improve threat emulation and to raise organizational resilience against APT28 attacks. The comparison shows that the tactical MO of these actors converges in their attack paths within the internal networks of targeted organizations. Red Team assessments are thus thought to be particularly well suited to test the resilience of organizations against this part of APT28's potential attack path. Notable divergences were also identified, which signify the potential to improve the predictive value of Red Team assessments, for example by performing action on objectives (Figure 1).
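    The two ideas above (phases can be bypassed, so defenses should be layered on vital or frequent phases; and actor-specific kill chains can be compared section by section) can be made concrete by representing an attack-specific kill chain as an ordered list of UKC phase names. The following is an added example, not code from the thesis; the two sample chains are constructed for illustration and are not the thesis's case-study data.

```python
from collections import Counter

# The 18 UKC phases in order, grouped into the model's three sections.
UKC = {
    "Initial Foothold": ["Reconnaissance", "Weaponization", "Delivery", "Social Engineering",
                         "Exploitation", "Persistence", "Defense Evasion", "Command & Control"],
    "Network Propagation": ["Pivoting", "Discovery", "Privilege Escalation", "Execution",
                            "Credential Access", "Lateral Movement"],
    "Action on Objectives": ["Collection", "Exfiltration", "Target Manipulation", "Objectives"],
}
PHASE_SECTION = {p: s for s, ps in UKC.items() for p in ps}
PHASE_NUMBER = {p: i for i, p in enumerate((p for ps in UKC.values() for p in ps), start=1)}

def validate(chain):
    """An attack-specific kill chain is an ordered list of UKC phase names; reject anything else."""
    unknown = [p for p in chain if p not in PHASE_SECTION]
    if unknown:
        raise ValueError(f"not UKC phases: {unknown}")
    return list(chain)

def bypassed_phases(chain):
    """Phases skipped before the deepest phase reached (simplified view of 'bypassing')."""
    deepest = max(PHASE_NUMBER[p] for p in validate(chain))
    return [p for p, n in PHASE_NUMBER.items() if n < deepest and p not in chain]

def compare(chain_a, chain_b):
    """Per UKC section: phases both actors used (convergence) and phases only one used."""
    result = {}
    for section, phases in UKC.items():
        a = {p for p in validate(chain_a) if p in phases}
        b = {p for p in validate(chain_b) if p in phases}
        result[section] = {"shared": sorted(a & b, key=PHASE_NUMBER.get),
                           "only_a": sorted(a - b, key=PHASE_NUMBER.get),
                           "only_b": sorted(b - a, key=PHASE_NUMBER.get)}
    return result

def phase_frequency(chains):
    """Number of chains each phase occurs in, most frequent first: candidates for a defensive layer."""
    counts = Counter(p for c in chains for p in set(validate(c)))
    return sorted(counts.items(), key=lambda kv: (-kv[1], PHASE_NUMBER[kv[0]]))

# Constructed sample chains (illustrative only, not the thesis's case-study data).
RED_TEAM = ["Reconnaissance", "Weaponization", "Delivery", "Social Engineering", "Exploitation",
            "Persistence", "Defense Evasion", "Command & Control", "Pivoting", "Discovery",
            "Privilege Escalation", "Execution", "Credential Access", "Lateral Movement", "Collection"]
APT28 = ["Reconnaissance", "Weaponization", "Delivery", "Social Engineering", "Exploitation",
         "Persistence", "Command & Control", "Pivoting", "Discovery", "Privilege Escalation",
         "Execution", "Credential Access", "Lateral Movement", "Collection", "Exfiltration", "Objectives"]
```

With the sample data, `compare(RED_TEAM, APT28)` shows full convergence in Network Propagation and divergence in Action on Objectives, and `bypassed_phases(APT28)` lists the phases the constructed APT28 chain skipped.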

    As the reliance of organizations on ICT continues to grow, and APT cyber attacks continue to rise in number and in force, the risks for organizations and societies as a whole increase at an accelerating pace. The UKC attack model can be used by Red Teams to improve their threat emulations and by defenders to develop and realign their defense strategies in their attempts to decelerate this dangerous trend.

    Keywords — Attack Modeling, Attack Simulation, Threat Emulation, Cyber Kill Chain®, MITRE ATT&CK™, CORAS, APT28, Fancy Bear, Pawn Storm, Sednit, Sofacy, Strontium, Red Team, Tactics, Techniques, Procedures, Design Science, Assume Breach, Defense in Depth, Unified Kill Chain.

    [Figure 1: an attack path abstraction for a segmented network based on the Unified Kill Chain. Initial Foothold (Compromised System): Reconnaissance, Weaponization, Delivery, Social Engineering, Exploitation, Persistence, Defense Evasion, Command & Control. Pivoting → Network Propagation (Office Environment): Discovery, Privilege Escalation, Execution, Credential Access, Lateral Movement. Pivoting → Network Propagation (Critical Infrastructure): Discovery, Privilege Escalation, Execution, Credential Access, Lateral Movement. Access → Action on Objectives (Critical Asset Access): Collection, Exfiltration, Target Manipulation, Objectives.]


    Table of Contents

    1 Introduction ..... 7
    1.1 Conceptualization and Contextualization ..... 7
    1.1.1 Societal Dependence on Cyberspace ..... 7
    1.1.2 Constructs of Technical and Cyber Risk ..... 8
    1.1.3 Mitigation of Technical and Cyber Risk ..... 8
    1.1.4 Advanced Persistent Threats (APTs) ..... 8
    1.1.5 APT Threat Modeling ..... 9
    1.1.6 Ethical Hacking and Red Teams ...
