
PG - Unifying the Kill Chain - Paul Pols

BSides Las Vegas · 24:39 · 446 views · Published 2018-09
About this talk
Unifying the Kill Chain - Paul Pols Proving Ground BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018
Transcript (en)

My name is Paul Pols. I'm a principal security expert at Fox-IT, a Dutch cybersecurity company that's part of the NCC Group. I've been working there as an ethical hacker for the last seven years, doing penetration testing and red team testing. Most recently I wrote a master's thesis about unifying the cyber kill chain, which I did in order to analyze and compare, and defend against, the attacks of APT28, also known as Fancy Bear. The reason why I did this is because a lot of our clients are using the kill chain by Lockheed Martin, the cyber kill chain, but I found it to be incomplete for the type of attacks we're actually doing, so I wanted to extend it to cover attacks from basically the very beginning to the very end.

I'm going to explain today how I did that. First I'll go into the original kill chain from Lockheed Martin a little bit, then explain my research design, the case studies I did into our red team attacks and the attacks of APT28, and then some of the research results.

So first, for everyone to be on the same page: this is my depiction of the security model that's widely in use in our industry to this day, I guess since the 1990s. You could call it the eggshell security model, which basically has this hard perimeter that's defending a very vulnerable inside from the big bad outside world. And attackers have gotten really good at trying to pierce through this perimeter. So maybe a decade or so ago they would go through a vulnerable web server, but nowadays we see most attackers are just piercing through this perimeter through spear phishing attacks. So they send an email and they use trusted paths that go right through this perimeter, for instance email. If you modify your payload a little bit, or if it's something new, most antivirus products won't pick it up. You can compromise a user in that way, get access to all the data that they have access to, and then use maybe HTTPS or something similar to exfiltrate it through those trusted paths again, and get that data.

And basically this technique is being used by all sorts of attackers, from script kiddies to nation-state actors, and the nation-state actors are for me the most interesting. If you want to defend against these types of attacks, a lot of people are using the cyber kill chain from Lockheed Martin, which really focuses on APTs, so the most advanced end of this spectrum of attackers. Their model basically has seven steps which supposedly every attack goes through, and their idea is that you can try to defend against each one of these phases. So from the top: you basically do reconnaissance into your target, you weaponize an object, you deliver that to your target, and that is used to exploit the target, install your code, which gives you command and control over the system, which is like hands-on-keyboard type access, which allows you to do the actions on objectives that you were originally after.

So the nice thing about the model is that once you know the different phases of an attack, you can map your measures against these phases. Lockheed Martin being a military contractor, they think of it in military terminology like detect, deny, disrupt, etc., but you could also define these measures in terms of prevention and detection and response and intelligence, which is maybe a little bit more familiar in our industry.

Also the interesting thing about the model from Lockheed Martin is that it really changes the idea of the balance between attackers and defenders, because what you hear a lot is what I call the defeatist adage, namely that attackers only have to find one flaw in a really large attack surface and defenders have to do everything right to secure that attack surface against attackers. The cyber kill chain from Lockheed Martin really changes this around and says that attacks are actually multi-phased, complex attacks that are progressions towards the target, and that just one mitigation can stop one of these attacks. So it really changes the balance between attackers and defenders. Now the important thing to realize here is that it really relies on this premise under the model, namely that the adversary must progress through each stage of the chain before it can achieve its desired objective, and that just one mitigation disrupts the chain.

Even though the model is very widely used, it's not without its critiques. So for instance it's been said that the model is disproportionate on an attack timescale, because these first six steps of getting an infection inside a target network may take very little time, so hours, maybe days, while this last step of the actions on objectives may actually take much longer, such as weeks or even months. Another point that has been made is that the model tries to overcome old thinking, like perimeter focus and malware prevention, but it actually has a number of phases that are really determined in much of a similar way to what it is actually trying to prevent. So it's trying to prevent the compromise of the first system beyond the perimeter, which is still focusing on the perimeter, and also it's targeted towards malware-prevention thinking, because it talks about weaponization of an object that's being installed on systems, etc. So what some have said is that, because there are also other ways to sort of breach this perimeter initially, maybe supply chain attacks or physical social engineering or insider threat, maybe we should just be conceding this first line of defense, conceding that the perimeter will be breached, and then think: how are we going to defend once that perimeter has been breached?

So this was the objective of my research: how are we going to do this? This slide basically summarizes six months of excruciatingly hard work of my life. Starting at the very left is the original kill chain from Lockheed Martin, and then in the gray-to-black spectrum you see my literature study. So I looked into some blogs from Laliberte and Nachreiner, some scientific work, for instance Bryant, a Black Hat presentation by Sean Malone, and also the MITRE ATT&CK framework. I also used that because they are interesting and very structured ways of thinking about the kind of activities that attackers may perform beyond the perimeter. And I combined everything from that literature study to make a first hypothesis of what a unified kill chain could look like that could really explain these attacks from the very beginning to the very end.

So starting from this first hypothesis, I then had something that I could use to test in a number of case studies, to see if it would work to explain all the behavior that I actually saw in the attacks. I did that for three different red team case studies, for which I obviously had all the data, like the report and the pcaps and everything, my original notes. And then after refining the model through these red team case studies, I used it to test it against the attacks of APT28.

So I just want to talk to you a little bit about the results that I had. First, to give you an idea of the red team case studies: this is the first case study that I did. Here you see how we originally got access to the target network. So basically the domain of the original kill chain from Lockheed Martin: just doing some recon, weaponizing Microsoft Office documents, phishing an employee, getting them to click on it, open the macro, execute our code, make it persistent on the system, to gain access to the target network. So this is basically what you're defending against if you're using Lockheed Martin's kill chain.

What was interesting to see is what actually happened after we got access to the target network, which is usually called actions on objectives. So this is usually all clustered as one phase, and you see that actually there's a lot of potential to defend against these kinds of attacks beyond the perimeter, and that's actually happening within the locus of control of your organization, because it's within your network. So just to go through it real quick, there are like three unique attack paths in here. On the left-hand side we've compromised the workstation, escalated privileges on the workstation, got the local admin password, which we were able to use on all other systems that were also using that password, ending up with access to like 200 systems with different kinds of users, from there also allowing us to bypass the four-eyes principle and basically be able to modify a billion-dollar transaction. Another path that allowed us to do the same thing was by compromising a server, extending that again to gain access to more servers, which included one of the servers that was used to do these kinds of transactions, which also would have allowed us to do the same thing. And the last one was getting domain admin rights, so basically the highest rights that you can get inside Windows Active Directory, and in that way also be able to do all the workstation and server kinds of attacks that we did.

So this basically summarizes all three case studies that I looked into. Each one of these rows, or actually the columns, is a unique attack path that I identified, so you can see there are nine in total. What's interesting to see here, again, is a lot of potential to defend against these kinds of attacks after the perimeter is initially breached, which you can see by looking at the black line. Another interesting point to see here is that each of these attack paths is unique, and that the phases occur in different orders, and that sometimes they may be skipped or, yeah, occur out of their expected sequence.

Now the reason why that's important to realize is because it falsifies the premise of the original kill chain, namely that an attacker must progress successfully through each stage of the chain and that one mitigation disrupts the chain and the adversary. Now I realize this depiction with 18 phases is actually kind of hard to grasp, so I did my best to make it a little easier to explain to people. So I clustered the different phases of these attacks in three columns. Basically the first one is about gaining an initial foothold inside the target network, so compromising a system behind the perimeter, which is basically the domain of the original kill chain. After that you can use that infection to pivot to the internal network and then perform a number of attack phases such as discovery of systems, escalating privileges, executing code, getting access to credentials and using those credentials to perform lateral movement. This is basically a game of getting more access, and getting more access to systems, getting higher privileges, and sort of moving like that through the network. And once you have sufficient access, you can use that access to collect data, to exfiltrate the data, or to perform target manipulation. Now target manipulation is a little different: it could be compromising the integrity of systems or the availability of systems, which could also be an objective, even though most people are generally focusing on the confidentiality, through collection and exfiltration. And they basically fit the objectives of the overall attack.

What was interesting to see is that in one of the attack paths there was actually a segmented network, so as you can see there's an entire extra column in there, because we had to first compromise the office environment and then gain access to a stepping stone, which allowed us to move to the critical infrastructure segment. And once we got there, our original credentials that we were able to harvest were no good anymore and we basically had to start anew. So the fact that a segmented network and an isolated identity and access management system really forced us as an attacker to make our path much longer, this basically shows how strong of a measure that can be. It also showed how versatile the model was, because this is basically going from here, this middle column, it was just repeated, so it's basically a loop that you can go through for as many segments as you need in order to gain access to your final targets.

Now having created this model, I wanted to see obviously how it would hold up against the attacks of real-world APTs such as APT28, also known as Fancy Bear. Maybe you've heard of them. They are one of the two actors that was found in the network of the Democratic National Committee before the elections here in 2016. Their attacks have been attributed to the GRU, also known as Russia's military intelligence service, most recently by a Mueller indictment. The group has been active for quite a while, but they have moved from traditional espionage to performing covert influence campaigns, in which they manipulate the public opinion and the domestic politics of foreign nations through the collection and release of misinformation. So just to show you what these kinds of attacks look like, here's the most simple example, in which they just phish someone for their credentials for an externally accessible webmail environment. If you fill in your credentials here, they can just harvest everything that's available within your account straight away, which is much easier than the kind of red team attacks that we were just modeling, so it's interesting to see from my point of view.

Another kind of attack is actually much more similar to the kind of attacks we were doing, in which they send a spear phishing email with a malicious Word document. The Word document actually included two zero-day vulnerabilities: the first one in the EPS format, which allowed them to execute code, and then another vulnerability in the Windows kernel to gain the highest privileges on the system, allowing them to deploy their malware with the highest rights on the Windows system. If you look at the malware that's being used by APT28, it actually consists of multiple stages, a bit more complex than the kind of malware that we were using as a red team. Basically they have different kinds of ways to first inject the malware, so either through email or through watering hole attacks. Then they have the first-stage malware, which is basically used for reconnaissance. If they find that the target is interesting, they can deploy their second-stage malware; in this way they can sort of shield it from researchers. And if it's a particularly interesting network, they can deploy their pivot malware, which allows them to attack other systems in the internal network, or use their USB stealer malware to even gain access to air-gapped networks.

Now this again is a depiction of the unique attack paths that I saw in the APT28 case study. You see two of them, so C4-1 and C4-3, in which they basically don't even have to breach this organization's perimeter, because they can just attack externally accessible email systems. Then there are a couple in which they use all the information that they have to do very targeted spear phishing attacks, and in that way compromise the right person straight away, leveraging all the information that they previously gained, because they're an intelligence service, and then they can perform their attack like that. But there are also a number of ones in which they had to perform additional steps once they compromised this initial system beyond the perimeter. That could either be because they were unlucky in who they compromised, it wasn't the right person, they don't have access to the right information, or because their attack requires more than what you can do from any individual workstation. For instance, the TV5Monde attack has been attributed to them, in which they blacked out a TV station, which required flashing routers; that's something you cannot do with just a spear phishing attack.

Another way to look at the research results is this comparison between the kill chain that I developed and some of the other kill chains that I used in my research. So the cyber kill chain from Lockheed Martin, you can see, actually performs quite well at the beginning of these attacks, but after that it just clusters everything as actions on objectives. Our red team did quite a bit better, but generally we stopped short of actually collecting and exfiltrating data or manipulating critical production systems, because clients get a little anxious if you want to attack their critical production systems. But it's actually something that would be very good to test, because as you can see, each one of these different phases, these tactics, were necessary to explain the attacks that were performed by APT28. So if you want to know if you can prevent that, detect that, respond in time, then you actually need to allow red teams to perform these things as well.

To come back to the balance between attackers and defenders: I mentioned these two views. Actually, my research shows that the game between attackers and defenders is much more balanced than either of the other views would portray, namely that a successful mitigation in a layered defense strategy by defenders may thwart one of these complex and multifaceted attacks, but an attacker might also find another way to get to that target if you mitigate them in any one of those phases. So what should you do then? Well, for instance, think about how you are going to defend against these attacks, because if you know that some of these phases may be skipped or occur out of sequence, maybe you should be focusing on the points that connect different parts of these attack chains. So if you can create choke points that you know you can force attackers to go through, to pivot through, that would be a really interesting target to focus your defense on. So for instance, if you have a stepping stone that's used for system management purposes, that's something that you really want to focus all your efforts on. Also take into account systems that are dual-homed, etc., which could be used as a path for attackers; that's also something that's high-risk and that you should be focusing your efforts on.

Having discussed all this, here are some of the extra added values that I'm hoping to attain with the unified kill chain that I developed. So first of all, it combines some of the previous research that has been done in one comprehensive model. So you have the cyber kill chain from Lockheed Martin, you have MITRE's ATT&CK framework, which are really good in what they do, but they only show you part of the total picture. So if you want to explain to someone how a complex attack works nowadays, neither of these models really shows you the whole picture, so I'm hoping that this model will allow you to explain that to people. Also it improves over the scope of the original kill chain, which supposedly should encompass the whole attack, and it improves over the time-agnostic nature of the ATT&CK framework, because the ATT&CK framework includes them, but it's really interesting to know how they occur in an actual attack. So if you see one of these behaviors in your network, you want to know: what should I be looking at, what happened previously, and what might I be looking at that might have happened next.

Also some more minor points. For instance, I changed the definition of weaponization a little bit, which is very narrow in the definition of the original kill chain; if you broaden that a little bit, you can also include things like looking at typosquatted domains, maybe using that for intelligence purposes. Another point would be separating exploitation from social engineering. So in the original kill chain this is all called exploitation, but if you're mapping measures against this, there's actually a big difference between trying to prevent exploitation of a system and social engineering of your users. So one might be patch management as a fix; if you're trying to prevent social engineering of your employees, obviously patch management is not the thing that's going to save you. So if you separate those two, it's much easier to think about possible measures to prevent that. Also, what I just mentioned, the crucial role of choke points in these kinds of attacks. And another thing that I think is nice about the model that I created is that it extends the way in which you can use the ATT&CK framework a little bit. So the ATT&CK framework focuses on the collection and exfiltration of data, which is all about confidentiality, but obviously we all know in the CIA triad you can also target integrity or availability of systems. There's nothing in the ATT&CK framework currently that allows you to take that into account, so by adding target manipulation you can include that in what you're looking at. And also the final addition that I did was adding a phase called objectives, which basically explains more of the high-level strategic objectives that an actor may be after. If you take that into account, then you may also be thinking about the kind of asset that they may actually be after, so where is that stored, how are they going to get to that target. So that also allows you to think about this problem in terms of attack paths that may exist inside your network and then trying to cut off these paths at some point.

Well, having said that brings me to the end of my presentation for today. If you want to read a little bit more about it, I've registered this domain, unifiedkillchain.com; currently it just redirects to my master's thesis. It's a hundred pages, so I don't expect you to read the whole thing, but before the end of the month I intend to publish a white paper which is a little more accessible. There may be some blog posts on the subject, but they will all be accessible from the same point. Well, thank you.

Thank you so much, Paul. [Applause]
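The two defensive arguments in the talk, that one mitigation does not necessarily break a multi-path attack and that a stepping stone into a segmented network is a choke point worth concentrating on, can be checked mechanically on a small attack graph. The Python below is an added example written for this page, not code from the talk, the thesis or the Unified Kill Chain project. The two graphs are constructed by hand, loosely following the three attack paths of the first red team case study and the segmented-network case as the speaker describes them; the phase labels (`ws_privesc`, `stepping_stone`, `segment_credentials`, and so on) are my own names, not terms from the model.

```python
from itertools import combinations

# Constructed attack graphs (not taken from the talk's slides). Each key is a phase an
# attacker has reached; each value lists the phases reachable from it.
# FLAT_NETWORK follows the three paths of the first red team case study: workstation
# privilege escalation plus local admin password reuse, server compromise leading to
# the transaction server, and domain admin rights covering both.
FLAT_NETWORK = {
    "foothold": ["ws_privesc", "server_compromise", "domain_admin"],
    "ws_privesc": ["local_admin_reuse"],
    "local_admin_reuse": ["many_workstations"],
    "many_workstations": ["objective"],
    "server_compromise": ["more_servers"],
    "more_servers": ["transaction_server"],
    "transaction_server": ["objective"],
    "domain_admin": ["many_workstations", "transaction_server"],
    "objective": [],
}

# SEGMENTED_NETWORK models the segmented case: every office-side path must pass the
# stepping stone, and harvested credentials are worthless inside the new segment, so
# discovery and credential access start over before the objective is reachable.
SEGMENTED_NETWORK = {
    "foothold": ["ws_privesc", "server_compromise", "domain_admin"],
    "ws_privesc": ["local_admin_reuse"],
    "local_admin_reuse": ["many_workstations"],
    "many_workstations": ["stepping_stone"],
    "server_compromise": ["more_servers"],
    "more_servers": ["stepping_stone"],
    "domain_admin": ["many_workstations", "more_servers"],
    "stepping_stone": ["segment_discovery"],
    "segment_discovery": ["segment_credentials"],
    "segment_credentials": ["objective"],
    "objective": [],
}


def simple_paths(graph, src, dst):
    """Enumerate every loop-free path from src to dst by depth-first search."""
    found = []

    def walk(node, trail):
        if node == dst:
            found.append(trail)
            return
        for nxt in graph.get(node, []):
            if nxt not in trail:
                walk(nxt, trail + [nxt])

    walk(src, [src])
    return found


def choke_points(graph, src, dst):
    """Intermediate phases shared by every attack path: the places where one
    defensive measure (prevention or detection) covers all known paths."""
    paths = simple_paths(graph, src, dst)
    if not paths:
        return set()
    return set.intersection(*(set(p) for p in paths)) - {src, dst}


def without(graph, blocked):
    """Copy of graph with the blocked phases, and all edges into them, removed."""
    return {n: [m for m in nbrs if m not in blocked]
            for n, nbrs in graph.items() if n not in blocked}


def minimum_mitigation_set(graph, src, dst):
    """Smallest set of intermediate phases whose mitigation leaves no path from
    src to dst. Brute force over subsets, which is fine for a dozen phases."""
    candidates = sorted(set(graph) - {src, dst})
    for size in range(len(candidates) + 1):
        for combo in combinations(candidates, size):
            if not simple_paths(without(graph, set(combo)), src, dst):
                return set(combo)
    return None


def summarize(graph, src="foothold", dst="objective"):
    """Path count, choke points and the number of mitigations needed to cut all paths."""
    return {
        "paths": len(simple_paths(graph, src, dst)),
        "choke_points": choke_points(graph, src, dst),
        "mitigations_needed": len(minimum_mitigation_set(graph, src, dst)),
    }


if __name__ == "__main__":
    for name, graph in [("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)]:
        print(name, summarize(graph))
```

On the flat graph there is no intermediate phase common to all paths, so no single mitigation disrupts the attack; at least two (covering the workstation route and the server route) are needed, which is the point the speaker makes against the original kill chain's premise. On the segmented graph the stepping stone and the phases behind it are choke points, and one measure placed there cuts every path, which is why the talk singles out management stepping stones and dual-homed systems as the places to concentrate defensive effort.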