Lockheed-Martin researchers have developed a method of analysis, which helps to analyze cyber attacks like the ones deployed by criminals against the US branch of the multinational Target department-store chain, and the ones by state actors against such targets as foreign enemies or competitors, breakaway republics, or destabilizing religious groups.
Similar methods are used by the NSA at the behest of DHS and DOJ against domestic targets including mainstream (but non-incumbent) political parties and campaigns, and are probably used by authoritarian, totalitarian and police states worldwide to monitor opposition elements. All these cyber attacks can be analyzed within the Lockheed Martin framework, which is called Kill Chain Analysis.
Lockheed Martin’s essential concept is that there are certain steps that must be executed to conduct any cyber attack. Each of these steps is dependent on the one immediately before it, and all the ones before that. Interrupting or disrupting any of these steps, in other words, “breaking the kill chain,” conclusively interrupts, disrupts, or prevents the cyber attack. Here are the steps graphically, from a US Senate Commerce Committee report on the Target intrusion.
My word, these look a lot like the steps of a combat mission – with a couple of very interesting exceptions. They are also a little bit shortsighted, in a way that suggests LockMart’s “Kill Chain” comes from analyzing only failed and exposed cyber attacks.
The Steps that Derive from Combat Operations Planning
Reconnaissance, the phases of Delivery and Exploitation, Command and Control, and Actions on the Objective correspond more or less closely to phases used in planning a combat operation, whether a stealthy reconnaissance or a violent seizure of terrain.
- Reconnaissance here encompasses not only the usual military meaning of the word, but also the deeper disciplines of target acquisition and target analysis. In Special Forces, we make a hair-splitting distinction between “study” (which is an ongoing, never-stops, day-and-year-in-and-out analysis of a potential target or operational area) and “assessment” (which is “study” gone live once the man or team is on the ground). It’s important to revise those parts of analysis that were developed by stand-off methods with the “ground truth” that is only available when you put eyes on target. (Note that stand-off methods that are not entirely trustworthy include not only your entire palette of technical means, but also any all-indigenous or not-directly-controlled human sources or reconnaissance teams).
- Delivery here parallels the process of infiltration (as the term is used by SOF) rather closely. In physical combat operations, delivery is usually constrained by logistics, and can have a great influence on the outcome of operations. The D-Day invasion, for one example, was delivery on a staggering scale. Moving into the cyber world, logistics becomes somewhat less of a constraint; you don’t need thousands of ships and tens of thousands of troops to land your virtual beachhead on the enemy’s computer network.
- Command & Control here is a distinct step, which it isn’t in the world of physical combat. Instead, in physical-world operations, command-and-control is less of a step than a continuous process at multiple levels throughout the entire operation. Indeed it’s more of a principle; the four principles drummed into students at Ranger school are, “Planning, Reconnaissance, Control and Security.” While techniques are almost infinitely variable, failure at any of the principles is likely to produce mission failure. In cyber war, command-and-control has a much narrower remit. Failure of command-and-control as defined here would leave the exploit package sitting passively on the target server, or at least on an interim target, but with no way to control it: the veritable Chinese rover of malware.
- Actions on Objective in the world of physical combat is the most important phase of an operation, and the one whose success is the objective of all the other phases, and a primary determinant of mission failure or mission success. In the Target breach, for example, the attackers succeeded in pilfering millions of credit card details. Mission success!
The Steps that Differ from Combat Operations Planning
The phases of Weaponization, Exploitation and Installation have no direct parallel in combat operations planning, although you can find parallels in special operations and especially in espionage and counterespionage planning.
- Weaponization here describes suiting the attack modality and technology to the target, and implies that the exact weapon used in the cyber attack is practically a bespoke weapon, crafted to fit the target and its vulnerabilities and defenses. While this is done to some extent in combat operations, the difference is the limited number and types of tools in the combat commander’s toolbox. He might have mechanized and armor battalions in his toolbox, and so everything is going to be attacked with that particular hammer and chisel.
- Exploitation here is simply the “turning on” of the weaponized and delivered exploit. If it has a parallel in combat operations, it may be the process of triggering a “be prepared to, on command” mission. In the physical world, such a mission might be triggered by explicit communication such as a radio message or transmitted proword, or by the combination of elapsed time and absence of a cancellation message. The same sort of thing can be programmed into a stay-behind weaponized exploit: “Go off on 15 April unless we’ve told you not to.” But this is seldom a significant part of a physical combat operation, and doesn’t rate its own phase. Note that in the cyber world, the possibility of multiple exploit triggers (primary being an explicit instruction, secondary being a certain date, or a certain number of ticks on the host systems clock, for examples) means that this can a hard phase of the Kill Chain to disrupt. (And the potential presence of primary/secondary/tertiary exploitation instructions hints at another deep possibility: cyber threat planners can plan to defeat countermeasures).
- Installation here has no parallel at all in military operations. It is somewhat analogous to the intelligence process of persuading a would-be defector to remain as an agent-in-place. Intelligence agencies would rather have a spy in place, sending current information, than a source sitting in a debrief tank spilling sources and methods that the adverse party is frantically moving to protect once they learn of the defection. Even if the adverse party is clueless about the defector, his information begins to grow stale on Day 1 and loses much of its value very rapidly, depending on the dynamics of the target.
What’s interesting about these is where in the cycle they occur. In the combat military, your stuff is normally weaponized long before your target is selected. While the same may be true for the lowest level of cyber attackers, the so-called “script kiddies,” who assemble attack tools from toolkits and building blocks, sophisticated criminal attackers and the Advanced Persistent Threat emanating from foreign intelligence agencies have the resources and motivation to craft bespoke tools for a specific attack.
Towards a More Comprehensive Kill Chain
We suggested, above, that the nice LockMart graphic and the LockMart steps were a bit shortsighted, and what we mean by that is that they wrap up with actions on the objective. A well-planned combat operation never stops there, but considers the next steps, which depending on the operation may be withdrawal or exfiltration (for patrols and raids) or consolidation to hold territory, or further advance. Wrapping up with actions on the objective is a bit like a mountain-climbing team with no plan beyond achieving the summit. (Every climber knows that the most hazardous phase of the climb is the descent). Moreover, the cyber intrusion may have many different purposes. For some purposes, the intrusion itself is the objective; say, if Anonymous is trashing somebody’s website. But for others, since the intrusion’s objective is something beyond the intrusion itself, there needs to be a plan for withdrawal, disengagement, or end game of some kind.
Since some of the authors of the original Lockheed Martin concept are clearly familiar with combat operations planning, it will be interesting to find out why they did not include this in their kill chain analysis concept. In any event, a truly well-executed breach of Target, for example, would have ended not in discovery that at least 40 million customer credit and debit cards had been compromised, and 70 million customers’ other data has also been stolen, but in a stealthy withdrawal, leaving Target’s somnolent supposed network guardians unaware that they’d been victims of an epic raid.
Note that we originally intended to review some of the findings of the Target investigation itself, which is dependent on news reports (and being the sort of news reports that depend entirely on anonymous sources, they may be entirely false or fabricated by the reporters) and on analyses reported in public by security researchers like Dell Labs and the excellent Brian Krebs. But given the length of this discussion of doctrinal points, we thought it best to stick to the single subject. (Some of you guys who prefer discussion of bullet-launching modalities will be in MEGO Mode by now, anyway). We hope to return to the Target breach, and in the meantime here is the link to the Senate Commerce Committee Report.