Every day that you prevent an attack is a good day. Sophisticated adversaries have the money, skills, and technologies to thwart most organizations’ defensive capabilities. With the rise of Ransomware-as-a-Service (RaaS), less sophisticated attackers have access to payloads and customer service representatives to help them deploy successful attacks. By understanding attackers’ motivations and goals, you can find opportunities to stop them from achieving their goals.
When defenders use threat intelligence to detect activities across the cyber kill chain, they mitigate risks more efficiently and effectively.
What is the Cyber Kill Chain?
The cyber kill chain, introduced by Lockheed Martin, describes the seven steps that threat actors must complete for a successful attack. Organizations combine threat intelligence with the cyber kill chain’s steps to minimize a cyber attack’s impact.
Stopping attackers at any of the following stages reduces potential damage to data and systems:
- Reconnaissance: researching the target to identify the people, systems, and exposures that would let the adversary achieve their objectives
- Weaponization: preparing the operation, typically by pairing an exploit with a payload such as a backdoor or loader
- Delivery: launching the operation by conveying the weaponized payload to the target, for example by email, web download, or removable media
- Exploitation: triggering a known or unknown vulnerability (or a human weakness) to execute code or gain unauthorized access
- Installation: creating a persistent way into the victim’s environment to maintain ongoing access
- Command and Control (C2): opening a two-way communication channel to remotely manipulate the victim’s environment
- Actions on Objectives: using hands-on-keyboard tactics to achieve goals, such as collecting credentials, escalating privileges, moving laterally through systems, and stealing data
By understanding adversaries’ tactics, techniques, and procedures (TTPs), defenders can mitigate risks arising from:
- Malware
- Ransomware
- Spear phishing
- Social engineering
Cyber threat intelligence enables security teams to mitigate risks arising from advanced persistent threats (APTs), defined as targeted, coordinated, and purposeful malicious actors with intent, opportunity, and capability.
MITRE ATT&CK
MITRE ATT&CK is a knowledge base of adversary tactics and techniques built from real-world observations. Although many people conflate it with the cyber kill chain, MITRE ATT&CK catalogs specific attacker behaviors while the cyber kill chain describes the general phases of an attack.
Although both models include reconnaissance and C2, the MITRE ATT&CK model primarily details the activities that occur within each of the cyber kill chain phases. For example, the cyber kill chain’s actions on objectives phase includes the following MITRE ATT&CK tactics:
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Exfiltration
Unified Cyber Kill Chain
Recognizing the importance of both the cyber kill chain and the MITRE ATT&CK framework, Paul Pols combined the two models to create the Unified Kill Chain.
The Unified Kill Chain model identifies the three phases of an attack as In, Through, and Out.
During the In Phase, adversaries try to gain access to systems and employ the following tactics:
- Reconnaissance
- Resource development
- Delivery
- Social engineering
- Exploitation
- Persistence
- Defense evasion
- Command and control
During the Through Phase, adversaries try to move across and within networks and systems, employing the following tactics:
- Pivoting
- Discovery
- Privilege escalation
- Execution
- Credential access
- Lateral movement
Finally, the Out Phase occurs once adversaries have the access they need and carry out their actions on objectives. This phase is defined by:
- Collection
- Exfiltration
- Impact
- Objectives
Applying Threat Intelligence to the Cyber Kill Chain
Cyber threat intelligence provides insight into adversary motivations, objectives, tactics, and techniques. The more information you have, the better prepared you can be.
Technical Threat Intelligence
Technical threat intelligence identifies the breadcrumbs that adversaries leave in systems, including:
- Indicators of Compromise (IoC)
- Malware
- Vulnerabilities exploited
- C2 channels
- Malicious IP addresses
This information provides insights into the following cyber kill chain phases:
- Delivery: IoCs and malware signatures provide insight into the malware that the adversary used during the attack.
- Exploitation: Knowing which vulnerabilities threat actors are exploiting lets defenders apply security updates where they exist and, for unpatched or unknown flaws, monitor the affected devices or networks for suspicious activity.
- C2: Identifying the C2 channels and malicious IP addresses helps trace remote interactions with the organization’s environment.
Tactical Threat Intelligence
Tactical threat intelligence provides insights into the TTPs that adversaries use in attacks, including:
- Network traffic patterns
- Log files of known attacks
- Phishing scams
- URL and IP blocklists
This information provides insights into the following cyber kill chain phases:
- Delivery: Identifying known phishing scams can help prevent malicious actors from using email as a delivery method.
- Installation: Log files of known attacks provide insight into how adversaries establish persistence and continue to access resources.
- C2: Network traffic patterns and blocklists give defenders a way to identify suspicious communications and prevent access from malicious locations.
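Both the technical intelligence (IoCs such as hashes, C2 domains, and malicious IPs) and the tactical intelligence (phishing senders, URL and IP blocklists) described above become useful only when they are run against the organization's own telemetry and the hits are read in kill chain order. The following is an added example, not Flare's code or the page's own: it matches a small set of indicators, each tagged with the kill chain phase it speaks to, against constructed mail-gateway, EDR, DNS, and proxy log lines in a key=value style, then reports the earliest phase at which a block would have cut the chain. All indicators, hostnames (.test), IP addresses (RFC 5737 ranges), the file hash, and log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Added example, not Flare's code. Every indicator, host and log line below is
# constructed; none refers to a real campaign or sample.

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

@dataclass(frozen=True)
class Indicator:
    kind: str    # ip | domain | sha256 | sender | url
    value: str
    phase: str   # cyber kill chain phase this indicator speaks to
    tier: str    # technical (IoC) or tactical (blocklist / phishing lure)

INDICATORS = [
    Indicator("sender", "invoice@example-payments.test", "Delivery", "tactical"),
    Indicator("url", "http://example-payments.test/invoice.html", "Delivery", "tactical"),
    Indicator("sha256", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
              "Delivery", "technical"),          # placeholder hash, not a real sample
    Indicator("domain", "update.example-cdn.test", "Command and Control", "technical"),
    Indicator("ip", "203.0.113.10", "Command and Control", "tactical"),
]

# Constructed log lines: mail gateway, EDR, DNS resolver and web proxy.
LOG_LINES = [
    '2024-05-01T08:02:11Z src=mail from=invoice@example-payments.test to=bob@corp.test '
    'subject="Invoice 4471" url=http://example-payments.test/invoice.html',
    '2024-05-01T08:05:40Z src=edr host=WS-042 user=bob image="C:\\Users\\bob\\Downloads\\invoice.exe" '
    'sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08',
    '2024-05-01T08:06:02Z src=dns host=WS-042 query=update.example-cdn.test answer=203.0.113.10',
    '2024-05-01T08:06:03Z src=proxy host=WS-042 dst=203.0.113.10:443 bytes_out=18422',
    '2024-05-01T08:10:00Z src=dns host=WS-017 query=www.example.org answer=198.51.100.5',
]

# Which log field carries which kind of indicator value (assumed field names).
FIELD_KINDS = {
    "from": "sender", "url": "url", "sha256": "sha256",
    "query": "domain", "answer": "ip", "dst": "ip",
}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split a 'timestamp key=value ...' line into (timestamp, fields)."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return ts, fields

def normalize(kind, value):
    """Lower-case names and hashes; strip a :port suffix from IPv4 addresses."""
    value = value.lower()
    if kind == "ip":
        value = value.rsplit(":", 1)[0]
    return value

def match_logs(lines, indicators):
    """Return one hit per (log line, indicator) pair that matches."""
    index = {(i.kind, i.value.lower()): i for i in indicators}
    hits = []
    for line in lines:
        ts, fields = parse_line(line)
        for field, kind in FIELD_KINDS.items():
            if field not in fields:
                continue
            ind = index.get((kind, normalize(kind, fields[field])))
            if ind:
                hits.append({"ts": ts, "source": fields.get("src"),
                             "host": fields.get("host", fields.get("to")),
                             "kind": kind, "value": ind.value,
                             "phase": ind.phase, "tier": ind.tier})
    return hits

def phase_timeline(hits):
    """Earliest sighting per kill chain phase, ordered along the kill chain."""
    first = {}
    for h in hits:
        first[h["phase"]] = min(first.get(h["phase"], h["ts"]), h["ts"])
    return [(p, first[p]) for p in KILL_CHAIN if p in first]

def earliest_block_point(hits):
    """The first phase with a hit is where a block would have cut the chain."""
    timeline = phase_timeline(hits)
    return timeline[0][0] if timeline else None

if __name__ == "__main__":
    found = match_logs(LOG_LINES, INDICATORS)
    for h in found:
        print(f'{h["ts"]} {h["phase"]:<20} {h["tier"]:<9} {h["kind"]}={h["value"]} '
              f'({h["source"]}, {h["host"]})')
    print("timeline:", phase_timeline(found))
    print("cut the chain at:", earliest_block_point(found))
```

Run as-is, the script reports six hits: three Delivery hits (phishing sender, lure URL, dropped file hash) and three Command and Control hits (C2 domain resolution, the resolved address, and the proxied connection), all on the same workstation, and names Delivery as the point where a mail-gateway block on the sender or URL would have stopped everything that followed. The benign DNS line from a second host produces no hit.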
Operational Threat Intelligence
Operational threat intelligence is actionable information about threat actors’ nature, motive, timing, and methods. Normally found on the deep or dark web, operational threat intelligence comes from adversary communications across illicit Telegram channels, infected device markets, and cybercriminal forums, often including information like:
- Organizations they want to target
- Compromised credentials for sale
- Ransomware or malware variants for sale
- Lists of compromised devices that can be used as entryways during attacks
This information provides insights into the following cyber kill chain phases:
- Reconnaissance: Seeing the organization named as a target, its users’ credentials offered for sale, or its devices listed as compromised signals that adversaries are planning or preparing an attack.
- Delivery: Ransomware and malware variants available for sale provide information that defenders can use to prevent or detect the code in their environments.
- Exploitation: Finding the organization’s devices on a compromised device list lets defenders isolate and remediate those devices before the access is used to exploit the network further.
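The operational intelligence above (compromised credentials and compromised-device listings) only turns into a reconnaissance-phase warning when it is matched against the organization's own directory and address space, and the match must distinguish a credential that still works from one that was rotated long ago. The following is an added example, not Flare's code: it triages a constructed combo-list style leak against a simulated directory of salted PBKDF2 password hashes, verifying whether each leaked password is still the current one, and checks a constructed infected-device listing against the organization's public IP ranges. The domains (.test), IP ranges (RFC 5737), accounts, passwords, and listing formats are all constructed assumptions; a real identity provider would expose the verification step through its own API rather than raw hashes.

```python
import hashlib
import hmac
import ipaddress
import os

# Added example, not Flare's code. Users, passwords, the "leak" and the device
# listing are constructed; domains use .test and IPs are RFC 5737 ranges.

ORG_DOMAINS = {"corp.test", "mail.corp.test"}
ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/26")]

def pbkdf2(password, salt, rounds=200_000):
    """Salted PBKDF2-HMAC-SHA256; the iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def make_record(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": pbkdf2(password, salt)}

# Simulated directory: what the identity provider stores for each account.
DIRECTORY = {
    "alice@corp.test": make_record("Spring2024!"),
    "bob@corp.test": make_record("correct horse battery staple"),
    "carol@mail.corp.test": make_record("hunter2-but-rotated"),
}

# Constructed leak in the common email:password "combo list" layout.
LEAKED_COMBOS = [
    "alice@corp.test:Spring2024!",        # still the current password
    "carol@mail.corp.test:hunter2",       # old password, already rotated
    "bob@Corp.Test:wrong-guess",          # mixed-case domain, password does not verify
    "dave@corp.test:whatever",            # account no longer exists
    "eve@other.test:nothing",             # not one of our domains
    "malformed line without separator",
]

# Constructed infected-device listing: ip | os | hostname | harvested data.
COMPROMISED_DEVICES = [
    "203.0.113.77 | Windows 10 | corp-vpn.corp.test | cookies,passwords",
    "198.51.100.200 | Windows 11 | home-pc | cookies",   # outside our /26
    "192.0.2.9 | macOS | laptop | passwords",
    "not an ip | x | y | z",
]

def triage_credentials(combos, directory, domains):
    """Classify each leaked email:password line against the directory."""
    results = []
    for line in combos:
        email, sep, password = line.partition(":")   # password may itself contain ':'
        email = email.strip().lower()
        if not sep or "@" not in email:
            results.append({"line": line, "status": "malformed"})
            continue
        domain = email.rpartition("@")[2]
        if domain not in domains:
            results.append({"account": email, "status": "foreign_domain"})
            continue
        record = directory.get(email)
        if record is None:
            results.append({"account": email, "status": "unknown_account"})
            continue
        still_valid = hmac.compare_digest(pbkdf2(password, record["salt"]), record["hash"])
        results.append({"account": email,
                        "status": "reset_now" if still_valid else "not_current"})
    return results

def accounts_to_reset(results):
    """Accounts whose leaked password verifies against the current hash."""
    return sorted(r["account"] for r in results if r["status"] == "reset_now")

def triage_devices(lines, networks):
    """Return the listing entries whose IP falls inside an org network."""
    exposed = []
    for line in lines:
        fields = [f.strip() for f in line.split("|")]
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # skip unparseable listing rows
        net = next((n for n in networks if ip in n), None)
        if net is not None:
            exposed.append({"ip": str(ip), "network": str(net), "detail": fields[1:]})
    return exposed

if __name__ == "__main__":
    creds = triage_credentials(LEAKED_COMBOS, DIRECTORY, ORG_DOMAINS)
    for r in creds:
        print(r)
    print("force reset:", accounts_to_reset(creds))
    print("isolate:", triage_devices(COMPROMISED_DEVICES, ORG_NETWORKS))
```

Only alice's account comes back as reset_now; carol's leaked password was rotated and bob's does not verify, so both are not_current and warrant monitoring rather than a forced reset, while dave and eve fall outside the directory and the organization's domains respectively. Of the device rows, only 203.0.113.77 sits inside an organization range and is flagged for isolation.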
Unified, Actionable Threat Intelligence with Flare
With Flare’s easy-to-use platform, you get simple, actionable threat intelligence that surfaces events in seconds, not days. Our platform enables all security professionals, empowering entry-level analysts to do research and giving experienced analysts detailed technical information.
Using Flare’s AI Powered Assistant, you overcome the noise and language barriers inherent in monitoring the illicit sources that reveal adversary reconnaissance activity. Our automated cyber threat intelligence linguist translates Russian, Arabic, Spanish, French, and other threat actor forum posts into clear English summaries that provide rich context.