Home / Blog / Cyber Kill Chain applied to ICS

Cyber Kill Chain applied to ICS

Posted on 10/27/2016, by INCIBE
Cyber Kill Chain

The concept of Cyber Kill Chain was created by analysts in Lockheed Martin Corporation, who even registered the term. In 2011, they published a paper describing the procedure that they had called Intrusion Kill Chain, with the purpose of helping in the decision-making process to respond more adequately to potential attacks or intrusions to which any system is exposed. In the cyber security environment, the chain of actions defined in this paper has been called Cyber Kill Chain.

Intrusion Kill Chain

The Intrusion Kill Chain is a process which is aimed against a target with the intention of producing a desired effect. It is treated as a chain because it is made up by a series of stages, where mitigation of any stage implies breaking the chain and the attacker frustration.

The Intrusion Kill Chain is made up of a seven-step procedure which describes each stage in an advanced attack. This chain approach makes the process of identifying and learning lessons regarding each stage of the attack easier for the potential victim, thus allowing them to decide whether the current protective measures are appropriate for each stage of the attack.

Intrusion Kill Chain Stages

-Intrusion Kill Chain Stages-

This model is oriented to the corporate environment and for this reason, it is not totally adapted for industrial control systems, due to the nature of these systems and the attacks addressed to them. However, it may be adapted to operate in industrial environments.

ICS Cyber Kill Chain

Due to the specific characteristics of features deployed on control systems and the exclusive configurations presented by them, carrying out a successful attack requires considerable knowledge. The typical conditions of an industrial system form a scenario that requires the attacker to avoid interference with the multiple sensors and control technology devices, as well as overstepping the many networks that are usually found in such systems. Unfortunately, the inherent difficulties that the perpetrator has to overcome are often overridden by direct connections to the Internet which damage any advantage offered by the architecture.

At the end of year 2015, SANS Institute published a report adapting the Cyber Kill Chain to control systems. This report expands the original Intrusion Kill Chain stages (and divides it in two distinct phases) to better adapt them to the industry characteristics.

Phase 1 of ICS Cyber Kill Chain

-Phase 1 of ICS Cyber Kill Chain-

The first part is rather similar to the original model and corresponds to what has been traditionally classified as espionage or intelligence operations. Phase 1 reflects the procedure of a structured and targeted attack campaign.

  • Planning: This is the first stage and includes reconnaissance tasks aimed at collecting information about the target. Usually, it includes targeted research using free tools, but it is fundamentally based on OSINT, benefiting from corporate blogs, product brochures, use of Sochan-type tools, etc. with the aim of identifying the target's weaknesses.
  • Preparation: The objective of this stage is to prepare the intrusion path: It may include both the preparation of a file for use in subsequent stages and the selection of the target of the future attack. The appropriate tools will be selected depending on the target. Both tasks included on this stage may take place but neither is mandatory.
  • Intrusion: Includes any access attempt to the target networks and systems, regardless of whether they are successful or not. If they are successful, the attacker shall work on exploiting the target and try to install or modify methods in order to ensure future access.
  • Management and enablement: After an intrusion in the system has been completed, the next step is managing the access obtained, for which the attacker establishes one or more command and control systems (C2 or C&C).
  • Sustainment, entrenchment, development & execution: This is the stage where the attacker acts. Some usual actions in this stage are executing additional capabilities, finding new equipment, hopping between networks, etc. This task is critical for the beginning of the second phase.

When the target has been compromised it is time to consider phase 1 as completed and to continue to phase 2. Occasionally, a system may be compromised in an indirect manner due to the information exfiltrated from a supplier or collaborator, which makes the whole process contained in phase 1 unnecessary. In such cases, only phase 2, which is described below, shall be necessary:

Phase 2 of ICS Cyber Kill Chain

-Phase 2 of ICS Cyber Kill Chain-

In phase 2, knowledge collected on the previous phase is exploited to prepare a targeted attack. This phase may or may not immediately follow the first phase; a delay between phases is possible. The typical phases of phase 2 of a Cyber Kill Chain are:

  • Attack development and tuning: In this stage, the attacker tries to enable a new capability (procedure, tool, methodology, etc.) specifically involving the control infrastructure target.
  • Validation: The aim of the validation stage is to certify the new capability in an identical or similar environment to the one which is to be attacked. Usually, the attacker acquires specific hardware to carry out this stage, which includes simulations of the intended attack. This is a great challenge, due to the fact that simulating a whole system such as those used in industrial environments is highly complex.
  • Attack: Final stage of the chain. The attacker tries to deliver the developed capacity, or to install it, or to modify the behaviour of the system to be exploited and consummate the attack. The usual consequences of an attack on control systems are control or data losses, denial; usually denial-of-service, and manipulation of data, views, etc.

The complexity of completing the two distinct phases of the Cyber Kill Chain adapted to an industrial environment by an attacker shall depend on the security measures applied to the target system.

Security measures

Knowledge of the Cyber Kill Chain allows operators and security officers to apply specific measures to this field aimed at protecting control systems at each stage of the chain.

Depending on the stage and the desired action, different tools that are already used in control systems today shall be used, it would only be necessary to give them a new use. Other measures are related to the behaviour of employees, which shall be implemented easily using training to encourage a deeper safety culture in the company.

Security tools in different phases of the chain

-Security tools in different phases of the chain-

Analysis of other intrusion models

Cyber Kill Chain offers a very efficient and descriptive model of the operations by an attacker which streamlines the decision-making process on mitigation actions, but this is not the only method to ensure traceability of the attacker's actions. 

The diamond model of intrusion analysis is an alternative model which integrates the phase perspective of the Cyber Kill Chain and complements such analysis from a wider perspective, which reflects the complex activities that the attackers undertake.

Both models complement each other and may be used on industrial control systems. The Cyber Kill Chain allows analysts to "target and compromise a perpetrator to create the desired effect", while the diamond model allows them to develop and understand business for the purpose of building and organising the necessary knowledge to analyse the Cyber Kill Chain.