The New De-Centralized Kill Chain
Understanding the Cyber Kill Chain and the Rise of Cybercrime-as-a-Service featuring strategies for mitigation and how to empower your team to win more battles
In the rapidly evolving world of cybersecurity, threats are becoming more complex and decentralized. This article explores the shift from traditional, centralized methods of cyber threats to a new, decentralized model. Understanding this shift is crucial for cybersecurity practitioners who are facing unprecedented challenges and need to adapt quickly to protect their organizations.
The Lockheed Martin Cyber Kill Chain framework outlines a systematic approach to cyber-attack detection and prevention, consisting of seven stages:
· Reconnaissance - where attackers gather information on their target.
· Weaponization - where a cyber-attack tool is coupled with an exploit.
· Delivery - the means by which the weapon is delivered to the victim.
· Exploitation - where the weapon's code triggers the intruder's payload.
· Installation - where a remote access tool is installed for persistent presence.
· Command and Control - enabling the intruder to control the compromised system remotely.
· Actions on Objectives - where the intruder achieves their goals, such as data exfiltration or encryption for ransom.
When Lockheed Martin published this model it became the classic kill chain; the stages themselves have not changed, but the methods threat actors use to move through them have.
This framework is the foundation that cybersecurity practitioners build upon and monitor within their cybersecurity programs. It underlies any security operations team, any AI tool being trained to identify threats, and any meaningful discussion of cybersecurity programs within an organization. The MITRE framework is largely based on the kill chain.
When it was written and published in 2008, the barrier to entry for cybercriminals and threat actors was higher. An intrusion largely relied on one or two groups targeting the organization through the entire process, using familiar tools, and it required a set of expertise for the criminals to navigate a target’s network. This helped practitioners and defenders identify threats and events during the cycle of the kill chain and disrupt and prevent them.
Evolution of Cyber Threats
However, this changed in 2017 and has not been the same since. What changed you may ask?
Cybercrime-as-a-Service (CaaS) has significantly lowered the entry barrier for aspiring cybercriminals, offering a variety of illicit services and tools through an underground marketplace model.
Offerings include:
· Ransomware-as-a-Service (RaaS) - where users can deploy ransomware without extensive coding knowledge.
· Malware-as-a-Service (MaaS) - providing ready-to-use malware kits for various purposes.
· DDoS-for-Hire (distributed denial of service) - enabling customers to disrupt services by overwhelming systems with traffic.
· Phishing-as-a-Service - offering complete phishing campaign tools with templates and hosting. Initial access brokers are the go-to experts for network access.
These services often operate on subscription or commission models, allowing individuals to conduct sophisticated attacks with minimal investment, thereby democratizing access to advanced cybercrime tools and techniques and increasing the overall threat landscape.
The term "de-centralization" is popular and appealing in many circles today, often used to describe a move away from the common, centralized controls of a government or business. Think of cryptocurrency, or another buzzword you might remember, blockchain.
Today cyber criminals and dark web marketplaces have created a de-centralized approach to hacking organizations. This de-centralized nature has introduced a challenge for security practitioners: it takes away the predictable flow of an event, and with it the ability to detect it, creating a far more challenging environment for practitioners to effectively defend their organizations.
Let’s investigate this process and how this is happening. As a rule of thumb, I won’t name a victim of a crime or use a group name to give them fame.
Technical Insights into Decentralized Cyber Attacks
Orchestration of Attacks:
Decentralized cyber-attacks often leverage a distributed network of compromised systems, commonly referred to as a botnet, to execute large-scale attacks without a single point of failure. For instance, a DDoS attack from a decentralized platform might utilize thousands of devices across the globe, each sending requests to a target server, thus overwhelming it. The coordination typically occurs via command and control (C&C) servers, but with advanced decentralized techniques, these commands can even be relayed through peer-to-peer networks, reducing the attackers' digital footprint and making it harder to shut down the operation.
Technical Detection Techniques:
1. Behavioral Analytics: Modern Security Information and Event Management (SIEM) systems can use behavioral analytics to detect anomalies in network traffic that may indicate a decentralized attack. For example, an unusually high volume of outbound requests from multiple points within the network to a similar set of IP addresses might indicate C&C activity.
2. Decoy Networks (Honeypots): By setting up decoy servers or networks (honeypots), organizations can attract attackers and study their behavior. This provides insights into the attack vectors used and the potential origin of the attack, offering a proactive approach to understanding and mitigating threats.
3. Machine Learning Algorithms: Machine learning can be used to predict and detect attack patterns based on historical data. For example, if a network segment starts to show signs similar to previous decentralized attack phases (e.g., scanning, lateral movement), the system can automatically trigger defensive mechanisms.
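As an added example, not code from the original article or from any SIEM vendor, the detection logic described in point 1 can be prototyped over constructed flow records. The script below groups outbound flows by external destination, counts the distinct internal hosts reaching it, and measures how clock-like each host's inter-request timing is, so that an external address contacted by several internal hosts on a regular cadence stands out from ordinary browsing. The internal address ranges, the thresholds, the log format and the sample flows are all assumptions made for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from ipaddress import ip_address, ip_network
from statistics import mean, median, pstdev

# Internal address space of a hypothetical organization; adjust per site.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
MIN_SOURCES = 3       # distinct internal hosts talking to the same external address
MAX_BEACON_CV = 0.25  # coefficient of variation of inter-arrival gaps; lower = more clock-like

# Constructed flow records (timestamp,src,dst,dst_port,bytes), deliberately unsorted.
# 203.0.113.5 is contacted by three hosts every 30 seconds; 198.51.100.20 sees
# irregular, bulky traffic from three hosts that looks like normal downloads.
FLOW_LOG = """\
2024-05-01T10:00:00,10.0.1.10,203.0.113.5,443,512
2024-05-01T10:00:05,10.0.1.10,198.51.100.20,443,40000
2024-05-01T10:00:30,10.0.1.10,203.0.113.5,443,520
2024-05-01T10:00:31,10.0.2.15,203.0.113.5,443,498
2024-05-01T10:01:00,10.0.1.10,203.0.113.5,443,515
2024-05-01T10:01:01,10.0.2.15,203.0.113.5,443,500
2024-05-01T10:01:30,10.0.1.10,203.0.113.5,443,510
2024-05-01T10:01:31,10.0.2.15,203.0.113.5,443,505
2024-05-01T10:01:32,10.0.3.7,203.0.113.5,443,490
2024-05-01T10:02:00,10.0.1.10,203.0.113.5,443,518
2024-05-01T10:02:01,10.0.2.15,203.0.113.5,443,497
2024-05-01T10:02:02,10.0.3.7,203.0.113.5,443,488
2024-05-01T10:02:32,10.0.3.7,203.0.113.5,443,495
2024-05-01T10:00:12,10.0.1.22,198.51.100.20,443,120000
2024-05-01T10:07:40,10.0.1.22,198.51.100.20,443,9000
2024-05-01T10:00:03,10.0.4.9,198.51.100.20,443,30000
2024-05-01T10:03:50,10.0.4.9,198.51.100.20,443,15000
2024-05-01T10:04:02,10.0.4.9,198.51.100.20,443,80000
"""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed CSV into dicts; port and bytes are kept for completeness."""
    fields = ["ts", "src", "dst", "port", "bytes"]
    return [{"ts": datetime.fromisoformat(r["ts"]), "src": r["src"], "dst": r["dst"],
             "port": int(r["port"]), "bytes": int(r["bytes"])}
            for r in csv.DictReader(StringIO(text), fieldnames=fields)]


def beacon_cv(timestamps):
    """Coefficient of variation of the gaps between consecutive flows, or None if too few."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def detect_fan_in(flow_text):
    """Return external destinations that several internal hosts contact on a regular cadence."""
    by_pair = defaultdict(list)
    for f in parse_flows(flow_text):
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            by_pair[(f["src"], f["dst"])].append(f["ts"])

    by_dst = defaultdict(dict)          # dst -> {src: beacon_cv}
    for (src, dst), stamps in by_pair.items():
        by_dst[dst][src] = beacon_cv(stamps)

    findings = {}
    for dst, per_src in by_dst.items():
        cvs = [cv for cv in per_src.values() if cv is not None]
        if len(per_src) >= MIN_SOURCES and cvs and median(cvs) <= MAX_BEACON_CV:
            findings[dst] = {"sources": len(per_src), "median_cv": round(median(cvs), 3)}
    return findings


if __name__ == "__main__":
    for dst, info in detect_fan_in(FLOW_LOG).items():
        print(f"possible C&C fan-in: {dst} sources={info['sources']} cv={info['median_cv']}")
```

Only 203.0.113.5 is reported: it is reached by three internal hosts whose gaps are a near-constant 30 seconds, while 198.51.100.20 is also reached by three hosts but with irregular timing, so the cadence check keeps it out. In a real SIEM the same two signals, fan-in count and timing regularity, would be computed over a sliding window and joined with threat intelligence before raising an alert.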
Mitigation Techniques:
1. Segmentation and Micro-segmentation: By dividing the network into smaller, manageable segments, you can contain the spread of an attack, limiting the damage. Micro-segmentation is particularly effective in a decentralized attack scenario because it restricts lateral movement within the network.
2. Threat Intelligence Platforms: Integrating threat intelligence platforms can help in the real-time identification of threats. These platforms can provide data on known malicious IP addresses, domains, and URLs and use this information to block communications with these entities.
3. Endpoint Detection and Response (EDR): EDR solutions can detect and respond to threats at the endpoint level. By monitoring endpoint and network activities, EDR can identify suspicious patterns that may indicate a part of a decentralized attack, such as the execution of unauthorized commands or unexpected installation of applications.
Example Case Study:
Consider a scenario where an organization faced a ransomware attack deployed via a decentralized network of malware-infected emails. The malware was programmed to encrypt data once it detected connectivity to a specific type of corporate network. By using EDR and network segmentation, the organization was able to quickly isolate the infected segments, preventing the spread of ransomware to critical data centers. Meanwhile, their SIEM system identified the anomaly based on deviation from normal baseline behaviors, such as unusual file access patterns and network requests, allowing the security team to respond before significant damage occurred.
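The baseline deviation that the case study attributes to the SIEM can be illustrated with an added example (not the article's own code and not any product's implementation). It counts the distinct files each user touches per hour from constructed audit lines, compares each count with a per-user baseline as a z-score, and flags hours that sit far above normal, which is the "unusual file access pattern" an encryption run produces. The baselines, thresholds and audit log format are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Per-user baseline: distinct files touched per hour over seven earlier one-hour
# windows. Constructed values; a SIEM would learn these from its own history.
BASELINE = {
    "alice": [12, 15, 11, 14, 13, 12, 16],
    "bob": [4, 6, 5, 5, 7, 4, 6],
}
Z_THRESHOLD = 3.0   # flag hours more than three standard deviations above baseline
MIN_COUNT = 20      # ignore tiny absolute counts even when statistically unusual

# Constructed audit lines, "<ISO timestamp> <user> <action> <path>", generated here
# for illustration: alice touches 120 distinct files in one hour, bob touches 6.
AUDIT_LOG = (
    [f"2024-05-01T10:{i % 60:02d}:{i % 59:02d} alice READ /finance/q1/doc-{i:03d}.xlsx"
     for i in range(120)]
    + [f"2024-05-01T10:{i * 7:02d}:30 bob READ /hr/policy-{i}.pdf" for i in range(6)]
)


def count_distinct_files(lines):
    """Map (user, hour) to the number of distinct paths touched in that hour."""
    seen = defaultdict(set)
    for line in lines:
        ts, user, _action, path = line.split(" ", 3)
        seen[(user, ts[:13])].add(path)     # ts[:13] is "YYYY-MM-DDTHH"
    return {key: len(paths) for key, paths in seen.items()}


def z_score(value, history):
    """Standard deviations above the baseline mean; a flat baseline gets a floor of 1."""
    sigma = pstdev(history) or 1.0
    return (value - mean(history)) / sigma


def find_anomalies(lines, baseline=BASELINE):
    """Return the (user, hour) buckets whose file-access count deviates from baseline."""
    flagged = []
    for (user, hour), count in sorted(count_distinct_files(lines).items()):
        history = baseline.get(user)
        if history is None:
            continue    # users with no baseline need a separate cold-start policy
        z = z_score(count, history)
        if z > Z_THRESHOLD and count >= MIN_COUNT:
            flagged.append({"user": user, "hour": hour, "count": count, "z": round(z, 1)})
    return flagged


if __name__ == "__main__":
    for hit in find_anomalies(AUDIT_LOG):
        print(f"{hit['user']} {hit['hour']}: {hit['count']} files, z={hit['z']}")
```

The absolute floor (`MIN_COUNT`) matters in practice: a user whose baseline is one or two files per hour would otherwise produce a large z-score after opening a handful of documents. Pairing this statistic with the segmentation and EDR controls from the mitigation list is what turns a detection into the containment the case study describes.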
In a recent major breach, we saw the kill chain executed by multiple groups coming together to gain access and launch a massive ransomware attack. The group operated in a de-centralized fashion, using Telegram and dark web marketplaces to assemble a superstar team that took advantage of unpatched vulnerabilities and weaknesses to gain initial access, and this is just the beginning.
When any practitioners start a threat assessment on their business, they may find themselves asking questions like:
How does my business operate?
What applications, software or dependencies are critical for business operations?
What data do we process, store, or maintain?
Who are our customers and suppliers?
Where do we operate, what regulators do we report to, and what laws apply to my business?
There are many more questions to be asked here, but you get the idea from the ones above. The purpose of the process is to identify the “Crown Jewels” of the business. That is the secret sauce that demands the most attention, investment and care for security to be a business enabler.
Now that we knocked that out of the way… let’s get back to those threat actors who look for every possible way in.
The As-a-Service Revolution
This started with the best business model in the world, software as a service, and it has made doing business much easier. Thanks to the as-a-service revolution, the cloud means more than its traditional sense of the word. This same revolution reached the dark web and the threat actor marketplace.
Nearly 10 years ago we started to witness the threat actor marketplaces begin to offer services to their peers. It started as collaboration but soon ended up building an entire sub-economy worth billions of dollars, and it lowered the barrier to entry for anyone with access to these marketplaces (a short YouTube video or Telegram interaction and you have access).
The years 2020 to 2024 have changed the entire landscape and the approach practitioners take in tackling these threat actors. Today, the marketplace is teeming with threat actors selling exploits for vulnerabilities and creating sophisticated phishing kits for initial access. Additionally, initial access brokers are now developing exploits for SSO tokens to gain complete environmental access. This progression has created a challenge for security teams everywhere. It now requires a larger look at the entire event and cross-pollination of logs, data and telemetry, and nothing is a coincidence anymore. It means SIEM, SOAR and SOCs need a wider pane of glass than ever before. (Another buzzword, I am sorry.)
This means that key KPIs change as well and require tracking of metrics like Mean Time to Identify and similar measures.
Threat Actors and Security Practitioners Share The Same Security Practice
This is where we see the most success for threat actors. With decentralization they have achieved mass confusion within the most underserved businesses. Don’t get me wrong, many big companies suffer from the same types of cyber-attacks and cyber events; however, the low-hanging fruit are the small municipalities, healthcare facilities and small businesses where no one is watching for the warning signs, and they fall victim to devastating cyber events.
Businesses today plan for and accept that these types of attacks are part of doing business, and some account for them in the form of cyber insurance. While these are calculated risks, the fact is that very few businesses fail after a cyberattack. Many recover, and investors no longer panic; they mostly open the wallet and invest in security to contain risk and reduce the impact of the next event.
Security starts at the top: if it matters to the board and the CEO, it matters all the way down. If it doesn’t, then it won’t, and security will likely fall by the wayside. That creates a rotation of leadership and staff who grow frustrated at not being able to really influence the organization to buy into their program and try a fresh start somewhere else, and there is no shortage of companies seeking smart security people.
Threat actors understand these challenges. They read the same headlines, listen to the same podcasts, watch the same webinars, and attend the same events; in most places they are faces smiling at you, and in other cases they are quickly forgotten. Threat actors gather intel on the industry as a whole, and with more publications on cybersecurity than ever before and more reporting requirements than ever before, they are armed to the teeth with information that leads to successful attacks.
Threat actors have mastered the kill chain, and decentralization allows for greater success since it reduces the risk each threat actor takes. Take the most recent ransomware gangs, which are made up of many affiliates who each take a part of the pie. LockBit, BlackCat/ALPHV, WannaCry, Royal and many more are household names for practitioners.
In fact, on my daily podcast I often cover the success law enforcement has had in dismantling their operations, only to see them pop up several months later under a different name, with several new affiliates and a new attack method. This is why the current method of fighting ransomware is nearly impossible to succeed with. We are approaching this as a traditional category of crime, but it is not.
This is where frustration may set in, and it should. If they keep changing a few hundred lines of code, get better and come back under a different name, how in the world can we stop them?
All valid questions that I ask myself daily, weekly, and monthly. I have some ideas I will share now.
Proactive Security Measures & Best Practices
Let’s talk some best practices and solutions for this challenge:
1. Low Hanging Fruit
a. Vulnerability Management & Patching
Run constant validation of vulnerabilities and patch them as soon as possible. Once a vulnerability is public the clock starts: threat actors begin scanning for vulnerable systems and building exploits, and they move fast.
b. Endpoint protections
I can’t explain how important it is to have an EDR or MDR on EVERY endpoint.
c. Identity and Access Management
Identity is the new perimeter; I did an entire series on Substack talking about this challenge. You need to build the right program to suit your business that helps create access thresholds for the right teams at the right time while authenticating their access constantly.
2. Train your SOC and NOC
a. Workforce Development
Train, Train, and Train. Train your security and network operations teams on all your tools, ensure they get constant briefings about new attack methods and tools, and share TTPs and IOCs as soon as possible. SANS, ISC2 and ISACA are all great resources, and let me not forget CSA as well.
b. Tools – yes AI, I see the eye roll I know, buzzwords but hear me out…
Give them the right tools for the job and for the environment. Don’t be afraid to try new products and technologies to help. Buzzword incoming: AI. A well-trained Gen AI tool, leveraged correctly with capable humans, can make a world of difference in your risk portfolio.
c. The Right Security Partners
Do you have the right security partners doing the right work to support your team and fill in the gaps? How often are you reviewing them and the quality of their work? Do the contracts you have with them give you what you need during troubled times to solve the challenges you are facing? Moreover, what R&D investment are they making? What is their product roadmap? Do they listen to you?
3. The Cybersecurity Community
a. Information Sharing
Being part of an ISAC or any organization that supports your industry is the right first step toward serious information sharing. InfraGard is great for collaborating and building relationships with the FBI, and CISA is probably the best-run federal agency in government, doing work that actually supports its mission and the US in general.
b. The CISO Community
Are you in ISLF or security tinkers? Why not? I have never seen a question or problem not get at least 7 different points of view, with people willing to get on a call at a moment’s notice to help. If you haven’t joined, do it now. It’s free!
All of these are just the first steps in the process of looking at what threat actors do and building the knowledge needed to tackle the coming challenges. These are some of the steps for dealing with how de-centralized the cybercrime world has become.
In conclusion, I am working on Part II of this, doing a deep dive into these marketplaces, services and getting real insights.
If you think I should speak with someone about this please email info@cyberhubpodcast.com with the details.