Election Security Spotlight – Cyber Kill Chain®

What it is

Earlier this week, US-CERT released a Joint Technical Alert (TA18-106A) detailing state-sponsored Russian cyber activity targeting private, government, and critical infrastructure network devices such as routers, switches, firewalls, and Network-based Intrusion Detection Systems (NIDS). The Alert’s Impact section used a variant of the Cyber Kill Chain® to walk through the types of attacks used.

A “kill chain” is a military term referring to the stages of an attack. Pioneered by Lockheed Martin, the Cyber Kill Chain® is a widely adopted concept in the cybersecurity industry. Through seven specific steps, it outlines what a malicious cyber actor must accomplish in order to achieve their objective. The Cyber Kill Chain® is most commonly applied to nation-state activity—that which is conducted by or on behalf of a foreign government—but it can be adapted to describe most malicious cyber activity. Understanding the Cyber Kill Chain® can help prevent malicious activity and remediate it when it occurs.

The seven steps to the Cyber Kill Chain® are:

  1. Reconnaissance – the identification of information about the target, which can aid in developing the most effective attack; this commonly includes identifying information about company operations and employees, including email addresses, attendance at conferences, and even personal information. From a technical perspective, reconnaissance may also include scanning of the network perimeter or websites for open ports or vulnerabilities;
  2. Weaponization – adapting the intended malicious activity so that it can infect the target; this commonly includes converting the malware into a form that will be opened or viewed by a recipient and adding an exploit that targets a vulnerability in the system, thereby allowing an infection;
  3. Delivery – sending or otherwise ensuring the target receives the weaponized package; this commonly includes directing the target to an intentionally malicious or compromised webpage that will infect the system with malware, or sending a malicious spam email;
  4. Exploitation – the process in which the weaponized package from Step 2 acts on the system, exploiting a vulnerability and executing code on the targeted system;
  5. Installation – the code executed in Step 4 then installs the malware on the target;
  6. Command & Control (C2 or C&C) – the malware installed on the target system uses a C2 channel to communicate with the malicious actor; C2 channels are frequently masked to look like normal traffic from the computer. Common C2 channels include malware connecting to another IP address, website, or social media feed to receive additional commands;
  7. Actions on Objectives – the malicious actor sends commands to the malware through the C2 channel; this commonly includes providing remote access so the malicious actor can log in to the system directly, or other actions, such as gathering and exfiltrating predefined data.

Why does it matter

Understanding how attacks might occur is the first step in stopping them. The Cyber Kill Chain® makes it possible to more easily understand a malicious cyber actor’s tactics, techniques, and procedures (TTPs) and knowledge, skills, and abilities (KSAs). It also makes it easier to compare multiple attacks from different malicious actors and multiple attacks from the same actor. These comparisons lead to a better understanding of the offensive actors, and, just like in sports and other activities, offense informs defense. By using the Cyber Kill Chain® as a common language, election officials can better communicate malicious cyber activity affecting their offices within the community as well as to the wider public.

What you can do

When malicious cyber activity occurs, try considering it from the Cyber Kill Chain® perspective. Breaking it into the seven steps will likely help you better understand what activity occurred, whether it occurred on your system or elsewhere. This will lead to a more thorough understanding of the impact of the activity, a more informed remediation, and help identify other preventative measures.
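One way to apply the seven-step breakdown recommended above, as an added example that is not part of the original spotlight or Lockheed Martin's material: the script below lays constructed alert records out along the seven stages and reports the furthest stage with evidence, the earlier stages with no evidence (a pointer to missing telemetry), and the stage at which a control first blocked the activity. The alert categories, their stage mapping, and the sample records are assumptions made for the example, not a standard schema.

```python
"""Lay out incident evidence along the seven Cyber Kill Chain stages.

Added example, not code from the EI-ISAC spotlight or Lockheed Martin. The
alert categories, their stage mapping and the sample records are constructed;
a real deployment would map the category field of its own SIEM or IDS schema.
"""

STAGES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
]

# Hypothetical alert categories -> stage (an assumption, not a standard schema).
CATEGORY_TO_STAGE = {
    "port_scan": "Reconnaissance",
    "phishing_email": "Delivery",
    "exploit_attempt": "Exploitation",
    "new_service_installed": "Installation",
    "beacon_to_external_host": "Command & Control",
    "bulk_outbound_transfer": "Actions on Objectives",
}

# Constructed sample incident: four alerts, the last one blocked by a control.
SAMPLE_EVENTS = [
    {"time": "T+00:00", "category": "port_scan", "outcome": "observed"},
    {"time": "T+05:28", "category": "phishing_email", "outcome": "observed"},
    {"time": "T+23:13", "category": "new_service_installed", "outcome": "observed"},
    {"time": "T+23:18", "category": "beacon_to_external_host", "outcome": "blocked"},
]


def analyze(events):
    """Return (furthest stage with evidence, earlier stages lacking evidence,
    first stage a control blocked). Weaponization happens on the actor's side
    and is never directly observable, so it is left out of the gap list."""
    first_seen, first_blocked = {}, None
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = CATEGORY_TO_STAGE.get(ev["category"])
        if stage is None:
            continue  # telemetry not mapped to a stage is ignored
        first_seen.setdefault(stage, ev["time"])
        if ev["outcome"] == "blocked" and first_blocked is None:
            first_blocked = stage
    if not first_seen:
        return None, [], None
    furthest = max(STAGES.index(s) for s in first_seen)
    gaps = [s for s in STAGES[:furthest]
            if s not in first_seen and s != "Weaponization"]
    return STAGES[furthest], gaps, first_blocked
```

Calling `analyze(SAMPLE_EVENTS)` places the sample incident at Command & Control, flags Exploitation as the stage nobody saw, and shows the beaconing as the point where a control intervened; the gap is where to look for missing logging before the next incident.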

Additional information on the Cyber Kill Chain® model is available on the Lockheed Martin Cyber Kill Chain website.

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact [email protected].