The business of protecting users, networks, and entire systems from hackers and state-sponsored threat groups has never been a stagnant industry or boring. New threats in the form of malware are expected but how to detect them and ultimately prevent them from causing havoc is not an easy task. Security researchers at Lockheed Martin 2011, developed a methodology to detect and neutralize cyber threats. The methodology was called the Cyber Kill Chain which involved several stages in dealing with cyber threats. The stages presented how a cyber-attack occurred and presented it as a chain of events. This chain was developed to help researchers and analysts understand the enemy. However, a lot has happened since 2011 and the Cyber Kill Chain may not accurately describe how a cyber-attack happens and how the attacker operates.
This opinion is shared by numerous researchers including Tom Kellermann, Chief Security Officer at Carbon Black and former cyber commissioner for President Obama, who recently published a paper titled “Cognitions of a Cybercriminal” which prevents a new theory to help researchers better combat cyber threats. His theory, which he terms “Cognitive Attack Loop”, looks to address the apparent failure of the Cyber Kill Method. The theory is an attempt to describe how real-world attacks, particularly those of state-sponsored groups, are carried out. Recent attacks illustrate that the old view of hackers looking to break in, steal, and exit as quickly as possible, like in a burglary, no longer applies.
Rather, the hacker wishes to remain on the network operating quietly. Kellerman argues that defenders of networks need to recognize the new reality and to start thinking about a modern persistent cognitive attack loop rather than a linear attack chain.
This shift in approach is needed as Russian hackers have revolutionized how attacks are carried out since the Cyber Kill Chain was put forward. This revolution in tactics is often directly linked to the Gerasimov Doctrine. In 2013 the Russian General Gerasimov, summarising the doctrine, said,
“The very 'rules of war' have changed. The role of non-military means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness.”
These non-military means have come to embody cyber tactics performed not only by Russian hackers but have been copied across the globe. According to Kellermann changes in attack, the method could be seen when Russian hackers started including secondary command and control servers which were placed on a sleep cycle. Such tactics were further enhanced by incorporating sandbox evasion techniques, the use of steganography to deploy secondary payloads, island hopping to compromise a host and leverage further attacks from that host. These are not merely theoretical tactics but have been seen in the wild. Kellermann provides two examples, the first being the Democratic National Committee attacks despite the attacks been detected using the Cyber Kill Chain approach the secondary command and control server was not detected meaning the attackers to stay on the infected network right up till election. The second example provided involves Turla. In an interview with Security Week Kellermann explained,
“A new technique that the Russians have pioneered over the past year, is reverse business email compromise, where they commandeer the mail server and very selectively, through the use of machine learning, send out fileless malware against the board and the most senior executives from other companies that communicate with that organization. The newer technique that they are using, and another thing that we should pay attention to, is this construct of island-hopping platforms and essentially access mining in systems and leveraging text files to move laterally. These are all techniques that the Russians are employing.”
No Longer a Chain but a Loop
Given the above examples, Kellermann argues that no longer can cyber-attacks be seen as a chain of events but rather a loop. Rather than several events in a chain Kellermann’s theory involves three stages in a loop, those being: reconnoiter and infiltrate; maintain and manipulate; execute and exfiltrate with no planned exit. Each stage has further subdivisions which include privilege, persistence, and evasion within the network, then to maintain and manipulate followed finally by exfiltration of data, destruction, and disinformation. As there is no exit the hacker aims to remain on the network indefinitely. Only when the attack is discovered will they exit, but with a view to compromise the network again, starting the loop once more. The tactics of stealth and persistence need to be met by defenders in a new way and a more effective approach. Kellermann describes current tactics as being too focused on finding the bullet to a smoking gun, rather prevent attacks researchers need to look at why the target is chosen and how the attack is achieved. This implies that indicators of compromise (IOC), those been artifacts proving network intrusion by a hacker, cannot be the only thing analysts and researchers look for, rather more behavioral analysis needs to be conducted. It is hoped that by understanding behavior and context researchers will be able to determine the why, or intent, behind the attack. This will further help researchers to predict actions and contain events before damage is done. Kellermann knows that this is just a starting point in defining a new strategy and insists that,
“for a new strategy that will be completely intertwined with MITRE Att@ck, but will also allow us to become faster especially in decreasing dwell times and suppressing an adversary without that adversary knowing it. We have been far too loud and far too arrogant in how we conduct incident response in industry.”