As soon as I read “cyber kill chain” I immediately hated it. This was in 2011 when Lockheed Martin first came out with it and the word cyber hadn’t been used enough to make me numb to it like now in sad 2017. The other two thirds of the phrase felt like another attempt to make something computery sound cooler by associating it with the military. KILL CHAIN slots perfectly into the teenage power fantasy that is hacking, and I say that with full ironic understanding that I am partially motivated by such things.

Here’s the Wikipedia definition of a Kill Chain:

The term kill chain was originally used as a military concept related to the structure of an attack; consisting of target identification, force dispatch to target, decision and order to attack the target, and finally the destruction of the target. Conversely, the idea of "breaking" an opponent's kill chain is a method of defense or preemptive action.

Lockheed Martin then tried to clumsily apply this to, uh, cyber and out popped this infographic which explains the 7 easy steps to cyber kill something.

cyberkillchain.png

Right. Starting near the top, #2 Weaponization is an obviously dumb link in the chain because it’s completely out of our control. It’s a step that takes place on their computer. Because we have no way to affect it, it shouldn’t be on the chain. The point of the chain is for each link to represent an action that we can disrupt or deny. We could add a million dumb links for actions out of our control and they’d be exactly as useful as #2.

#3 Delivery, yeah ok. #4 Exploitation is fine I guess. I don’t want to get too pedantic about what exploitation is so they can have that one.

#5 Installation. Why does anything need to be installed? We’re not some .msi installation wizard saying hello how you doing to the computer, we’re hacking it. We can live in memory and never touch disk or be “installed” permanently. This isn’t the ’90s.

#6 Command And Control AKA c&c AKA C2 AKA I’ve never heard of worms even though Stuxnet, the biggest deal of a worm ever, was discovered the year before this was published.

I want to reiterate the point of the chain: if any link is broken then the attack is stopped. But as we’ve seen, some of these links aren’t necessary, and breaking them or making them impossible wouldn’t stop an attack.

Let’s see how the chain applies to one of my favourite worms, Code Red, the classic “Hacked By Chinese!” worm that compromised hundreds of thousands of IIS servers in July 2001.

  • Recon: It didn’t perform recon, it randomly generated a target IP and fired the exploit at port 80.
  • Weaponization: lol
  • Delivery: yes! Here we could have stopped it, though websites generally like to be accessible.
  • Exploitation: sure
  • Installation: Code Red didn’t ‘install’ itself; it lived in memory and could be removed via a reboot.
  • C&C: Nope, preprogrammed actions depending on the date (spreading, DDoS against fixed IP addresses, sleeping)
  • Actions on objectives: For a worm I guess this is the spreading/DDoS/sleeping part and can be denied.

3 out of 7, a nice model of reality.
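Since Delivery is the only link where a defender actually gets to see Code Red, here is what breaking that link looks like in practice. This is an added example, not code from the original post: a small detector that reads IIS W3C extended log lines and flags the worm’s exploit request (a GET for /default.ida with a long run of ‘N’ filler for the original Code Red, or ‘X’ for Code Red II, followed by %u-encoded shellcode). The log lines are constructed, the IPs are from documentation ranges, and the minimum filler length of 100 is an assumption chosen to keep false positives down.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Added example, not from the original post.  The Code Red family hit the IIS
# Index Server ISAPI extension (.ida) with a GET for /default.ida whose query
# string is a long run of filler ('N' for the original Code Red, 'X' for
# Code Red II) followed by %u-encoded shellcode.  The filler run and the %u
# prefix are the stable parts of the request, so that is what is matched here;
# the minimum run length (100) is an assumption, not a figure from the worm.
CODE_RED_RE = re.compile(
    r"^/default\.ida\?(?P<filler>N{100,}|X{100,})(?P<payload>(?:%u[0-9a-fA-F]{4})+)",
    re.IGNORECASE,
)


@dataclass
class Hit:
    timestamp: str
    source_ip: str
    variant: str


def classify_request(uri: str) -> Optional[str]:
    """Return the variant name if the URI (stem plus query) is a Code Red exploit attempt."""
    m = CODE_RED_RE.match(uri)
    if m is None:
        return None
    return "CodeRed" if m.group("filler")[0].upper() == "N" else "CodeRedII"


def scan_iis_log(lines: Iterable[str]) -> List[Hit]:
    """Scan W3C extended log lines, using the #Fields directive to locate columns."""
    fields: List[str] = []
    hits: List[Hit] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than guess at columns
        rec = dict(zip(fields, parts))
        if rec.get("cs-method", "").upper() != "GET":
            continue
        query = rec.get("cs-uri-query", "-")
        uri = rec["cs-uri-stem"] if query == "-" else f"{rec['cs-uri-stem']}?{query}"
        variant = classify_request(uri)
        if variant:
            hits.append(Hit(f"{rec['date']} {rec['time']}", rec["c-ip"], variant))
    return hits


def attackers_by_variant(hits: Iterable[Hit]) -> Counter:
    """Count exploit attempts per (source IP, variant); every source is a random scanner."""
    return Counter((h.source_ip, h.variant) for h in hits)


# Constructed sample log (not a real capture).  The filler length and the
# opening %u bytes are chosen to resemble the real worm's request.
_SHELL = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:00:01 192.0.2.10 GET /index.html - 200",
    f"2001-07-19 10:00:07 198.51.100.23 GET /default.ida {'N' * 224}{_SHELL} 200",
    f"2001-07-19 10:00:09 198.51.100.23 GET /default.ida {'N' * 224}{_SHELL} 200",
    "2001-07-19 10:00:30 192.0.2.10 GET /default.ida CiRestriction=none 200",
    f"2001-08-05 03:14:15 203.0.113.77 GET /default.ida {'X' * 224}{_SHELL} 200",
    "2001-08-05 03:14:16 203.0.113.77 POST /default.ida - 404",
]

if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print(attackers_by_variant(found))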

But that’s not the thing I dislike most about the CKC. It’s #7 Actions On Objectives. The amount of complexity those few words hide is ridiculous. It’s here that the entire chain falls apart. Because what are Actions On Objectives? It’s reconnaissance, it’s exploitation, it’s C&C, it even fucking contains #2 Weaponization! Turns out hacking isn’t a straight line but a loop with clearly defined exits: leaving the network by choice or getting kicked out temporarily.

Everything I’ve written has been said before by many other people but the chain persists. People just love that brand awareness / EDGY NAME so much that they have to get in on it, even when they know it’s wrong. So they make modifications but keep the name. Like @PwC_Belgium

pwcbelgiumcyberkill.jpg

Look at that Freudian looping style. You can tell that they know it should be a real loop but they’re afraid of showing too much independent thought. They did add an 8th step though: rm’ing your logs.

weirdkillchain.jpg

Same Freudian loops but without the budget.

weirdkill2chain.jpg

Just make it a loop already! They’re so close.

icskillchain.png

Another contender, ICS, straight up name jacked the Cyber Kill Chain and applied it to their smurf dong. Note: this is just stage one of their multi donged approach to hacking.

varoniscyberkillchain.jpg

There were some people out there who knew in their bones that it had to be a loop but couldn’t work out how to make it one. Some decided to link the whole thing from front to back, because it’s a well known fact that you always have to start at the beginning when you decide to do more hacking.

They also decided to add two of their own steps to the Cyber Kill Circle, swapping out Weaponization for Obfuscation and adding DoS, leading straight into exfiltration. I’m not sure about you but I always DoS the network just when I’m trying to exfiltrate data out.

tiered-killchain.jpg

expanded-cyberkillchain.png

Others, who had not yet discovered loops, went with the more primitive ‘tiered’ approach.

microsoftkillchain.jpg

Frustrated with their inability to find a singular loop location, Microsoft, in its hubris, soars like Icarus by adding two loops to the chain. One loop apparently smaller than the other, even though the smaller one is labeled ‘month’ vs the larger loop’s ‘week’. I don’t know what it is about the Cyber Kill Chain that just warps a person’s brain like a Lovecraftian creature. I’m pretty sure that I can recall a H.P. Lovecraft story in which a diary of an estranged sailor is discovered; he had been marooned on a hellish island, driven mad by visions from an ancient dreaming god, but manages to return to civilization and all the while muttering

Ph'nglui malw'nath C'ybar Kyll Ch'aayn fhtaan!

Now, I’ve talked a lot of smack in this post about the various gymnastics people have gone through to contort the Cyber Kill Chain into something that resembles reality, but who has done this well? My go-to for representing the lifecycle of an attacker is from Matt Monte’s book Network Attacks and Exploitation: A Framework

good-killchain

How hard was that huh? In fact, if you take the original chain and draw arrows from every stage to every other stage, then I’d be a lot happier. Note the text at the bottom, “ideal operational life cycle”. This is because hacking is messy and there aren’t straightforward steps to it every time. Matt represents this reality well:

mess

What is this big whinge all about then? What’s the take away? Well, if you didn’t already know the Cyber Kill Chain was dumb then you’ve got that, but I also want people to stop naming their own versions after the Kill Chain because it perpetuates the original bad idea. Newcomers, management, the people who read CSO magazine, all think the Cyber Kill Chain represents reality and that is bad for everyone. It’s like wearing a harness on your mind.

It’s making us dumber. The above is evidence of that. I didn’t overly cherry pick the ridiculous pictures you see above; I just searched twitter for “cyber kill chain” and scrolled down a year’s worth of tweets to find them. They’re just trying to represent reality with a bad model.

So please, come up with your own over militarized term for something technical and not that cool so we can leave the Cyber Kill Chain to die.