Threat Intelligence Frameworks - Breaking the chains
Breaking the chains and moving away from the cyber kill chain once and for all?
Introduction
Currently in the threat intelligence industry we rely heavily on US military and intelligence ideas which were transferred into a cyber paradigm; for example the cyber kill chain, the diamond model and analysis of competing hypotheses (ACH). These are good frameworks and processes to introduce as concepts for understanding the different stages of cyber attacks, but they are becoming less relevant in threat intelligence work and, in my view, are hindering sound intelligence analysis outside of the public sector.
In this post I detail how threat intelligence has moved away from large, late attribution phase reports to more mixed reporting due to the variation in audience. I also point out why private organisations should move away from the cyber kill chain in cyber security reporting and analysis.
Threat Intelligence now isn’t just for governments
Threat intelligence has moved on since APT1; it's good to cast our minds back to the APT1 report and observe the differences analysts face now compared to back then.
The APT1 report is one of the most comprehensive and impressive public reports on China-based threat actor activity. For those who are unaware, it was the first public report by a commercial entity which detailed APT activity related to cyber espionage. This is a huge threat intelligence report containing over 70 pages of content, which most organisations would not easily consume in today’s market. The report dives into a complex multi-year investigation of a threat actor with (at the time) advanced capabilities targeting a vast number of sectors. Most organisations do not have the capabilities or the resources to properly process the information revealed in this report and, if it were released today, would likely rely on consultancies to summarise the information and give actionable intelligence.
The market back then for consuming commercial threat intelligence was incredibly small and was largely dominated by the public sector. However, it has since moved on and organisations' cyber security posture is advancing, even if only in a small section of industries, with healthcare and banking leading the way.
From my analysis, the APT1 intelligence report is likely focused toward selling to governments, with attribution of the threat actor as close to a persona/individual level as possible. This level of granularity requires huge amounts of technical information and is still just technical data which supports a hypothesis based on a human’s possible interactions with a keyboard. This granularity is late in an attribution ‘phase’ of a threat actor, which most organisations will not need to understand; this phase is largely dominated by governments, who wish to execute indictments on specific individuals and impose cost on individuals and governments taking part in cyber attacks.
For example, a threat actor dubbed APT41 was exposed by indictments by the US government in 2020. The indictment showed an incredible level of access to the threat actor’s activity and communications, such as a print out of communications showing the threat actor discussing an attack on a Hong Kong hotel chain.
Concepts which improved threat intelligence reporting were only recently being developed at the time of the APT1 report release. The ‘Pyramid of pain’, for example, had only just been released in 2013; it is a model stating that indicators of behavioural activity (accessed registry keys, executed commands, common behaviours) are more valuable than atomic indicators (MD5, SHA-1, IPs). This theory has slowly become dominant among practitioners, from which the MITRE ATT&CK framework was born, and reports became more about tools, techniques and procedures (TTPs - also described as tactics, techniques and procedures). The APT1 report does have TTP information in it, but the report isn’t focused on this due to the TTPs concept just being released.
In today's threat intelligence reports, the viewership is much more varied, leading to changes in the length and language of some threat intelligence industry reports. Variety like this is good, as organisations are more exposed to threat intelligence and other defence concepts. The availability of technical data which is accessible and relevant to an organisation is critical for organisations to consume threat intelligence (and subsequently make attacks harder for a threat actor). However, using the processes designed by governments for governments can slow the defence of an organisation and ultimately fail to give the right picture. For example, for many organisations the late phases of attribution are ultimately a waste of labour and time. Understanding an operator or understanding their exit points (network router exit points where they are identifiable) is cool, but ultimately for many organisations knowing which particular threat actor has conducted the activity is enough.
Key point: Commercial threat intelligence reports first started with governments as an audience but have since changed, leading to changes in how information is displayed. Advances in cyber concepts such as tools, tactics, procedures (TTPs) have led to a more palatable read for a variety of organisations and to better yields in defending enterprises. However, improvement is needed; organisational maturity is still slow.
Breaking the chains
The cyber kill chain framework describes a step by step process an attacker could take during a lifecycle of an attack; a similar one is described in Mandiant's APT1 report. This includes reconnaissance, weaponisation and exploitation. This is problematic for modern cyber threat intelligence analysis and intrusion analysis: the concept is good to understand the basic structure of an attack, but attacks are far more complex now and most threat intelligence providers rarely see the full chain.
Attackers may work as a network where they use initial access brokers, a type of attacker often associated with crime-motivated threat actors and responsible for the initial entry, likely including reconnaissance of an organisation. There is evidence of advanced persistent threat (APT) actors also handing over access after initial entry to another threat actor.
Multiple threat actors being involved in one intrusion complicates attribution, assessments, understanding the overall threat and TTP mapping. In short, a threat actor's main objective might be just installation of malware. Here for example is a graphic publicly available from CrowdStrike indicating interconnections within a crime threat actor ecosystem. It indicates the complexity we face as threat intelligence practitioners in communicating threats and their connections in reports and other threat intelligence products. The “actions on objectives” phases aren’t always clear. Phases are sometimes missed, such as communication with a C2 (ransomware), leaving it difficult to use the cyber kill chain often in a compelling manner. Of course, ransomware may be part of an infection chain communicating with a C2, but that’s not always the case. Credential spraying an RDP server and then executing ransomware, or exploiting an external web service to execute code, does not require a C2.
From a high level the kill chain can loosely describe attacks with multiple threat actors, but it cannot be used accurately as a framework to investigate modern attacks. The telemetry or access to data an organisation possesses to understand an attack often will not include the reconnaissance or other stages, making the cyber kill chain difficult to communicate in attacks. This is due to a variety of reasons but often comes down to log retention policies at the victim organisation (if logs are even held for that matter!).
Attackers may take days, weeks or even months to attack an organisation after initial reconnaissance. A threat intelligence consultancy may hold more information on the reconnaissance stage, but this information (IPs, user agents) can often hold very little value to a private organisation because everyone is scanning the internet.
If an organisation doesn’t observe every step of the cyber kill chain it becomes difficult to use it often and, as already mentioned, hard to use it in a compelling manner.
The kill chain on occasion can seem quite dated too; for example, the model is influenced by endpoint intrusions and can be tricky to fit into cloud concepts. Cloud concepts have slowly been introduced into other frameworks such as the MITRE ATT&CK framework, but the kill chain has remained. Others have introduced cloud cyber kill chains, but from my observations these have not been integrated into security teams, largely due to them trying to keep the same format as the cyber kill chain without truly expanding it.
It is encouraging to see steps to try and reform the cyber kill chain recently through the Unified cyber kill chain. However, even in the Unified cyber kill chain most of the heavy lifting is done by the MITRE ATT&CK Framework and the In, Through, Out concept.
Key point: The cyber kill chain for modern intrusion analysis has become outdated and on occasions more of a hindrance compared to other frameworks. While it still holds use on occasion to some analysts, it has clear problems that significantly reduce its practical value. Communicating the idea of the cyber kill chain is trivial, but attempting to map a modern attack to it often leads to missing phases or having the analyst change the analysis of the attack to suit the framework better.
Conclusion
This blog attempts to signify a required divergence away from public sector intelligence frameworks for threat intelligence work; specifically in this instance the cyber kill chain. As intelligence has evolved into the digital age, concepts derived from military and classic intelligence remain. These concepts are critical to understanding threat intelligence as a subject, but often difficult for organisations, especially in the private sector, to use during dissemination of threat intelligence products. My points complement a talk I watched by JD Work, who highlights the problems with the colliding intelligence communities in the public and private sector.
I’m not the first to have some critique of the cyber kill chain, but for me it's wider than that. I hope in my next posts to discuss other threat intelligence processes which should be reviewed, critiqued and in some cases scrapped.
‘APT1: Exposing One of China's Cyber Espionage Units’, Mandiant, https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf (2013)
‘Organizational cyber maturity: A survey of industries’, McKinsey, https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/organizational-cyber-maturity-a-survey-of-industries (4th August 2021)
‘Attribution of Advanced Persistent Threats’, Timo Steffens, https://doi.org/10.1007/978-3-662-61313-9 (20th July 2020)
‘Seven International Cyber Defendants, Including "Apt41" Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally’, United States Department of Justice, https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer (16th September 2020)
‘The Pyramid of Pain’, David Bianco, http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html (1st March 2013)
‘New ICS Threat Activity Group: KAMACITE’, Dragos, https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-kamacite/ (3rd January 2021)
‘2021 Global Threat Report’, CrowdStrike, https://www.crowdstrike.com/global-threat-report-2021/ (2021)
‘Scanning the internet for fun and profit’, NCSC UK, https://www.ncsc.gov.uk/blog-post/scanning-the-internet-for-fun-and-profit (1st November 2022)
‘A Comprehensive Survey of Recent Internet Measurement Techniques for Cyber Security’, Computers & Security Volume 128, https://doi.org/10.1016/j.cose.2023.103123 (May 2023)
‘Understanding The Cloud Infrastructure Cyber Kill Chain’, Michael Raggo, https://www.forbes.com/sites/forbestechcouncil/2020/08/25/understanding-the-cloud-infrastructure-cyber-kill-chain/?sh=6f860cb76d8e (25th August 2020)
‘The Unified Cyber Kill Chain’, Paul Pols, https://www.unifiedkillchain.com/assets/The-Unified-Kill-Chain.pdf (v1.3 February 2023)
‘Intelligence Communities in Collision’, JD Work Crisis Con, youtube.com/watch?v=VCvTFXZQzDU (25th March 2020)
‘Deconstructing The Cyber Kill Chain’, Giora Engel, https://www.darkreading.com/attacks-breaches/deconstructing-the-cyber-kill-chain (18th November 2014)