Ransomware attacks have long since been on a steady rise, wreaking havoc and destruction within the cybersecurity industry. Since the coronavirus pandemic in 2020, there has been a 148% rise in ransomware attacks.
The situation in 2021 was alarming as the number of attacks continued increasing. The year 2021 saw some of the worst ransomware attacks, such as the REvil Ransomware attack. The situation seems very dire when it comes to ransomware attacks. Specifically, a ransomware attack can lead to financial and reputation losses.
Any organization facing a ransomware attack gets all of its data encrypted so that they can only recover their data after paying a hefty ransom. What’s more, the cost of that ransom has grown around $200,000. Apart from that, there is always the danger of losing client and partner trust and having them permanently withdraw from the organization. Therefore, with such high stakes at risk, cybersecurity professionals are always looking for a solution to mitigate ransomware, such as the Cyber Kill Chain Model.
What is the Cyber Kill Chain Model?
The Cyber Kill Chain Model is a security framework that’s part of the Intelligence Driven Defense Strategy. The model identifies and prevents cyber threats by identifying the necessary steps a threat actor takes to launch a cyber-attack successfully.
The term kill chain is taken from the military, which is used to define the structure of an attack. It covers all the aspects of an attack, such as identifying the target, dispatch, order, and destruction. In 2011 Lockheed Martin took this military kill chain model to design the Cyber Kill Chain Security Model, which outlines the various aspects of a cyber-attack.
According to the model, a typical cyber-attack is a layered process that occurs in seven essential stages. In theory, if security teams are made aware of these seven stages of a cyber-attack it can help them to better understand the process and give them the leverage to identify and stop a cyber-attack at any of its executive stages. The quicker the security teams can detect and intercept the threat actor during their attack procedure, the better chance they can defend themselves or delay the cyber-attack.
The Cyber Kill Chain Model can help organizations build up a better defense system against ransomware attacks. Since ransomware is a strategically designed cyber-attack involving social engineering tactics, the Lockheed Martin Cyber Kill Chain Model can prove effective against it, primarily as it also addresses the humanistic elements of a cyber-attack.
How can the Cyber Kill Chain Model help mitigate ransomware?
The Lockheed Martin Cyber Kill Chain Model is designed to help understand how a ransomware attack targets and infects an organization’s security infrastructure. While a typical cyber-attack might occur in seven stages, ransomware requires six main stages of execution. The model outlines the following six stages in dissecting a standard ransomware attack.
To launch a successful ransomware attack, the threat actor collects relevant information. If a randomized ransomware attack targets several organizations, the “relevant” information consists of email addresses required to deliver the infected payload. The threat actor might collect this list of emails through random spam lists acquired through various data breaches of websites and other organizations.
If the threat actor is targeting a specific organization, then the reconnaissance phase will comprise the information collected on that particular organization. The threat actor uses the collected data to construct the relevant social engineering tactic to successfully deliver the infected payload.
Apart from that, the attacker might also gather security vulnerabilities, loopholes, and weak points within the organization’s security infrastructure. The threat actor may scour the security infrastructure and find information on the security technique and tools used by the organization to exploit it. For the social engineering campaign, the threat actors may also look for unsuspecting employees to target.
Organizations at this stage can employ various tools and strategies to protect themselves such as setting up endpoint security tools, monitoring entry points to system networks, and implementing the zero-trust security infrastructure.
After collecting the relevant information, the attacker will then use that information in the most effective way to launch an attack. In case of a ransomware attack that relies on social engineering tactics, the attacker will craft a relevant social engineering tactic.
For mass ransomware attacks, the social engineering campaign will target the collected list of compromised emails. In contrast, for an attack on a specific organization, phishing emails will target gullible employees. The social engineering tactic can either be clickbait or a whaling attempt where the threat actor might hide the malware within documents such as PDFs or office files.
The attacker will also use the information collected on the organization’s security infrastructure to craft the ransomware. The crafted ransomware will be stealthy enough to evade most of the security measures in place.
Even at such an early stage, the security team can protect its organization by analyzing each external email and hard drive for malware. Having security awareness within employees regarding phishing and ransomware attacks can also help secure the organization.
This phase of the attack focuses on delivering the ransomware to the target environment. Since it is the case of a ransomware attack, the threat actor can use one of the following tactics to have the infected payload safely:
- Infected portable hard drives such as USBs,
- Whaling attack,
- Phishing emails, and
- A drive-by download that installs malware along with a regular program.
While at this stage, the security teams can protect their organization by having proper protective measures against phishing attacks. Apart from that, the organization should also have relevant endpoint security tools installed. Another crucial aspect of protecting the organization from cybercriminals is to have a robust compromise assessment program that ensures minimal damages in case of such attacks.
4. Command and Control
Once the malicious software has penetrated the system, the software will install itself, getting past the security measures unnoticed. The malicious application mainly attempts to form a communicative channel with its command network called C2 activity.
The command network is an external IP or domain address that the ransomware application communicates with to relay the infected host system data. The same command center is also used to retrieve encryption key data.
If the ransomware application is embedded with public key encryption, its reliance on the malicious IP and anonymized network for communication is particularly crucial to operate effectively within the target environment. The reason is that the ransomware embedded with a public encryption key needs a separate key for an infection to be downloaded from the C2 infrastructure.
Security at this stage by the security team mainly relies on detecting the malicious software within the system. For that, the network security infrastructure must have robust anti-virus software and updated devices. Apart from that, the security team can conduct regular vulnerability scans to path network vulnerabilities that ransomware could exploit to prevent a ransomware attack.
5. Discovery and Spread
In the case of a typical ransomware attack, this phase consists of the malware moving laterally within the network to gain access to higher data. Typically the malware would achieve this by exploiting vulnerable passwords, carrying out brute force attacks, and targeting various other system vulnerabilities.
However, few modern ransomware available nowadays relies on self-propagation. In fact, for ransomware functions these days, the spread phase is limited to the initial attack in emails or compromised websites. Only a few ransomware variants are available that will work to spread out and infect system files and other hosts.
Therefore, the security at this stage can be the identification of the ransomware. If it is the type to spread about, then it is best to isolate the device or the system with the ransomware infection to contain the spread. The security team would also need proper threat hunting and compromise assessment at this point to ensure minimal damage to the data present within their system.
The extraction phase within a ransomware attack often means the ransomware payment itself, usually a hefty sum paid in Bitcoin. However, the extraction phase also involves the ability to extract the data from the infected system.
In many cases, the extraction phase of the Cyber Kill Chain for a ransomware attack is already too late. The organization, at this point, cannot do much to mitigate the impacts of the infection. The ransomware works to search for relevant data and to ensure a successful ransom.
The security teams can, however, prepare themselves in advance for this step. The best security protocol here is to follow regular backups for their data to prevent data loss. Apart from that, they should also notify the law authorities and deal with the matter professionally.
cyber kill chain model – conclusion
Whether ransomware attacks or any other form of cyber-attack, protection and prevention require a holistic approach to security; the Cyber Kill Chain Model works to integrate that within a security infrastructure, touching on the humanistic and technological aspects of cybersecurity. A proper understanding of cyber-attacks through this model can help ensure robust cybersecurity that we need amidst the modern, sophisticated cyber threat landscape.