## Research done towards understanding the Kill-Chain

### Section 1

##### Model 1: The 8 stages model **


**1. Reconnaissance**

"At the reconnaissance stage, the attacker gathers information about the target organization. They can use automated scanners to find vulnerabilities and weak points that may allow penetration. Attackers will try to identify and investigate security systems that are in place, such as firewalls, intrusion prevention systems and authentication mechanisms."

**2. Intrusion**

"At the intrusion stage, attackers are attempting to get inside the security perimeter. Attackers commonly inject malware into a system to get a foothold. Malware could be delivered by social engineering emails, a compromised system or account, an “open door” representing a gap in security, such as an open port or unsecured endpoint, or an insider accomplice."

**3. Exploitation**

"At the exploitation stage, attackers seek additional vulnerabilities or weak points they can exploit inside the organization’s systems. For example, from the outside, the attacker may have no access to an organization’s databases, but after the intrusion, they can see a database uses an old version and is exposed to a well known vulnerability."

**4. Privilege Escalation**

"In the privilege escalation stage, the goal of the attacker is to gain privileges to additional systems or accounts. Attackers may attempt brute force attacks, look for unsecured repositories of credentials, monitor unencrypted network traffic to identify credentials, or change permissions on existing compromised accounts."

**5. Lateral Movement**

"In the lateral movement stage, attackers connect to additional systems and attempt to find the organization’s most valuable assets. Attackers move laterally from one system to another to gain access to privileged accounts, sensitive data, or access to critical assets. Lateral movement is a coordinated effort that may span multiple user accounts and IT systems."

**6. Obfuscation**

"At the obfuscation stage the attacker tries to cover their tracks. They may try to delete or modify logs, falsify timestamps, tamper with security systems, and take other actions to hide previous stages in the kill chain and make it appear that sensitive data or systems were not touched."

**7. Denial of Service**

"At the denial of service (DoS) stage, attackers attempt to disrupt an organization’s operations. Usually the aim is to draw the attention of security and operational staff and cause a distraction, enabling the attackers to achieve their real goal, which is data exfiltration. DoS can be waged against networks and production systems, including websites, email servers, or customer-facing applications."

**8. Exfiltration**

"At the exfiltration stage, an advanced attacker finally “hits home”, getting their hands on the organization’s most sensitive data. Attackers will find a mechanism, typically some sort of protocol tunneling, to copy the data outside the organization, in order to sell the sensitive data, use it for additional attacks (for example, in the case of customer personal data or payment details), or openly distribute it to damage the organization."


_Note:_


 ** All descriptions for the stages are quoted from [exabeam](https://www.exabeam.com/) and can be found [here](https://www.exabeam.com/information-security/cyber-kill-chain/). Descriptions match the literature standards for the 8-phases model Kill Chain, but all credit for the exact wording goes to the authors cited in the article. 

###### How does the model match our data?

- 1) The classical definition for the first stage of the Kill Chain (KC) is less technical, often referring to actions such as 'gathering information on the target such as employee work schedule, e-mail lists, sponsorships, term targets etc.' This type of information would not be relevant to our data, as the actors are red_team penetration testers, who need not deal with any of those initial exploratory steps. The proposed scheme correctly highlights " Attackers will try to identify and investigate security systems [...] and authentication mechanisms." A considerable amount of such work is being carried out in the Authentication data, for precisely the mentioned purposes. From this perspective, the definition is mostly suited to our project.


- 2) Although logon attempts (eg. NetworkLogon, InteractiveLogon, CachedInteractiveLogon etc.) are sometimes met with failure, which may or may not be indicative of malicious purposes, our red_team actors do not require an intrusion mechanism per se. They are granted a connection attempt at the very least in the Authentication part of the attack, which then transfers into full effect on the Process data. Moreover, "Malware could be delivered by social engineering emails, [...], or an insider accomplice." holds very little relevance to our data. All testers are, in some weaker sense, "insiders". For all our intents and purposes, the intrusion stage appears as an unnecessary extension of the initial reconnaissance stage. We are therefore inclined to merge them into a single stage.


- 3) The nature of the attacks the red_team actors could've deployed given their acquired rights, their method of infiltration and all other factors remain unknown to our team, provided the description and traffic flow. Thus, we may at no point confidently declare that an actor was seeking insight into a particular vulnerability given a single event or a set of events. Nonetheless, it is highly anticipated that this is how an usual attack would be carried out. In our case, however, the exploitation stage very likely consisted entirely of a search for further channels of access - by this we understand that an actor would, once they have trespassed, look into ways to communicate further as to maximizing the damage done. The penetration testers were mostly challenging the IDS's in place from LANL. For our purposes, this is to be understood as something close to a  privileges escalation phase.


- 4) This crucial stage exists, beyond reasonable doubt, within our data. It likely comes in both the form of Authentication as well as Processes and we suspect it will be among the hardest stages to positively identify, being easily confused with anything from reconnaissance to the actual lateral movement. The part of the description stating "[...] change permissions on existing compromised accounts." is perhaps not so relevant to our cause. We have little to no way of verifying such claims within Authentication, though some of the processes or parent processes within the Process dataset may prove more indicative of privilege escalations. On the other hand, the goal to "monitor unencrypted network traffic to identify credentials" is how this stage would otherwise be identified within the Authentication dataset.


- 5) Lateral movement is another of the stages that unequivocally feature in an attacker's method that leaves tracks to follow on. Similarly to stage 4, however, most events that could suggest lateral movement may also be part of trivial research instead. This makes lateral movement a difficult stage to set a verdict on, as the key to success lies in placing events into context rather than examining them individually. The sentence "Lateral movement is a coordinated effort that may span multiple user accounts and IT systems." is perhaps the perfect summary for the situation we're facing within the Authentication data, where certain suspicious users exhibit 'hopping' behaviour - where they attempt the same authentication type multiple times on different destination devices. Nevertheless, as we have already mentioned, we must proceed with caution in these cases as well. If those attempts are met with consecutive failures, it may be the case that the actor is merely trying to infiltrate and gets spotted by the IDS. In that case, a penetrator would often look for other points of entry. This is notably similar to a lateral movement scenario, except there the actor would not be met with failures. 


- 6) There are two main problems in considering this stage of the kill chain. We'll start with the one that explicitly adresses our data: there is little to no evidence sustaining the idea that attacker's were trying to cover their tracks. Indeed, this often happens (except when the attack is meant to be evident, eg. DDoS) in real hacking scenarios. However, the team was more involved in the infiltration itself rather than covering traces of where the attack originated. Not only can those be tracked to some reasonable degree, but the blue team was always aware of attacks going on. No one was actively working on stomping the infiltration stages of the operation, the only defendant being the automated DS. Secondly, considering a separate obfuscation stage seems a bit outdated. The only sense in which this action takes place within our data is usernames being anonymized in the Process data, after having infiltrated successfully through the Authentication stage. However, the planning that goes into that action arguably takes place way before the lateral movement. Having taken control over a device at the 4th stage (Privilege escalation), one may use their means to anonymize any further activity. Thus, actions need to be traced back to the original actor from stages 1-3, which leaves the blue team the only real option of detecting the primary intrusion step. In this sense there is an argument against the 8 phases model, according to our team's shared opinions. 


- 7) Within our somewhat synthetic environment, there is no place for this stage to play out, unfortunately. All the tests were carried out in a controlled setting, where the productivity and work schedule of the blue team colleagues suffered no disruption or change. The DoS stage is often highlighted as the most obvious and essential stage of the entire operation. While that remains true in real settings, there's no need to further justify why it wouldn't make an appearance in a controlled penetration testing.


- 8) The final stage of the kill chain can positively be identified exclusively in the Process dataset. It consists of processes which exclusively transfer data to outside sources, and/or those that 'leak' the data in a spam-like manner. This is well captured by the description: "[...] copy the data outside the organization, [...] or openly distribute it to damage the organization." The red team testers are likely mimicking this interaction, once again, being particularly interested in whether such action is possible against the IDS meant to prevent exfiltration. If this procedure leaves any distinguishable characteristics, they are likely to be picked up without worry of confusing the events as belonging to another stage of the kill chain. 

##### Model 2: The 7 stages model ***

**1. Reconnaissance**

"Finding, identifying and choosing a destination, often carried out by scanning the internet, web sites, newsgroups, social media or information (white intelligence)."


**2. Weaponization**

"Preparation of attack tools, such as Trojan horses, explosions and data. This is usually a collection of tools that automate the arming. Place prepared tools in infected files that the victim will use (such as PDFs or Microsoft Office files) when they are delivered."


**3. Delivery**

"Upload of prepared "attack tools" to the attacked environment, through a pre-prepared attack vector (such as email attachments, web pages, or USB media)."


**4. Intrusion, Exploitation**

"After delivering the "attack tools" to the victim machine, the code is executed in the attacked environment. Most often exploits are vulnerabilities in applications or the operating system of an attacked computer. There are much simpler burglaries that use configuration errors or user unawareness."


**5. Installation**

"Installing a Trojan horse or so called “backdoor” in the victim's system allows the permanent existence in the attacked environment."


**6. Command and Control**

"Take control of the infected device. Typically, the compromised computer connects to the Control and Control (C2) computer through a specially created communication channel."


**7. Actions on Objective**

"It is only at this point that the right action is taken to achieve the objectives. Typically this is a penetration, analysis, collection and copying of data. Alternatively, a burglar may use the compromised computer only as a starting point for further attacks and the location from which the trusted victim network is penetrated."


_Note:_

*** All descriptions for the stages are quoted from [linkedin pulse](https://www.linkedin.com/signup/cold-join?session_redirect=https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fpulse&trk=login_reg_redirect) and can be found [here](https://www.linkedin.com/pulse/how-use-cyber-kill-chain-model-build-cybersecurity-ireneusz-tarnowski). Descriptions match the literature standards for the 7-stages model Kill Chain, but all credit for the exact wording goes to [Ireneusz Tarnowski](https://pl.linkedin.com/in/ireneusztarnowski?trk=pulse-article_main-author-card), the article's author.

###### How does the model match our data?


- 1) This definition of reconnaissance is what we have previously commented in the 8 phases model on as being an unsuitable approach. What we might identify in our data as network exploration has nothing to do with "scanning the internet, web sites, newsgroups, social media [...]". Instead, the stage is focused on initial penetration in the system, finding inside routes for later connections such as lateral movement and scanning for availability of logons through different destination devices.


- 2) This stage cannot possibly feature in our data. By definition, not only is this not a part of the red team's purposes since they're not inflicting any damage in the form of a trojan or virus; but if they were involved in these activites they wouldn't be detectable within the data at the stage of creation. Such activites would only become apparent once deployed, and the weaponization stage takes place externally to the target data and connections.


- 3) The deliverance of the 'attack tools' is equivalent, in our case, to a perpetrator's entry in the inner system, i.e. the initial penetration that authenticates the username and enables its further anonymization in the Process dataset. This stage is distinct from the reconnaissance, in the sense that there may be a large temporal gap between the exploratory phase and the actual start of the malicious operations. Moreover, there is no extension of actions to be observed in the former case, whereas the latter represents the start of all ulterior red team events.


- 4) Certain actions undertaken by an infected source device could potentially be spotted within the Process data, which would then be indicative of exploitation. One form of exploitation is given by privilege escalation, which is furthermore the most frequently cited such action. In this sense, the fourth stage of both models are similar, although the 7-phases model proposes a much more general description. However, the most useful bit for our problem is: "Most often exploits are vulnerabilities in applications or the operating system of an attacked computer." Indeed, we have no way of telling exactly what a user was doing, since processes have been anonymized in a procedure similar to the anonymization of the computer devices. However, one may infer the malicious intent of a process if it's run on an infected device and precedes events such as C&C or lateral motion.


- 5) Having been granted username access, anonymized or not, one may carry on with their perpetrator activities within the system provided they don't log out, get detected, are forced into failure or any other mean of compromising the continuity of their process takes place. In this sense, there is no 'installation' stage going on that we can verify or identify within our data. It is likely that many of the parent processes presented within the Process dataset represent downloads or installations. However, we cannot make any assumptions about those, and simply deduce what their intent is.  


- 6) This phase is equivalent to the 5th stage identified in the 8-phase model of Kill Chain, i.e. that of lateral movement. As we previously discussed then, it represents a stage that's indisputably observable within our data. What we'll be likely seeking is connections of the form ' UserX on CompA to CompB running some processes', later followed by 'UserX on CompB to CompC' where C is not necessarilly distinct from A. The actions leading to C&C can be traced back to Authentication, though this type of events in itself is unlikely to be seen anywhere but in Processes.


- 7) The final phase of the Kill chain is well established across any of the descriptive models as the stage of data exfiltration, ramsomware placement, or any other action that the red team wants to take on their objectives. This may appear in very different ways across different data, given the versatility of actions. The same comments made previously about the penetrators simply testing the connections rather than implementing malicious actions still apply, nonetheless.  

### Conclusions drawn from literature Kill Chain models

Both proposed models (and all their sources, literature variations and different descriptive details) well summarize an attacker's process when carrying out the hack. While all stages are hence relevant and in a well ordered succession, it became apparent that some are less or not at all relevant for the purpose of classifying events within our traffic data as pertaining to one stage or the other. For instance, externally driven stages such as 'Weaponization' cannot be identified in the logs of the infiltrated data for obvious reasons. Similarly, since the red team perpetrators were hired actors, no actual malicious intent was in place. The team was tasked with testing the defensive mechanisms put in place by LANL, crucially _without_ disrupting co-workers' activity. This fact also eliminates stages like 'Denial of service for attention drawing' from the plausible steps our model may identify. 


On the other end of the spectrum, a lot of useful classification criteria can be drawn from combining the most suitable descriptions from both models, and tailoring the product to our dataset. Start and end events of reconnaissance and exfiltration respectively certainly happen in the case of our data, though the latter is once again a mere test against the mainframe rather than possessing any malicious intent beyond defeating the IDS. In between these two, absolutely crucial steps such as lateral movement/C&C, intrusion and privilege escalation take place - where actors test their infiltration and contamination capabilities following different networking models and patterns. These are sometimes picked up via periodicity, at other times based on their distribution and sometimes they don't feature in an actor's plan. It is perhaps worth noting that different red team workers may have been tasked with different levels of penetration. Perhaps some were given escalated rights as a prior and offered consequently more difficult missions such as chain corruption or exfiltration, whereas other could have been tasked with only reconnaissance without any internal assistance. Regardless of the chosen task distribution for the experiment, events should be picked up and classified accordingly.

**References**

[1. Eight stages KC description](https://www.exabeam.com/information-security/cyber-kill-chain/)


[2. Alternative source for the eight stages KC](https://www.varonis.com/blog/cyber-kill-chain/)


[3. The 7 stages Kill Chain](https://www.linkedin.com/pulse/how-use-cyber-kill-chain-model-build-cybersecurity-ireneusz-tarnowski)


[4. Alternative source for the seven stages KC](https://www.usprotech.com/7-essential-steps-cybersecurity-kill-chain-process/)