Today’s columnist, Nicole Hoffman of GroupSense, explains the evolution of the Cyber Kill Chain developed by Lockheed Martin and argues that the industry needs a kill chain specifically for ransomware. (Credit: Creative Commons: https://www.flickr.com/photos/[email protected]; https://creativecommons.org/licenses/by/2.0/legalcode

Lockheed Martin introduced the Cyber Kill Chain in 2011, one of the first frameworks to step away from an indicator-centric approach and focus on adversarial techniques, tactics, and procedures.

Ten years later, the Cyber Kill Chain remains a foundational framework widely used in cybersecurity and incident response strategies. However, there’s a new species of cyber-attack wreaking havoc across the globe known as ransomware. This infamous attack does not fit into the traditional Cyber Kill Chain attack lifecycle.

The most pressing concerns a decade ago for many organizations were the potential regulatory, reputational, and financial damages caused by data breaches. Ransomware presents a far more complex threat scenario today for three main reasons:

  • It’s existential: The old “reputational” concerns of the past seem quaint compared to today’s ransomware threat, where the inability to use the systems required for business operations can mean bankruptcy, particularly for smaller businesses.
  • It’s multi-phase: To increase the urgency of ransomware demands, threat actors will often use double extortion techniques such as exfiltrating data before encryption. If ransom demands are not met, ransomware groups will threaten to publicly leak or sell the stolen data. Victims are left with two concurrent issues: decryption and preventing data exposure.
  • It’s multi-party: The dark web ecosystem has simplified ransomware operations, where “initial access brokers” sell access to compromised networks and ransomware-as-a-service (RaaS) vendors make it easy for anyone to become a cybercriminal. The fate of the company might be in the hands of a sophisticated ransomware syndicate that wants an initial victim to recover their data (so others will also pay), or an inexperienced freelancer who might behave erratically and not care whether a company recovers its systems.

These factors were not in place during the development of the Cyber Kill Chain. However, many organizations make the mistake of simply folding ransomware attacks into existing incident response programs. What’s really needed is a new Ransomware Kill Chain, which can form the framework for ransomware response plans.

If an organization can disrupt a ransomware attack early in the Ransomware Kill Chain, it can significantly reduce the overall impact. In this new concept adapted for today’s threat environment, there are three key “links” in the chain, each with increasing levels of risk and potential damage:

  • The Access Phase: Threat actors establish and sell access. Even if organizations fail to detect the presence of an intrusion, there’s still time to break this link in the chain before damage is done. Security teams can do this by monitoring access broker sites and determining if accesses to the company’s network are being sold. They can do this through a combination of automated and human intelligence, because it requires engaging the threat actor as a potential “customer” and getting information verifying the network breach. 
  • The Exfiltration Phase: Threat actors escalate privileges and move laterally across the network to find valuable data to exfiltrate as part of their double extortion scheme, threatening to release it on dark web “shame sites” if the victim does not pay the ransom. 
  • The Encryption Phase: The threat actor unleashes the ransomware, encrypting the data and the victim gets notified of the ransom demands or price for the decryption keys.

Beyond the ransomware kill chain

Security teams also have a considerable amount of work before and after the kill chain. Before, organizations should take steps to minimize the opportunities for threat actors to establish access. For example, the most common attack vectors used to carry out ransomware attacks are phishing campaigns, remote desktop protocol (RDP) vulnerabilities, and software vulnerabilities. Addressing these important issues could substantially reduce the number of soft targets for threat actors.

Likewise, companies should properly prepare for a ransomware attack. Generic incident response plans will not get the job done – security teams need to have a specialized ransomware response plan in place where executives and third parties have engaged in tabletop exercises and know exactly what needs to happen. Companies should discuss issues like “should we pay ransom or not?” ahead of time, and if the company opts to pay, it needs to assign a predefined (and competent) representative to handle the negotiation and transaction with the threat actor.

After an attack, organizations need to immediately identify and mitigate the initial access vector, or they only invite more attacks. Recently, we were in the process of closing a ransomware negotiation when the client was hit again by a second ransomware group. Now there were two different ransomware syndicates to deal with, not to mention the complexity of trying to decrypt data that had been encrypted twice!

Situations like this were never envisioned when the Cyber Kill Chain was initially created – and that’s why ransomware needs a kill chain of its own.

Nicole Hoffman, intelligence analyst, GroupSense