In this series, we are looking through the Unified Kill Chain. In the previous part, we looked at two previous attempts to model the behaviour of a cyber attacker. Both were ultimately flawed, and in this part we will introduce a third proposed model which combines the best of both: the Unified Kill Chain.
The Unified Kill Chain was proposed in 2017 by Paul Pols. Combining elements from both the Cyber Kill Chain and ATT&CK (along with a number of other models), it divides an attack into 18 separate stages, ranging from Reconnaissance to Objectives. Its aim is to expand the scope of the Cyber Kill Chain and to represent an improvement over the time-agnostic nature of ATT&CK. Countering one of the main criticisms levied against the Cyber Kill Chain’s focus on external attackers, the Unified Kill Chain was designed to ‘support the development of layered defence strategies that adopt the assume breach and defense in depth principles.’
The 18 steps are broadly grouped into four overarching areas. First, the Initial Foothold must be gained. This section covers the steps taken to compromise a single system within a target, and includes 8 of the steps—more than any subsequent stage. Beginning with Reconnaissance, Weaponisation and Delivery, as did the Cyber Kill Chain, it adds distinct steps for Social Engineering and Persistence, along with Exploitation, Defence Evasion and Command & Control.
After this comes the Network Propagation: Office Environment phase, where the attacker attempts to pivot from their compromised system to other, juicier parts of the target’s environment. It comprises the steps of Discovery, Privilege Escalation and Execution, as well as Credential Access and Lateral Movement—an attacker shifting from one compromised system to another. The third stage is Network Propagation: Critical Infrastructure, which repeats the same steps as the previous one, but represents the point at which an attacker has found their way from an innocuous initial compromise—the receptionist’s desktop, say—to a critical part of the network—the business’ data storage, perhaps.
Lastly comes the Action on Objectives: Critical Asset Access stage. This represents the attacker having hit the jackpot, gained privileged access to a part of critical infrastructure and performing their initially-planned task. This could be the exfiltration of sensitive data to a server controlled by them, or perhaps just its deletion. Perhaps this could be a cyber-physical attack, as in the Stuxnet attack on Iran’s nuclear centrifuges in 2010. Perhaps it’s just the installation of a backdoor, to allow them easy access again in the future. In the model, the steps are codified as Collection, Exfiltration, Target Manipulation and Objectives.
The main advantage of the way the Unified Kill Chain is laid out is in the use of repetition. Whereas the Cyber Kill Chain suggests a step 1, 2, 3 approach to attacking, the Initial Foothold, Network Propagation and Action on Objectives stages of the Unified Kill Chain are presented as loops that may, eventually, move on to the next stage. This better captures the actual behaviour of an attacker, who is likely to spend a lot of time attempting to gain that initial foothold and comparatively less actually doing what they came to do.
In the next part of this series, we’ll look into the Initial Foothold stage in more depth.
