Cybersecurity Blog: The Cyber Scene is evolving, are you?


“You can’t buy the Cyber Kill Chain®, but you can buy into it.” 

I recently reviewed key findings from the NTT Group's 2016 Global Threat Intelligence Report, including an incident response case study in which the responding team used the Cyber Kill Chain analysis framework to understand each phase of the attack and build a comprehensive picture of the adversary's tactics, techniques and procedures (TTPs). The mid-size financial client, code-named Peaceful Panda Financial Corporation (PPFC), did not know it had been breached until day 65 of the attack.

Below I walk through the seven steps the adversary completed before posting sensitive PPFC data to a Pastebin site.

How Peaceful Panda Was Breached

During the broadcast, I reviewed the Peaceful Panda attack case study through the lens of the Cyber Kill Chain. The seven steps of the Cyber Kill Chain describe the actions an adversary must complete, in order, to carry out a successful intrusion, and the framework helps an analyst study an attack from the adversary's viewpoint. The output? A threat-centric view of an intrusion. The benefit? Looking at an attack as a set of sequential steps creates a paradigm shift: the attacker needs to be right at all seven steps, while the defender needs to break the chain at just one of them to stop the intrusion.

For each Cyber Kill Chain® step below, the first paragraph defines the step, the second gives the Peaceful Panda attack details, and the bullets give the defense-in-depth opportunity.

Reconnaissance: Research and identify targets – including people, systems, programs and technologies

The adversary used an "on-target reconnaissance" approach, conducting reconnaissance directly against the target environment: system and application profiling of Peaceful Panda's externally facing systems. The attacker sent requests to those external systems to extract information and build a picture of the environment: where is the data, and which vulnerabilities are likely to succeed?

  • Minimize information leakage and attack surface through technical and non-technical controls
  • Take proactive action when recon is identified

Weaponization: Preparation of the tools the attacker will use in subsequent stages by taking something benign and making it malicious or by taking something already malicious and making it easier to spread

The tool of choice was Havij, an automated SQL injection tool, which the attacker configured to target specific systems and applications based on what was learned during recon. In an abstract sense, the attacker took otherwise harmless HTTP requests and weaponized them with the tool for a malicious purpose: exploiting an application vulnerability to gain unauthorized access.

  • Identify, understand, detect, and mitigate "tool marks" left by weaponizers

Delivery: Transfer the payload to the target. Classic delivery mechanisms typically fall into one of three categories: email, web-based, and physical delivery such as removable media

Delivery was accomplished over HTTP: the adversary used Havij to construct the malicious requests and sent them to the target systems. In this case, delivery was highly automated and relatively high volume, with a distinct delivery action for each malicious request.

  • Robust visibility across delivery vectors
  • Scanning, filtering, whitelisting, policy
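As an added example that is not part of the original post or of the PPFC investigation, the following Python looks for exactly this delivery pattern in ordinary web-server access logs: a single source sending many requests whose query strings carry SQL-injection tokens. The log lines are constructed for the example, and the token patterns and the per-source threshold are assumptions to tune for your own environment.

```python
"""Spot high-volume SQL-injection delivery in web access logs (added example,
not code from the post; log lines are constructed, patterns are assumptions)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Tokens typical of automated injection probing: boolean tautologies used for
# blind SQLi, UNION-based extraction, schema enumeration, comment terminators
# and time-based probes. Assumed list; extend it for your stack.
SQLI_RE = re.compile(
    r"(\bunion\b.*\bselect\b"
    r"|\b(?:or|and)\b\s+\d+\s*=\s*\d+"
    r"|'\s*or\s*'"
    r"|information_schema"
    r"|--\s*$"
    r"|/\*.*\*/"
    r"|\b(?:sleep|benchmark)\s*\("
    r"|\bwaitfor\s+delay\b)",
    re.IGNORECASE,
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_sqli(path):
    """True if the request path/query looks like an injection probe."""
    # Decode once so %27 and + are seen the way the application sees them.
    return bool(SQLI_RE.search(unquote_plus(path)))

def analyze(lines, threshold=3):
    """Count injection-looking requests per source IP and return the sources at
    or above the threshold, i.e. the automated, high-volume delivery pattern."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_sqli(rec["path"]):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample: one normal client, and one source running boolean and
# UNION probes against account.php (the shape an automated tool produces).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2016:10:01:02 +0000] "GET /account.php?id=17 HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2016:10:01:05 +0000] "GET /account.php?id=17%27%20AND%201=1-- HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Mar/2016:10:01:05 +0000] "GET /account.php?id=17%27%20AND%201=2-- HTTP/1.1" 200 412 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Mar/2016:10:01:06 +0000] "GET /account.php?id=-1%20UNION%20SELECT%20table_name,2,3%20FROM%20information_schema.tables-- HTTP/1.1" 200 9813 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Mar/2016:10:01:06 +0000] "GET /account.php?id=-1%20UNION%20SELECT%20username,password,3%20FROM%20users-- HTTP/1.1" 200 20400 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2016:10:01:09 +0000] "GET /search.php?q=union+street HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, n in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {n} injection-looking requests")
```

The per-source count matters as much as the patterns: a lone tautology in a query string may be a curious user, but a burst of boolean 1=1/1=2 pairs followed by UNION SELECTs against information_schema from one address is a tool working through its playbook, and the changing response sizes in the sample (1523 vs 412) are the blind-injection oracle that tool is reading.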

Exploitation: Exploiting some vulnerability to enable malicious code execution. Beyond zero-day application exploits, social engineering is the most common exploit: convincing people to take some action that helps further an attack

The exploitation was really an exploitation of application design and poor secure-coding practice: because of how the application was designed and implemented, it was vulnerable to SQL injection. That vulnerability gave the attacker a way to interact with the system in an unanticipated and undesirable manner and so advance the attack.

  • Minimize exploitable footprint
  • Technical controls to mitigate exploitation
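To make the exploitation step concrete, here is an added Python example (not code from the post or from PPFC's application) of the kind of defect Havij automates against: a lookup that concatenates an untrusted id into the SQL text, shown beside the parameterized form. It uses an in-memory SQLite database with constructed sample rows; the table, its columns and the payloads are hypothetical.

```python
"""The SQL-injection defect behind the exploitation step, beside its fix
(added example, not the post's or PPFC's code; schema and rows are constructed)."""
import sqlite3

def make_db():
    """In-memory SQLite with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "111-11-1111"), (2, "bob", "222-22-2222"), (3, "carol", "333-33-3333")],
    )
    return conn

def lookup_vulnerable(conn, user_id):
    """Concatenates the untrusted value into the statement text, so the value
    is parsed as SQL. This is the defect an automated tool probes for."""
    query = "SELECT id, username FROM users WHERE id = " + user_id
    return conn.execute(query).fetchall()

def lookup_bound_only(conn, user_id):
    """Parameter binding alone, no validation: the driver sends the value
    separately from the statement, so a payload is compared as a literal
    string against the integer column and matches nothing."""
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (user_id,)).fetchall()

def lookup_safe(conn, user_id):
    """Two independent layers: reject anything that is not an integer, then
    pass the value as a bound parameter so it can never become SQL text."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("user_id must be an integer")
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (uid,)).fetchall()

# Two payloads of the kind an automated SQLi tool sends (constructed): a
# tautology that widens the WHERE clause, and a UNION that pulls a column the
# query was never meant to return.
TAUTOLOGY = "17 OR 1=1"
UNION_DUMP = "0 UNION SELECT id, ssn FROM users"

if __name__ == "__main__":
    db = make_db()
    print("normal:    ", lookup_vulnerable(db, "2"))
    print("tautology: ", lookup_vulnerable(db, TAUTOLOGY))
    print("union dump:", lookup_vulnerable(db, UNION_DUMP))
    print("bound only:", lookup_bound_only(db, TAUTOLOGY))
    try:
        lookup_safe(db, TAUTOLOGY)
    except ValueError as e:
        print("safe rejects payload:", e)
```

The UNION payload is the one to watch: with a string-built query it returns every user's SSN through an endpoint that was only supposed to return a username, which is exactly how a "dump of sensitive user data" comes out of a single injectable parameter. The fix is not input filtering of quote characters; it is keeping data and SQL text separate with bound parameters, with type validation as the second layer.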

Installation: Establishing a presence on the system, at which point the attacker may create or modify files, modify the registry, or modify processes

The attacker established presence and persistence through a multi-layered installation: first a database admin account, then a local system account, and finally malware installed on the system. Each of those actions gave the attacker a separate foothold, so losing any one of them did not mean losing access.

  • Technical and policy controls to prevent unauthorized system modifications
  • Endpoint visibility, detect, and response capabilities

Command & Control (C2): Remote control of the compromised system: establishing hands-on-keyboard access and a communication channel between the malware or tool on the target system and the attacker

The attacker used a fairly novel C2 scheme that leveraged IRC and social media to receive commands from the attacker and report results. Social media posts contained encoded commands for the malware to run; the malware retrieved and decoded each command (for example: perform a directory listing on this directory and post the results back to that IRC channel).

The multiple communication channels gave the attacker failover capability, made them more agile, and made their activity harder for the defender to detect. In hindsight, IRC, a protocol with no business purpose on the PPFC network, was a prime detection and mitigation opportunity.

  • Control (monitor, scan, filter) outbound traffic for signs of malicious communications
  • Restrict non-business protocols (e.g. IRC) to reduce channels available to attackers
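As an added example, not from the original post, this Python shows what "restrict non-business protocols" looks like as detection logic rather than policy text: it flags outbound flows to the registered IRC ports and, independently, any flow whose first client line follows IRC command grammar, which catches IRC moved to a port that egress policy allows, such as 443. The flow records are constructed, and the port set is an assumption about the environment.

```python
"""Flag IRC-style command-and-control in outbound flows (added example, not
code from the post; flows are constructed, the port list is an assumption)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA-registered IRC ports (plaintext and TLS). Assumed policy input.
IRC_PORTS = {6667, 6697}

# IRC client messages (RFC 1459 / RFC 2812) begin with a command word followed
# by parameters, e.g. "NICK agent7", "JOIN #results", "PRIVMSG #results :text".
IRC_CMD_RE = re.compile(r"^(NICK|USER|PASS|JOIN|PRIVMSG|NOTICE|PONG)\s+\S+", re.IGNORECASE)

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent

def irc_like(payload: bytes) -> bool:
    """True if the first line of client data follows IRC command grammar."""
    first = payload.split(b"\r\n", 1)[0]
    try:
        text = first.decode("ascii")
    except UnicodeDecodeError:
        return False  # binary (e.g. a TLS ClientHello) is not IRC text
    return bool(IRC_CMD_RE.match(text))

def classify(flow: Flow) -> Optional[str]:
    """The port check catches default IRC; the protocol check catches IRC
    that has been moved onto a port the egress policy permits."""
    if flow.dport in IRC_PORTS:
        return "irc-port"
    if irc_like(flow.payload):
        return "irc-protocol-on-port-%d" % flow.dport
    return None

def detect(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, verdict) for every flow worth an alert."""
    out = []
    for f in flows:
        verdict = classify(f)
        if verdict:
            out.append((f.src, f.dst, f.dport, verdict))
    return out

# Constructed flows: an implant on the default IRC port, the same implant after
# failing over to IRC on 443, a genuine TLS handshake, and plain HTTP.
SAMPLE_FLOWS = [
    Flow("10.0.0.15", "198.51.100.23", 6667, b"NICK pp-agent\r\nUSER a 0 * :a\r\n"),
    Flow("10.0.0.15", "198.51.100.77", 443, b"NICK pp-agent\r\nJOIN #results\r\n"),
    Flow("10.0.0.21", "203.0.113.10", 443, b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed"),
    Flow("10.0.0.21", "203.0.113.11", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
]

if __name__ == "__main__":
    for src, dst, dport, verdict in detect(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}:{dport} {verdict}")
```

Blocking port 6667 alone would have pushed this attacker onto the second channel the post describes, which is why the protocol check is the more valuable half. The other channel, encoded commands fetched from social media posts, needs a different detector (periodic polling of the same hosts by a server that has no reason to browse) and is not covered by this block.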

Actions on Objectives: Where the attacker achieves their goal, whatever they set out to do: privilege escalation, data exfiltration, lateral movement, etc.

NOTE: Up to this point they've done bad things but they haven't yet achieved their true objective.

The observed Action on Objectives was the dumping of sensitive user data. Given the adversary's ability to establish persistence within the environment, it is plausible they could have continued to access the data at will for as long as it remained valuable.

  • Detect and block bulk data access and exfiltration (database activity monitoring, egress filtering, data loss prevention)
  • Incident response and forensic capability to scope, contain and evict the adversary quickly

It’s Not a Bullet – It’s Ballistics

The Cyber Kill Chain is not a silver bullet. Rather, it is an analytic framework: a way of thinking through an attack and using the results to better inform defensive strategies. Indicators can be organized and analyzed in the context of each of the seven stages, and evidence can be examined to deepen an organization's understanding of its threat profile and of where it can gain an edge over the adversary. Intelligence gained informs real-time detection and future prevention. The Cyber Kill Chain is a critical piece of a sound security strategy.

The 2016 Global Threat Intelligence Report provides organizations with the information necessary for resiliency and survivability in the face of an attack. The report illustrates how you can advance your security posture by applying the Cyber Kill Chain across your organization. By using the Cyber Kill Chain, your organization will better understand what the attackers are doing, and what you can do to disrupt the attack.


[Cyber Kill Chain is a registered trademark of Lockheed Martin.]
Currently the manager and lead analyst for the Leidos Commercial Cyber Services Security Intelligence team, Mr. Lachesky has over 6 years of professional experience in the computer network defense and cyber threat intelligence domain. His background includes working as an analyst as part of the Lockheed Martin Computer Incident Response Team (LM-CIRT) (the group that defends the LM Network from Advanced Cyber Threats). He currently supports Leidos Cyber commercial clients through a variety of services, products, and engagements with a unique focus on cyber security and advanced threats. Mr. Lachesky leverages his expertise in industry leading technologies and methodologies to respond to these information security threats. He and his team conduct incident response and triage activities for commercial clients and provide remediation and mitigation strategies. This includes analyzing APT tactics and techniques, developing and implementing advanced detections and analysis capabilities for APT, and performing Incident Response and Forensics. Mr. Lachesky holds a Master of Information Systems Management degree from Carnegie Mellon University, and a Masters Certification in Systems Engineering from Johns Hopkins University.