Cyber Kill Chain With Mallory

Much like any event we observe, cyber-attacks tend to follow a chronological order of steps from start to end. In cybersecurity we are often exposed to the terms Intrusion Kill Chain or Cyber Kill Chain (CKC), a framework developed by Lockheed Martin. CKC is essentially a spin-off of the military kill chain model “F2T2EA”, which describes the phases of an attack: Find, Fix, Track, Target, Engage, Assess. The interesting part of this concept is the “chain”: since an attack is an end-to-end progression of events, it can be disrupted, and stopped, at any step. CKC rests on the same principle, but defines its own set of phases.

Adoption of the CKC framework is sometimes criticized as detrimental to network security; some are of the opinion that it is too “intrusion-centric”, describing the initial break-in in detail while saying little about insiders or about what happens after the first foothold. While the perception of the framework is subjective, it proves its value in numerous ways when we stop looking for its possible flaws and instead use it for what it does well: describing a cyber-attack’s progression step by step:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives

The model forces us to look at our environment from the attacker’s side and ask ourselves: “How does our network look to an attacker?”, as well as: “What can we see inside our own system?”. The latter makes one thing quite obvious: visibility is crucial. Enter Mallory.

1. Reconnaissance

The first step, reconnaissance, is perhaps the most self-explanatory of them all – think information gathering. The attacker, let’s refer to her as the infamous Mallory, will first have to identify her target and gather data about it; unfortunately, that is an easy task in today’s Internet-of-Everything world. It does not help that “the target” covers a broad spectrum:

  • People: name, telephone number, address, credit card information
  • Host: IP address, username, password, software, hardware, protocols
  • Network: architecture (topology), domain names, security policies, IDS/IPS

Mallory can also utilize a pallet of different approaches for information gathering:

  • Passive: observation, public records, public network information (WHOIS, DNS), search engines such as Google and Shodan
  • Active: port scanning (Nmap!), vulnerability scanning (Nessus), traceroute, banner grabbing with Netcat

Just to name a few.
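Active reconnaissance is the noisy half of this phase, and it is worth seeing what it actually does on the wire. The following is an added example, not code from the original post: a minimal TCP connect scan with banner grabbing, the same thing Nmap’s -sV or a one-liner with Netcat does, written in Python so it runs offline. The “service” it finds is a throwaway listener started on 127.0.0.1 purely for the demonstration (the Postfix and OpenSSH banner strings are made up), and a second loopback port is bound without listening to show what a closed port looks like to the scanner.

```python
import socket
import threading
from typing import Dict, List, Optional, Tuple


def start_fake_service(banner: bytes) -> Tuple[int, socket.socket]:
    """Throwaway TCP listener on loopback that greets each client with `banner`.

    Stand-in for a real exposed service (mail, SSH, telnet...) so the scanner below
    has something to find without touching any network. Returns (port, listening
    socket); pass the socket to stop_fake_service() when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free one
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # listener was shut down
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def stop_fake_service(srv: socket.socket) -> None:
    try:
        srv.shutdown(socket.SHUT_RDWR)  # unblocks accept() so the serve thread exits
    except OSError:
        pass
    srv.close()


def reserve_closed_port() -> Tuple[int, socket.socket]:
    """Bind a loopback port without listening on it: connects to it are refused,
    which is exactly what a closed port looks like to a scanner."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s.getsockname()[1], s


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """TCP connect scan of one port.

    Returns the banner text if the port is open (empty string for a service that
    waits for the client to speak first), or None if the connection is refused,
    times out or is otherwise unreachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""              # open but silent
    except OSError:
        return None
    return data.decode("ascii", errors="replace").strip()


def scan(host: str, ports: List[int]) -> Dict[int, str]:
    """Map every open port in `ports` to the banner it served."""
    found: Dict[int, str] = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            found[port] = banner
    return found


if __name__ == "__main__":
    open_port, srv = start_fake_service(b"220 mail.example.test ESMTP Postfix\r\n")
    closed_port, holder = reserve_closed_port()
    print(scan("127.0.0.1", [open_port, closed_port]))
    stop_fake_service(srv)
    holder.close()
```

Two things a defender should take from this: a connect scan completes the TCP handshake, so every probe shows up as a full connection in host and firewall logs (which is why attackers prefer SYN scans or spread the scan over days), and the banner alone (“ESMTP Postfix”, “OpenSSH_7.4”) is frequently enough for Mallory to pick a known exploit in the next phase, which is a good argument for trimming version strings from anything Internet-facing.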

2. Weaponization

When Mallory has gathered enough information to identify a vulnerability, it is time for her to craft a weapon for the target system: an exploit for that vulnerability, paired with the malware she wants to run once it fires. This step can be arbitrarily complex, as there are countless ways to combine the two, but to give a few tangible examples:

  • Web application exploit
  • MaaS (Malware as a Service)
  • Custom malware

The end product is expected to exploit the vulnerability she found and get Mallory one step closer to accomplishing her objective.

3. Delivery

The weapon itself has no value if there is not a viable way to deliver it. A very important step in CKC is delivering the payload in a way that it actually reaches the target…and hopefully remains undetected. [Un]Luckily, there are countless ways to deliver it:

  • Leveraging network services (it is 2017 and one can still find open telnet ports)
  • Flawed applications
  • Web presence (malvertising)
  • E-mail

The last two are normally user-initiated and are a part of the social engineering paradigm; a field that is receiving a tremendous amount of attention due to its success rate.

4. Exploitation

Here is where things really start to go south. If the malicious payload is successfully delivered, Mallory gains a foothold in the system. She managed to accomplish this by exploiting an earlier-identified vulnerability, crafting the right weapon for the job, and choosing an optimal delivery method. There are many ways to accomplish this step, but whatever exploit is used, it was chosen in advance, during weaponization, to match the vulnerability found in reconnaissance. The entry point could be:

  • Buffer overflow
  • SQL injection
  • Zero-day vulnerability

The truth is there are too many vulnerabilities out there to account for every one of them. They exist in every class of software, from operating systems to web applications, so Mallory has likely had a lot to choose from.
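To make one of those entry points concrete, here is an added example, not from the original post, of the SQL injection case: a login check that pastes user input into its query, beside the same check using parameterized queries. It uses an in-memory SQLite table with two constructed rows (“alice”/“bob”, stored in plain text only to keep the example short; a real system stores password hashes). The payloads shown are the classic comment-out and tautology tricks, and the point is that the safe version returns nothing for both because the driver never lets the input become SQL.

```python
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not real credentials)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str,
                     password: str) -> Optional[Tuple[str, str]]:
    """The weaponized target: input is interpolated straight into the SQL text,
    so a quote in `username` or `password` ends the string literal and the rest
    of the input is executed as part of the query."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return con.execute(sql).fetchone()


def login_safe(con: sqlite3.Connection, username: str,
               password: str) -> Optional[Tuple[str, str]]:
    """Hardened form: placeholders are bound by the driver, so the input is only
    ever compared as data and can never change the shape of the statement."""
    return con.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Two payloads Mallory might try after reconnaissance told her the login form
# talks to a SQL database:
COMMENT_OUT = "alice' --"        # closes the literal, then comments out the password check
TAUTOLOGY = "' OR '1'='1"        # makes the WHERE clause true for every row


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment-out :", login_vulnerable(db, COMMENT_OUT, "wrong"))
    print("vulnerable, tautology   :", login_vulnerable(db, "nobody", TAUTOLOGY))
    print("safe, comment-out       :", login_safe(db, COMMENT_OUT, "wrong"))
    print("safe, tautology         :", login_safe(db, "nobody", TAUTOLOGY))
    print("safe, real credentials  :", login_safe(db, "bob", "hunter2"))
```

Note that the comment-out payload does not even need a valid password: with the trailing `--` the query that actually runs is `... WHERE username = 'alice'`, which is why Mallory gets the admin row back. The safe variant compares the literal string `alice' --` against the username column and finds nothing.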

5. Installation

Here is where Mallory wants to be as stealthy as possible and achieve some sort of persistence on the system, so that her access survives a reboot or the exploited process being closed. Usually this requires code from the delivered malware to trigger actions on resources or applications of the asset. Whatever the technique, Mallory’s malware will either establish a means of communicating with her, or wait for a certain action on the system to occur before performing the next step. The behaviour shown in the installation phase is also what typically gives the malware its classification:

  • Spyware
  • Ransomware
  • Trojan
  • Rootkit
  • Backdoor

6. Command and Control

If Mallory wants to accomplish anything beyond exploiting a vulnerability in a system, she has to make sure she can communicate with the infected machine(s). That communication can take many forms and happen at many different intervals:

  • Public DNS servers
  • Dynamic DNS
  • Leveraging less prominent protocols/services
  • ICMP (beaconing)

Mallory can now control the newly obtained asset, telling it where to go next and what to do.
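The defender’s side of this phase is where “visibility is crucial” pays off: a C2 channel that hides in DNS or in regular beacons still leaves a pattern in the logs. The following is an added example, not code from the original post, that runs two simple detections over a constructed DNS query log (the hosts, timestamps and the dyn-host.test domain are invented): it flags query names whose longest label looks like encoded data rather than a hostname (the DNS-tunnelling signature), and it flags (source, domain) pairs queried at near-constant intervals (the beaconing signature). The thresholds are assumptions chosen for the sample, not vendor defaults, and the “registered domain” grouping is a crude last-two-labels cut, not a public-suffix-list lookup.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample log, one query per line: "<epoch seconds> <source ip> <queried name>".
# Made-up records, not captured traffic; dyn-host.test plays the attacker's dynamic-DNS domain.
SAMPLE_LOG = """\
1500000000 10.0.0.5 www.example.com
1500000003 10.0.0.5 mail.example.com
1500000060 10.0.0.5 a3f9c0e1b2d4e5f6.upd.dyn-host.test
1500000120 10.0.0.5 7c1e99d0aa45b3c2.upd.dyn-host.test
1500000181 10.0.0.5 0f2a8b7c6d5e4f31.upd.dyn-host.test
1500000240 10.0.0.5 e4d3c2b1a0f9e8d7.upd.dyn-host.test
1500000300 10.0.0.5 5a6b7c8d9e0f1a2b.upd.dyn-host.test
1500000010 10.0.0.7 www.example.com
1500000500 10.0.0.7 news.example.org
1500001300 10.0.0.7 cdn.example.org
1500003100 10.0.0.7 www.example.com
"""

# Tunable heuristics (assumptions for this sample, not vendor thresholds): a label this
# long and this random-looking is more likely encoded data than a hostname; gaps this
# regular are more likely a timer than a human.
MIN_LABEL_LEN = 12
ENTROPY_THRESHOLD = 3.5       # bits per character
MIN_BEACON_QUERIES = 4
MAX_INTERVAL_CV = 0.2         # stddev / mean of the inter-query gaps


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' grouping (example.com, dyn-host.test). A real detector
    would consult the public suffix list so names under co.uk and friends group right."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_log(text: str) -> List[Tuple[int, str, str]]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname = line.split()
        records.append((int(ts), src, qname.lower()))
    return records


def find_tunnelling(records: List[Tuple[int, str, str]]) -> List[Tuple[str, str]]:
    """Flag queries whose longest label looks like encoded data (DNS as a covert channel)."""
    hits = []
    for _, src, qname in records:
        label = max(qname.split("."), key=len)
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            hits.append((src, qname))
    return hits


def find_beacons(records: List[Tuple[int, str, str]]) -> List[Tuple[str, str, float]]:
    """Flag (src, domain) pairs queried at near-constant intervals: a heartbeat to C2."""
    times: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, src, qname in records:
        times[(src, registered_domain(qname))].append(ts)
    beacons = []
    for (src, domain), stamps in times.items():
        if len(stamps) < MIN_BEACON_QUERIES:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_INTERVAL_CV:
            beacons.append((src, domain, float(avg)))
    return beacons


def analyze(text: str) -> Dict[str, list]:
    records = parse_log(text)
    return {"tunnelling": find_tunnelling(records), "beacons": find_beacons(records)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

On the sample, the five hex-looking labels under dyn-host.test score around 3.6 to 3.9 bits per character and are flagged, while ordinary names (www, mail, cdn) are far too short and predictable; the same host also queries that domain every 60 seconds give or take one, which the beacon check catches. Real traffic needs jitter handling (malware often randomizes its sleep), an allow-list for legitimately chatty domains such as CDNs and update services, and a longer window than five queries, but the two signals are the same ones a SOC starts from.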

7. Actions on Objectives

Finally, Mallory will want to accomplish the overarching goal of her attack. What she decides to do here is defined by the nature of her initial purpose, which can be any of the following:

  • Data exfiltration
  • Lateral movement (spreading to other hosts and re-establishing persistence there)
  • Privilege escalation
  • Damaging the assets

Needless to say, this is the most crucial part of the CKC for Mallory. If she made it all the way down here, we have a serious problem.

Debrief

Walking through the CKC with Mallory gives a very high-level overview of how a cyber-attack may progress through its life cycle. By no means should CKC be considered a magic bullet among security approaches, but rather a firm foundation for the overall approach. The exponential growth in the complexity of today’s systems, and the thousands of applications and devices emerging daily, make tracking and understanding an attack’s execution rather difficult – especially if we were to swear by a single framework. Acknowledging this, we must learn to incorporate different approaches and grow with the developing landscape around us – it is the only way to survive.

Thank you for your time!
-Ziga