The term ‘kill chain’ was originally used as a military concept related to the structure of an attack. In 2011 Lockheed Martin adopted the term for cyber security, modeling network intrusion. In this post we zoom in, model and simplify the Zero-Day kill chain, a chain of malicious operations which are performed in order to take over the victim’s host or network. These operations are often referred to as the ‘pre-infection’ phase.

What is the chain of attack?

A  Zero-Day starts by the adversary searching and finding a new vulnerability, which is also known as a memory corruption.

A vulnerability is a weakness in a piece of software that gives the ability to perform an illegal operation in the memory; it could be in any application software such as MS Word, Google Chrome browser, a Java applet, or even the Windows OS. This vulnerability lets them inject their exploit code into the memory, and bypass the operating system security controls.

The goal of the exploit is to gain code execution privileges which happens even before the evasion techniques are utilized (which we’ll focus on in a later post).

Once the exploit is completed, the adversaries can run their shellcode, which is a small piece of code that retrieves the malware from the original file or from the internet.

Once the adversary retrieves the malware, they have total control and can do anything to the system such as exfiltrate data, log the keystrokes or spread malware further in the organization.

To simplify it, the Zero-Day attack, can be modeled as kill chain, composed of 4 steps:

  • Step 1: Memory Corruption. The very first illegal operation performed in order to make the actual attack start. A software vulnerability discovered by the adversary is being used in order to get the first foothold. Memory corruptions such as a ‘Buffer Overflow’ was publicly documented as early as 1972, or more modern types such as ‘Use-After-Free’ are being leveraged by the attacker.   

  • Step 2: Exploitation. This is the step in which the adversary is using a creative technique in order to ‘exploit’ the memory corruption from the previous step in order to get the ability to bypass the operating system protections and reach the next step, these techniques are vast and evolve every once in awhile, such as ‘Heap Spray’, ‘ROP’ and more.

  • Step 3: Shellcode. A small piece of code used as a payload usually written in machine code, is the first piece of code the attacker is able to run in the system, the purpose of the previous steps was to get to and be able to run this step.
    The code is mostly used to retrieve the 4th and last step.

  • Step 4: Malware. The malicious software or any software used to disrupt the computer, mobile or network operation, by gaining access to private and sensitive data, encrypting files (a malware type that is well known as ‘Ransomware’) or create other types of damage that the attacker can cause.

The heart of the attack

The memory corruptions, a few classes of illegal operations occurring in the memory, are the root cause of the kill chain.
Traditional methods such as a buffer overflow in which the attacker overruns the buffer’s boundary and overwrites adjacent memory locations, or methods such as ‘Use-After-Free’ that refers to an attempt to access memory after it has been freed, although sometimes can be seen as harmless bugs, many times are fatal and can potentially result in the execution of arbitrary code or even enable full remote code execution capabilities.

Tackling the root cause

As the adversary moves along the chain he has many more possibilities and options to accomplish the mission. Trying to stop the attacker at the malware stage is practically impossible in an absolute way, although most of the security vendors today try to do so.

There are millions types of malwares, ransomwares and other types of malicious software for example a recent version of Cerber ransomware generates a new sample in every 15 seconds, which makes it impossible to detect and prevent each sample.

It’s the same for the ‘Shellcode’ step, obfuscation techniques can generate an infinite number of variants of machine code performing the same operation which can hide itself in any section in the source.

The ‘Exploitation’ stage is the closest step to the root cause, which makes it a very good step to try to stop the attack at, but unfortunately this is not good enough as exploitation techniques still evolve, which makes products that try to stop the attack at this step still participate in the cat-and-mouse game of cyber security and can not give absolute and full protection.

Contrary to all steps, the ‘Memory Corruption’ step, is a very static world that contains only a handful classes, and the most recent one was discovered more than a decade ago.

Stopping the attack at the Memory Corruption step, means giving a real solution by tackling the problem at its root and not dealing with the symptoms.

In the coming posts we will address the enormous advantages of stopping the attack at the very first step in the kill chain, in terms of performance and types of attacks that can only be stopped at this step.