Defining the cyber kill chain and its impacts on Microsoft 365

What is a cyber kill chain, and how can it help you enhance your organization’s cybersecurity posture? This blog post provides all the details, including the seven stages in the original cyber kill chain model, as well as how the MITRE ATT&CK knowledgebase fits into the picture. Then it provides a deeper dive into one of the key stages of the Microsoft 365 cyber kill chain, privilege escalation, and explains how attack path management and monitoring can help you prevent adversaries from gaining control of your Active Directory.

What is the cyber kill chain?

While “cyber kill chain” sounds like something out of science fiction, the truth is much more mundane: The cyber kill chain is simply a cybersecurity model that details the stages of a cyberattack. Its purpose is to help IT security teams identify opportunities to shut down (“kill”) cyberattacks.

Understanding the stages of an attack helps IT security teams identify vulnerabilities that put their IT ecosystem at risk so they can remediate them before they can be exploited. It also helps them implement effective processes and technologies to spot and thwart adversaries during each step in an attack — enabling the organization to avoid or at least mitigate damage such as data breaches and downtime.

In short, understanding the cyber kill chain can help you dramatically enhance your organization’s cybersecurity and cyber resilience.

The stages of the original cyber kill chain

The original cyber kill chain model, developed by Lockheed Martin in 2011, comprises the following seven stages:

  1. Reconnaissance — Harvesting information about potential targets, such as email addresses
  2. Weaponization — Creating a malicious payload to be deployed against a target
  3. Delivery — Deploying the payload against the target using email, infected USB devices or other methods
  4. Exploitation — Executing the payload on the target’s IT infrastructure by exploiting a vulnerability
  5. Installation — Installing malicious code such as ransomware on the target
  6. Command & control (C2 or C&C) — Establishing communication with the hacker’s system to enable remote control of the victim’s IT systems
  7. Actions on objectives — Completing the mission, such as stealing or encrypting sensitive data or disrupting operations

Some subsequent models expand this framework to include an eighth step:

  1. Monetization — Attempting to benefit financially from the cyberattack, such as by demanding ransom in exchange for a decryption key or by selling sensitive information to competitors or on the dark web

What is an example of a cyber kill chain?

It’s important to keep in mind that cyber kill models do not claim that every cyberattack will use all the steps they describe; the models are designed to provide a framework for understanding how attacks can unfold and developing effective strategies for reducing risk.

For example, adversaries might conduct reconnaissance on your organization by using LinkedIn to discover names of employees and performing web searches to figure out how your organization’s standard for formatting names into email addresses. Then they might perform weaponization by creating a piece of ransomware, and deliver it through a phishing attack using the email addresses they have divined. When a recipient opens the attachment, the malware will be installed and establish a C&C connection back to the adversaries, who then take actions to spread the malware infection as broadly as they can, and proceed to monetization by demanding a ransom payment in exchange for the decryption key. A simpler ransomware attack might skip the C&C stage and simply infect whatever it can reach immediately.

Is the cyber kill chain model effective?

The Lockheed Martin model can help organizations begin to develop a cybersecurity strategy. However, it has several important drawbacks.

First, it is focused on external adversaries and offers little to address insider threats, which include both malicious activity and inadvertent mistakes. For example, common examples of security breaches include departing employees taking the organizations intellectual property (IP) or customer data, employees accidentally attaching confidential information to emails sent to groups not authorized to access that content, and even cybercriminals offering to share ransom payouts with employees willing to deploy their malware. Insider threats are a serious cybersecurity risk that have led cybersecurity experts to urge organizations to take an assume-breach mindset and move toward a Zero Trust approach to security.

In addition, because the Lockheed Martin model was developed before widespread adoption of the cloud, it focuses on perimeter security and malware prevention. Accordingly, it does little to help with web-based attacks such as SQL injection, denial of service (DoS) and distributed denial of service (DDoS) attacks, cross-site scripting (XSS), and many Zero Day exploits.

Cyber kill chain vs. MITRE ATT&CK

Enter MITRE ATT&CK, a knowledgebase of adversary tactics and techniques. (Indeed, “ATT&CK” stands for “adversarial tactics, techniques and common knowledge.”) Instead of describing a sequence of steps that cyberattacks typically follow, it lays out a matrix of categories of tactics and techniques that adversaries draw from. This detailed matrix provides IT professionals with a more modern and flexible approach to enhancing cybersecurity across on-premises, cloud and hybrid IT environments.

The MITRE ATT&CK matrix comprises the following 14 categories. As you can see, they overlap with the phases of the cyber kill chain to some degree but provide a different focus and a more expansive perspective.

  • Reconnaissance — Collecting information to facilitate targeting
  • Resource development — Establishing the resources and capabilities necessary to execute a cyberattack
  • Initial access — Gaining a foothold in the victim’s network
  • Execution — Running malicious code on the target network
  • Persistence — Attempting to maintain their foothold by evade defense strategies
  • Privilege escalation — Attempting to obtain elevated access in the network, especially membership in powerful groups like Domain Admins
  • Defense evasion — Taking steps to avoid detection
  • Credential access — Compromising account credentials
  • Discovery — Exploring the wider network to find vulnerabilities and opportunities
  • Lateral movement — Expanding from the initial foothold across the network environment
  • Collection — Gathering information and resources required achieve the objective, such as to exfiltrate data, spread ransomware or disrupt operations
  • Command & control — Enabling the adversary to control the victim’s systems remotely
  • Exfiltration — Stealing data from the victim’s network
  • Impact — Manipulating, disrupting or destroying compromised IT assets, such as systems, accounts and data

The key phases of the Microsoft 365 kill chain

When it comes to attacks on Microsoft cloud environments, five of the 14 MITRE ATT&CK categories are particularly relevant. Although the MITRE ATT&CK categories are not ordered steps, attacks targeting Microsoft 365 typically include methods from these five categories in the order listed below, so this model is often referred to as the Microsoft 365 kill chain.

The five key steps in the Microsoft 365 kill chain are:

  1. Reconnaissance
  2. Initial access
  3. Persistence
  4. Discovery
  5. Exfiltration

Common tactics in the Microsoft 365 kill chain

Let’s dive into the top tactics and techniques used in each step of the Microsoft 365 kill chain.

Reconnaissance

To learn about potential targets, adversaries often rely on the following resources. Note that many of these tactics are impossible for IT teams to detect because they occur on third-party sites.

  • DNS — All of DNS is public, and cybercriminals can spot use of Microsoft 365 simply by checking for corresponding domain validation records, such as mail exchange (MX) records.
  • Digital certificates — Anyone can view a list of all the certificates that have ever been issued to a particular Active Directory (AD) domain. Since many organizations today are hybrid, information about their on-premises AD can be useful even if the attack is focused on Microsoft 365.
  • Social media — As we saw in our earlier example, adversaries can harvest details about a company’s employees from LinkedIn. Other social media sites are also rich sources of valuable intel.
  • Email address lookup — We mentioned that hackers can accurately guess employee email addresses by learning their names and the organization’s formatting standard. But sites like hunter.IO will reveal not just the pattern used for a domain’s email addresses, but a list of actual email addresses that are only partially redacted.

Initial access

In this phase of the Microsoft 365 cyber kill chain, attackers use tactics and techniques like the following to gain a foothold in their chosen victim’s network:

  • Phishing — Attackers often get into an IT environment by sending emails that include malicious attachments or links to websites under their control. Using the intel gleaned during reconnaissance, they can craft personalized spear-phishing messages that can fool even savvy users because they contain personal details or appear to come from their managers or IT team.
  • Other social engineering attacks — There are many other flavors of social engineering attack. Two of the most common are vishing, which leverages voice communication (such as a phone call) rather than email, and smishing, which exploits text (SMS) messages.
  • Valid account compromise — Adversaries often achieve initial access by obtaining credentials of legitimate accounts, including default accounts (like Guest or Administrator), domain accounts, local accounts and cloud accounts.

Persistence

To retain their access to a compromised Microsoft 365 environment, attackers often use these techniques:

  • Account manipulation — Adversaries often modify accounts to maintain their foothold on compromised systems. For example, they might reset an account’s password to prevent the account owner from changing it and locking them out. Or they might add cloud roles or email delegation permissions to an account, or register additional devices to thwart multifactor authentication (MFA) protections.
  • Office application startup — Attackers use multiple tactics to re-establish their access when an Office application is started, including templates, macros, add-ins, and Outlook forms and rules.
  • Scheduled tasks — Adversaries can abuse the Windows Task Scheduler to execute malicious code at a specified time or on a recurring schedule.

Privilege escalation

Adversaries typically achieve initial access by compromising a regular user account. To get the elevated permissions they need to access sensitive data and systems, they often identify and abuse an attack patha chain of abusable privileges, misconfigurations and other vulnerabilities that enables the adversary to gain elevated rights, such as membership in the Domain Admins group. We explain attack paths in more detail in the discussion of defense strategies below.

Discovery

Adversaries often take time to explore the Microsoft 365 environment to uncover vulnerabilities, learn about the services being used and find sensitive data. Here are some of the key pieces of information that they look for:

  • Local system, domain, email and cloud accounts
  • Browser bookmarks, which can provide details about users, servers, tools and other network resources
  • Cloud services
  • Email content

Exfiltration

Techniques for stealing data include:

  • Automating the extraction process
  • Transferring data in smaller batches to avoid detection
  • Exfiltrating data via a USB drive, smartphone or other physical medium
  • Exfiltrating data using an external web service

How can the cyber kill chain be used to improve cybersecurity?

By understanding the Microsoft 365 cyber kill chain and the tactics and techniques used in each phase, you can uncover weaknesses in your IT environment and implement effective tools and strategies to strengthen your cybersecurity and cyber resilience.

While it’s wise to pay attention to a wide range of attack vectors, one of the most critical phases of the cyber kill chain is privilege escalation. After all, if you rigorously enforce the least privilege principle, compromising a regular user account will not get adversaries very far. The real danger comes when they get elevated access rights, or even total control of your AD domain. Since most organizations sync identities from their on-prem AD to Azure AD, an Active Directory attack is also an attack on Microsoft 365.

We already mentioned one of the most valuable techniques that adversaries use for privilege escalation: identifying and exploiting attack paths in Active Directory. An attack path is not just a missing patch or a misconfigured setting that can be uncovered through a traditional security risk assessment process. Rather, an attack path is a series of steps that an adversary can take to elevate their privileges from ordinary user to highly privileged user by taking advantage of things like concealed permissions, nested group membership and inherent security gaps in AD architecture.

What’s worse, most organizations have thousands or even millions of attack paths ripe for exploitation, and to see all of them laid out clearly, all an adversary needs to do is run an open-source tool called BloodHound. As a result, an adversary who compromises an AD user account today is likely to be just a handful of steps away from total control of Active Directory — and therefore Microsoft 365.

Accordingly, it’s vital to proactively identify the attack paths in your AD, mitigate them as quickly as possible and closely monitor any attack paths that have yet to be addressed. Indeed, attack path management and attack path monitoring can dramatically enhance your ability to interrupt the cyber kill chain by preventing privilege escalation.

Conclusion

The cyber kill chain provides a useful framework for understanding the anatomy of cyberattacks. It’s even better when paired with the MITRE ATT&CK knowledgebase, which provides the vital details about adversary tactics and techniques you need to uncover weaknesses and implement effective security controls to protect your hybrid IT environment.

One of the most important categories in the MITRE ATT&CK matrix is privilege escalation, since elevated permissions are required for reaching your most valuable systems and data. And one of the most effective strategies for blocking privilege escalation is attack path management and monitoring.

Active Directory security risk assessment and attack path management

Active Directory is a favorite target for cyber attackers. Learn why current defenses aren’t enough, how risk assessments can go wrong and a better approach for security.

Download Guide

About the Author

Bryan Patton

Bryan Patton is a Principal Strategic Systems Consultant at Quest Software. For nearly 20 years he has helped customers shape their Microsoft environments. With particular emphasis on Active Directory and Office 365 environments, Bryan specializes in Identity and Access Management, Data Governance, Migration, and Security, including Certified Information Systems Security Professional (CISSP) certification.

Related Articles