Applying Cyber Kill Chain Testing to Aerospace Systems

By Darren Cummings, DoD/Cyber Leader

More than two decades of offensive and defensive cyberwarfare have seen threats evolve from arbitrary, mass-scale attacks like Melissa or Code Red to precision-targeted attacks that involve sophisticated planning and execution by determined adversaries. The activities of these “advanced persistent threats,” which include both nation states and advanced criminal hacker groups, follow a consistent methodology, which Lockheed Martin has termed the “Cyber Kill Chain.” The elements of this framework, like most of the attacks themselves, are formulated primarily around enterprise networks and applications. Still, the cyber kill chain has direct relevance for aerospace and defense systems, including embedded avionics, especially as these systems become increasingly internetworked and exposed to outside data sources. Aerospace technology developers and integrators can make use of the cyber kill chain in a variety of ways. One strategy is to employ the methodology as an outline for penetration testing of aerospace systems still under development, in order to understand their susceptibility to real-world attacks down the road.

With an aerospace system, the first stage of the cyber kill chain, reconnaissance, is critical both for penetration testers and real-world hackers. That’s because, unlike enterprise and consumer technologies, adversary hackers often don’t have their own instances of the system with which to experiment. Information disclosures can increase the attack surface of a system considerably, so it’s important that developers minimize the exposure of design decisions and potential security flaws.  This goes beyond public information in documentation or on the internet; in some cases, individual system interfaces need to be examined. Utilities that aid in the visibility and internals of system software, such as virtualization and reverse engineering tools, need to be used during the reconnaissance phase. Strategies such as fuzzing and code coverage also ensure that developers understand as much of the attack surface as possible.

Weaponization is the process of translating vulnerabilities into exploits so that they can be delivered to the target for exploitation. Attackers begin with knowledge of a security flaw such as an interface that accepts messages without authentication. A weaponized exploit will contain the functionality needed to transmit messages on the interface in a way that is optimized to achieve the attacker’s goal.  In the enterprise world, this is typically information gathering and movement through the network, but in the aerospace world, more “physical” effects including degrading, redirecting or even destroying the physical system are also potential attack goals. Attackers use two strategies to weaponized vulnerabilities. First, they use their knowledge of security to maximize their access and control over the target system. Second, they use their knowledge of the system’s capabilities to design effects that give them a strategic advantage. Any penetration test of the system should include weaponization, in order to understand the theoretical and practical challenges (or lack thereof) an attacker would face.

The final phases of the cyber kill chain, command-and-control and actions on objectives, represent the system after it’s fully compromised. It is critical that security testing consider what activities an attacker might be able to carry out against a compromised system and take active steps to thwart them. Too frequently, most or all of the emphasis is placed on preventing access, only to offer the attacker full control after a compromise. Testing of access control and privilege, redundancy, separation of concerns, escalation of privilege, and movement between subsystems ensures that, even if a system is compromised, the system-of-systems remains resilient. A careful study of interface boundaries is necessary in order to ensure this; whole or partial virtualization of the system allows for more precise testing as well as simulation of resource-intensive attacks.

Penetration testing is not a substitute for good security design, secure development practices, or an overall emphasis on quality and reliability. Still, teams that can’t think like an attacker will often overlook vulnerabilities that may seem obvious to persistent adversaries. Leveraging the cyber kill chain is a critical step in assessing a system’s resilience against known adversary methods and strategy.

To learn more about how the cyber kill chain and virtualization-based penetration testing can help improve your system’s security, contact Performance Software today.