Using the Web App Kill Chain to Identify & Neutralize Threats

PUBLISHED ON September 11, 2018
LAST UPDATED August 20, 2021

Web App Kill Chain

There is an ongoing debate among security professionals surrounding the most effective ways to monitor, detect, classify, and ultimately, block malicious threats. Up to this point, the majority of security solutions hang their hats on monitoring and reacting to binary attacks or action. While this approach may provide the peace of mind that nearly every malicious attack will be blocked, it also results in ample false positives and disruption to legitimate prospect or customer web traffic. The frustration from security teams has prompted the search for another way. Enter, The Web Application Kill Chain

Kill Chains & Defensive Actions 

The Kill Chain approach is a military-inspired methodology for allocating resources to defeat an adversary – you attempt to construct a chain of interdependent actions (locate target, communicate to weapons platform, launch attack) which are difficult for your adversary to disrupt. Conversely, defensive actions aim to disrupt your adversary’s kill chain at the earliest opportunity.

This methodology has been adapted and popularized for cyber security as the Intrusion Kill Chain, which applies the same logic: an attacker must run through a chain of actions in order to successfully compromise a computer network, and network defenders have the opportunity to detect and stop the attacker at each stage.

Defensive actions can stop an attack before the adversary has the information or tools in place to complete it – Below we’ll discuss how ThreatX applies the kill chain to profile attacker behavior and takes action to defend your web application.

The Web Application Kill Chain

The Web Application Kill Chain is a specialized kill chain methodology to classify attacker behavior and the methods they use to attempt to gain unauthorized access to web applications or control of the target web server. Attacks are broken down into three broad phases (pre-exploitation, exploit delivery, and post-exploitation) and a number of stages which map attacks to more specific categories within each phase.

Phase 1: Pre-Exploitation

1. Reconnaissance

During the reconnaissance phase attackers attempt to collect relatively basic information about their target – what content management system (CMS), web server, or operating system does the target use? What software framework or programming language is the web application written in? Gathering this information helps the attacker to determine which tools & techniques may be most effective later on.

2. Scanning

Scanning can take different forms – probing for known vulnerabilities with a vulnerability scanner or simply enumerating pages, plugins, and configuration. The key to this stage is using automated tools to further refine potential avenues for exploitation.

3. Web Application Mapping

The final and most specialized pre-exploitation phase is Web Application Mapping: attackers collect web forms & fields processed by the web server – login pages, search functions, and any other potential interfaces to a database or back-end service. These fields may be used in the exploitation phase for delivery of the attack.

Phase 2: Exploit Delivery

4. Brute Force Attack

Brute force refers to a subset of techniques that an attacker may use to attempt to gain unauthorized access to the web application – primarily username or password guessing attacks against a login form or attacks exploiting known issues with ID or session token generation within the web application. Often, an attacker will limit the number of attempts to guess valid credentials or IDs before moving on to another target.

5. Denial of Service

Another subset of techniques used by attackers against the web application, denial of service attempts to disrupt availability of the web application to legitimate users. This can be accomplished by exploiting poorly formed or resource intensive queries to the application, exploiting known performance issues in the CMS, software framework, or web server, or by saturating network bandwidth/resources to slow down legitimate requests.

6. Exploitation

Exploitation is the delivery of malicious requests to the web application – this is a wide-ranging category of attacks which can span from SQL injection to dump user data, to command injection, to installation of malicious tools for further elevated, unauthorized, access to the web application and server by the attacker. Each attacker has a unique motivation and objective – this objective, the attacker’s capabilities, and the application specific vulnerabilities discovered during the pre-exploitation phase will determine which techniques are used in the exploitation stage.

Phase 3: Post-Exploitation

7. Malware Communication

After successfully delivering an exploit, the attacker may install malware or malicious tools to continue the attack against the web server and potentially against other infrastructure nearby. Malware communication is the web traffic, calls for further instruction, between the malicious tools and attacker after installation.

Web Application Defense with ThreatX

ThreatX applies this web application kill chain methodology to classify attack patterns detected in order to make risk-based decisions to block, deceive, and/or tarpit requests from suspicious entities and stop malicious web requests.

We take these defensive actions by applying risk collected by an entity as they match known attack patterns or exhibit suspicious behavior, and by tracking each entity’s escalation through the kill chain stages. This method enables to make intelligence blocking, deception, or tar-pitting decision by weighing overall entity risk and their progress along the kill chain against the likelihood of individual false-positive detections.

Web Application Kill Chain

While threat actors rarely hit each step in the kill chain in succession, this type of calculated monitoring and identification enables security teams to understand the top targets, hacker intentions, and overall risk to their organization. These insights can trigger educated blocking decisions, and in combination with the right security solutions, organizations can stay one step ahead of their assailants, instead of consistently reacting.

Learn more about attacker-centric approaches to web application security during a webinar with SC Magazine – Beyond Signatures & Anomalies: Attacker-Centric Security.  


About the Author

Will Woodson

Will's background is in security operations, working in the financial services sector and as a federal employee in engineering & analytical roles. He holds several industry certifications including a CISSP and is active in multiple information security community groups.