Disturbing the Cyber Kill Chain

We transact in a business and personal world in which we hear of data breaches at an astonishing rate; we’re seeing threats proliferate almost exponentially across the industry and the news is rife with a plethora of updates on bad-actor groups or cyber-criminals successfully exploiting applications, systems and networks. Are we then at a tipping point? One where cyber criminals have the upper hand or one where the great cybersecurity battle against hacker cells or bad-actor groups is a lost cause for organisations and individuals? That said, the perception couldn’t be further from the reality. Stay one step ahead in the cybersecurity battlefield by understanding the “kill chain for cybersecurity.”

What is the “kill chain for cybersecurity”?
Well, it’s quite simply an articulation—based on years of research by U.S. military and intelligence organisations, and coined by Lockheed Martin—of how an attack proliferates through different stages, from what we like to represent as “Pre-Compromise” to “Post-Compromise” activity. This representation of the attack flow has been widely adopted by organisations to help them approach their defense strategy in the same way attackers approach infiltrating their businesses. The “kill chain” is incredibly relevant to how almost all threats and exploits we’re seeing in the industry today operate.

Why is the “kill chain” so fundamentally important to individuals or organisations in today’s threat landscape?
To answer that, you have to reflect on where you are today in terms of your own security strategy. What we have seen in the industry over the last 10 years or so is the era of “point security solutions”, in which IT or security managers (and in many cases both roles are one) have been sold the virtues of focusing budgets on point solutions for specific layers of the technology infrastructure, working in isolation from each other in the majority of cases. As an example, endpoint (server and client side) security tools would be chosen on the merits of a particular vendor’s claimed features and functions. Moving up the stack, they would look at how best to secure the networking infrastructure with packet-level monitoring tools, configuration and logging tools, and more, and then at adding gateway content inspection systems focused on web traffic (HTTP/S) and external-to-internal communications. Ultimately, this meant that companies were left with a myriad of vendors and products operating much like a “split brain”, diluting the overall security outcome required.

When you couple this challenge with the fact that those products require intensive management around feature updates and new content, plus expert resources able to analyse the information these tools generate in the context of the organisation and its threat profile, you can quickly see where a gap between the features being consumed and the maturity of the security capability starts to materialise.

This very real scenario illustrates the challenge that the industry has faced for quite some time. Very few security professionals have been armed with knowledge of the reality of how data is breached, how networks are exploited, and how bad actors and cyber-criminal groups access systems. Ultimately, this means that the security tools deployed have, more often than not, been hit and miss in terms of their effectiveness against the actual challenge faced from a cybersecurity perspective.

All things considered, it’s not a story of panic or hopelessness. If we take a deep breath, step back and apply the knowledge, steps and framework defined in the “kill chain” (i.e. how bad actors and cyber-criminals operate when attempting to breach an organisation or exfiltrate data) to what has been deployed from a technology perspective within the organisation, we can start to assess where gaps may exist in our capability to detect indicators of compromise (IOCs) at both the pre- and post-compromise stages.

The “kill chain” also allows organisations to question the effectiveness of their existing infrastructure at correlating data from each layer of the technology stack, looking for indicators of compromise (IOCs) in even the most advanced threats from a malware or exploit perspective. Furthermore, when you apply the “kill chain” to your own security practices and detection capabilities, you are then able to assess your ability to analyse all the relevant data points and ensure you have the right expertise in place to bring context to the data you’re correlating.

The industry long relied on SIEM technologies to deliver levels of correlation and security intelligence; however, the challenge was that these systems required an immense amount of configuration and rule management, and human expertise to decipher the information.

Today, companies are in a far better position to stay one step ahead in the great cyber threat landscape. Armed with the knowledge of the “kill chain”, born out of exhaustive and relevant military research into how bad actors and threats proliferate, organisations are better placed to understand whether their existing IT security infrastructure can remain effective. Furthermore, the “kill chain” provides a framework for identifying where gaps may exist in security capabilities, and an easy-to-articulate process by which we can educate employees and technology teams to be better prepared in today’s online world.
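As an added illustration of the two ideas above (correlating alerts from isolated point products into one view per host, and finding the stages none of those products report on), here is a small Python script that is not part of the original post or of any Alert Logic product. The alert lines, product names and the alert-to-stage mapping are constructed for the example; the stage names are the seven stages of the Lockheed Martin Cyber Kill Chain.

```python
from collections import defaultdict

# The seven Lockheed Martin Cyber Kill Chain stages, in attack order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]
# Treat everything up to and including Exploitation as "Pre-Compromise".
PRE_COMPROMISE = set(KILL_CHAIN[:4])

# Assumed mapping from (point product, alert type) to a kill-chain stage.
# In practice this table is what a "split-brain" estate never writes down.
STAGE_OF = {
    ("gateway", "phishing_attachment"): "Delivery",
    ("endpoint", "macro_spawned_shell"): "Exploitation",
    ("endpoint", "new_persistence_service"): "Installation",
    ("network", "beacon_to_rare_domain"): "Command and Control",
    ("network", "large_outbound_transfer"): "Actions on Objectives",
}

# Constructed sample alerts from three isolated tools: time,source,host,alert
SAMPLE_ALERTS = """\
09:01,gateway,ws-17,phishing_attachment
09:03,endpoint,ws-17,macro_spawned_shell
09:04,endpoint,ws-17,new_persistence_service
09:30,network,ws-17,beacon_to_rare_domain
10:15,network,ws-17,large_outbound_transfer
09:10,gateway,ws-22,phishing_attachment
"""

def correlate(raw):
    """Group alerts by host; return the kill-chain stages seen, in chain order."""
    seen = defaultdict(set)
    for line in raw.strip().splitlines():
        _time, source, host, alert = line.split(",")
        stage = STAGE_OF.get((source, alert))
        if stage:  # alerts no product maps to a stage are ignored
            seen[host].add(stage)
    return {h: [s for s in KILL_CHAIN if s in st] for h, st in seen.items()}

def post_compromise_hosts(chains):
    """Hosts where any observed stage lies beyond Pre-Compromise."""
    return sorted(h for h, st in chains.items()
                  if any(s not in PRE_COMPROMISE for s in st))

def coverage_gaps(mapping=STAGE_OF):
    """Stages that no deployed product reports on: the estate's blind spots."""
    covered = set(mapping.values())
    return [s for s in KILL_CHAIN if s not in covered]

if __name__ == "__main__":
    chains = correlate(SAMPLE_ALERTS)
    for host, stages in chains.items():
        print(host, "->", " > ".join(stages))
    print("post-compromise:", post_compromise_hosts(chains))
    print("uncovered stages:", coverage_gaps())
```

Run on the constructed alerts, ws-17 shows a full Delivery-to-Actions-on-Objectives chain that no single product would have seen, while the mapping reveals that nothing in this estate covers Reconnaissance or Weaponization.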


About the Author

Richard Cassidy - Technical Director - EMEA

Richard Cassidy has worked in the Cloud Infrastructure, Cloud Security, Cloud Services, MDM, Core Networking, Security, and Virtualization markets for over 16 years, working with customers across every vertical from small office through to multi-national corporates, manufacturers, government, military, finance, and retail organizations. In his role as an expert product lead and technical evangelist for Alert Logic solutions, he is responsible for developing and implementing the technical strategy for international business.

@rvcassidy