The practicality of the Cyber Kill Chain approach to security

If you're one of those folks who read a lot of InfoSec news, you've no doubt heard a lot of mention of the effectiveness of a Cyber Kill Chain approach to security. If you managed to miss the hubbub, you may be wondering if that's the latest sci-fi movie starring the usual muscle-bound action hero. In this article we'll talk about what a Cyber Kill Chain approach is, and whether it might be a good fit for your organization.

[Zero information loss: A keystone habit to drive business success?]

In military parlance, a "Kill Chain" is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks. These stages are referred to as:







Ideally, the further towards the beginning of the Kill Chain an attack can be stopped, the better. The less information an attacker has, for instance, the less likely someone else can use that information to complete the attack at a later date.

The Cyber Kill Chain is a similar idea, which was put forth by Lockheed Martin, where the phases of a targeted attack are described. And likewise, they can be used for protection of an organization's network. The stages are:






Command & Control


In essence, it's a lot like a stereotypical burglary -- the thief will perform reconnaissance on a building before trying to infiltrate it, and then go through several more steps before actually making off with the loot. Using the Cyber Kill Chain to keep attackers from stealthily entering your network requires quite a bit of intelligence and visibility into what's happening in your network. You need to know when something is there that shouldn't be, so you can set the alarms to thwart the attack.

Another thing to keep in mind is the closer to the beginning of the chain you can stop an attack, the less costly and time-consuming the cleanup will be. If you don't stop the attack until it's already in your network, you'll have to fix those machines and do a whole lot of forensics work to find out what information they've made off with.

Lockheed Martin recently released details of its own success using a kill chain tactic to stop someone who had intruded on its network. It's not just something that applies to government contractors or giant corporations, though it does take quite a bit of work if you're not already set up to gather a whole lot of data about your digital resources.

Let's look at the various stages to determine what questions you should be asking yourself to decide whether it's feasible for your organization.

Reconnaissance: Viewing Your Network From the Outside

This is the stage where the criminals are trying to decide what are (and are not) good targets. From the outside, they try to find out what they can about your resources and your network to determine whether it is worth the effort. Ideally, they would like a target that is relatively unguarded and with valuable data. What information the criminals can find about your company, and how it might be used, could surprise you.

Companies often have more information available than they realize. Are names and contact details of your employees online? (Are you sure? Think social networks too, not just your own corporate website.) These could be used for social engineering purposes, say, for getting people to divulge usernames or passwords. Are there details about your web servers or physical locations online? These could be used for social engineering too, or to narrow down a list of possible exploits that would be useful to break into your environment.

This is a very tricky layer to try to control, particularly with the popularity of social networking, but it's also a fairly low-cost layer. Hiding sensitive information tends to be a fairly inexpensive change, though being thorough about finding the information can be time-intensive.

[6 essential components for security awareness programs]

Weaponization, Delivery, Exploit, Installation: Attempting to Enter

These stages are where the criminals craft a tool to attack their chosen target, using the information they have gathered, and put it to malicious use. The more information they can use, the more compelling a social engineering attack can be. They could use spear-phishing to gain access to internal corporate resources with the information they found on your employee's LinkedIn page. Or they could put a remote access Trojan into a file that appears to have crucial information on an upcoming event in order to entice its recipient into running it. If they know what software your users or servers run, including OS version and type, they can increase the likelihood of being able to exploit and install something within your network.

These layers of defense are where your standard security wonk advice comes in. Is your software up to date? (No really, all of it, on every machine. Most companies have that one box in some back room that is still running Windows 98. If it's ever connected to the Internet, it's like having a welcome mat outside your door.)

Do you use email and web filtering? Email filtering can be a good way to stop common document types that are used in attacks. If you require that files be sent in a standard way, such as in a password-protected ZIP archive, this can help your users know when files are being sent intentionally. Web filtering can help keep users from going to known bad sites or domains.

Have you disabled autoplay for USB devices? Giving files the chance to run without approval is seldom a good idea from a security perspective. It's better to give the user a chance to stop and think about what they're seeing before it launches. Do you use AV software with more-advanced functionality like IPS? While AV software is not intended to deal with brand-new targeted attacks, sometimes they can catch threats based on known suspicious behavior or known software exploits.

Command & Control: The Threat is Checking In

Once a threat has got in to your network, its next task will be to phone home and await instructions. This may be to download additional components, but more likely it will be contacting a botmaster in a Command & Control (C&C) channel. Either way, this requires network traffic, which means there is only one question to ask yourself here: Do you have a firewall that is set to alert on all new programs contacting the network?

If the threat has gotten this far, it's made changes to the machine and is going to require a lot more work from IT staff. Some companies or industries require that forensics be done on the affected machines to determine what data has been stolen or tampered with. And those affected machines will either need to be cleaned or reimaged -- it can be less costly and time-consuming if the data has been backed up and there is a standard corporate image that can be quickly replaced onto the machine.

[3 habits of successful data center security teams]

Actions: Time to Wreak Havoc

What the threats do at this point is entirely up to the attacker. It may steal data, it may spew spam or DDoS traffic, or it may steal CPU cycles for other purposes. If the threat has gotten this far, you can count on having to do all the work from the previous stages, but on a larger scale. It may have gone from one machine within the network to many (or all) of the machines in your network, it may have done a lot more damage or stolen a whole lot more data. If nothing has detected the file at this point, you may be dealing with an "Advanced Persistent Threat," which is a fancy way of saying that sufficient security measures were not in place to detect the threat.

Will Kill Chain Tactics Work for Your Organization?

If you don't already have security and visibility built into your corporate environment, this may seem like an impossible hill to climb. But implementing a Cyber Kill Chain doesnt have to be done overnight. Take smaller measures, completing stages as you are able. Do a check of your web presence to see what information it could give an attacker. Have each of your sites do an inventory of all computers so you can update them all. Implement layered security to decrease the possibility that threats will slip through unnoticed. Create a policy for dealing with malware events. Educate your staff about what to do with unexpected, suspicious emails.

With each step taken, you'll get more information about your environment. And the more information you have, the more likely you will be able to identify anomalous behavior.

Lysa Myers is a virus hunter for Intego and contributor to the InfoSec Institute.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about EngageIntegoIPSLockheed Martin

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lysa Myers

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place