Why the ‘cyber kill chain’ needs an upgrade

From Black Hat conference: Security pros need to focus more on catching attackers after they’ve broken in

One of the most popular models for analyzing cyberattacks doesn’t focus enough on what to do after adversaries break into networks successfully, which they inevitably will do, Black Hat 2016 attendees were told this week in Las Vegas.

“Every attacker will become an insider if they are persistent enough,” says Sean Malone, a security consultant who spoke at the conference. “We need to operate under a presumption of breach.”


He’s critical of a popular defense model called the cyber kill chain, which defines seven steps attackers must complete in order to succeed: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.

The problem with it is that it assumes a traditional perimeter defense where a firewall is the main impediment to intruders. But that is no longer the case, so organizations must beef up defenses within that perimeter, Malone says.

The New Cyber Kill Chain

That means adding more steps, which are actually the same set only this time preceded by the word internal, so the kill chain becomes internal reconnaissance, internal weaponization and so forth. Internal exploitation, for instance, might include privilege escalation, lateral movement within the network and manipulating individual targeted machines.

During internal reconnaissance, adversaries have access to a single user’s workstation and will data-mine it for local files, network shares, browser history, and access to wikis and SharePoint. The objective is to figure out how that machine might help map the network and enable moving to more valuable assets.

At each stage of the internal cyber kill chain, security architects should figure out what tactics, techniques and procedures (TTPs) adversaries are likely to use and then set up defensive TTPs to counter them. In the case of internal exploitation, that might mean patching fully, including development and test systems, and installing effective endpoint protection products.
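As an added illustration of the “defensive TTP” idea, here is a small detector for two of the internal stages described above: a workstation that opens many distinct network shares in a short window (internal reconnaissance) and an account that logs on to many distinct hosts in a short window (lateral movement). This is example code written for this page, not from Malone’s talk or any product; the pipe-delimited log format, the sample lines, and the thresholds and five-minute window are all assumptions that would need tuning against a real environment’s authentication and file-share audit logs.

```python
"""
Added example (not from the original article): sliding-window detection of
internal reconnaissance (share enumeration) and lateral movement (one account
logging on to many hosts). Log format, sample data and thresholds are assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|source_host|account|event|target".
# SHARE_ACCESS = a share on 'target' was opened from 'source_host'.
# LOGON        = 'account' logged on to 'target' from 'source_host'.
# WS-017/jdoe sweeps six shares in 30 seconds; WS-042/asmith touches five
# shares spread over three hours (normal use); svc_backup hits four servers
# in about a minute.
SAMPLE_LOG = """\
2016-08-03T09:00:01|WS-017|jdoe|SHARE_ACCESS|FS01/Finance
2016-08-03T09:00:04|WS-017|jdoe|SHARE_ACCESS|FS01/HR
2016-08-03T09:00:09|WS-017|jdoe|SHARE_ACCESS|FS02/Engineering
2016-08-03T09:00:15|WS-017|jdoe|SHARE_ACCESS|FS02/Backups
2016-08-03T09:00:21|WS-017|jdoe|SHARE_ACCESS|FS03/IT-Docs
2016-08-03T09:00:30|WS-017|jdoe|SHARE_ACCESS|FS03/Wiki
2016-08-03T09:05:00|WS-042|asmith|SHARE_ACCESS|FS01/Finance
2016-08-03T10:00:00|WS-042|asmith|SHARE_ACCESS|FS01/HR
2016-08-03T11:00:00|WS-042|asmith|SHARE_ACCESS|FS02/Engineering
2016-08-03T11:30:00|WS-042|asmith|SHARE_ACCESS|FS02/Backups
2016-08-03T12:00:00|WS-042|asmith|SHARE_ACCESS|FS03/IT-Docs
2016-08-03T13:00:00|WS-017|svc_backup|LOGON|SRV-DB01
2016-08-03T13:00:20|WS-017|svc_backup|LOGON|SRV-APP01
2016-08-03T13:00:45|WS-017|svc_backup|LOGON|SRV-FILE01
2016-08-03T13:01:10|WS-017|svc_backup|LOGON|SRV-DC01
"""


def parse_log(text):
    """Parse the assumed pipe-delimited format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, account, event, target = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "account": account,
            "event": event,
            "target": target,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def windowed_distinct(events, key_field, event_type, threshold, window):
    """Return {key: sorted targets} for every key (host or account) whose
    events of event_type touched >= threshold distinct targets inside any
    sliding window of the given length. Events are assumed time-sorted."""
    recent = defaultdict(deque)   # key -> deque of (ts, target) still in window
    alerts = {}
    for e in events:
        if e["event"] != event_type:
            continue
        key = e[key_field]
        q = recent[key]
        q.append((e["ts"], e["target"]))
        # Drop entries that have aged out of the window.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold:
            # Keep the union of everything seen once the threshold is crossed.
            alerts[key] = sorted(set(alerts.get(key, ())) | distinct)
    return alerts


def detect_share_enumeration(events, threshold=5, window=timedelta(minutes=5)):
    """Internal reconnaissance: one source host opening many distinct shares."""
    return windowed_distinct(events, "src", "SHARE_ACCESS", threshold, window)


def detect_lateral_logons(events, threshold=4, window=timedelta(minutes=5)):
    """Lateral movement: one account logging on to many distinct hosts."""
    return windowed_distinct(events, "account", "LOGON", threshold, window)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, shares in detect_share_enumeration(evs).items():
        print(f"[recon]   {host} opened {len(shares)} distinct shares within 5 min: {shares}")
    for acct, hosts in detect_lateral_logons(evs).items():
        print(f"[lateral] {acct} logged on to {len(hosts)} hosts within 5 min: {hosts}")
```

Run as a script, it flags WS-017 for the share sweep and svc_backup for the logon burst, and stays quiet about asmith, whose five shares are spread across the morning. The detector is deliberately behavioural rather than signature-based: it does not care which tool produced the share or logon events, only that the pattern matches what the internal reconnaissance and lateral movement stages look like from the defender's side.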

Each of the attack phases once inside a victim’s network can take anywhere from minutes to months, including a final dwell period when the attack is staged and ready to go. The attacker will hold off for the optimal moment to launch in order to get the most impact, Malone says.

Reconnaissance and weaponization might each take months. It’s hard to disrupt weaponization because it takes place offline at the attacker’s sites. But defenders can take steps to harden their systems and applications so weaponization is more difficult, Malone says. This might also include introducing false devices on the network – obfuscation – to make the task harder.

This new kill chain extends into what happens in recovery after a successful attack is carried out. Corporate cybersecurity teams need to have a plan in place for dealing with reporting breaches, contacting law enforcement, dealing with adverse publicity and the like. Each of these steps should be thought through with a plan and personnel in place to deal with them, he says.

The larger goal is to build a more resilient enterprise. It won’t stop all adversaries, but it will stop more. One of the objectives is to prepare good defenses at every step of the kill chain in order to slow down attackers and make it more and more costly to continue.

“You have to ask what would you do if the adversary has access to the internal corporate network, usernames and passwords, all documentation and specifications of the network devices, systems, backups and applications,” Malone says.

Attackers have goals, he says, and are willing to expend a certain amount of resources to achieve them. If defenders can boost the cost – whether monetary, personnel or time – above the value the attackers expect to reap, then they can succeed more often, Malone says. It’s an economic model based on the premise that no defenses will be perfect.

Stories by Tim Greene