What is the cyber kill chain? Why it's not always the right approach to cyber attacks

Lockheed Martin's cyber kill chain approach breaks down each stage of a malware attack where you can identify and stop it, but be aware of how attack strategies are changing.


The use of Bitcoins makes it easier and safer for the attackers to receive money, he adds, which contributes to the change in the motivation behind attacks. The number of different groups involved in the consumption of stolen data has also become more complicated. That could, potentially, create opportunities for enterprise to work with law enforcement authorities and other groups to disrupt the process.

Take, for example, stolen payment card information. "Once credit card data is stolen, the numbers have to be tested, sold, used to procure goods or services, and those goods or services in turn have to be sold to convert them to cash," says Monzy Merza, head of security research at Splunk, Inc. All of this is outside the traditional kill chain of a cyberattack, he says. Another area where the black market ecosystem impacts the cyberattack life cycle is before the attack begins. Attackers share lists of compromised credentials, of vulnerable ports, of unpatched applications.

That's a treasure-trove of low-hanging fruit, says Nils Swart, head of products at Skyport Systems, Inc. "I'd expect more datasets to become available," he says.

Beyond the firewall

The traditional cyberattack life cycle also misses attacks that never touch enterprise systems at all. For example, companies are increasingly using third-party software-as-a-service (SaaS) providers to manage their valuable data. Defending against attackers who buy their logins on the black market and never even touch a company's own infrastructure requires a completely different defense strategy, such as switching to a centralized, single sign-on system with two-factor authentication.
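The paragraph above names a second factor as the defense that makes a purchased login insufficient on its own. The following is an added example, not code from the article or from any of the vendors quoted in it: a minimal RFC 6238 TOTP verifier of the kind a single sign-on service checks after the password. The shared secret is the RFC 4226 test-vector secret, and the `sso_login` function and its parameters are assumptions of this example.

```python
"""Added example: why a bought password alone fails at an SSO with TOTP.

Implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only.
The secret below is the RFC 4226 test-vector secret, not a real deployment value.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, step: int = 30,
                skew: int = 1, last_used: int = -1):
    """Return the counter that matched, or None.

    Accepts the current step plus `skew` steps on either side to tolerate clock
    drift. Counters at or below `last_used` are refused so a code observed in
    transit cannot be replayed within the window; the caller stores the
    returned counter as the new `last_used`.
    """
    counter = at_time // step
    for c in range(counter - skew, counter + skew + 1):
        if c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c
    return None


def sso_login(password_ok: bool, submitted_code: str, secret: bytes,
              at_time: int, last_used: int = -1) -> bool:
    """Hypothetical SSO check: both factors must pass.

    A credential list bought on the black market yields password_ok=True at
    best; without the enrolled device's secret the second factor still fails.
    """
    if not password_ok:
        return False
    return verify_totp(secret, submitted_code, at_time, last_used=last_used) is not None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("password only:", sso_login(True, "000000", RFC_SECRET, now))
    print("password + current code:", sso_login(True, code, RFC_SECRET, now))
```

The replay check matters in practice: a TOTP window of three steps is 90 seconds, long enough for a code captured by a phishing proxy to be reused unless the matched counter is recorded per user.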

Then there are the attacks against third-party providers -- or even fourth-party providers. Law firms, marketing firms, and other vendors may have access to sensitive corporate documents. Financial institutions often use third-party processing systems. Health organizations routinely rely on outside vendors.

"The problem has grown exponentially in size given the amount of logins people have, the amount of SaaS services there are, the amount of third-party connections that exist," says Ross Rustici, senior director at Cybereason, Inc. "You could have a business-ending hack without your core network, the one you have control over, ever being touched."

To avoid breaches and regulatory fines, organizations need security processes that reach beyond the boundaries of their own networks. That includes document management systems, third-party audits, and vendor agreements that require providers to maintain the needed security controls and hold adequate cyber insurance policies.

"That is a fundamental shift in how we have to think about security," says Rustici. "Technically and legally, it's possible. In practice, it's rarely done, and that has to do as much with the fact that it's a mindset shift and a change in how we perceive the problem. It's the next evolution of cybersecurity, the next evolution of IT networks, the next evolution of how businesses operate."

Next-gen kill chain frameworks

Instead of the Lockheed Martin cyberattack kill chain, some organizations are looking for a more flexible, and comprehensive, way of thinking about cyber attacks. A leading contender is the Mitre ATT&CK framework. "There's a huge movement to show actual attack techniques tied to each step in the kill chain, and this is what ATT&CK from Mitre has done," says Ben Johnson, CTO at Obsidian Security, Inc. "It's received incredible reception and buy-in from vendors and the community."
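To make concrete what "attack techniques tied to each step in the kill chain" looks like in a detection pipeline, here is an added example (not code from the article, from MITRE, or from Lockheed Martin). It carries a handful of real ATT&CK technique IDs with their published tactics, but the tactic-to-phase table is an assumption of this example, since neither framework defines an official mapping to the other. The alert format and the function names are likewise illustrative.

```python
"""Added example: tying ATT&CK techniques back to Lockheed Martin kill chain phases.

TACTIC_TO_PHASE is an illustrative mapping assumed for this example; the
technique IDs and tactic names are real ATT&CK entries.
"""

# Lockheed Martin kill chain phases, in order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command-and-control", "actions-on-objectives",
]

# Assumed mapping from ATT&CK tactics to the kill chain phase they most resemble.
TACTIC_TO_PHASE = {
    "reconnaissance": "reconnaissance",
    "resource-development": "weaponization",
    "initial-access": "delivery",
    "execution": "exploitation",
    "persistence": "installation",
    "privilege-escalation": "installation",
    "defense-evasion": "installation",
    "credential-access": "actions-on-objectives",
    "discovery": "actions-on-objectives",
    "lateral-movement": "actions-on-objectives",
    "collection": "actions-on-objectives",
    "command-and-control": "command-and-control",
    "exfiltration": "actions-on-objectives",
    "impact": "actions-on-objectives",
}

# Small subset of real ATT&CK techniques: id -> (name, tactics).
TECHNIQUES = {
    "T1595": ("Active Scanning", ["reconnaissance"]),
    "T1588": ("Obtain Capabilities", ["resource-development"]),
    "T1566": ("Phishing", ["initial-access"]),
    "T1078": ("Valid Accounts", ["initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1071": ("Application Layer Protocol", ["command-and-control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["exfiltration"]),
}


def phases_for_technique(tid: str) -> list:
    """Kill chain phases a technique can appear in, in chain order."""
    _name, tactics = TECHNIQUES[tid]
    return sorted({TACTIC_TO_PHASE[t] for t in tactics}, key=KILL_CHAIN.index)


def earliest_phase(observed: list):
    """Earliest kill chain phase implied by a set of observed technique IDs."""
    phases = set()
    for tid in observed:
        phases.update(phases_for_technique(tid))
    return min(phases, key=KILL_CHAIN.index) if phases else None


def coverage_gaps(detected: list) -> list:
    """Phases with no detection among the techniques a rule set can flag."""
    covered = set()
    for tid in detected:
        covered.update(phases_for_technique(tid))
    return [p for p in KILL_CHAIN if p not in covered]


def summarize_alerts(alerts: list) -> dict:
    """Roll constructed SIEM-style alerts up to a phase-level view."""
    observed = [a["technique"] for a in alerts if a["technique"] in TECHNIQUES]
    return {
        "techniques": sorted(set(observed)),
        "earliest_phase": earliest_phase(observed),
        "phases": sorted({p for t in observed for p in phases_for_technique(t)},
                         key=KILL_CHAIN.index),
    }


if __name__ == "__main__":
    # Constructed alerts: a login with purchased credentials followed by exfiltration.
    alerts = [
        {"host": "vpn-gw", "technique": "T1078", "detail": "login from new geo"},
        {"host": "fileshare", "technique": "T1041", "detail": "large upload over C2 channel"},
    ]
    print(summarize_alerts(alerts))
    print("gaps for rule set:", coverage_gaps(["T1566", "T1059", "T1071"]))
```

The Valid Accounts case (T1078) illustrates the article's point: an attacker who logs in with bought credentials lands at the delivery phase with no reconnaissance, weaponization or exploitation stage for a malware-centric kill chain to catch, and the `coverage_gaps` output shows where a rule set has no technique mapped at all.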

Another framework is the Cyber Threat Framework from the Office of the Director of National Intelligence, which was endorsed by the Office of Management and Budget this spring. It's touted as a better framework to have a common cybersecurity language across federal agencies, says Mounir Hahad, head of threat research at Juniper Networks, Inc. It is also more general than the Lockheed Martin one, and not centered around malware, but doesn't seem to be taking off. "I have not seen much in terms of industry adoption of this framework yet," says Hahad.

"We shouldn’t be relying on frameworks to explain everything," says Rod Soto, director of security research at Jask. "Adversarial drift is dynamic by nature. Attackers’ tools, techniques and procedures will continue to change as new defense measures make them obsolete. Frameworks like the cyber kill chain can be a part of our tool kit, but it’s up to us as security pros to continue to think creatively so we’re keeping up with attackers and their innovations."

Copyright © 2018 IDG Communications, Inc.
