Understanding The Cyber Kill Chain

The cyber kill chain concept is based on the military kill chain, which uses a three-stage process that covers target identification, defending against the attack and wiping out the target. Lockheed Martin started using the term "kill chain" to refer to information security. It applies these same steps to cyber attackers who attempt to break into its computer network and corrupt or steal data. While the analogy may not always be a perfect one when you compare the cyber kill chain to the original military one, the concept lets you break a cyber attack into easily comprehensible stages.

The Cyber Kill Chain

The cyber version of the kill chain takes you from the early reconnaissance all the way to the data exfiltration. You gain comprehensive insight into the full process and the steps that are required to prevent intruders from making any meaningful headway into your network. The threats to your business environment go through the following distinct stages:

  • Reconnaissance: Hackers are going to take a look at your virtual environment before they take actions that have a high potential to lead to detection. Specifically, they're looking for vulnerable endpoints, ways to exploit their way into your systems, and any other information that aids their ultimate goal.
  • Weaponization: The intruders have found a foothold into your network. Now they just need to build the weapon that will let them in. Typically, this weapon takes the form of malware.
  • Delivery: The hackers need to get their weapon onto the target. Depending on the areas that they can exploit in your network security, they may send the malware via email attachments, website links, compromised USB drives or other routes to drive installation of their remote access weapon.
  • Exploitation: Now the weapon does its damage. The malware is activated by some type of trigger, and the identified vulnerability is exploited.
  • Installation: Once the malware activates, the hackers end up with a backdoor they can freely use to get into your business network.
  • Command and control: The intruders have access to your network whenever they want — and may go entirely unnoticed in the process.
  • Actions on objective: Finally, the intruders attempt to execute their final goal. They may be after your data to sell, seeking out the destruction of your vital systems, or wanting to put ransomware in place to get money.

Mounting a Defense

So what can you do against this type of attack? They happen every day at organizations large and small, and the cost of data breaches continues to rise. Here are the steps you take when you're attempting to break a cyber kill chain:

  • Detect: Ideally, you detect attackers early on so you can prepare an appropriate defense. You might be able to derail them immediately, but that's not always possible.
  • Deny: The hackers might be able to get into your network, but with this defense, you stop them from getting any sensitive information or breaking into critical parts of your computer network.
  • Disrupt: You can disrupt their process in two ways. The first is stopping any traffic from reaching the attackers, while the second is changing it, so they aren't getting what they want.
  • Degrade: You step in and stop the command and control part of the cyber kill chain, making it difficult or impossible for the attackers to maintain their connection to your compromised network.
  • Deceive: The attackers might think that they're in full control of your network resources, but you have actually routed them elsewhere, so they're unable to do any damage.
  • Contain: You separate the attackers from the rest of your network, so they're only capable of inflicting limited damage and disruption.
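The two lists above are how analysts actually use the model in practice: each detection is tagged with the kill-chain stage it belongs to, the furthest stage reached per host tells you how deep the intrusion got, the stages that produced no detection on the way there are visibility gaps, and the defensive actions available at the furthest stage tell you how the chain can still be broken. The following is an added example illustrating that workflow; it is not code from the original article or from Lockheed Martin. The detector signature names, the telemetry lines and the course-of-action matrix are all constructed for the example.

```python
"""Map constructed detection events onto the seven kill-chain phases and
report, per host, how far the intrusion progressed, which intermediate
phases went unobserved, and which defensive actions still apply."""
from collections import defaultdict

# The seven phases in the order the article lists them.
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objective",
]
PHASE_INDEX = {phase: i for i, phase in enumerate(PHASES)}

# Defensive actions that are realistic at each phase (detect, deny, disrupt,
# degrade, deceive, contain). Assumption: an illustrative matrix built for
# this example, not Lockheed Martin's published one.
COURSES_OF_ACTION = {
    "reconnaissance": ["detect", "deny"],
    "weaponization": ["detect"],
    "delivery": ["detect", "deny", "disrupt"],
    "exploitation": ["detect", "deny", "disrupt"],
    "installation": ["detect", "deny", "disrupt", "contain"],
    "command_and_control": ["detect", "deny", "disrupt", "degrade", "deceive", "contain"],
    "actions_on_objective": ["detect", "deny", "disrupt", "deceive", "contain"],
}

# Detector signature -> kill-chain phase. Assumption: the signature names are
# constructed for this example and do not correspond to any real product.
SIGNATURE_PHASE = {
    "external_port_scan": "reconnaissance",
    "phishing_attachment_detected": "delivery",
    "macro_spawned_shell": "exploitation",
    "new_autorun_service": "installation",
    "beacon_to_rare_domain": "command_and_control",
    "bulk_outbound_transfer": "actions_on_objective",
}


def parse_event(line):
    """Parse one 'key=value key=value' detection line into a dict and tag
    it with the phase its signature maps to (None if the signature is unknown)."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["phase"] = SIGNATURE_PHASE.get(fields.get("sig"))
    return fields


def phases_by_host(lines):
    """Return {host: set of phases observed} for events with a known signature."""
    seen = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if event["phase"]:
            seen[event["host"]].add(event["phase"])
    return dict(seen)


def furthest_phase(phases):
    """Latest kill-chain phase in a set of phases, or None if the set is empty."""
    return max(phases, key=PHASE_INDEX.__getitem__, default=None)


def visibility_gaps(phases):
    """Phases between the first and the furthest observed phase that produced
    no detection: the intruder passed through them without anything firing."""
    if not phases:
        return []
    first = min(phases, key=PHASE_INDEX.__getitem__)
    last = furthest_phase(phases)
    between = PHASES[PHASE_INDEX[first] + 1:PHASE_INDEX[last]]
    return [phase for phase in between if phase not in phases]


def triage(lines):
    """Per-host summary: furthest phase reached, visibility gaps, and the
    defensive actions the matrix allows at that furthest phase."""
    report = {}
    for host, phases in phases_by_host(lines).items():
        top = furthest_phase(phases)
        report[host] = {
            "furthest_phase": top,
            "gaps": visibility_gaps(phases),
            "courses_of_action": COURSES_OF_ACTION[top],
        }
    return report


# Constructed sample telemetry (not real logs). ws-42 was seen at delivery and
# then again at command and control and exfiltration, with nothing detected in
# between; ws-17 stopped at delivery; ws-99 only triggered an unmapped signature.
SAMPLE = [
    "ts=2024-01-01T08:00:00Z host=edge-fw sig=external_port_scan",
    "ts=2024-01-01T09:10:00Z host=ws-17 sig=phishing_attachment_detected",
    "ts=2024-01-01T09:12:00Z host=ws-42 sig=phishing_attachment_detected",
    "ts=2024-01-01T11:40:00Z host=ws-42 sig=beacon_to_rare_domain",
    "ts=2024-01-02T02:05:00Z host=ws-42 sig=bulk_outbound_transfer",
    "ts=2024-01-02T02:06:00Z host=ws-99 sig=unmapped_signature",
]

if __name__ == "__main__":
    for host, summary in triage(SAMPLE).items():
        print(host, summary)
```

Running the block on the constructed telemetry reports ws-42 as having reached actions on objective with gaps at exploitation and installation, which is exactly the blind spot the article warns about: perimeter-facing detections saw the delivery, nothing inside the network saw the compromise, and the next detection came from outbound command-and-control traffic.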

Thoughts on the Cyber Kill Chain

Lockheed Martin certainly has a great analogy on its hands when it comes to the cyber kill chain, but there are a few problems with this seemingly foolproof strategy.

The biggest issue is that the cyber kill chain places too much importance on perimeter-based network security. Today's sophisticated cyber attacks have many ways of overcoming intrusion prevention technology. All it takes is one vulnerability in a perimeter to let intruders in. When most of your security technology is geared toward keeping malware and intruders outside the perimeter, it is ill-suited to dealing with a compromised network once they're inside.

You can still use the cyber kill chain model if you prefer, but you need to incorporate defense mechanisms that can cope with intruders who are already marauding through your business network. Protecting your organization from cybercriminals is a difficult enough process as it is. Before you adopt an exciting-sounding concept for your security measures, make sure it's well-suited to the modern computer security world.
