By Maria Korolov, Lysa Myers
Nov. 8, 2017
As an infosec professional, you’ve likely heard about using a cyber kill chain, also known as a cyber attack lifecycle, to help identify and prevent intrusions. Attackers are evolving their methods, which might require that you look at the cyber kill chain differently. What follows is a recap of what the cyber kill chain approach to security is and how you might employ it in today’s threat environment.
What is a cyber kill chain?
In military parlance, a "kill chain" is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks. These stages are referred to as:
[ Get a deeper look at the business impact of a cyberattack. | Get the latest from CSO by signing up for our newsletters. ]
The closer to the beginning of the kill chain an attack can be stopped, the better. The less information an attacker has, for instance, the less likely someone else can use that information to complete the attack later.
The cyber kill chain is a similar idea, which was put forth by Lockheed Martin, where the phases of a targeted attack are described. Likewise, they can be used for protection of an organization's network. The stages are shown in the graphic below.
It's a lot like a stereotypical burglary. The thief will perform reconnaissance on a building before trying to infiltrate it, and then go through several more steps before actually making off with the loot. Using the cyber kill chain to keep attackers from stealthily entering your network requires quite a bit of intelligence and visibility into what's happening in your network. You need to know when something is there that shouldn't be, so you can set the alarms to thwart the attack.
Another thing to keep in mind is the closer to the beginning of the chain you can stop an attack, the less costly and time-consuming the cleanup will be. If you don't stop the attack until it's already in your network, you'll have to fix those machines and do a whole lot of forensics work to find out what information they've made off with.
Let's look at the various stages to determine what questions you should be asking yourself to decide whether it's feasible for your organization.
Reconnaissance: Viewing your network from the outside
At this stage, criminals are trying to decide what are (and are not) good targets. From the outside, they learn what they can about your resources and your network to determine whether it is worth the effort. Ideally, they want a target that is relatively unguarded and with valuable data. What information the criminals can find about your company, and how it might be used, could surprise you.