Security Experts:

Snapping Links in the Kill Chain: Lessons Learned from a Stealth Pilot

"Adversaries have to build a kill chain. We're not trying to prevent every aspect of that chain, just snap one of those links." 

That statement was made by retired Marine Maj. Dan Flatley in a recent Business Insider article on the value of breaking the kill chain. Flatley is a former F-35 pilot; The F-35 is a stealth fighter, and one of the most sophisticated and technologically advanced jets in the air today.

According to Flatley, the process for shooting down a stealth fighter jet requires that the adversary find, fix, track, target, and “consummate” the kill.  In other words, to stop this from happening, one just has to break a single link in the kill chain, i.e. stop one of the phases.

Sound familiar? 

F-35In military terms, a kill chain describes phases or stages of an attack. This is a similar definition that “Lockheed Martin” used in 2013 to describe the cyber kill chain. The cyber kill chain represents the different phases to describe how an adversary infiltrates the enterprise, then moves laterally to a specific endpoint that has sensitive data before exfiltrating it.

There are several benefits of understanding the kill chain:

 Attacker versus defender perspective – The ability to see how you are viewed as a target allows you to take a critical view of your current security controls to make sure they are deployed and calibrated to meet your needs. You can use this view to test assumptions and probe for weaknesses using the techniques that hackers use to get in, move through, and exfiltrate data from a network

 Breaking the kill chain – While we all preach the philosophy of a defense-in-depth strategy with a layered number of security products, the reality is we have too many point products generating too many alerts with not enough people to manage them. When it comes to network defense and breach prevention, it’s not necessary to stop everything all the time. Your attacker has a specific objective. To stop them from consummating their attack, you just need to disrupt the hacker and prevent them from finishing their task.

This sounds great in theory. But, do technologies exist today to visualize the kill chain? How do you decide where to focus your security efforts to break the kill chain? Let’s take a look at three different approaches.

Some SIEMS provide you with the option to create customized widgets within your dashboards. You can collate logs from multiple systems to gain visibility into what is happening in various phases of the kill chain. For example, collecting logs and alerts from firewalls, IPS/IDS, and network monitoring services would help with understanding port scanning. This would all be incorporated into the reconnaissance widget within the SIEM dashboard. However, this approach takes the “defender” perspective, and is more of a log aggregation exercise. As we established earlier, there is already insufficient manpower available to analyze logs and alerts; grouping logs and alerts into different widgets is more of a technical configuration view.

There are vulnerability management systems that attempt to model threats by grouping vulnerabilities and associated exploits into kill chain phases. For example, in order to understand the risks associated with infiltration, you might identify the number of internet-facing systems with exploitable and vulnerable endpoints. However, the issue with modeling the kill chain based on vulnerabilities is you are limited to a very specific attacker technique. This assumption  is very theoretical – an attacker may not take advantage of vulnerabilities; there are a number of non-vulnerability based techniques like social engineering or phishing that are more popular.

The final approach is using breach and attack simulation technologies. Defined by Gartner recently in their “Hype Cycle for Threat Facing Technologies” report, this technology actually simulates hacker breach methods by dropping simulators in various security zones – endpoint, network, cloud. A properly designed Breach and Attack Simulation platform offers a visual of the cyber kill chain based on the success of the hacker breach methods executed, and the types of assets an organization is trying to protect. Insights are offered on which security controls are working or broken against various types of attacks.

This attacker-based view allows you to take steps to snap the links that make up the kill chain by closing any security gaps you find, recalibrating your current assets and investing wisely in new assets that meet your known needs. You can train security teams to recognize and respond to threats in real-time with a plan that is practiced, and you can also effect relevant training and awareness programs to minimize the human factor that too often proves to be the focus of attack. You’ll have data to answer the question, “How Secure Am I?”

No one expects an F-35 pilot to earn his or her wings, but never climb into the cockpit except to fly an actual combat mission. Pilots, along with air and ground crews, spend their days practicing their craft under simulated conditions and facing contingencies that they are likely to endure under hostile circumstances. They train for different terrain and weather; they train to use a wide array of weapons; they train for daylight and nighttime operations; they train for equipment failure. They train so that when the call is made to scramble, they are prepared to succeed under whatever conditions they might face and to ensure, as Flatley says, both survivability and lethality against a determined adversary.

In the security world, breach and attack simulation is a good approach to visualize the adversary and his/her kill chain. Breach and attack simulation provides great technical introspection and visibility into our network; to take as much interest as a hacker would and to find the cracks before they do. Without this information, bolting on a new widget won’t be much help even if the widget itself is a great product that can add real value to your defenses. 

Already in 2017 there have been more than 2,200 reported data breaches affecting more than 6 billion records. Those troubling statistics should be enough to convince you that, collectively, what we are doing as an industry to safeguard our data is not working. Let’s not work harder; instead let us work smarter, and snap the right links in our enemy’s kill chain.

view counter
Danelle is VP of Strategy and Marketing at SafeBreach. She has more than 15 years of experience bringing new technologies to market. Prior to SafeBreach, Danelle led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also responsible for security solutions at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of an IP Communications Book and holds 2 U.S. Patents. You can follow her at @DanelleAu.