
Snapping Links in the Kill Chain: Lessons Learned from a Stealth Pilot

“Adversaries have to build a kill chain. We’re not trying to prevent every aspect of that chain, just snap one of those links.” 


That statement was made by retired Marine Maj. Dan Flatley in a recent Business Insider article on the value of breaking the kill chain. Flatley is a former F-35 pilot; the F-35 is a stealth fighter, and one of the most sophisticated and technologically advanced jets in the air today.

According to Flatley, shooting down a stealth fighter jet requires that the adversary find, fix, track, target, and “consummate” the kill. In other words, to stop this from happening, one only has to break a single link in the kill chain, i.e. stop one of the phases.

Sound familiar? 

In military terms, a kill chain describes the phases or stages of an attack. Lockheed Martin used a similar definition in 2013 to describe the cyber kill chain: the phases through which an adversary infiltrates the enterprise, moves laterally to a specific endpoint that holds sensitive data, and then exfiltrates it.

There are several benefits of understanding the kill chain:

Attacker versus defender perspective – The ability to see how you are viewed as a target allows you to take a critical view of your current security controls to make sure they are deployed and calibrated to meet your needs. You can use this view to test assumptions and probe for weaknesses using the techniques that hackers use to get in, move through, and exfiltrate data from a network.

Breaking the kill chain – While we all preach the philosophy of a defense-in-depth strategy with a layered set of security products, the reality is that we have too many point products generating too many alerts and not enough people to manage them. When it comes to network defense and breach prevention, it is not necessary to stop everything all the time. Your attacker has a specific objective. To stop them from consummating their attack, you only need to disrupt the hacker at one point and prevent them from finishing their task.

This sounds great in theory. But, do technologies exist today to visualize the kill chain? How do you decide where to focus your security efforts to break the kill chain? Let’s take a look at three different approaches.


Some SIEMs provide the option to create customized widgets within your dashboards. You can collate logs from multiple systems to gain visibility into what is happening in the various phases of the kill chain. For example, collecting logs and alerts from firewalls, IPS/IDS, and network monitoring services would help with understanding port scanning, and this would all be incorporated into the reconnaissance widget of the SIEM dashboard. However, this approach takes the “defender” perspective and is largely a log aggregation exercise. As we established earlier, there is already insufficient manpower available to analyze logs and alerts; grouping them into different widgets is a configuration change that does not reduce the analysis burden.
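As an added illustration of the SIEM widget approach (this is not code from the article or from any SIEM product), the Python below collates constructed firewall and IDS log lines into a reconnaissance widget, flagging sources that touch many distinct ports on one host and bucketing IDS alerts by kill chain phase. The log formats, IP addresses and signature names are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample logs (not a real vendor format): firewall decisions and IDS alerts.
FIREWALL_LOGS = [
    "2017-06-01T10:00:01 fw DENY src=203.0.113.7 dst=198.51.100.10 dport=21",
    "2017-06-01T10:00:01 fw DENY src=203.0.113.7 dst=198.51.100.10 dport=22",
    "2017-06-01T10:00:02 fw DENY src=203.0.113.7 dst=198.51.100.10 dport=23",
    "2017-06-01T10:00:02 fw DENY src=203.0.113.7 dst=198.51.100.10 dport=25",
    "2017-06-01T10:00:03 fw DENY src=203.0.113.7 dst=198.51.100.10 dport=80",
    "2017-06-01T10:00:09 fw ALLOW src=192.0.2.44 dst=198.51.100.10 dport=443",
    "2017-06-01T10:00:10 fw ALLOW src=192.0.2.44 dst=198.51.100.10 dport=443",
]
IDS_ALERTS = [
    "2017-06-01T10:00:05 ids ALERT sig=portscan src=203.0.113.7",
    "2017-06-01T10:01:30 ids ALERT sig=sql-injection src=192.0.2.99",
]

# Which kill chain phase each (constructed) IDS signature feeds.
SIGNATURE_PHASE = {"portscan": "reconnaissance", "sql-injection": "exploitation"}

FW_RE = re.compile(r"^(\S+) fw (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^(\S+) ids ALERT sig=(\S+) src=(\S+)$")

def scanning_sources(fw_lines, min_ports=5):
    """Sources that touched at least min_ports distinct destination ports on one host."""
    ports = defaultdict(set)
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            _ts, _action, src, dst, dport = m.groups()
            ports[(src, dst)].add(int(dport))
    return sorted({src for (src, _dst), p in ports.items() if len(p) >= min_ports})

def phase_alerts(ids_lines):
    """Bucket IDS alert sources by kill chain phase so each phase widget can count them."""
    buckets = defaultdict(list)
    for line in ids_lines:
        m = IDS_RE.match(line)
        if m:
            _ts, sig, src = m.groups()
            buckets[SIGNATURE_PHASE.get(sig, "unmapped")].append(src)
    return dict(buckets)

def recon_widget(fw_lines, ids_lines, min_ports=5):
    """Combine both feeds into the summary the reconnaissance widget would display."""
    alerts = phase_alerts(ids_lines)
    return {
        "phase": "reconnaissance",
        "scanning_sources": scanning_sources(fw_lines, min_ports),
        "ids_recon_alerts": alerts.get("reconnaissance", []),
    }

if __name__ == "__main__":
    print(recon_widget(FIREWALL_LOGS, IDS_ALERTS))
```

Note that both feeds name the same source here; the widget still only tells an analyst where to look, which is the article's point about aggregation versus manpower.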

There are vulnerability management systems that attempt to model threats by grouping vulnerabilities and their associated exploits into kill chain phases. For example, to understand the risks associated with infiltration, you might count the internet-facing systems with exploitable vulnerabilities. However, the problem with modeling the kill chain on vulnerabilities alone is that you are limited to one specific attacker technique. This assumption is very theoretical: an attacker may not exploit a vulnerability at all, and non-vulnerability techniques such as social engineering and phishing are more popular.

The final approach is using breach and attack simulation technologies. Defined by Gartner recently in their “Hype Cycle for Threat Facing Technologies” report, this technology actually simulates hacker breach methods by dropping simulators in various security zones – endpoint, network, cloud. A properly designed Breach and Attack Simulation platform offers a visual of the cyber kill chain based on the success of the hacker breach methods executed, and the types of assets an organization is trying to protect. Insights are offered on which security controls are working or broken against various types of attacks.

This attacker-based view allows you to take steps to snap the links that make up the kill chain by closing any security gaps you find, recalibrating your current assets and investing wisely in new assets that meet your known needs. You can train security teams to recognize and respond to threats in real time with a plan that is practiced, and you can also run relevant training and awareness programs to minimize the human factor that too often proves to be the focus of attack. You’ll have data to answer the question, “How secure am I?”

No one expects an F-35 pilot to earn his or her wings, but never climb into the cockpit except to fly an actual combat mission. Pilots, along with air and ground crews, spend their days practicing their craft under simulated conditions and facing contingencies that they are likely to endure under hostile circumstances. They train for different terrain and weather; they train to use a wide array of weapons; they train for daylight and nighttime operations; they train for equipment failure. They train so that when the call is made to scramble, they are prepared to succeed under whatever conditions they might face and to ensure, as Flatley says, both survivability and lethality against a determined adversary.

In the security world, breach and attack simulation is a good approach to visualize the adversary and his/her kill chain. Breach and attack simulation provides deep technical introspection and visibility into our network: it examines the network with the same interest a hacker would, so that we find the cracks before they do. Without this information, bolting on a new widget won’t be much help even if the widget itself is a great product that can add real value to your defenses.

Already in 2017 there have been more than 2,200 reported data breaches affecting more than 6 billion records. Those troubling statistics should be enough to convince you that, collectively, what we are doing as an industry to safeguard our data is not working. Let’s not work harder; instead let us work smarter, and snap the right links in our enemy’s kill chain.

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bringing new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep learning to detect malware, and CMO at SafeBreach, where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds 2 US patents. She holds an MSEE from UC Berkeley.
