
The cyber attack kill chain defense

How what the Air Force does applies to cyber security

The “Kill Chain” is a traditional warfare term most often used by the US Air Force in defining the command and control process for targeting and destroying enemy forces in order to make it most difficult for the enemy to continue in battle.  A well-known and successful execution of this strategy was in the initial air attacks on Iraq during Operation Desert Storm, which targeted command bases and communications networks. The result was that cut-off ground units in the field, lacking orders and control, quickly lost the will to fight. Of late, Kill Chain has been applied by both the US Military and leading cyber threat defense teams at Mitre and Lockheed Martin to define a new defensive strategy for guarding against advanced persistent threats (APT) and other targeted cyber attacks.

Applied to cyber attacks, the “Kill Chain Defense” exploits the fact that a successful attack must complete every stage, from planning and malware introduction through expansion and one or more command and control phases, until the target is identified, manipulated and exfiltrated. The goal of a kill chain defense is to break one or more stages in the attack chain, stopping the progress of the attack and forcing the opponent to start over. It is important to remember three things in this method: 1) the bad guy must make the entire chain work to succeed; 2) you need only kill one link to stop them; and 3) having detection and kill capability at each point in the enemy’s attack chain gives you the highest probability of success in this defense.

Existing malware-catching technologies that start at the perimeter of the corporate network and focus on one or possibly two stages in an attack are a prudent idea, but will always fail to catch some exploits, as a study from advisory firm NSS Labs on CSOonline confirmed. Point products utilized separately do not offer correlated threat intelligence that is actionable in a kill chain defense mode, nor do they arm security teams with the prevention and containment control capabilities needed to effectively win against the well-funded and organized enemy.

CIOs can take specific actions to ensure proactive prevention that keeps malware from compromising targeted sensitive data, improves cyber attack detection rates, contains malware through a wide spectrum of controls and decreases the time needed for forensic investigation into malware when the inevitable occurs. Here's how:

  1. Start with detection and build toward a kill chain defense.

Work towards a kill chain defensive strategy starting with detection capabilities across as many stages of a cyber attack as possible.  This will include technologies focused on the perimeter, the network as well as host systems and endpoints.  Remember – it is very likely that a single technology focused on a single layer will fail – you must have multiple levels of detection for the kill chain defense to work.

  2. Collect and analyze threat intelligence quickly and effectively.

The threat and attack intelligence collected from various points must be correlated and then analyzed by your security team (or a third party team) that can determine how the attack is unfolding and the best defensive measures to take. It is common to utilize a SIEM tool for this intelligence collection and analysis. Regardless of how collection and analysis are accomplished, they must be done quickly and effectively for a kill chain defense to work. Speed of analysis is critical because the goal is to keep the attack from succeeding and stealing the critical information it is targeting. The kill chain defense only works if you can prevent or contain the cyber attack while it is occurring. If you cannot, you are doing nothing more than an expensive autopsy.

  3. Deploy prevention and containment controls across your infrastructure and devices.

Like detection, prevention and containment controls must be deployed at multiple stages in an attack.  Some controls can be expected to fail.  Prevention controls include blocking suspect executables, blocking suspect command and control communications, preventing the improper access, manipulation and movement of sensitive data and blocking data from moving to exfiltration points like FTP or HTTP file upload sites.  It is critical to note that prevention and containment of suspect actions by malware must not stop when your company laptops leave your network and head home each night!  Out of view of your network defenses, this is often when the attack will try to make progress – downloading more capable malware or exfiltrating data.

  4. Correlation of information is the key.

If you have existing technologies in place, find ways to integrate their data feeds and threat intelligence, and create processes and working groups to ensure the integration of the teams that manage these tools. With future purchases, look for platform-based solutions that include as many of these capabilities as you can find and offer unified command and control centers across as many environments as possible, including mobile and virtual.
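The correlation step described in this item and in the SIEM item above is easier to see in code than in prose. The following is an added example, not code from the original post or from any product it mentions: it takes a constructed, SIEM-style feed of alerts from separate point products (proxy, endpoint, firewall), maps each signature onto a kill chain stage, groups the alerts per host within a time window, and reports how far down the chain each host has progressed and which link a defender should break next. The stage names, the signature-to-stage mapping, the `timestamp|source|signature|host` format and the hostnames are all assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill chain stages in attack order (assumed names chosen for this example;
# the post describes the same progression from introduction to exfiltration).
STAGES = ["delivery", "exploitation", "installation", "command_and_control", "exfiltration"]
STAGE_INDEX = {stage: i for i, stage in enumerate(STAGES)}

# Which point-product alert corresponds to which stage. Signature names are
# constructed for this example and are not real product identifiers.
SIGNATURE_TO_STAGE = {
    ("proxy", "suspicious_attachment_download"): "delivery",
    ("endpoint", "office_spawned_powershell"): "exploitation",
    ("endpoint", "new_autorun_persistence"): "installation",
    ("firewall", "beacon_to_unknown_host"): "command_and_control",
    ("proxy", "large_upload_to_file_host"): "exfiltration",
}

# Constructed alert feed in an assumed "timestamp|source|signature|host"
# layout, as a SIEM might normalise alerts from separate tools. Placeholder hosts.
SAMPLE_LOG = """\
2024-03-01T09:02:11|proxy|suspicious_attachment_download|wks-017
2024-03-01T09:03:40|endpoint|office_spawned_powershell|wks-017
2024-03-01T09:05:02|endpoint|new_autorun_persistence|wks-017
2024-03-01T09:07:55|firewall|beacon_to_unknown_host|wks-017
2024-03-01T11:30:00|firewall|beacon_to_unknown_host|wks-042
2024-03-02T14:00:00|proxy|large_upload_to_file_host|wks-042
2024-03-01T08:00:00|endpoint|unmapped_signature|wks-099
"""


def parse_alerts(text):
    """Parse the feed into (timestamp, host, stage) tuples. Alerts whose
    signature has no kill chain mapping are dropped: they cannot be correlated."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, signature, host = line.split("|")
        stage = SIGNATURE_TO_STAGE.get((source, signature))
        if stage is not None:
            events.append((datetime.fromisoformat(ts), host, stage))
    return events


def correlate_chains(events, window_hours=24):
    """Group events per host and keep those within the window of the host's
    first alert. Returns {host: distinct stages observed, in chain order}."""
    window = timedelta(hours=window_hours)
    per_host = defaultdict(list)
    for ts, host, stage in events:
        per_host[host].append((ts, stage))
    chains = {}
    for host, host_events in per_host.items():
        host_events.sort()
        first_ts = host_events[0][0]
        seen = {stage for ts, stage in host_events if ts - first_ts <= window}
        chains[host] = sorted(seen, key=STAGE_INDEX.__getitem__)
    return chains


def next_stage_to_block(stages):
    """The stage after the furthest one observed: the link to break before the
    attacker reaches it. None when exfiltration is already seen, at which
    point the work is containment and forensics rather than prevention."""
    furthest = max(STAGE_INDEX[s] for s in stages)
    if furthest + 1 >= len(STAGES):
        return None
    return STAGES[furthest + 1]


def prioritise(chains):
    """Hosts ordered by how far the attack has progressed, then by how many
    distinct stages have been confirmed on that host."""
    def key(host):
        stages = chains[host]
        return (max(STAGE_INDEX[s] for s in stages), len(stages))
    return sorted(chains, key=key, reverse=True)


if __name__ == "__main__":
    chains = correlate_chains(parse_alerts(SAMPLE_LOG))
    for host in prioritise(chains):
        print(host, chains[host], "-> block next:", next_stage_to_block(chains[host]))
```

With the default 24-hour window the two alerts for `wks-042` are 26.5 hours apart, so the exfiltration alert is not joined to the beacon; widening the window to 48 hours correlates them and shows the chain as already complete. That is the trade-off the post's "speed of analysis" point implies: a window wide enough to link slow-moving stages, narrow enough that unrelated alerts on a busy host do not merge into a false chain.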

  5. Complete a threat assessment across your entire environment.

Review your existing defenses and make sure that all areas of your environment are covered.  Do not forget endpoints!  BYOD and corporate laptops are critically exposed when they are off the network.
