The computer security world uses a lot of military language and concepts. This is not just because it "sounds good" but because there are many useful analogies to be found.
One of those is Lockheed Martin's concept of the cyber kill chain: an intelligence model for the early detection, identification and prevention of attacks. The cyber kill chain is one of the methods you can use for understanding network intrusions.
Before we jump into what exactly the kill chain is, we need to understand one of the fundamental elements of intelligence: indicators. There are three types of indicators:
The indicators are what you use to detect the different phases of the kill chain.
The core idea of the kill chain is that an attacker must gather material to breach an environment, keep his foothold and then move onto their final objective.
The chain consists of seven phases:
A set of indicators for the delivery phase could be a specific email subject — for the installation phase, the local path where a file gets installed and an IP for the C2 phase.
So how can understanding network intrusions help defend against them?
In this model, the crucial point is that breaking any one single step breaks the entire kill chain, meaning that attackers must go through the entire model again to be successful.
For reconnaissance, you can use web analytics and log forensics for detection. Limiting the amount of information that you publicly expose can help. Not publishing your internal network scheme is obvious but you should also limit the amount of information on staffing and working procedures. Putting proper firewall rules and access controls is a no-brainer.
There's nothing much you can do about the weaponization because that occurs on the attacker's premises, but you can use different lines of defense for the delivery, exploitation, installation and C2 phases.
Raising awareness among your users (vigilance) and proxy filtering can prevent delivery.
The other phases can be stopped by using (host-based) intrusion detection, antivirus systems, isolating systems and proper outbound filtering. Also, you mustn't neglect using available threat intelligence data to update your filtering and inspection devices. It's 2016 and doing proper log management should be part of your IT processes, applying that same threat intelligence data to your logs can also help you to detect attacks in the other phases.
One of the criticisms of the cyber kill chain model is that it is too focused on malware. Malware is only one possible attack vector but current threats can now also involve an insider threat, social engineering, or intrusions based on intended remote access (e.g., via a supplier or captured credentials).
Some of the phases will still apply and can help prevent or detect incidents. But as the attackers are changing their methods, so should you.
Get our latest blog posts delivered in a weekly email.