How To Tweak The Cyber Kill Chain And Futureproof Your Defences

Cyber-Kill Chain

The attack on health insurer Anthem goes to show that regardless of the investment in security measures, businesses need to accept the vulnerability of static defence systems and take advantage of the pre-emptive options available. The Cyber Kill Chain, a defence model designed to help mitigate more advanced network attacks, has long been touted as a solution for IT departments in need of robust security architecture. But given the constantly evolving technology landscape, it is no surprise that some find it lacks crucial details which limit its effectiveness to certain types of attack.

With a few tweaks, the Kill Chain can become more intuitive and help us fend off increasingly sophisticated attackers, so I’d like to propose three simple steps to make the kill chain even better – let’s call it Kill Chain 3.0. The original chain consists of seven proposed phases of an external network attack, with specific types of defence brought in at each stage. The phases in the kill chain include:

  • Reconnaissance – Learning about the target using many techniques.
  • Weaponisation – Combining your route of attack with a malicious payload.
  • Delivery – Actually transmitting the payload via some communications path.
  • Exploitation – Taking advantage of some weakness to get your payload to run.
  • Installation – The payload establishes persistence of an individual host.
  • Command & Control (C2) – The malware calls home, providing attacker control.
  • Actions on Objectives – The perpetrator carries out any planned activity.

To optimise this structure against future attacks, we need to tweak the phases of the current kill chain to give a defending system the greatest opportunity to fight back. Currently, some phases such as the weaponisation stage simply aren’t something the defenders can do anything about. If the kill chain is being used as a defensive tool, every link in the chain should be relevant to this end and actionable. Cut out unnecessary stages in the chain and structure the phases around real steps that can be taken during the attack.

A related issue, as others have pointed out, is that the current kill chain focuses heavily on the primary intrusion, and not on how the initial foothold is leveraged by attackers to gain access to the wider network. The kill chain needs to be responsive to lateral movement and local elevations of privilege if it is to be resilient against more sophisticated attackers.

Accommodating these changes, here is a new proposal for Kill Chain 3.0:

  • Reconnaissance.
  • Weaponisation Delivery.
  • Exploitation.
  • Installation Infection.
  • Command & Control.
  • Lateral Movement & Pivoting.
  • Objective/Exfiltration.

These basic changes now allow a defender to execute actionable defences at each stage of a cyberattack. Port and IP scan detection and header masquerading helps against Recon; Blocked firewall ports, IPS, and application control help against Delivery; Patching and IPS protect against Exploitation; network segmentation helps with Lateral movement… and so on.

Whilst this goes some way towards full proofing the Kill Chain, the truth is that advanced attackers can often bypass or evade some of the early stage defences. Although these defences might ‘defang’ attacks, if the latter security controls aren’t just as developed as the initial guards the battle is lost as soon as the malware breaks through. Take the time to make sure these later stage strategies like botnet C&C detection, data loss prevention, and internal network segmentation are being invested in fully.

Finally, we need comprehensive visibility of all seven stages of the kill chain. As an attack moves through each phase, highly valuable data is created that could help against the current attack and any future threats to the network. Integrate a visibility component that brings the logs from all your security controls together, and correlates different security triggers into a single incident that makes it almost impossible for a more sophisticated attack to slip past.

Jonathan Whitley

Jonathan has responsibility for managing and working with the largest WatchGuard accounts in the UK. Working in a direct touch role as well as with partners he has specific responsibility for driving the development of bespoke solutions able to meet the growing demands of the education sector.