If you're one of those folks who read a lot of InfoSec news, you've no doubt heard a lot of mention of the effectiveness of a Cyber Kill Chain approach to security. If you managed to miss the hubbub, you may be wondering if that's the latest sci-fi movie starring the usual muscle-bound action hero. In this article we'll talk about what a Cyber Kill Chain approach is, and whether it might be a good fit for your organization.
In military parlance, a "Kill Chain" is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks. These stages are referred to as:
Ideally, the further towards the beginning of the Kill Chain an attack can be stopped, the better. The less information an attacker has, for instance, the less likely someone else can use that information to complete the attack at a later date.
The Cyber Kill Chain is a similar idea, which was put forth by Lockheed Martin, where the phases of a targeted attack are described. And likewise, they can be used for protection of an organization's network. The stages are:
- Command & Control
In essence, it's a lot like a stereotypical burglary — the thief will perform reconnaissance on a building before trying to infiltrate it, and then go through several more steps before actually making off with the loot. Using the Cyber Kill Chain to keep attackers from stealthily entering your network requires quite a bit of intelligence and visibility into what's happening in your network. You need to know when something is there that shouldn't be, so you can set the alarms to thwart the attack.
Another thing to keep in mind is the closer to the beginning of the chain you can stop an attack, the less costly and time-consuming the cleanup will be. If you don't stop the attack until it's already in your network, you'll have to fix those machines and do a whole lot of forensics work to find out what information they've made off with.
Lockheed Martin recently released details of its own success using a kill chain tactic to stop someone who had intruded on its network. It's not just something that applies to government contractors or giant corporations, though it does take quite a bit of work if you're not already set up to gather a whole lot of data about your digital resources.
Sign up for CIO Asia eNewsletters.