
The practicality of the Cyber Kill Chain approach to security

Lysa Myers | Oct. 8, 2013
Lysa Myers of the InfoSec Institute explains the Cyber Kill Chain approach and whether or not it's a good fit for certain organisations.

Let's look at the various stages to determine what questions you should be asking yourself to decide whether it's feasible for your organization.

Reconnaissance: Viewing Your Network From the Outside
This is the stage where the criminals are trying to decide what are (and are not) good targets. From the outside, they try to find out what they can about your resources and your network to determine whether it is worth the effort. Ideally, they would like a target that is relatively unguarded and with valuable data. What information the criminals can find about your company, and how it might be used, could surprise you.

Companies often have more information available than they realize. Are names and contact details of your employees online? (Are you sure? Think social networks too, not just your own corporate website.) These could be used for social engineering purposes, say, for getting people to divulge usernames or passwords. Are there details about your web servers or physical locations online? These could be used for social engineering too, or to narrow down a list of possible exploits that would be useful to break into your environment.
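As an added illustration of the "details about your web servers" question above (this is example code written for this page, not the author's or any product's): a small self-assessment script that takes the response headers of a server you operate and reports which ones disclose a product name or an exact version. The list of disclosure-prone headers, the sample headers and the `fetch_headers` helper are assumptions made for the example.

```python
import re
import urllib.request

# Response headers that commonly disclose the product or version behind a site.
# Assumption: a starting list for a self-assessment, not a list from the article.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")

# A dotted version number such as 2.4.57 or 8.1.
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def audit_headers(headers):
    """Return findings for headers that reveal software names or versions.

    `headers` maps header name -> value, as captured from your own server.
    An exact version is the stronger finding, since it narrows down which
    issues apply to the host; a bare product name is still worth a check.
    """
    findings = []
    for name, value in headers.items():
        if name.lower() not in DISCLOSURE_HEADERS:
            continue
        if VERSION_RE.search(value):
            findings.append(f"{name}: exposes an exact version ({value!r}); "
                            "suppress or generalise it")
        else:
            findings.append(f"{name}: names the product ({value!r}); "
                            "confirm this disclosure is intentional")
    return findings


def fetch_headers(url, timeout=10):
    """HEAD request to a server you operate; returns its response headers as a dict."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample headers standing in for a live response (not from a real host).
SAMPLE_HEADERS = {
    "Server": "ExampleHTTPd/3.1.4",
    "X-Powered-By": "ExampleFramework",
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for line in audit_headers(SAMPLE_HEADERS):
        print(line)
```

Run it against `fetch_headers("https://your-own-site.example/")` once the product names in the live response are known; the point is to see your own external surface the way the article describes, and then decide which headers to trim at the web server or load balancer.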

This is a very tricky layer to try to control, particularly with the popularity of social networking, but it's also a fairly low-cost layer. Hiding sensitive information tends to be a fairly inexpensive change, though being thorough about finding the information can be time-intensive.

Weaponization, Delivery, Exploit, Installation: Attempting to Enter
These stages are where the criminals craft a tool to attack their chosen target, using the information they have gathered, and put it to malicious use. The more information they can use, the more compelling a social engineering attack can be. They could use spear-phishing to gain access to internal corporate resources with the information they found on your employees' LinkedIn pages. Or they could put a remote access Trojan into a file that appears to have crucial information on an upcoming event in order to entice its recipient into running it. If they know what software your users or servers run, including OS version and type, they can increase the likelihood of being able to exploit and install something within your network.

These layers of defense are where your standard security wonk advice comes in. Is your software up to date? (No really, all of it, on every machine. Most companies have that one box in some back room that is still running Windows 98. If it's ever connected to the Internet, it's like having a welcome mat outside your door.)

Do you use email and web filtering? Email filtering can be a good way to stop common document types that are used in attacks. If you require that files be sent in a standard way, such as in a password-protected ZIP archive, this can help your users know when files are being sent intentionally. Web filtering can help keep users from going to known bad sites or domains.
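The email filtering policy described above, turned into a worked example (added for this page; it is not the author's code or any mail gateway's product): the script parses a message, blocks attachment types that are not accepted by mail, checks whether a ZIP attachment is password-protected (the "standard way" convention in the text) and still inspects the member names of an archive, which stay readable even when the contents are encrypted. The blocked-extension list and the sample message are assumptions constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment types this policy refuses outright. Assumption: a starting list for
# illustration, not a list from the article; tune it to your environment.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar",
                      ".bat", ".cmd", ".ps1", ".docm", ".xlsm"}


def check_attachment(name, data):
    """Return findings for one attachment. BLOCK means stop the message;
    FLAG means it breaks the agreed sending convention and deserves a look."""
    findings = []
    ext = PurePosixPath(name.lower()).suffix          # final extension decides the type
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"BLOCK {name}: attachment type {ext} is not accepted by mail")
        return findings
    if ext == ".zip" or data.startswith(b"PK\x03\x04"):
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append(f"BLOCK {name}: presented as a ZIP archive but cannot be parsed")
            return findings
        members = zf.infolist()
        # Bit 0 of the general-purpose flag marks an encrypted member; member names
        # stay readable, so the policy can inspect them without the password.
        encrypted = bool(members) and all(info.flag_bits & 0x1 for info in members)
        if not encrypted:
            findings.append(f"FLAG {name}: archive is not password-protected, so it "
                            "was not sent under the agreed convention")
        for info in members:
            inner = PurePosixPath(info.filename.lower()).suffix
            if inner in BLOCKED_EXTENSIONS:
                findings.append(f"BLOCK {name}: archive member {info.filename} "
                                f"has type {inner}")
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and apply check_attachment to every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        findings.extend(check_attachment(name, data))
    return findings


# --- constructed sample input (not a real message) ---------------------------

def _zip_bytes(member, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def _mark_encrypted(zip_bytes):
    """Set the encrypted flag (bit 0) in the local and central headers of a
    single-member archive so zipfile reports it as password-protected.
    Test helper only: the content itself is not encrypted."""
    buf = bytearray(zip_bytes)
    buf[buf.find(b"PK\x03\x04") + 6] |= 0x01   # local file header: flags at offset 6
    buf[buf.find(b"PK\x01\x02") + 8] |= 0x01   # central directory entry: flags at offset 8
    return bytes(buf)


def sample_mail():
    """Build a message with four attachments covering the cases the policy handles."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Agenda for the upcoming event"
    msg.set_content("Details attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="agenda.pdf")          # accepted
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")  # blocked
    msg.add_attachment(_zip_bytes("notes.docx", "constructed"), maintype="application",
                       subtype="zip", filename="notes.zip")           # not protected
    msg.add_attachment(_mark_encrypted(_zip_bytes("update.exe", "constructed")),
                       maintype="application", subtype="zip",
                       filename="files.zip")                          # member blocked
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(sample_mail()):
        print(line)
```

Only the final extension is used to classify an attachment, so a disguised name like `invoice.pdf.exe` is still caught, and an archive that is password-protected but carries a blocked member name is still reported: the convention tells users a file was sent deliberately, it does not by itself make the contents safe.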
