10:30 AM
Sean Mason
Sean Mason
Connect Directly

Leveraging The Kill Chain For Awesome

There are good reasons the Kill Chain is being used by some of the most successful information security teams around. Here are three.

I first learned about the Kill Chain when I was working with the organization known as the Defense Industrial Base, made up of the largest US government contractors. I recall a briefing we had on the KC, and when I went back to work the following week, I was frantically drawing the KC model on my whiteboard and exclaiming to co-workers that it was the greatest thing ever… but I didn’t know why.

The reality was, we were in our infancy as a security operations center and incident response team, let alone as a security organization hit with the new realities of the cyberworld. As such, we were just learning what others, like Lockheed Martin, had considered fundamentals by that point. It would be a couple years later, when I had moved on and my current team was looking to evolve our internal SOC and IR processes, that I truly saw the power of the Kill Chain. Let’s discuss three awesome ways to use the KC.

When it comes to enterprise detection, the Kill Chain is useful for understanding what your capabilities are, as well as your gaps in coverage by tools and threat actors. Simply put, not all detection tools are able to detect on all indicator types, nor are they able to cover all steps in the KC.

Step 1: By first laying out all of the indicator types by KC phase, you begin to paint a useful picture.

Step 2: By identifying which indicators can be used by each tool, by KC phase, you understand the capabilities of each tool.

Step 3: Aggregating together your detection tools will give you a holistic view of where your gaps lie or, in many cases, overlap. For example, you may find that your organization is only capable of detecting adversaries during KC7 Actions on Objectives and/or perhaps have zero visibility into KC3 Delivery. Among other things, understanding your capabilities at such a granular level can help you focus investment spend properly.

Step 4: Finally, by performing the same exercise by threat actors, you can better understand the visibility gaps and seek out intelligence to successfully plug those gaps.

Post-Incident Analysis
I’ve seen many different flavors of post-incident meetings over the years. Most are nothing but organized chaos where countless things are thrown around, and a decision is made to purchase some technology perceived as a panacea so that the incident won’t happen again. While some usefulness may come of that meeting, where I’ve seen post-incident reviews excel is by leveraging the Kill Chain model to systematically break down the attack. Using the KC as a framework to answer questions as to how the attack played out, and dissecting each step for what the adversary did and why it worked, may provide a wealth of understanding of the attack, the actor, and what should be done afterwards.

Have you ever tried to explain to the C-suite how an attack happened? It can be challenging. However, the Kill Chain offers a simple and powerful way to look at a very complex situation and tell a story. In a world driven by PowerPoint presentations, you can easily explain the concepts of the KC in terms that everyone will understand, without getting technical, and follow a linear approach to explain the details of the attack to your audience. While I don’t fully agree with the example below, here is a real-world use case that shows how powerful the KC can be to explain the complex Target breach to US Senators, an audience that would have very little technology background.

(Source: 'A 'Kill Chain' Analysis of the 2013 Target Data Breach,' March 26, 2014; US Senate Committee on Commerce, Science, and Transportation)
(Source: "A 'Kill Chain' Analysis of the 2013 Target Data Breach," March 26, 2014; US Senate Committee on Commerce, Science, and Transportation)

Detractors of the Kill Chain (see Deconstructing The Cyber Kill Chain) will generally state two things: It can’t be used to look at issues other than external attacks, and since a lot of things happen during KC7 Actions of Objectives, it is too broad. While technically correct, the Kill Chain provides a solid and proven framework that can be augmented to fit different use cases. In the case of an insider breach, an employee would perform internal “Reconnaissance,” “Exploit” control weaknesses, possibly “Install” software, and most definitely look to achieve the “Actions on Objectives.” As for the argument that KC7 is too broad, I’ve seen teams take liberties with KC7 and enhance it with a few sub-steps for even deeper granularity.

There is a reason the Kill Chain is being used by some of the most successful information security teams around. It is a powerful tool for any security organization that is able to harness its true potential and resolve highly complex attack scenarios. Like any tool, though, it can and should be modified as appropriate to fit an organization's specific needs.

Sean Mason is the Vice President of Incident Response for Resolution1 Security. After serving his commitment to the US Air Force, he has spent his career with Fortune 500 companies (GE, Monsanto, Harris & CSC) where he has worked in a variety of IT & industry verticals, ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/4/2014 | 7:58:28 AM
Kill Chain controversy
I was surprised at how passionate supporters and detractors of the Kill Chain are in their views! Any thoughts on why that is? 
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.