Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/2/2014
10:30 AM
Sean Mason
Sean Mason
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Leveraging The Kill Chain For Awesome

There are good reasons the Kill Chain is being used by some of the most successful information security teams around. Here are three.

I first learned about the Kill Chain when I was working with the organization known as the Defense Industrial Base, made up of the largest US government contractors. I recall a briefing we had on the KC, and when I went back to work the following week, I was frantically drawing the KC model on my whiteboard and exclaiming to co-workers that it was the greatest thing ever… but I didn’t know why.

The reality was, we were in our infancy as a security operations center and incident response team, let alone as a security organization hit with the new realities of the cyberworld. As such, we were just learning what others, like Lockheed Martin, had considered fundamentals by that point. It would be a couple years later, when I had moved on and my current team was looking to evolve our internal SOC and IR processes, that I truly saw the power of the Kill Chain. Let’s discuss three awesome ways to use the KC.

Detection
When it comes to enterprise detection, the Kill Chain is useful for understanding what your capabilities are, as well as your gaps in coverage by tools and threat actors. Simply put, not all detection tools are able to detect on all indicator types, nor are they able to cover all steps in the KC.

Step 1: By first laying out all of the indicator types by KC phase, you begin to paint a useful picture.

Step 2: By identifying which indicators can be used by each tool, by KC phase, you understand the capabilities of each tool.

Step 3: Aggregating together your detection tools will give you a holistic view of where your gaps lie or, in many cases, overlap. For example, you may find that your organization is only capable of detecting adversaries during KC7 Actions on Objectives and/or perhaps have zero visibility into KC3 Delivery. Among other things, understanding your capabilities at such a granular level can help you focus investment spend properly.

Step 4: Finally, by performing the same exercise by threat actors, you can better understand the visibility gaps and seek out intelligence to successfully plug those gaps.

Post-Incident Analysis
I’ve seen many different flavors of post-incident meetings over the years. Most are nothing but organized chaos where countless things are thrown around, and a decision is made to purchase some technology perceived as a panacea so that the incident won’t happen again. While some usefulness may come of that meeting, where I’ve seen post-incident reviews excel is by leveraging the Kill Chain model to systematically break down the attack. Using the KC as a framework to answer questions as to how the attack played out, and dissecting each step for what the adversary did and why it worked, may provide a wealth of understanding of the attack, the actor, and what should be done afterwards.

Communication
Have you ever tried to explain to the C-suite how an attack happened? It can be challenging. However, the Kill Chain offers a simple and powerful way to look at a very complex situation and tell a story. In a world driven by PowerPoint presentations, you can easily explain the concepts of the KC in terms that everyone will understand, without getting technical, and follow a linear approach to explain the details of the attack to your audience. While I don’t fully agree with the example below, here is a real-world use case that shows how powerful the KC can be to explain the complex Target breach to US Senators, an audience that would have very little technology background.

(Source: 'A 'Kill Chain' Analysis of the 2013 Target Data Breach,' March 26, 2014; US Senate Committee on Commerce, Science, and Transportation)
(Source: "A 'Kill Chain' Analysis of the 2013 Target Data Breach," March 26, 2014; US Senate Committee on Commerce, Science, and Transportation)

Detractors
Detractors of the Kill Chain (see Deconstructing The Cyber Kill Chain) will generally state two things: It can’t be used to look at issues other than external attacks, and since a lot of things happen during KC7 Actions of Objectives, it is too broad. While technically correct, the Kill Chain provides a solid and proven framework that can be augmented to fit different use cases. In the case of an insider breach, an employee would perform internal “Reconnaissance,” “Exploit” control weaknesses, possibly “Install” software, and most definitely look to achieve the “Actions on Objectives.” As for the argument that KC7 is too broad, I’ve seen teams take liberties with KC7 and enhance it with a few sub-steps for even deeper granularity.

There is a reason the Kill Chain is being used by some of the most successful information security teams around. It is a powerful tool for any security organization that is able to harness its true potential and resolve highly complex attack scenarios. Like any tool, though, it can and should be modified as appropriate to fit an organization's specific needs.

Sean Mason is the Vice President of Incident Response for Resolution1 Security. After serving his commitment to the US Air Force, he has spent his career with Fortune 500 companies (GE, Monsanto, Harris & CSC) where he has worked in a variety of IT & industry verticals, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
0%
100%
Marilyn Cohodas,
User Rank: Strategist
12/4/2014 | 7:58:28 AM
Kill Chain controversy
I was surprised at how passionate supporters and detractors of the Kill Chain are in their views! Any thoughts on why that is? 
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...