Dark Reading

Ryan Stolte
Reactive or Proactive? Making the Case for New Kill Chains

Classic kill chain models that aim to find and stop external attacks don't account for threats from insiders. Here's what a modern kill chain should include.

The kill chain model is not new to most security professionals. Created in 2011 by Lockheed Martin, the model highlights the seven stages bad actors typically go through to steal sensitive information. In case you need a refresher, the steps are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective. The goal for security analysts and investigators is to disrupt the chain early, before sensitive data slips out the door. Although the model works for certain kinds of attacks, for many others it doesn't.

Using more sophisticated techniques than ever before, attackers are coming from both the inside and outside, whether they're employees seeking to do harm, compromised users, or external bad actors. The classic kill chain model was designed to help organizations combat external threats by bad actors. Some organizations try to squeeze other types of threats, such as those posed by insiders, into the classic model, which doesn't work because the behavior of insider threats is not the same as those of outsiders.

Reactive versus Proactive
Kill chain models are reactive by nature: the goal is to stop a potential attack in progress before damage is done. The traditional kill chain aligns with that goal, but there are other models for threats, such as malicious insiders, that also fit reactive cyber-risk models. A second type of cyber-risk model that can be extremely effective against threats is a proactive model. That model flips the recipe on its head and seeks to reduce the attack surface before an attack occurs. Let's first look at examples of reactive cyber-risk models, which very commonly fit into one of two categories:

Flight Risks: Employees looking to leave the company elevate the risk of data loss. They tend to be less sophisticated and exhibit less cautious behavior on their way out. The kill chain–style reactive risk model begins with looking for early indicators — for example, an employee frequently visiting job search websites, something he or she typically would not do. However, even if employees are visiting those kinds of websites, that doesn't necessarily mean they are a threat. They become a potential threat when they move to the next stage: uploading, for example, unusually large encrypted files to cloud storage at odd working hours.

A combination of those two stages — an employee has repeatedly visited job search websites and has uploaded an unusually large file at odd working hours — is a good indication that the person is a flight risk and must be closely monitored. The next stage entails the employee aggressively trying to pull sensitive data off the network. He may attempt to email sensitive data to an outside address, get blocked, and continue to try other methods until he succeeds.

The goal of this kill chain–style risk model is to identify people who are flight risks and approach them before the exfiltration occurs. Or if they do exfiltrate data, identify the activity and stop them before they cause real damage to the company. 

Persistent Insiders: Unlike flight risks, these threats are more sophisticated insiders who have no intention of leaving the organization. They repeatedly look for whatever sensitive data they can get their hands on to hurt the organization and/or sell for profit. Organizations won't see these employees looking at job search websites. Instead, they will visit websites where they can circumvent web proxies. These are websites that allow them to hide, and then jump to the Dark Web, for example, to move data and bypass controls.

The next stage of the chain is when they persistently try logging into systems to which they typically do not have access. They quietly "jiggle doors," looking for sensitive data that is outside the scope of their own role, their peers' roles, and the overall team's role.

Combining these two stages — visiting suspicious websites and jiggling doors — is a strong indication that a person may be a persistent threat. The next stage is when the person acts. For example, on a regular basis, he or she may encrypt small amounts of sensitive data and exfiltrate it outside the network. By breaking the data down into small amounts, the person aims to evade detection, and by encrypting it, makes detection even more difficult because the company cannot see what's inside.

Obviously, the goal is to stop the person before he or she reaches the final stage of exfiltration. The chain shows the progression of events so that organizations can stop the threat before damage is done.
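The two reactive chains above (flight risk and persistent insider) share one mechanic: a user only "reaches" a later stage when the earlier ones are also present, so a single large upload or a single failed login is noise on its own. The following added example, written for this page and not code from the author or Bay Dynamics, evaluates both chains over a constructed event log. The site category lists, the size and count thresholds, the event schema and the user names are all assumptions chosen to make the stages concrete; in practice the thresholds would be tuned per population.

```python
"""Stage-based insider-threat chains evaluated over a constructed event log (example code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime

# Constructed site categories; a real deployment would take these from a web-proxy feed.
JOB_SEARCH_SITES = {"jobs.example", "careers.example"}
PROXY_EVASION_SITES = {"freeproxy.example", "anon-gateway.example"}
LARGE_UPLOAD_BYTES = 100_000_000   # assumed threshold for "unusually large"
SMALL_EGRESS_BYTES = 5_000_000     # assumed threshold for "small amounts" (low and slow)

@dataclass
class Event:
    user: str
    ts: datetime
    kind: str                      # "web", "upload", "login", "email" or "egress"
    detail: dict = field(default_factory=dict)

def off_hours(ts: datetime) -> bool:
    return ts.hour < 7 or ts.hour >= 20

def _count(events, kind, pred):
    return sum(1 for e in events if e.kind == kind and pred(e))

# Flight-risk chain: job hunting -> big encrypted off-hours upload -> repeated blocked exfiltration.
def job_search_browsing(ev):
    return _count(ev, "web", lambda e: e.detail.get("host") in JOB_SEARCH_SITES) >= 3

def large_encrypted_offhours_upload(ev):
    return _count(ev, "upload", lambda e: e.detail.get("encrypted")
                  and e.detail.get("bytes", 0) >= LARGE_UPLOAD_BYTES and off_hours(e.ts)) >= 1

def repeated_blocked_exfil(ev):  # blocked on one channel, then tried another
    return len({e.kind for e in ev if e.kind in ("email", "egress") and e.detail.get("blocked")}) >= 2

# Persistent-insider chain: proxy evasion -> door jiggling -> low-and-slow encrypted egress.
def proxy_evasion_browsing(ev):
    return _count(ev, "web", lambda e: e.detail.get("host") in PROXY_EVASION_SITES) >= 2

def door_jiggling(ev):  # failed logins to three distinct systems outside the user's role
    return len({e.detail.get("system") for e in ev if e.kind == "login"
                and not e.detail.get("success") and not e.detail.get("in_scope", True)}) >= 3

def low_and_slow_egress(ev):  # small encrypted transfers on three separate days
    return len({e.ts.date() for e in ev if e.kind == "egress" and e.detail.get("encrypted")
                and e.detail.get("bytes", 0) < SMALL_EGRESS_BYTES}) >= 3

# Each chain is an ordered list of (stage name, predicate over one user's events).
CHAINS = {
    "flight risk": [("job-search browsing", job_search_browsing),
                    ("large encrypted off-hours upload", large_encrypted_offhours_upload),
                    ("repeated blocked exfiltration", repeated_blocked_exfil)],
    "persistent insider": [("proxy-circumvention browsing", proxy_evasion_browsing),
                           ("door jiggling", door_jiggling),
                           ("low-and-slow encrypted egress", low_and_slow_egress)],
}

def stage_reached(stages, events: list[Event]) -> int:
    """Leading stages satisfied in order; a later indicator alone does not trip the chain."""
    reached = 0
    for _name, test in stages:
        if not test(events):
            break
        reached += 1
    return reached

def assess(events: list[Event]) -> dict[str, dict[str, int]]:
    """Per user, the stage reached on every chain."""
    by_user: dict[str, list[Event]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    return {u: {name: stage_reached(st, ev) for name, st in CHAINS.items()} for u, ev in by_user.items()}

def flagged(events: list[Event], min_stage: int = 2) -> list[tuple[str, str, int]]:
    """Users worth an analyst's look; stage 1 alone (job-site visits) is not a threat."""
    hits = [(u, c, s) for u, r in assess(events).items() for c, s in r.items() if s >= min_stage]
    return sorted(hits, key=lambda t: (-t[2], t[0]))

def _ev(user, kind, ts, **detail):
    return Event(user, datetime.fromisoformat(ts), kind, detail)

EVENTS = [  # constructed sample log: alice = flight-risk stage 2, bob = persistent stage 3, carol = noise
    _ev("alice", "web", "2018-07-02T09:10:00", host="jobs.example"),
    _ev("alice", "web", "2018-07-03T12:40:00", host="careers.example"),
    _ev("alice", "web", "2018-07-05T08:05:00", host="jobs.example"),
    _ev("alice", "upload", "2018-07-05T22:15:00", bytes=350_000_000, encrypted=True),
    _ev("bob", "web", "2018-07-01T10:00:00", host="freeproxy.example"),
    _ev("bob", "web", "2018-07-02T10:00:00", host="anon-gateway.example"),
    _ev("bob", "login", "2018-07-02T11:00:00", system="hr-db", success=False, in_scope=False),
    _ev("bob", "login", "2018-07-02T11:05:00", system="finance-share", success=False, in_scope=False),
    _ev("bob", "login", "2018-07-03T11:00:00", system="legal-vault", success=False, in_scope=False),
    _ev("bob", "egress", "2018-07-03T15:00:00", bytes=2_000_000, encrypted=True),
    _ev("bob", "egress", "2018-07-04T15:00:00", bytes=1_500_000, encrypted=True),
    _ev("bob", "egress", "2018-07-05T15:00:00", bytes=2_500_000, encrypted=True),
    _ev("carol", "web", "2018-07-02T13:00:00", host="jobs.example"),
    _ev("carol", "web", "2018-07-03T13:00:00", host="jobs.example"),
    _ev("carol", "web", "2018-07-04T13:00:00", host="careers.example"),
]
```

Calling `flagged(EVENTS)` returns bob on the persistent-insider chain at stage 3 and alice on the flight-risk chain at stage 2; carol, who only browsed job sites, stays at stage 1 and is not surfaced, which is the point the article makes about early indicators on their own. Because `stage_reached` stops at the first unmet stage, a chain never has to be forced through stages that do not apply to insiders, the "square peg" problem the author describes.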

Insider threat models are an example of a reactive chain of events. Many organizations have tried to squeeze these into the original kill chain model only to find they need to skip stages, and often feel like they're trying to put a square peg in a round hole. Leveraging the principle that emerged and was made popular by the kill chain is very important, but being flexible enough to adapt to today's threat landscape is critical to success.

To take the leap to proactive cyber-risk management, consider a predictive model for combatting ransomware. Instead of looking for indicators of a threat in progress, the chain begins with identifying which machines, applications, and systems are susceptible to ransomware, and then determining which ones contain sensitive data. From there, organizations can easily understand which assets need better patching or tighter controls, and finally see which of these machines are actively being attacked and how effective their response has been. Together, this provides predictive, proactive visibility to reduce the attack surface and get ahead of the attackers.
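The proactive chain described above runs in the opposite direction from the reactive ones: it starts from assets rather than from suspicious events. The added example below, written for this page and not the author's or any vendor's code, turns that chain into a prioritized work list over a constructed inventory. The susceptibility criteria (missing patches, exposed SMB/RDP, no offline backups), the asset names and the counts are assumptions; the stage numbering is this example's reading of the article's sequence (susceptible, then holding sensitive data, then actively attacked, with response effectiveness reported alongside).

```python
"""Proactive ransomware chain over a constructed asset inventory (example code)."""
from __future__ import annotations
from dataclasses import dataclass

# Assumption: services commonly involved in ransomware initial access or lateral spread.
ENTRY_SERVICES = {"smb", "rdp"}

@dataclass
class Asset:
    name: str
    missing_patches: int          # outstanding security patches
    exposed_services: list[str]   # services reachable from outside the asset's segment
    offline_backups: bool         # restorable backups the malware cannot reach
    sensitive_data: bool          # result of a data-classification scan
    attack_attempts: int          # ransomware-related detections in the reporting window
    attacks_blocked: int          # of those, how many existing controls stopped

def susceptibility(a: Asset) -> list[str]:
    """Stage 1: the fixes that would remove susceptibility; an empty list means not susceptible."""
    actions = []
    if a.missing_patches:
        actions.append(f"apply {a.missing_patches} missing patches")
    exposed = sorted(set(a.exposed_services) & ENTRY_SERVICES)
    if exposed:
        actions.append("restrict exposed " + "/".join(exposed))
    if not a.offline_backups:
        actions.append("add offline backups")
    return actions

def chain_stage(a: Asset) -> int:
    """0 = not susceptible, 1 = susceptible, 2 = also holds sensitive data, 3 = also under active attack."""
    if not susceptibility(a):
        return 0
    if not a.sensitive_data:
        return 1
    return 3 if a.attack_attempts else 2

def response_effectiveness(a: Asset) -> float | None:
    """Share of attack attempts that existing controls stopped; None when nothing has been seen yet."""
    return a.attacks_blocked / a.attack_attempts if a.attack_attempts else None

def prioritize(assets: list[Asset]) -> list[dict]:
    """Work list: deepest stage first, then weakest response, so teams fix what is already being probed."""
    rows = [{"asset": a.name, "stage": chain_stage(a), "actions": susceptibility(a),
             "response": response_effectiveness(a)} for a in assets if chain_stage(a) > 0]
    return sorted(rows, key=lambda r: (-r["stage"],
                                       r["response"] if r["response"] is not None else 1.0,
                                       r["asset"]))

INVENTORY = [  # constructed inventory
    Asset("fileserver-01", 4, ["smb"], True, True, 10, 6),
    Asset("hr-workstation-07", 2, ["rdp"], False, True, 3, 3),
    Asset("finance-db", 1, [], True, True, 0, 0),
    Asset("kiosk-lobby", 5, [], False, False, 0, 0),
    Asset("build-agent-02", 0, ["ssh"], True, False, 0, 0),   # not susceptible by these criteria
]

if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        print(row)
```

On this inventory, `prioritize(INVENTORY)` puts fileserver-01 first (susceptible, sensitive data, under attack with only 60% of attempts blocked), then hr-workstation-07 (same stage but every attempt blocked), then finance-db (susceptible with sensitive data, not yet attacked) and kiosk-lobby (susceptible only); build-agent-02 drops out because nothing makes it susceptible. Each row carries the concrete fixes, which is the "better patching or tighter controls" step the article describes.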

Whereas reactive kill chain models aim to find threats and stop them before it's too late, proactive models aim to reduce attack opportunities before attackers strike. If companies adopt this broader set of models, in addition to applying the classic one, they will spend fewer human resources and less time hunting threats and stay ahead of attackers before they cause harm.


Ryan Stolte is co-founder and CTO at Bay Dynamics, a cyber risk analytics company that enables enterprises and government agencies to prioritize and mitigate their most critical threats. Ryan has spent more than 20 years of his career solving big data problems with ...

7/6/2018 | 1:21:43 PM
Lockheed Martin at BlackHat and on GitHub
Back in 2013 DR did another article on kill chain and how Lockheed Martin approached that process.  In fact, Lockheed did a presentation at Black Hat and the conclusion of that paper back in 2012 was that their "current batch of Intrusion Detection products are clearly insufficient against today's targeted modern threats." Their presentation laid out "a series of models for how to rethink the problem from the ground up. Stepping back from our need to only instrument highly actionable events is the first and most important realization that we have outlined. The event pipeline provides a framework to understand how low confidence events can and should be assimilated into an effective intrusion detection program."

Jump to 2018 and that declaration of intent to develop a better kill chain process has Lockheed leading the industry with their Cyber Kill Chain, notably "proactive" and to some extent "predictive" in character.  As cool as this all sounds, I'm afraid that the industry still needs to bring this model and idea of cyber defense down to a more digestible level.  At Black Hat Lockheed sounded like the next step in cyber defense was ready to be revealed, but for the everyday security analyst, Cyber Kill Chain may come off like yet another expensive bloatware Enterprise product.  Luckily, Lockheed Martin has shared some of its tech on GitHub with several threat analysis and prevention tools that it has open-sourced.  Better understanding of kill chains and the attack phases may come from the FOSS community in the short term, with easily accessible and free implementations to play with.

In addition to the LM GitHub code, I recommend Security Onion (SO), a GNU/Linux OS for security professionals, to play with code related to the newer kill chain models.