Classic kill chain models that aim to find and stop external attacks don't account for threats from insiders. Here what a modern kill chain should include.

Ryan Stolte, co-founder and CTO at Bay Dynamics

July 6, 2018

5 Min Read

The kill chain model is not new to most security professionals. Created in 2011 by Lockheed Martin, the model highlights the seven stages bad actors typically go through to steal sensitive information. In case you need a refresher, the steps include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective. The goal for security analysts and investigators is to disrupt the chain early, before sensitive data slips out the door. Although the model works for certain kinds of attacks, in many others, it doesn't.

Using more sophisticated techniques than ever before, attackers are coming from both the inside and outside, whether they're employees seeking to do harm, compromised users, or external bad actors. The classic kill chain model was designed to help organizations combat external threats by bad actors. Some organizations try to squeeze other types of threats, such as those posed by insiders, into the classic model, which doesn't work because the behavior of insider threats is not the same as those of outsiders.

Reactive versus Proactive
Kill chain models are reactive by nature. The goal is to stop a potential attack in progress before damage is done. The traditional kill chain aligns with that goal, but there are other models for threats, like malicious insiders, that also fit reactive cyber-risk models.  A second type of cyber-risk model that can be extremely effective against threats, is a proactive model. That model flips the recipe on its head and seeks to reduce the attack surface before an attack occurs. Let's first look at examples of reactive cyber-risk models, which very commonly can fit into one of two categories:

Flight Risks: Employees looking to leave the company elevate the risk of data loss. They tend to be less sophisticated and exhibit less cautious behavior on their way out. The kill chain–style reactive risk model begins with looking for early indicators — for example, if an employee frequently visits job search websites, something he or she typically would not do. However, even if employees are visiting those kinds of websites, that doesn't necessarily mean they are a threat. They become a potential threat when they move to the next stage when, for example, they upload unusually large encrypted files to cloud storage at odd working hours.

A combination of those two stages — an employee has repeatedly visited job search websites and has uploaded an unusually large file at odd working hours — is a good indication that the person is a flight risk and must be closely monitored. The next stage entails the employee aggressively trying to pull sensitive data off the network. He may attempt to email sensitive data to an outside address, get blocked, and continue to try other methods until he succeeds.

The goal of this kill chain–style risk model is to identify people who are flight risks and approach them before the exfiltration occurs. Or if they do exfiltrate data, identify the activity and stop them before they cause real damage to the company. 

Persistent Insiders: Unlike flight risks, these threats are more sophisticated insiders who have no intention of leaving the organization. They repeatedly look for whatever sensitive data they can get their hands on to hurt the organization and/or sell for profit. Organizations won't see these employees looking at job search websites. Instead, they will visit websites where they can circumvent web proxies. These are websites that allow them to hide, and then jump to the Dark Web, for example, to move data and bypass controls.

The next stage of the chain is when they persistently try logging into systems to which they typically do not have access. They quietly "jiggle doors" looking for sensitive data that is outside the scope of their, their peers', and overall team's role.

Combining these two stages — visiting suspicious websites and jiggling doors — are good examples that indicate a person may be a persistent threat. The next stage is when the person acts. For example, on a regular basis, s/he may encrypt small amounts of sensitive data and exfiltrate it outside the network. By breaking the data down into small amounts, the person aims to evade detection, and by encrypting it, makes it even more difficult because the company cannot see what's inside.

Obviously, the goal is to stop the person before getting to the final stage of exfiltration. The chain shows the progression of events so that organizations can stop the threat before damage is done.  

Insider threat models are an example of a reactive chain of events. Many organizations have tried to squeeze these into the original kill chain model only to find they need to skip stages, and often feel like they're trying to put a square peg in a round hole. Leveraging the principal that emerged and was made popular by the kill chain is very important, but being flexible to adapt to today's threat landscape is critical to success. 

To take the leap to proactive cyber-risk management, consider a predictive model for combatting ransomware. Instead of looking for indicators of a threat in progress, the chain begins with identifying which machines, applications, and systems are susceptible to ransomware, and then determining which ones contain sensitive data. From there, organizations can easily understand which assets need better patching or tighter controls, and finally see which of these machines are actively being attacked and how effective their response has been. Together, this provides predictive, proactive visibility to reduce the attack surface and get ahead of the attackers.

Whereas reactive kill chain models aim to find threats and stop them before it's too late, proactive models aim to reduce attack opportunities before attackers strike. If companies adopt this broader set of models, in addition to applying the classic one, they will spend less human resources and time hunting threats and stay ahead of attackers before they cause harm.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

About the Author(s)

Ryan Stolte

co-founder and CTO at Bay Dynamics

Ryan Stolte is co-founder and CTO at Bay Dynamics, a cyber risk analytics company that enables enterprises and government agencies to prioritize and mitigate their most critical threats. Ryan has spent more than 20 years of his career solving big data problems with analytics. Starting in the early days of the web, his first user behavior analytics challenges were to find innovative ways to recommend products to end users and drive sales on e-commerce sites. With the proliferation of the connected enterprise, his attention turned to new analytics challenges with internal IT, cloud, and cybersecurity initiatives. With two decades of experience in user behavior analytics, a portfolio of analytics patents, and an unparalleled leadership team, Ryan is focused on finding innovative ways to provide smart cybersecurity solutions for the enterprise.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights