Kill Chain 3.0: Update the cyber kill chain for better defense

If you’re in infosec, you’ve surely heard of the kill chain – a defense model designed to help mitigate more advanced network attacks.

The kill chain consists of seven proposed phases of an (external) network attack; the idea being each phase is an opportunity for specific types of defense. The phases in the kill chain include:

  • Reconnaissance – Learning about the target using many techniques.
  • Weaponization – Combining your vector of attack with a malicious payload.
  • Delivery – Actually transmitting the payload via some communications vector.
  • Exploitation – Taking advantage of some software or human weakness to get your payload to run.
  • Installation – The payload establishes persistence of an individual host.
  • Command & Control (C2) – The malware calls home, providing attacker control.
  • Actions on Objectives – The bad actor steals or does whatever he was planning on doing.

Security professionals have differing opinions on the effectiveness of the kill chain as a defense model. Some love it, pointing out how several successful infosec teams use it, while others think it’s lacking crucial details, and only covers certain type of attacks. I think there is truth to both view, so I’d like to propose three simple steps to make the kill chain even better—let’s call it Kill Chain 3.0.

First, we need to tweak the phases of the current kill chain. If we’re using the kill chain as a defensive tool, every link in the chain should be actionable by defenders. For instance, the Weaponization phase of the kill chain is something defenders can’t really do anything about. Why represent a phase that has little to do with defense? Meanwhile, the current kill chain focuses primarily on the initial intrusion, and not enough with how sophisticated attackers leverage their initial foothold to spread throughout a victim’s network. The kill chain needs a step for lateral movement and local elevations of privilege. Here’s my Kill Chain 3.0 proposal:

  • Recon
  • Delivery
  • Exploitation
  • Infection
  • Command & Control – Lateral Movement & Pivoting
  • Objective/Exfiltration.

With this basic change, you can now map actionable defenses to each of the kill chain’s phases. For instance, port and IP scan detection and header masquerading helps against Recon; Blocked firewall ports, IPS, and application control help against Delivery; Patching and IPS protect against Exploitation; network segmentation helps with Lateral movement… and so on.

Second, we need to understand that it’s important to have defenses for every phase of the kill chain, and that each phase is equally important. One of the kill chain concepts states that the earlier in the kill chain you prevent an attack, the better. While that’s technically true, I suspect it’s also why we spend more time establishing preventative protections early in the kill chain, and less time on the latter defenses, which still might “defang” successful attacks after the fact. The truth is, sophisticated attackers will often bypass or evade some of our early stage defenses. If we haven’t focused enough on the latter security controls, like botnet C&C detection, data loss prevention, and internal network segmentation, we’re not seizing our full opportunity to prevent a damaging attack. In short, the battle’s not lost at initial infection if you’ve fully realized the latter defenses in Kill Chain 3.0.

Finally, we need a visibility component that fully encompasses all seven stages of the kill chain. The kill chain is great at highlighting the individual areas where we might stop a network attack, but if we can’t monitor a single attack as it goes through each of these phases, we’re missing critical data that could help us protect ourselves. Visibility and analytics tools should be a core component of Kill Chain 3.0. If you don’t have a visibility tool that brings the logs from all your security controls together, and correlates different security triggers into a single incident, you’ll likely miss the signs of a more sophisticated attack.

To recap, tweak the kill chain stages a bit, focus on all the stages—including the latter ones—equally; and establish an overarching visibility tool to monitor the entire kill chain process, and you have Kill Chain 3.0; a great model for preventing advanced attacks.