When Lockheed Martin engineers first came up with the cyber kill chain concept, the purpose was clear – to mitigate or eliminate a cyberattack. It borrowed from military ideology, in particular the “Four F’s” that were prominently used during World War II: find, fix, fight and finish the enemy.
Today, several varieties of cyber kill chain exist, offering sometimes dizzying models of cyberattacks and creating endless debates and arguments over the most current and correct portrayal of how cyberattacks occur and how a model should be constructed. In the process, many have lost sight of the original intent—stopping an attack early to minimize its impact.
At the same time, fundamental conditions have changed since the Lockheed Martin cyber kill chain. First, attacks—at least significant ones—do not follow linear, malware-only progressions to accomplish their goals. Make no mistake: malware is still a potent component of some attacks, but the way malware behaved in 2011 (when the cyber kill chain was released) is much different than how it behaves now.
Today, the more significant attacks may involve malware, but they also likely involve the hands-on, orchestrated work of human attackers using different tactics for access and control. Other tools that are legitimate – particularly for reconnaissance and lateral movement inside a network – are likely involved, such as port scanners or remote access/remote desktop applications or utilities.
Today’s higher-value attacks are often iterative, trial-and-error affairs, where attackers try different tactics on different portions of an organization’s externally exposed attack surface. Even after a network or resource is breached, trial-and-error continues as attackers progressively seek out valuable assets and how to gain control of them.
There are other significant differences as well, such as public cloud infrastructure, proliferation of a company’s own mobile apps that are susceptible to hijacking or impersonation, and digital business initiatives that empower groups to stand up applications and sites without the involvement or even knowledge of the IT or security teams. Often these resources involve use of third-party components, management, or infrastructure.
The digital world is far more complex and cyberattacks are a profitable and growing business that are human-led and multifaceted. Attackers and infrastructure have evolved but kill chains have not.
Extended Detection and Response (XDR) platforms have come into being to address these newer realities. They are built with the knowledge that organizations need to have a comprehensive understanding of their entire attack surface as well as what goes on within their on-premises and cloud-based infrastructure.
XDR was designed to unite all the traditionally siloed security systems that look only at one portion of attack surface or infrastructure, integrate their data, and correlate it to gain a way of finding an in-progress attack early and curtailing it. Gartner has welcomed this advancement, and multiple security vendors have developed products.
While security technology, such as XDR, has come into being or evolved to meet new realities and challenges, the models for understanding attacks have not.
The introduction of the MITRE ATT&CK framework was helpful in the sense of showing a more updated view of attacks, but it also was a step backwards in that it was not really built with the primary purpose of defeating an attack. For example, the Reconnaissance tactic categorizes behavior of adversaries “trying to gather information they can use to plan future operations,” but what comes before and after these events? Is this from the outside or on the inside? How does it tie into the bigger picture?
Now that XDR has steadily gained momentum as a way to address the gaps and deficiencies in what is otherwise a silo-laden approach to security, it’s time to reconsider the kill chain and establish practical strategies and methodologies in terms of how attacks and attackers can be defeated.
Ideally, the kill chain provides a “you are here” view of an attacker that is useful in understanding the stage, severity, and potential next steps of an attack, as well as ones already transpired. This map or model provides context that can prove important operationally.
Some XDR solutions have been able to move from being a system of alerts to one of incidents. Although XDR alerts should be fewer in number and more precise, up-leveling individual alerts into a broader incident substantially eases the work for a security team to respond to early signs of an attack. It brings efficiency and greater effectiveness at stopping an attack early.
Adding a new kill chain model at the heart of an XDR system provides another boost for efficiency and effectiveness. Closely identifying attack behavior and mapping it to a realistic model empowers security professionals with not only information but also context that can significantly contribute to faster remediation.
The point of a kill chain is not so much the chain, as it is the “kill.” Organizations desperately need game-changing strategies, procedures, and technology to begin to seriously flip the odds on an attack.