How to Deal With the Cyber Kill Chain

By Karen A. Frenkel | Posted 11-16-2016

Many cyber-security teams have turned to a well-understood military concept, the kill chain, which details how adversaries structure their attacks.
Reconnaissance: Gather information to enable attacks on assets

Monitor threat intelligence on known actors for communications that indicate reconnaissance attempts against your assets. Set alerts for, and act immediately on, any stolen credentials, personally identifiable information or confidential company information that appears on the internet.
Weaponization: Coupling exploit with backdoor into deliverable payload

Monitor and gain visibility into actor-based threat intelligence feeds that provide insight into trusted third parties and malware indicators of compromise that may target your business or assets. Capture and analyze network traffic payloads for malware indicators.
Delivery: Deliver malicious payload to the victim via email, internet or USB

Ensure all ingress and egress network connections pass through inline inspection that uses both signature-based and non-signature mechanisms, including inspection within encrypted payloads. Ensure inline inspection covers the full application layer (Layer 7), not just the network layer.
Exploitation: Exploiting a vulnerability to execute code

Integrate threat intelligence to understand potential threats and vulnerabilities. Automate the detection of vulnerabilities in owned assets and network infrastructure to ensure quick detection of attacks. Automate the creation of detection signatures from vulnerability information within your network inspection capabilities, so that network-based attacks on those vulnerabilities are detected quickly.
Installation: Installing malware on the asset

Deploy an endpoint protection system (EPS) that inspects every application before it is installed. Connect the EPS to a threat intelligence system with up-to-date malware hash information.
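The pre-installation hash check described above, as an added example that is not part of the article and not LookingGlass code. It assumes a hypothetical hash feed in "<hash>,<label>" text form (real aggregated feeds mix MD5, SHA-1 and SHA-256 indicators, often in inconsistent case, so the gate detects the digest type from its length instead of trusting the feed), and it hashes constructed sample bytes rather than real malware.

```python
import hashlib

# Hex digest length -> hashlib algorithm name. Feeds mix MD5, SHA-1 and SHA-256
# indicators, so the gate detects the type from the length rather than trusting
# a column in the feed.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def parse_feed(text):
    """Parse a '<hash>,<label>' indicator feed into {algo: {hexdigest: label}}.

    Blank lines and '#' comments are skipped, digests are lower-cased, and entries
    whose length matches no supported digest are dropped rather than matched blindly.
    """
    indicators = {algo: {} for algo in HASH_ALGOS.values()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, label = line.partition(",")
        digest = digest.strip().lower()
        algo = HASH_ALGOS.get(len(digest))
        if algo is None or not set(digest) <= HEX_DIGITS:
            continue
        indicators[algo][digest] = label.strip() or "unlabelled"
    return indicators


def check_installer(data, indicators):
    """Pre-installation gate: hash the file bytes with every algorithm the feed
    uses and return ('block', reason) on a match, ('allow', reason) otherwise."""
    for algo, table in indicators.items():
        if not table:  # no indicators of this type: skip the hashing work
            continue
        digest = hashlib.new(algo, data).hexdigest()
        if digest in table:
            return "block", f"{algo} indicator match: {table[digest]}"
    return "allow", "no indicator match"


# Constructed sample files (not real malware): a 'known bad' installer and a benign one.
SAMPLE_BAD = b"MZ\x90\x00constructed-sample-dropper"
SAMPLE_GOOD = b"MZ\x90\x00constructed-sample-benign-tool"


def build_sample_feed():
    """Constructed feed with mixed hash types, inconsistent case and a junk entry,
    which is what an aggregated hash feed tends to look like in practice."""
    return "\n".join([
        "# hash,label  (constructed sample feed)",
        hashlib.md5(SAMPLE_BAD).hexdigest().upper() + ",ConstructedDropper/md5",
        hashlib.sha256(SAMPLE_BAD).hexdigest() + ",ConstructedDropper/sha256",
        "not-a-hash,junk-entry",
    ])


if __name__ == "__main__":
    feed = parse_feed(build_sample_feed())
    for name, blob in (("dropper", SAMPLE_BAD), ("tool", SAMPLE_GOOD)):
        verdict, reason = check_installer(blob, feed)
        print(f"{name}: {verdict} ({reason})")
```

In a real EPS the feed would be pulled from the threat intelligence platform on a schedule, and the "block" verdict would hold the installer for analyst review rather than silently discarding it, since a single stale hash match is still worth an incident record.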
Command and Control (C2): Command channel for remote manipulation

Gather and monitor threat intelligence feeds that identify known C2 servers worldwide. Use your threat intelligence platform to select and prioritize which systems to protect. Connect that threat intelligence to your threat mitigation gateways to automate blocking of C2 communications. Investigate and analyze internal lateral movement of communications after an infection so that other infected hosts are found.
Privileged Operations, Resource Access and Exfiltration

To counter the attacker's steps inside the network: monitor internal network flow data and analyze it against your asset-ownership and compromise-indicator intelligence. Ensure your threat mitigation gateway is kept up to date with threat intelligence about known data exfiltration sites. Inspect network traffic for unauthorized egress of corporate data.
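The C2 and exfiltration stages above both come down to running flow data against threat intelligence, so here is one added example covering both; it is not from the article and not LookingGlass code. It assumes a hypothetical CSV flow export with the columns ts,src,dst,dport,bytes_out, constructed indicator sets using documentation-range addresses (none are real C2 or exfiltration sites), a single 10.0.0.0/8 internal range and an arbitrary 50 MB per-flow egress threshold. The two-pass design matters for the lateral-movement check: a host that contacted a C2 server has its internal connections flagged even when the lateral connection was logged before the first beacon.

```python
import csv
import io
import ipaddress

# Constructed threat intelligence and policy (documentation-range addresses,
# not real indicators).
C2_SERVERS = {"203.0.113.10"}          # known C2 servers from the intel feed
EXFIL_SITES = {"198.51.100.77"}        # known data exfiltration sites from the intel feed
APPROVED_EGRESS = {"192.0.2.50"}       # destinations the business is known to send bulk data to
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EGRESS_BYTES_THRESHOLD = 50_000_000    # bytes out in one flow before it counts as bulk egress

# Constructed flow records in a simple CSV export format: ts,src,dst,dport,bytes_out.
# Row 1 is an internal connection logged before the C2 beacon in row 2; row 4 is
# bulk egress to an approved destination and must not alert.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes_out
2016-11-16T08:00:01,10.1.4.22,10.1.4.30,445,120000
2016-11-16T08:00:05,10.1.4.22,203.0.113.10,443,900
2016-11-16T08:01:10,10.1.4.22,198.51.100.77,443,4200000
2016-11-16T08:02:00,10.1.7.9,192.0.2.50,443,80000000
2016-11-16T08:03:00,10.1.7.9,203.0.113.200,22,75000000
2016-11-16T08:04:00,10.1.4.30,10.1.4.22,445,3000
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": row["ts"].strip(),
            "src": row["src"].strip(),
            "dst": row["dst"].strip(),
            "dport": int(row["dport"]),
            "bytes_out": int(row["bytes_out"]),
        })
    return rows


def analyze_flows(flows):
    """Two passes over the flows.

    Pass 1 matches destinations against the intel sets and flags bulk egress to
    unapproved external hosts. Pass 2 uses the hosts that talked to a C2 server to
    flag their internal-to-internal connections as lateral-movement leads.
    Returns (alerts, infected_hosts).
    """
    alerts = []
    infected = set()
    for f in flows:
        if f["dst"] in C2_SERVERS:
            infected.add(f["src"])
            alerts.append({"kind": "c2", **f})
        elif f["dst"] in EXFIL_SITES:
            alerts.append({"kind": "exfil-site", **f})
        elif (is_internal(f["src"]) and not is_internal(f["dst"])
              and f["dst"] not in APPROVED_EGRESS
              and f["bytes_out"] >= EGRESS_BYTES_THRESHOLD):
            alerts.append({"kind": "unauthorized-egress", **f})
    for f in flows:
        if f["src"] in infected and is_internal(f["dst"]) and f["dst"] != f["src"]:
            alerts.append({"kind": "lateral-movement", **f})
    return alerts, infected


def summarize(alerts):
    """Count alerts per kind, e.g. {'c2': 1, 'exfil-site': 1, ...}."""
    counts = {}
    for a in alerts:
        counts[a["kind"]] = counts.get(a["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    alerts, infected = analyze_flows(parse_flows(SAMPLE_FLOWS))
    for a in alerts:
        print(f"{a['ts']} {a['kind']:<20} {a['src']} -> {a['dst']}:{a['dport']} "
              f"({a['bytes_out']} bytes)")
    print("hosts to contain:", sorted(infected))
```

The lateral-movement output is a list of hosts to investigate, not proof of compromise: SMB traffic between two workstations is normal on many networks, which is why the article pairs the flow data with asset-ownership intelligence so analysts can tell an expected peer from an unexpected one.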

In the quest to stay ahead of cyber-threats, many cyber-security teams have turned to a well-understood military concept, the kill chain, which details how adversaries structure their attacks. They are working to implement their own defenses in order to anticipate and react to where attacks are coming from. But Chris Coleman, CEO of LookingGlass, said that most common security architectures do not address the complete concept of the cyber kill chain and instead just defend the organization's perimeter. "Organizations are faced with threats that are continuously evolving to avoid detection before and after their targets are exploited. Ideally, threats are mitigated early in the cyber kill chain. This avoids the threat actor gaining a foothold within an organization to attack laterally and find higher value assets," said Allan Thomson, CTO of LookingGlass Cyber Solutions, which focuses on addressing threats throughout the life cycle. Above are his tips on how to handle threats during seven stages of the chain: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and privileged operations, resource access and exfiltration. The report features Gartner research.

Karen A. Frenkel writes about technology and innovation and lives in New York City.
