Defend like an attacker: Applying the cyber kill chain

August 21, 2014  |  Lauren Barraco

Understanding the cyber kill chain gives you an advantage

With the constantly evolving nature of most threats, it can be difficult to address every incident and alert that occurs in your environment. Effective incident response requires effective methods of prioritization: Deciding which alerts to focus on and in which order. In general, we’ve relied on a few standard methods of prioritization. However, each of these methods has their flaws. The primary methods (and their drawbacks) include the following:

  • Time – In time-based prioritization, we address the most recent incidents first, letting older ones fall to the bottom of the stack – similar to how emails pile up in your inbox. But the reality is that things happening now aren’t always more important than things that happened a week ago. Missing last week’s incident because you were focusing on today’s alert could result in a compromised system.
  • Target – At first glance, this one seems to make the most sense – focus on the assets that are most valuable to the organization. In reality, the assets that are most important to you are not necessarily the ones that are most important to an attacker. In general, attackers value your assets in the context of an attack – not in the context of your business. An asset that you may deem “low value” can be the stepping-stone in the path of an attack. So while you’re busy guarding the vault, the attacker could be walking in through the side gate, preparing for a breach. In one well-publicized attack, the intruder used a vulnerability in the organization’s vacation scheduler to gain access to sensitive client financial data – the seemingly “low value” program providing the gate to the attacker’s goal.
  • Data source – We are routinely making one of two opposing errors when we prioritize based on the credibility of the data source. The first error is to treat all alerts equal regardless of the source. But this generally leads to never-ending context switching and wild goose chases – trying to track down every event reported by every source. The second, a more common, but equally problematic approach is to assign static levels of priority to your data sources, regardless of context. This approach fails because in most implementations, each data source lacks the context another might provide – and all of them lack business context.

Why effective prioritization is your best friend

If prioritization based on time, target, or data source contains potentially fatal flaws, then how do you build an effective prioritization approach? As any chess expert knows, the best defense is always based on understanding your attacker’s strategy. When we start mapping our efforts to the attacker’s infiltration steps (known as the cyber kill chain), we can determine where to focus our time. In this case, keeping our attention on the activities towards the end of the cyber kill chain can be a better use of time.

Overview of the cyber kill chain

The “cyber kill chain” is a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attacker’s path. Designing your monitoring and response plan around the cyber kill chain model is an effective method because it focuses on how actual attacks happen. Considered in the context of network intrusions, the kill chain process is as follows:

Attacker's Intent and Goals in the Kill Chain Process

The cyber kill chain defense method allows you to create a prioritization strategy that avoids the pitfalls of a time-, asset-, or data source-based approach. By thinking like an attacker, you can target assets that are truly at risk (whether or not they are considered “valuable” from a business perspective). Vulnerability-based models fall apart in comparison because they focus on the perceived weakness in the infrastructure without any proof that those weaknesses are of value to an attacker.

Mapping security controls and procedures to each stage of the kill chain will allow you to develop very detailed, result-oriented security procedures. By explicitly breaking down attacks based on their intended goals, the cyber kill chain method moves away from the “one signature/one attack” mentality that plagues other security monitoring models. More importantly, this moves us away from the redundant perimeter model (that has collapsed in the modern threat landscape) and into a more organic threat lifecycle that operates throughout the infrastructure.

The cyber kill chain in AlienVault

The Cyber Kill Chain in the AlienVault USM Alarms Dashboard

The alarm prioritization taxonomy in AlienVault USM and OSSIM is a simplified version of the Lockheed Martin “Cyber Kill Chain” methodology. To help you quickly prioritize alarms, each alarm category in AlienVault provides the intent of the threat. The intent can be surmised based on attack activity and how they’re interacting with your network and its assets. AlienVault Labs applies their extensive research into attacker profiles, tools and techniques to evaluate each threat to determine the appropriate category for each alarm.

Categorized Threat Alarms Based on the Kill Chain

Which category of alarms should you look at first?

AlienVault has 1700+ event correlation rules in our threat intelligence subscription – each alarm is triggered by an event correlation rule. In terms of security exposure, the most critical events will be in the System Compromise category. Once a system has been compromised, an attacker has gained a foothold into your network. This may be a contained incident to one system, however, in most cases this is just the tip of the iceberg.

So when viewing all of your alarms, you may want to begin with those that are the most critical, and typically, this would be signaled by the System Compromised intent.

In general, keep these tips in mind:

  • For each incident, ask yourself these questions: “How close to a successful breach is this?” and “How close are the attackers to their goal?”
  • Move away from “a first-in-first-out” pipe model. Look at each event in the context of other events as well as the context of what an attacker’s goal or intent might be.
  • Use the context of your environment and business model to surmise what the intent of the attacker is, and use the reporting source of the event to further refine prioritization efforts. Establish the reliability of the data source based on the full context of what it is reporting.

Aligning Security and Business Processes

Attacks are typically based on the structure and process of your business, thus your response should be based on that same structure and process. Knowing that someone from accounting has been logging into a source code server every weekend can be more impactful than a single alert for XX exploit. The intuitive alarm taxonomy in AlienVault based on the cyber kill chain process provides you with the necessary context for each alarm and helps you effectively prioritize for incident response. Check it out for yourself with our free 14-day trial.

Share this with others

Get price Free trial