How the Cyber Kill Chain Can Help You Protect Against Attacks

Cody Delzer, August 23, 2019, 6 min read

If you’ve been involved in cybersecurity for any period of time, you’ve likely heard of the concept of defense in depth security strategies. The general idea behind defense in depth is that there is no ‘silver bullet’ security measure that can fully protect our networks, so we seek to deploy a series of administrative, technical, and physical security controls that work in concert to make our security posture acceptable.


Since we know that you cannot mitigate 100% of risk (not just in terms of cybersecurity, but for anything), defense in depth strategies focus on a layered approach to security. If you put numerous layers of security in place at different points in the flow of data, you stand a better chance to prevent, disrupt, or mitigate an attack.


Think of the defense in depth approach as building a medieval castle. The concept of securing a castle takes an inside-out approach. The most important things (royal family, crown jewels, etc.) are located in the center of the castle, surrounded by layers of security – including rooms, walls, gates, guards, towers, the moat, and a drawbridge – all designed to keep out the people that shouldn’t be in and to keep safe those that should be there.

Figure 1 – Defense-in-Depth Model from ISACA and David Eduardo Acosta

But what mechanisms do we have that tell us we’ve developed a strong layered approach to security at our organization? Can our risk assessments provide this type of information? Perhaps.


The controls in your IT Risk Assessment likely have control mappings to various security standards that point to what type of control they represent (i.e., technical, physical, or administrative), though useful reporting on how those controls provide holistic protection may be limited.


If you’re using the FFIEC’s Cybersecurity Assessment Tool, the sub-domains under Domain 3: Cybersecurity Controls include controls identified as preventative, detective, and corrective. But does that go far enough to help you understand if you’ve truly got appropriate layered security?


Perhaps you’re using NIST’s Cybersecurity Framework (CSF). This framework expands beyond the FFIEC CAT and perhaps provides the best look at layered security using its five functions: identify, detect, protect, respond, recover. But most financial institutions aren’t using NIST CSF for lack of automation, not to mention it isn’t mapped to the FFIEC guidance under which financial institutions are regulated.


So what do you do? Do you enhance an existing assessment you’re already doing in an effort to provide additional analysis on defense in depth strategies? Sure, that’s a possibility, but it’s going to be more work, and effectiveness will depend on the maturity and measurement of your risk management processes.


But what if there’s an easier way?


Enter, the Cyber Kill Chain

The Cyber Kill Chain, developed by Lockheed Martin, is designed to assist organizations in developing defense in depth strategies to combat the Advanced Persistent Threat by mapping controls to the steps an attacker must go through to successfully execute a cyber attack. Lockheed Martin provides the following seven steps and general definitions:

  1. Reconnaissance: Harvesting email addresses, selecting targets, gathering information, OSINT, etc.
  2. Weaponization: Coupling exploitation of vulnerabilities with remote-access malware into a deliverable payload
  3. Delivery: Sending a weaponized bundle to the victim via email, web, USB, etc.
  4. Exploitation: Once delivered, exploiting a vulnerability to execute code on a victim’s system
  5. Installation: Installing remote-access malware on the target asset (workstation, server, website, etc.)
  6. Command & Control: External command channel for remote access and manipulation of the victim asset(s)
  7. Actions on Objectives: Once remote access has been achieved and an attacker is inside the target network, the true objective can be accomplished (data exfiltration, destruction, intrusion of another target, etc.)

For our purposes, we’ll also add one more layer:

  8. Exfiltration: Removing data from the victim’s assets

Figure 2: Original Lockheed Martin Cyber (Intrusion) Kill Chain


To apply the Cyber Kill Chain, Lockheed Martin provides the following layers of control implementation:

  • Detect: Determine when and how an attacker is performing recon against your organization or network
  • Deny: Stop the attack from occurring by preventing information disclosure or unauthorized access
  • Disrupt: Change or stop the flow of information or exfiltration of data to the attacker
  • Degrade: Limit the effectiveness or efficiency of an attack
  • Deceive: Interfere with an attack using misdirection or misinformation

For our purposes, we’ll add one more layer:

  • Contain: Limit the scope of an attack to particular segments of your network or organization


Cyber Kill Chain Controls Matrix

The Cyber Kill Chain Controls Matrix illustrated below is designed to identify the controls that your organization has implemented at different phases of an attack, as well as how each control will help to disrupt the flow of, halt, or eradicate a cyberattack.


Please note: the list of controls in this Cyber Kill Chain Controls Matrix is intended to be a template for application purposes. Each institution will want to place their own controls in each respective category to fit their individual needs.

Figure 3: Cyber Kill Chain Controls Matrix


There you have it; it’s that simple! The identified controls should already be present in your IT Risk Assessment. The Cyber Kill Chain simply provides a visual representation of your defense in depth strategy development and assists in enhancing said strategy. If you identify an area in which you’re lacking – detection, for example – you can concentrate on making sure you have controls in place to tell if an attacker is targeting your organization in the first place.
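The matrix described above is a grid of kill chain phases against control layers, with each cell holding the controls from your risk assessment that act there. The following Python script is an added example (not code from the post, SBS, or Lockheed Martin) that builds such a matrix from a control inventory and reports the empty cells, the phases an attacker would pass through unopposed, and how many phases each layer reaches. The eight phases and six layers are the ones listed in this post; the control names in SAMPLE_CONTROLS are a constructed, illustrative inventory, not a recommended set.

```python
"""Kill-chain controls matrix with gap reporting (added example, not from the post)."""
from dataclasses import dataclass

# Lockheed Martin's seven phases plus the post's added Exfiltration phase
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives", "Exfiltration"]
# Lockheed Martin's five control layers plus the post's added Contain layer
LAYERS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Contain"]


@dataclass(frozen=True)
class Control:
    """One control from the IT risk assessment, tagged with where it acts."""
    name: str
    phases: tuple   # kill-chain phases at which the control operates
    layers: tuple   # what it does at those phases (Detect, Deny, ...)


# Constructed sample inventory; names are illustrative, not a recommended set
SAMPLE_CONTROLS = [
    Control("Email filtering and attachment sandboxing", ("Delivery",), ("Detect", "Deny")),
    Control("Security awareness training", ("Delivery",), ("Degrade",)),
    Control("Patch management", ("Exploitation",), ("Deny",)),
    Control("Endpoint detection and response", ("Exploitation", "Installation"), ("Detect", "Disrupt")),
    Control("Egress proxy allow-list", ("Command & Control", "Exfiltration"), ("Deny", "Disrupt")),
    Control("Network segmentation", ("Actions on Objectives",), ("Contain",)),
    Control("Data loss prevention", ("Exfiltration",), ("Detect", "Disrupt")),
    Control("Honeypot", ("Reconnaissance", "Actions on Objectives"), ("Detect", "Deceive")),
]


def build_matrix(controls):
    """Return {(phase, layer): [control names]} for every cell of the matrix."""
    matrix = {(p, l): [] for p in PHASES for l in LAYERS}
    for c in controls:
        for p in c.phases:
            if p not in PHASES:
                raise ValueError(f"{c.name}: unknown phase {p!r}")
            for l in c.layers:
                if l not in LAYERS:
                    raise ValueError(f"{c.name}: unknown layer {l!r}")
                matrix[(p, l)].append(c.name)
    return matrix


def empty_cells(matrix):
    """Cells with no control at all, in phase-major order."""
    return [cell for cell in matrix if not matrix[cell]]


def uncovered_phases(matrix):
    """Phases the attacker passes through without meeting any control."""
    return [p for p in PHASES if not any(matrix[(p, l)] for l in LAYERS)]


def layer_coverage(matrix):
    """How many of the eight phases each layer (e.g. Detect) is present at."""
    return {l: sum(1 for p in PHASES if matrix[(p, l)]) for l in LAYERS}


def render(matrix):
    """Plain-text view of the matrix: 'X' where at least one control exists."""
    w = max(len(p) for p in PHASES)
    lines = [" " * w + "  " + "  ".join(f"{l[:7]:>7}" for l in LAYERS)]
    for p in PHASES:
        marks = "  ".join(f"{'X' if matrix[(p, l)] else '.':>7}" for l in LAYERS)
        lines.append(f"{p:<{w}}  {marks}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(SAMPLE_CONTROLS)
    print(render(m))
    print("Phases with no control:", uncovered_phases(m))
    print("Phases reached per layer:", layer_coverage(m))
```

With the sample inventory, Weaponization is the only phase with no control at all (which is typical, since it happens on the attacker's side), Degrade and Contain each appear at a single phase, and thirty of the forty-eight cells are empty. Swapping SAMPLE_CONTROLS for the controls in your own IT Risk Assessment turns the script into the gap report the post describes.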


Some areas will contain more controls than others; less mature organizations, for example, often lack the ability to deceive an attacker. If you don’t have the capabilities to set up and manage a honeypot or DNS redirect, that’s OK. But understanding those additional controls, or simply talking with your MSP or MSSP and asking how they can help you become more mature in areas you’re lacking, can be very beneficial.


HINT: The Cyber Kill Chain Controls Matrix also fits extraordinarily well into your Incident Response Plan.


Measuring the Cyber Kill Chain

As you mature your Cyber Kill Chain controls, the next step is to measure the effectiveness of these controls. How do you measure the Cyber Kill Chain? Testing, of course!


The example below from Lockheed Martin highlights a handful of different campaigns (tests) simulating real-world attacks, and whether or not the controls identified to detect, deny, disrupt, deceive, degrade, or contain were effective. Be sure to note the “Future Proposed” columns on the right, which highlight controls you might be putting into place in the future to help close any known gaps.


Figure 4: Lockheed Martin – Measuring Cyber Kill Chain Effectiveness Scorecard
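The scorecard turns test campaigns into two answers per campaign: at which phase was the attack first detected, and at which phase was it actually stopped. The following Python script is an added example (not the Lockheed Martin scorecard or code from the post) that models this: each campaign records, for every phase it reached, the control layers that worked during the test, and a "Future Proposed" list records planned controls. The campaign names, outcomes, and proposed controls in SAMPLE_CAMPAIGNS and SAMPLE_PROPOSED are constructed for illustration. The script treats only Deny, Disrupt, and Contain as stopping an attacker; that reading of the layers is an assumption of this example.

```python
"""Kill-chain effectiveness scorecard from test campaigns (added example, not from the post)."""
from dataclasses import dataclass

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives", "Exfiltration"]
# Assumption: only these layers halt an attacker at a phase; Detect, Degrade
# and Deceive by themselves let the campaign continue to the next phase.
STOPPING_LAYERS = {"Deny", "Disrupt", "Contain"}


@dataclass
class Campaign:
    """One simulated attack and, per phase it reached, the control layers that worked."""
    name: str
    results: dict  # phase -> set of effective layers; a phase absent here was never reached


# Constructed sample results; campaign names and outcomes are illustrative only
SAMPLE_CAMPAIGNS = [
    Campaign("Phishing with macro-enabled document",
             {"Reconnaissance": set(), "Delivery": {"Detect"}, "Exploitation": {"Deny"}}),
    Campaign("Drive-by download from compromised site",
             {"Delivery": set(), "Exploitation": set(), "Installation": {"Detect", "Disrupt"}}),
    Campaign("Stolen credentials used over remote access",
             {"Reconnaissance": set(), "Delivery": set(), "Exploitation": set(),
              "Installation": set(), "Command & Control": {"Detect"},
              "Actions on Objectives": {"Contain"}, "Exfiltration": {"Disrupt"}}),
]

# "Future Proposed" controls as (control, phase, layer); constructed sample values
SAMPLE_PROPOSED = [
    ("Honeypot", "Reconnaissance", "Deceive"),
    ("Web proxy category filtering", "Delivery", "Deny"),
]


def detected_at(campaign):
    """First phase at which a Detect control fired, or None if the attack was never seen."""
    for p in PHASES:
        if "Detect" in campaign.results.get(p, set()):
            return p
    return None


def stopped_at(campaign):
    """First phase at which a Deny/Disrupt/Contain control worked, or None if it got through."""
    for p in PHASES:
        if STOPPING_LAYERS & campaign.results.get(p, set()):
            return p
    return None


def scorecard(campaigns):
    """One row per campaign: 'would we know?' and 'how far would it get?'."""
    rows = []
    for c in campaigns:
        det, stop = detected_at(c), stopped_at(c)
        rows.append({
            "campaign": c.name,
            "detected_at": det,
            "stopped_at": stop,
            # True when detection happened no later than the phase where the attack was stopped
            "seen_before_stopped": det is not None
            and (stop is None or PHASES.index(det) <= PHASES.index(stop)),
        })
    return rows


def phase_status(campaigns, proposed):
    """Per phase: 'untested', 'covered', 'partial (hits/reached)', 'gap', or 'gap (planned: ...)'."""
    status = {}
    for p in PHASES:
        reached = [c for c in campaigns if p in c.results]
        hits = sum(1 for c in reached if c.results[p])
        if not reached:
            status[p] = "untested"
        elif hits == len(reached):
            status[p] = "covered"
        elif hits:
            status[p] = f"partial ({hits}/{len(reached)})"
        else:
            planned = [name for name, phase, _ in proposed if phase == p]
            status[p] = f"gap (planned: {', '.join(planned)})" if planned else "gap"
    return status


if __name__ == "__main__":
    for row in scorecard(SAMPLE_CAMPAIGNS):
        print(row)
    for phase, state in phase_status(SAMPLE_CAMPAIGNS, SAMPLE_PROPOSED).items():
        print(f"{phase:<22} {state}")
```

With the constructed results, every campaign was detected at or before the phase where it was stopped, Reconnaissance is a gap that the proposed honeypot would address, Weaponization was never exercised by any test, and Delivery was only covered in one of the three campaigns that reached it. That last distinction is the one worth watching: a phase that is "covered" by one campaign and missed by the others is not a solved phase.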

If Someone Was In Your Network, Would You Know?

The #1 question to ask yourself (or your organization) regarding information or cybersecurity is this: “If someone was in your network, would you know?”


If you can’t answer that question without breaking out into a cold sweat, it’s time to take action! The Cyber Kill Chain is one of a great many tools that can help your organization sleep better at night and make it significantly more difficult for an attacker to access your network or data.


Cody Delzer

Cody Delzer is the Consulting Manager at SBS CyberSecurity (SBS), a company dedicated to helping organizations identify and understand cybersecurity risks to make more informed and proactive decisions. He is also an instructor for the SBS Institute, leading the Certified Banking Cybersecurity Manager (CBCM) course. Cody maintains Certified Information Systems Auditor (CISA) and Certified Data Privacy Solutions Engineer (CDPSE) certifications. He received his Bachelor of Science in Computer and Network Security from Dakota State University. Cody has over 13 years of risk management, audit, and consulting experience in the financial services industry, specializing in IT and IT security, systems operations, and information assurance. He joined the SBS team in 2011 and has transitioned into a senior leadership role as the Consulting Manager. Cody is passionate about sharing his cybersecurity knowledge and supporting his clients as they strive for increased cyber maturity. On top of being an instructor for the SBS Institute certification program, he speaks at conferences, authors blog posts and articles, hosts webinars, and conducts training.
