If you’ve been involved in cybersecurity for any period of time, you’ve likely heard of the concept of defense in depth security strategies. The general idea behind defense in depth is that there is no ‘silver bullet’ security measure that can fully protect our networks, so we seek to deploy a series of administrative, technical, and physical security controls that work in concert to make our security posture acceptable.
Since we know that you cannot mitigate 100% of risk (not just in terms of cybersecurity, but for anything), defense in depth strategies focus on a layered approach to security. If you put numerous layers of security in place at different points in the flow of data, you stand a better chance to prevent, disrupt, or mitigate an attack.
Think of the defense in depth approach as building a medieval castle. The concept of securing a castle takes an inside-out approach. The most important things (royal family, crown jewels, etc.) are located in the center of the castle, surrounded by layers of security – including rooms, walls, gates, guards, towers, the moat, and a drawbridge – all designed to keep out the people that shouldn’t be in and to keep safe those that should be there.
Figure 1 – Defense-in-Depth Model from ISACA and David Eduardo Acosta
But what mechanisms do we have that tell us we’ve developed a strong layered-security approach to security at our organization? Can our risk assessments provide this type of information? Perhaps.
The controls in your IT Risk Assessment likely have control mappings to various security standards that point to what type of control they represent (i.e., technical, physical, or administrative), though useful reporting on how those controls provide holistic protection may be limited.
If you’re using the FFIEC’s Cybersecurity Assessment Tool, the sub-domains under Domain 3: Cybersecurity Controls include controls identified as preventative, detective, and corrective. But does that go far enough to help you understand if you’ve truly got appropriate layered security?
Perhaps you’re using NIST’s Cybersecurity Framework (CSF). This framework expands beyond the FFIEC CAT and perhaps provides the best look at layered security using its five functions: identify, detect, protect, respond, recover. But most financial institutions aren’t using NIST CSF for lack of automation, not to mention it isn’t mapped to the FFIEC guidance to which financial institutions are regulated.
So what do you do? Do you enhance an existing assessment you’re already doing in an effort to provide additional analysis on defense in depth strategies? Sure, that’s a possibility, but it’s going to be more work, and effectiveness will depend on the maturity and measurement of your risk management processes.
But what if there’s an easier way?
Enter, the Cyber Kill Chain
The Cyber Kill Chain, developed by Lockheed Martin, is designed to assist organizations in developing defense in depth strategies to combat the Advanced Persistent Threat by mapping controls to the steps an attacker must go through to successfully execute a cyber attack. Lockheed Martin provides the following seven steps and general definitions:
- Reconnaissance: Harvesting email addresses, selecting targets, gathering information, OSINT, etc.
- Weaponization: Coupling exploitation of vulnerabilities with remote-access malware into a deliverable payload
- Delivery: Sending a weaponized bundle to the victim via email, web, USB, etc.
- Exploitation: Once delivered, exploiting a vulnerability to execute code on a victim’s system
- Installation: Installing remote-access malware on the target asset (workstation, server, website, etc.)
- Command & Control: External command channel for remote access and manipulation of the victim asset(s)
- Actions on Objectives: Once remote access has been achieved and an attacker is inside the target network, the true objective can be accomplished (data exfiltration, destruction, intrusion of another target, etc.)
For our purposes, we’ll also add one more layer:
- Exfiltration: Removing data from the victim’s assets
Figure 2: Original Lockheed Martin Cyber (Intrusion) Kill Chain
To apply the Cyber Kill Chain, Lockheed Martin provides the following layers of control implementation:
- Detect: Determine when and how an attacker is performing recon against your organization or network
- Deny: Stop the attack from occurring by preventing information disclosure or unauthorized access
- Disrupt: Change or stop the flow of information or exfiltration of data to the attacker
- Degrade: Limit the effectiveness or efficiency of an attack
- Deceive: Interfere with an attack using misdirection or misinformation
For our purposes, we’ll add one more layer:
- Contain: Limit the scope of an attack to particular segments of your network or organization
Cyber Kill Chain Controls Matrix
The Cyber Kill Chain Controls Matrix illustrated below is designed to identify the controls your organization has implemented at each phase of an attack, as well as how each control helps to disrupt the flow of, halt, or eradicate a cyberattack.
Please note: the list of controls in this Cyber Kill Chain Controls Matrix is intended to be a template for application purposes. Each institution will want to place their own controls in each respective category to fit their individual needs.
Figure 3: Cyber Kill Chain Controls Matrix
There you have it; it’s that simple! The identified controls should already be present in your IT Risk Assessment. The Cyber Kill Chain simply provides a visual representation of your defense in depth strategy development and assists in enhancing said strategy. If you identify an area in which you’re lacking – detection, for example – you can concentrate on making sure you have controls in place to tell if an attacker is targeting your organization in the first place.
Some areas will contain more controls than others, especially in less mature organizations that don’t have the ability to deceive an attacker, for example. If you don’t have the capabilities to set up and manage a honeypot or DNS Redirect, that’s ok. But understanding those additional controls or simply talking with your MSP or MSSP and asking how they can help you become more mature in areas you’re lacking can be very beneficial.
HINT: The Cyber Kill Chain Controls Matrix also fits extraordinarily well into your Incident Response Plan.
Measuring the Cyber Kill Chain
As you mature your Cyber Kill Chain controls, the next step is to measure the effectiveness of these controls. How do you measure the Cyber Kill Chain? Testing, of course!
The example below from Lockheed Martin highlights a handful of different campaigns (tests) simulating real-world attacks, and whether or not the controls identified to detect, deny, disrupt, deceive, degrade, or contain were effective. Be sure to note the “Future Proposed” columns on the right, which highlight controls you might be putting into place in the future to help close any known gaps.
Figure 4: Lockheed Martin – Measuring Cyber Kill Chain Effectiveness Scorecard
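As an added example (not code from the post or from Lockheed Martin), here is a small script that models the Controls Matrix from the previous section and the campaign scorecard described above: it flags matrix cells with no control at all, and tallies simulated-campaign results to show which existing controls never held. The phase and course-of-action names are the ones listed in the post; the controls and test results are constructed placeholders.

```python
from collections import defaultdict

# Phase and course-of-action names as listed in the post; the controls in
# MATRIX are a constructed template, not any institution's real inventory.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives",
          "Exfiltration"]
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Contain"]

# (phase, action) -> controls your IT Risk Assessment already lists for that cell
MATRIX = {
    ("Reconnaissance", "Detect"): ["Web server log review"],
    ("Delivery", "Detect"): ["Email gateway alerting"],
    ("Delivery", "Deny"): ["Attachment filtering"],
    ("Exploitation", "Deny"): ["Patch management"],
    ("Installation", "Detect"): ["Endpoint detection and response"],
    ("Command & Control", "Disrupt"): ["Egress firewall rules"],
    ("Exfiltration", "Detect"): ["DLP alerting"],
    ("Exfiltration", "Contain"): ["Network segmentation"],
}

def gaps(matrix, phases=PHASES, actions=ACTIONS):
    """Cells with no control at all: the layers to discuss with your MSP/MSSP."""
    return [(p, a) for p in phases for a in actions if not matrix.get((p, a))]

def scorecard(matrix, results):
    """Tally simulated-campaign results given as (campaign, phase, action,
    effective) tuples: returns {(phase, action): (passed, total)} plus cells
    whose control never held, the candidates for a 'Future Proposed' column."""
    tally = defaultdict(lambda: [0, 0])
    for _, phase, action, effective in results:
        tally[(phase, action)][1] += 1
        tally[(phase, action)][0] += int(effective)
    rates = {cell: tuple(pt) for cell, pt in tally.items()}
    # cells with no control belong to gaps(), so they are not counted twice here
    failing = sorted(c for c, (p, _) in rates.items() if matrix.get(c) and p == 0)
    return rates, failing

TESTS = [  # constructed results of simulated campaigns, not real test data
    ("Campaign A (phishing)", "Delivery", "Deny", True),
    ("Campaign A (phishing)", "Exploitation", "Deny", False),
    ("Campaign A (phishing)", "Command & Control", "Disrupt", True),
    ("Campaign B (USB drop)", "Delivery", "Deny", False),
    ("Campaign B (USB drop)", "Exfiltration", "Detect", False),
    ("Campaign B (USB drop)", "Reconnaissance", "Deceive", False),
]

if __name__ == "__main__":
    rates, failing = scorecard(MATRIX, TESTS)
    print(len(gaps(MATRIX)), "uncovered cells; controls to revisit:", failing)
```

Swap in your own controls and test outcomes; a cell that is empty in gaps() is a missing layer, while a cell in the failing list is a layer you have on paper but that did not hold under test.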
If Someone Was In Your Network, Would You Know?
The #1 question to ask yourself (or your organization) regarding information or cybersecurity is this: “If someone was in your network, would you know?”
If you can’t answer that question without breaking out into a cold sweat, it’s time to take action! The Cyber Kill Chain is one of a great many tools that can help your organization sleep better at night and make it significantly more difficult for an attacker to access your network or data.