Last updated at Sun, 31 Dec 2023 17:18:11 GMT
Let’s redefine
In our new blog series, we want to contextualize the term “kill chain” as much as possible. Make sure to read the first entry in this series, Kill chains: Part 1→Strategic and operational value, for a general overview of kill chains and the specific frameworks we’ve discussed. We already know the term was used by armed forces to provide transparency on how an enemy attacks a target, but beyond understanding how enemies think, how can security organizations gain the upper-hand to put down threats and risks before they cause harm?
Let’s now take a look at how you can leverage the different kill chains to overcome vulnerabilities and win the day against attackers.
Lockheed Martin Cyber Kill Chain
The heading above may look familiar, but in the spirit of connecting themes in this series let’s discuss key use cases of this particular kill chain.
- Strategic usage
- Organizations can expect to use this kill-chain methodology to examine the effectiveness of controls at the big-picture level.
- It's fairly easy to grasp, and helps provide a contextual window into standing up processes such as a security-awareness training program.
- Tactical usage
- At this actionable level, it’s important to remember to implement anti-virus measures to combat the exploitation phase. It is, after all, a very linear process where attackers might combine multiple steps into a single offensive against cloud infrastructure.
MITRE ATT&CK Kill Chain
Remember, MITRE started this project to document tactics, techniques, and procedures; it helps to detect adversary behaviors.
- Strategic usage
- Use the attack navigator tool to take input from operational usage, and then prioritize detection-and-posture improvements to visually show what is protected and prevented in your specific environment.
- Tactical usage
- At this actionable level, use the information as a blueprint to evaluate defenses and keep track of adversaries as they start to get too big for their...frameworks.
Unified Kill Chain
Those who after always see with 20/20 vision. That’s why this last instance describes the time-agnostic nature of the attack kill chain and its main focus areas that attempt to block actor-specific kill chains.
- Strategic usage
- This is going to be extremely similar to the previous 2 kill-chain strategic examples, with the understanding that the value combines strengths from the Lockheed Martin instance, MITRE instances, and a realistic story of attacker behaviour.
- Tactical usage
- At this actionable level, this kill chain will focus on steps attackers take when they are attempting to gain a foothold in your environment. Mapping steps back to a security framework will most likely be a manual process, as this methodology combines steps in the previous 2 kill chains.
Spring into attack-tion (seriously)
Of course, we could compare these kill-chain examples all day. Which one should you follow? Are there valuable elements you should pluck from each to create your own solution? It depends if you want to go big picture on attacker behaviors (Cyber), be extremely thorough and prioritize based on risk (MITRE ATT&CK), or leverage a framework that overcomes the limitations of both; one that uses repetition and supports development of layered defensive strategies (Unified).
Jeffrey Gardner, Practice Advisor for Detection and Response at Rapid7, recently presented a deep-dive into all things kill chain. In it, he discusses how these methodologies can help your security organization cut down on threats and drastically reduce breach response times. You can also read the first entry in this series for a general overview of kill chains and the specific frameworks we’ve discussed.
Read Part 3→What's next, or go back and read Part 1→Strategic and operational value