Disrupting the cyber kill chain

final jaysonToday’s attack against organisations are sophisticated and complex, made up of many phases. Disrupting any of these phases, dubbed the ‘cyber kill chain’ by Lockheed Martin, can cause the attack to fail.

Jayson O’Reilly, director of sales and innovation at DRS, describes the various phases of an attack. “First, reconnaissance, where the threat actors gather information on the potential target. Next comes weaponisation, where the cyber criminals employ a piece of malware and create a malicious payload to send to the victim. Third comes the delivery, where the payload is sent to the victim via email, or some other means. Next comes exploitation, where the exploit is executed, followed by installation of the malware. Step six is command and control (C&C), where the criminal creates a C&C channel to operate his assets remotely. The final step is the objective, to exfiltrate the information he wanted, or carry out his intentions.”


He says this process is time consuming and elaborate, and disrupting any of these stages can prevent or at least slow down an attacker. “Although security experts have been talking about this for some time now, the high-profile breaches we have seen lately have highlighted how vital it is to think about the ways threat actors can damage your organisation during this process too.”


“Every business has different resources, including skills and budgets, and every organisation’s risk tolerance will be different, resulting in varying approaches to handling the cyber kill chain. All security professionals, however, have the same aim though: to force the attacker to spend so much time and energy that the reward is no longer worth the effort.”


According to O’Reilly, stolen credentials are still the main tool used by attackers to penetrate an organisation. “Once inside, they are able to execute their malicious code. However, most traditional security measures focus on malware alone, and miss these complex attacks. Companies must have continuous monitoring and full packet capture to have a hope of protecting themselves. Tools that monitor of internal systems looking for any anomalous behaviour will require more than just SIEM tools though, as data analytics are needed to handle the vast amounts of information. However, it is worth the expense, as anomalous behaviour is often an indicator that a breach is in progress, and bears investigation.”


He adds that there are other ways to disrupt the kill chain. For starters, keeping an eye out for signs that reconnaissance is taking place. “In particular, look at any change in Lightweight Directory Access Protocol (LDAP) queries. Segregating networks is also a good idea, as is limiting user privileges, enforcing the principles of least privilege and monitoring for the creation of new privileged user accounts.”


In terms of preventing the exfiltration of data, having a good firewall in place is key. “A new generation firewall will be able to monitor outgoing traffic against a list of known bad IPs, and make sure only the information that should be leaving the environment is doing so,” says O’Reilly.


“Disrupting the kill chain, while effective, is still no silver bullet. Although you may manage to stop a breach, you might not be aware of other problems that exist. Because of this, it is better to do this stealthily, and try not to alert the attackers. If they are aware you have made them, they might modify their attack accordingly.”


He advises to learn as much as possible about the attacker, keep your presence unknown to them, and look for any further infections. “Sandboxing can be used here to ensure infected systems don’t infect others. Once secure, you can gather intel to pinpoint infected hosts and applications.”


Ultimately, O’Reilly says the sooner a business can disrupt the kill chain, the better. “Since most advanced attacks follow the kill chain stages, understanding them can help you understand the attacker, and predict what he may do next and defend accordingly.”