One of the biggest challenges for security professionals is staying ahead of the sheer volume of cyber-attacks targeting their business. These teams are faced with ongoing indicators that the network may have been compromised. Prioritizing and tackling these alerts can become a never-ending job; it is almost impossible to get through them all making it difficult for security professionals to feel confident in the business’ security posture.
However, in the battle against cyber-criminals, there is a way for security teams to gain the advantage — namely the intrusion kill chain.
What is an intrusion kill chain?
‘Kill chain’ is a military term used to define the stages of an offensive attack and in 2011, Lockheed Martin applied the kill chain concept to cybersecurity, mapping the process cyber attackers use to breach a business network.
Understanding each of these stages empowers security teams to identify and intercept threats at multiple points; providing more opportunities to thwart them.
Cloud-enabled businesses are even better placed to make a kill chain approach effective. They have access to a wide range of security controls offered by their providers, maximizing the opportunity to tackle threats throughout each stage of an attack. However, to do so, they need to understand what the stages of the intrusion kill chain look like.
Stages of the intrusion kill chain
Lockheed Martin’s model included seven phases, however, this needs to be updated for businesses who are using the cloud, with its inherent security benefits:
- Reconnaissance — Pre-intrusion: This phase represents the work attackers do to research and select their targets. It can include activities such as port scans and vulnerability scans of publicly accessible systems.
- Reconnaissance — Post-intrusion: After attacker’s intrusion attempts have been successful they perform reconnaissance inside their victim’s environment to build a map for themselves.
- Weaponization — Here attackers plan and acquire the tools they’ll use to try to exploit the weaknesses they have identified in the business network. For example, develop malware that will be used to steal system login credentials from victims.
- Delivery — In this phase, attackers transmit their weapon to the intended victim using tactics such as phishing emails, malicious email attachments and drive-by download sites.
- Exploitation — Once the weapon has been delivered to the target it will seek to exploit vulnerabilities. Examples include targeting a vulnerability in an operating system or web browser. Weapons can also be designed to trick people into making poor trust decisions.
- Installation — Once vulnerabilities have been successfully exploited, many attackers will attempt to remain undetected in the business network as long as possible, installing tools that will allow them to maintain remote access to the IT environment.
- Command and Control — Here attackers maintain illicit access to their victims’ business network and could remotely control compromised IT infrastructure.
- Actions on Objectives — At this point the attackers are in a position to achieve their objectives which can include data theft, compromising data integrity, disrupting operations, or perpetrating attacks on other victims.
Breaking intrusion kill chains
By breaking down an intrusive attack in this manner, security teams can create an informed defensive strategy for each stage of the kill chain, making it easier to catch the bad guys. The defensive measures open to them can be broken down into eight phases: detect, deny, disrupt, degrade, protect, respond, restore and contain.
At the detect phase, restricting access to core security information can stop many attempted attacks in their tracks. Similarly, at the deny phase, training staff on commonly used attacks such as phishing can prevent malware from being delivered. In the disrupt phase, the restriction of administrative privileges can often prevent attackers from exploiting weaknesses.
However, to create a comprehensive defensive plan across the full the kill chain it is worth working with your cloud provider. That is because the majority of providers are able to identify which services and features will help organizations to detect, deny, disrupt and contain attacks.
Finally, AWS would advise that security teams should focus their defensive measures towards the start of the kill chain. By doing so they can significantly reduce the damage caused by even a partially successful attack.
Stopping cyber-criminals whilst they are still gathering data on your network means they will not be able to use that data to exploit vulnerabilities in your IT infrastructure. This reduces the recovery time, effort, cost, and damage associated with each attack.
For businesses looking to bolster their cybersecurity strategy and make better use of their security resources, at AWS we believe that the intrusion kill chain strategy is an important option to consider. Better understanding your adversary and taking a systematic approach to tackling them makes it much more difficult for attackers to be successful.
Focusing on the kill chain additionally provides encouragement in an age when the cyber-security battle can sometimes seem unwinnable.