There's only one "If" in cyber security: If your organization has data of value, it will be breached. (And here's a quick hint, your organization has data of value.)

This simple, if seemingly gloomy, statement has become generally accepted in cyber security circles. Eventually, the thinking goes, a determined adversary will be able to breach most network defenses. That does not mean, however, all is lost. Intrusion does not necessarily lead to a data breach.

This can produce a difficult, reactive environment to work in. Many types of attack vectors exist, and it only takes one success for an attacker to gain a foothold and leverage it across network domains, escalate user privileges and eventually exfiltrate data.

Organizations with mature cyber practices in place are well positioned to ward off most minor low-level threats conducted through standard malware distribution channels. Still, constantly playing defense against an unrelenting quantity of attacks can be taxing.

What can be done beyond constant vigilance?

In 2011 Lockheed Martin advanced cyber thinking by providing an analysis framework that looked beyond simple attack repellent and dove deeper into understanding each step of an attack. When viewed from this perspective, the advantage can tilt back to the defender.

Despite criticism hurled its way in recent months, several aspects of the Kill Chain can still be used to keep the advantage on the good guys' side—in particular when faced with Advanced Persistent Threats (APT) where determined adversaries conduct focused intrusion campaigns.

1) Indicators Are Where It’s At

Indicators are triggers on events that alert cyber analysts to potentially bad situations. They are tangible evidence that an intrusion has occurred.

Most mature organizations suffer from an overload of installed security products that create or aggregate transaction logs, produce a plethora of alerts and generate visual outputs via some type of dashboard. Without appropriate filters, analysts can be overwhelmed by alerts and overlook key events that require further human intervention. Each organization needs to take the time to define what is ‘normal’ in its environment, and create a series of indicators to focus cyber analysis.

Indicators range from unknown IP addresses being used to move data, to repeated attempts to alter access credentials, to frequency or volume violations on file transfers. Taken together, this security intelligence can be translated into tactics that enhance the security posture of an organization.

2) APT Attacks Are Carried Out by Humans

Even with all the attack automation available via Python or Perl scripts, it is important to remember that attacks are ultimately carried out by humans, who have a wide range of technical skills, aptitudes and preferences. As such, dealing with this type of threat requires a similarly determined defense.

As Sun Tzu wrote "Know your enemy and know yourself and you can fight a hundred battles without disaster." Putting a human profile on an attack can lead to a better understanding of your adversary.

When taking a long-term strategic view, behavior patterns can emerge based on time of day, the work week and even the holiday calendar. Mandiant has noted this type of attack behavior in its reports, which indicate that adversaries do alter their behavior based on external factors. Matching indicators to attack behavior patterns can uncover how an attacker looks to move through your network.

3) Zero Day Attacks are Performed Strategically

Zero Day attacks, where an adversary exploits a previously unreported vulnerability, are often termed indefensible. How can you prevent an exploit that is unknown? Here, the answer lies in being able to profile your APT attackers. In this case, as the Kill Chain authors note, gathering information on an adversary's Tactics, Techniques and Procedures (TTP) can be invaluable.

In the hacker community, "zero day" payloads are valuable commodities. As with any valuable item, they are not going to be deployed until conditions are right and the attacker feels some sense of assurance that they will be successful. Thus, identifying the early steps of the Kill Chain (steps 1 through 3) becomes key to stopping a zero day attack. Repeated patterns of behavior, such as reusing the IP address of a Command and Control server, can be used to identify intrusions and cut off access or trigger special data protections and alerts.
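The indicators named in section 1 (unknown destination addresses, repeated credential changes, volume violations) and the reused C2 address from this section can be turned into a small detector run over log events. The following is an added example, not code from the post or from Lockheed Martin; the "normal" profile, the prior C2 address and the sample events are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed "normal" profile for a fictional environment (an assumption, not
# something the post defines): destinations the business talks to, a per-host
# daily outbound volume ceiling, and a limit on credential-change attempts.
NORMAL = {
    "known_nets": [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.0/24")],  # placeholder partner range
    "max_bytes_per_host": 50_000_000,
    "max_cred_changes_per_user": 3,
}
# Address of a C2 server seen in an earlier intrusion (constructed placeholder).
PRIOR_C2 = {"198.51.100.7"}

# Constructed sample events: (source host, destination IP, event type, user, bytes)
SAMPLE_EVENTS = [
    ("10.0.0.5", "10.0.0.20",    "transfer",    "alice", 20_000),
    ("10.0.0.5", "192.0.2.10",   "transfer",    "alice", 1_000_000),
    ("10.0.0.9", "203.0.113.44", "transfer",    "bob",   60_000_000),  # unknown dst, huge volume
    ("10.0.0.9", "198.51.100.7", "beacon",      "bob",   512),         # known C2 address reused
    ("10.0.0.7", "10.0.0.1",     "cred_change", "carol", 0),
    ("10.0.0.7", "10.0.0.1",     "cred_change", "carol", 0),
    ("10.0.0.7", "10.0.0.1",     "cred_change", "carol", 0),
    ("10.0.0.7", "10.0.0.1",     "cred_change", "carol", 0),
]

def find_indicators(events, normal=NORMAL, prior_c2=PRIOR_C2):
    """Return sorted (indicator, subject) pairs: the alerts a human should look at."""
    hits = set()
    bytes_by_host = defaultdict(int)
    cred_changes = defaultdict(int)
    for src, dst, kind, user, nbytes in events:
        if dst in prior_c2:  # reuse of known C2 infrastructure (section 3)
            hits.add(("known_c2_reuse", dst))
        if kind == "transfer":
            bytes_by_host[src] += nbytes
            dst_ip = ipaddress.ip_address(dst)
            if not any(dst_ip in net for net in normal["known_nets"]):
                hits.add(("unknown_destination", dst))
        elif kind == "cred_change":
            cred_changes[user] += 1
    for host, total in bytes_by_host.items():  # volume violation per host
        if total > normal["max_bytes_per_host"]:
            hits.add(("volume_violation", host))
    for user, n in cred_changes.items():  # repeated credential changes
        if n > normal["max_cred_changes_per_user"]:
            hits.add(("credential_change_spam", user))
    return sorted(hits)
```

Running `find_indicators(SAMPLE_EVENTS)` yields four alerts out of eight events, which is the filtering the post asks for: the analyst sees the handful of indicators, not the raw log.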

4) Active Defense Is Possible

Matching countermeasures to adversarial actions is in some respects the highest possible means of cyber protection. By having a working definition of what is ‘normal’ in operations, and then using automated indicators, human analysts can be deployed where their creativity and technical skills are best used.

With regard to the cyber kill chain, being able to mitigate just a single step in the chain disrupts an attack and thwarts the adversary's goals.

Thinking with strategic intent allows cyber engineers and analysts to get in front of their attackers and institute an active defense instead of simply waiting for alerts to occur and having to slog through huge volumes of data in transaction logs looking for the ‘real’ events.

Even years after its publication, the Lockheed Cyber Kill Chain model is a solid framework that can translate strategy into a series of tactical actions that create liabilities for an attacker and disrupt their carefully crafted actions.

The Cyber Kill Chain is a registered trademark of Lockheed Martin. NJVC is not implying endorsement by or association with Lockheed Martin. All opinions are the writer's and not necessarily NJVC's.

About the Author

Robert J. Michalsky has served government and commercial customers for more than 30 years. As NJVC Principal, Cyber Security, he quantifies and pursues new business opportunities in cyber security. Mr. Michalsky spent more than 15 years providing cyber security-related IT engineering services for classified Intelligence Community and Department of Defense customers.