As an information security professional, you’re likely to have heard of the cyber kill chain framework being used to identify and prevent cyber intrusions.
The model was established by Lockheed Martin and follows the military approach of the same name: describing and tackling each stage of a threat. These stages are referred to as reconnaissance, weaponisation, delivery, exploitation, installation, command and control – and finally, actions on objectives.
While the model fits both physical and cyber threats, it’s important to note that not all steps of the kill chain are used in every cyber attack. For example, the first and last stages, ‘Recon’ and ‘Persist’, typically feature only in targeted attacks. The duration of an attack can also vary, depending on its nature. Opportunistic attacks must be executed quickly, and their value to the malicious actor often hinges on the number of victims rather than their ‘quality’.
The kill chain terminology has drawn some criticism in cybersecurity use; some say that it reinforces traditional perimeter-based and malware-prevention-based defensive strategies and doesn’t adequately protect against insider threats. However, the model has evolved significantly since its inception, and today it helps us to understand the modus operandi of, and to combat, both targeted attacks carried out by APTs and opportunistic threats like ransomware, phishing or cryptojacking.
But of course, cyber attacks are evolving as quickly as the technology they target and it’s understandable that infosec professionals are now calling for a greater understanding of the ways in which the kill chain has changed with the advent of cloud applications. If not properly secured, cloud services can increase the attack surface for an organisation – and at multiple phases of the kill chain.
So, let’s take a look at how organisations can use the kill chain approach to tackle this new breed of attacks on their critical cloud applications.