Most modern attacks will follow the same pattern to breach and exploit your network. It’s known as the cyber kill chain, and with the right defenses you can break it before it causes harm.
Digital transformation is a double-edged sword.
From one perspective, it helps organizations improve their efficiency and output and allows them to compete more effectively in today’s marketplace.
From another perspective, it has made companies more vulnerable than ever. It has dissolved the network security perimeter, exploded the number of technology assets that cybercriminals can exploit, and increased the impact of incidents that do occur.
As a technology leader, this is your problem to solve. You must secure your digital infrastructure and operations without bottlenecking your company’s ongoing, accelerating transformation.
It’s a big problem, but there’s a framework that can help you manage it — the cyber kill chain. With a working knowledge of what the cyber kill chain is, how it can help you evolve your defenses, and the tactics you can follow to bring it to life, you can make your technology environment more secure.
Understanding Links in the Kill Chain
The cyber kill chain is easy to understand.
It’s a framework that outlines the moving parts most modern cyberattacks follow as they infiltrate a network, expand their foothold, and achieve their objective — whether that’s mass data exfiltration, system shutdowns, ransom demands, or all the above.
The cyber kill chain provides a sophisticated understanding of how modern threats operate and how to stop them. Instead of assuming you can still stop a cyberattack by simply fortifying your perimeter defenses and blocking potential breaches, the cyber kill chain shows you how to build complex, multistage defenses that block attacks that have already breached your network — before they cause significant harm.
Let’s take a look at each link.
- Reconnaissance: The attacker looks for vulnerabilities, gathers information, and learns how to best exploit weaknesses, allowing them to expand throughout your network.
- Weaponization: Threat actors package malware or malicious code in a delivery mechanism—like a compromised file—to launch the attack.
- Delivery: The weaponized package infiltrates your network via phishing email attachments, infected websites, corrupted USB drives, or the like.
- Exploitation: The malware or malicious code gets triggered by an event, slips through gaps in defenses, and exploits operating systems and applications.
- Installation: The malware or malicious code installs itself on a user’s (or application’s) endpoint, giving the attacker a viable presence on the network.
- Command and Control (C2): The attacker establishes a connection back to a remote system that they then use to control the malware they planted.
- Actions on Objectives: Threat actors then proceed with their attack and exfiltrate data, spread laterally through the network, install ransomware, or seek additional vulnerabilities.
While this may sound like a lot of steps to complete, many elements of the kill chain are automated, allowing threat actors to move through them at speed. Under certain conditions, an attacker can complete the chain across an entire network in less than an hour.
That’s the bad news.
Here’s the good news: If you break one link in the cyber kill chain, you can stop an attack before it causes harm. To do so reliably, you need to build the defenses at each link in the chain and deploy those defenses when you discover an in-progress attack.
Breaking the Links
Most links in the cyber kill chain can be broken through a few actions.
- Reconnaissance: Identify services attackers might use to get information about your network, like Windows Management Instrumentation or sendmail. Then, detect where these services could be exploited — or are currently being used inappropriately — and block those pathways.
- Weaponization: Shrink and harden your attack surfaceto reduce known vulnerabilities in operating systems and applications to reduce the number of avenues attackers can exploit. Maintain good IT hygiene by continually patching and updating your systems.
- Delivery: There’s no single action that kills every attack vector. Everyone — from end users to security team members to management — must stay vigilant and follow a multipronged approach that includes user education, threat-informed physical security practices, and organization-wide risk management.
- Exploitation: Reputation services and antivirus software can help identify and block malicious software, while behavioral monitoring and threat hunting can identify abnormal usage or indicators of compromise. At heart though, many exploits are stopped simply by practicing good cyber hygiene.
- Installation: Detection tools can help identify and stop malware installations and unwanted configuration changes. Reputation services and threat intelligence services can identify malicious software, and building an approved whitelist can stop vulnerable applications from entering your environment.
- C2 Communications: Deploy Zero Trust to block all unauthorized communications by default. With this approach, firewalls and network monitoring tools can also be used to detect and block suspicious network activity — like communications with unknown DNS servers or unusual remote hosts.
- Actions on Objectives: Lock every door and window in your network. This makes threat actors work harder to take even small steps, and it increases the chance they will be detected before they can execute an attack. Set up alerts to spot anomalous activities and align your alerts to threat intelligence from organizations like CISA.
Implementing these basic fundamentals will allow you to break attack chains and stop security incidents before they cause significant harm. Build them over time, and you will dramatically improve your security posture against the vast majority of threats.
However, if you need to improve your defenses quickly — or if you have limited resources for new initiatives — then you can focus your efforts around one action: improving your cyber hygiene.
When In Doubt, Focus on Hygiene
I want to be clear — there’s no silver bullet to stop today’s threats. Cyber criminals deploy complex, multistage attacks, and stopping them requires equally layered, multipronged defenses.
But improving your cyber hygiene will make the single biggest impact, helping you defend against most steps in most kill chains. By keeping your assets patched, updated, and as free from vulnerabilities as possible, you will:
- Reduce threat actor access to your information-gathering and sharing services
- Eliminate openings criminals can use to breach and move within your network
- Lower the effects when malicious code (inevitably) enters your network
- Develop greater visibility into the software configurations in your environment
- Make it harder to move undetected through your network
In short: Improving your cyber hygiene will improve your defenses at every link of the cyber kill chain even if it’s the only action you take to better secure your network.
Nic Surpatanu is Chief Product Officer at Tanium