As the world becomes ever more networked and interconnected, the scope of digital breaches and intrusion attempts keeps widening. Adversaries are more resourceful and persistent than ever; the question is therefore ‘when’ a major breach will happen rather than ‘if’. The Cyber Kill Chain® (CKC) model was created in 2011 as a novel way of understanding such intrusions. Originally developed by the American defence company Lockheed Martin, it has become a popular model amongst network defenders and information security professionals because it systematically breaks a breach into seven phases (reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives) and outlines specific mitigation methods for each. The CKC model has come in for a certain degree of criticism in recent years, and that is unsurprising. Today’s threat environment is drastically different from the past because it is far more dynamic: both threat actors and attack vectors evolve at an unprecedented pace. The self-propagating virus code of the past could be considered an IT annoyance, but today’s intrusions often carry enormous business costs and at times pose national security risks. In such a fast-evolving environment, any proposed solution risks becoming outdated just as fast. The criticism CKC has received seems misplaced, however, and mostly rests on an orthodox reading of the model. It should not be taken at face value; rather it should be understood as a stable conceptual framework that can still help defenders recognise and stop emerging attack vectors. Ultimately, the Cyber Kill Chain is what network defenders make of it.
One misapprehension about the Cyber Kill Chain is that it encourages a perimeter-centric defence mentality, and some of the recent major breaches are cited as evidence that the industry needs to move beyond it. It is indeed true that enterprises that concentrate too much on the perimeter and too little elsewhere are bound to be compromised. A closer examination of those breaches, however, indicates that they were not the result of excessive focus on perimeter defences but of a lack of basic ones. In 2013, investigators found that Target Corp. was breached through one of its vendors, which relied on a free, on-demand anti-malware scanner rather than real-time protection. The attackers were able to build a relatively unsophisticated kill chain to deliver a payload and reach their objective because Target Corp. itself had weak security, marred by missing patches, vulnerable systems and default passwords. Likewise in 2014, Home Depot was breached with a similar but slightly more sophisticated kill chain that took advantage of a Windows zero-day exploit. Again, antivirus solutions were misconfigured, and there was no meaningful credential or vulnerability management.
In both cases, enterprise security could have been raised by applying the CKC model, because even its most classical reading treats the adversary as persistent, that is, expected to breach the perimeter repeatedly. It therefore offers network defenders ways to disrupt intrusions not just at the perimeter but at every phase of the kill chain, even after the attackers have established a presence in the network. Understanding and applying the legacy CKC model gives network defenders not one but several opportunities to disrupt a campaign, and to learn from it when they cannot. More importantly, the CKC framework offers a good starting point for conceptualising what lies both within and beyond the perimeter of enterprise networks. Some have even suggested that the model could be sensibly leveraged against threats at the earliest preparation phases, where network defenders normally have little influence. A second, related criticism is that the legacy CKC is too malware-centric and cannot account for new and emerging attack vectors. These arguments have some merit. The legacy CKC model was designed primarily to detect and disrupt persistent malware that resides on compromised hosts and communicates with external command and control from within the network. Persistent malware is still a very significant problem, but today’s threat environment also includes attack vectors that do not rely solely on payload delivery.
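The mechanism described above, several chances to cut the chain and intelligence carried from one intrusion to the next, can be made concrete with a small script. The following is an added example written for this page, not code from Lockheed Martin or from the CKC paper; the intrusion records, sender addresses, file names, paths and domains in it are constructed and hypothetical. It records each intrusion's indicators per phase, links intrusions that share indicators into a campaign, finds the earliest phase at which indicators from a prior intrusion would have let the defender deny a new attempt, and lists the phases an attacker reached that no control has yet stopped.

```python
# Kill-chain analysis over constructed intrusion records (added example; not the page's code).
from __future__ import annotations
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# The seven phases of the Lockheed Martin Cyber Kill Chain, in attack order.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]


@dataclass
class Intrusion:
    """One intrusion attempt as a defender recorded it: indicators per phase
    (sender, attachment, dropped path, C2 domain, ...) and the phase at which a
    control cut the chain, or None if the attacker was never stopped."""
    name: str
    indicators: dict[str, set[str]]
    stopped_at: Optional[str] = None

    def all_indicators(self) -> set[str]:
        return set().union(*self.indicators.values())


def phases_reached(intrusion: Intrusion) -> list[str]:
    """Phases the attacker progressed through, up to and including the one
    where the chain was cut (all recorded phases if it never was)."""
    cutoff = len(PHASES) if intrusion.stopped_at is None else PHASES.index(intrusion.stopped_at) + 1
    return [p for p in PHASES[:cutoff] if p in intrusion.indicators]


def earliest_blockable_phase(new: Intrusion, prior: list[Intrusion]) -> Optional[tuple[str, str, str]]:
    """Earliest phase of `new` carrying an indicator already seen in a prior
    intrusion: the first point where intelligence from earlier attempts would
    have let a control deny this one. Returns (phase, indicator, prior name)."""
    for phase in PHASES:
        for indicator in sorted(new.indicators.get(phase, ())):
            for old in prior:
                if indicator in old.all_indicators():
                    return phase, indicator, old.name
    return None


def campaign_links(intrusions: list[Intrusion]) -> dict[tuple[str, str], set[str]]:
    """Pairs of intrusions that share indicators, with what they share. Overlap
    across separate attempts is what justifies treating them as one campaign."""
    links: dict[tuple[str, str], set[str]] = {}
    for a, b in combinations(intrusions, 2):
        shared = a.all_indicators() & b.all_indicators()
        if shared:
            links[(a.name, b.name)] = shared
    return links


def uncovered_phases(intrusions: list[Intrusion]) -> list[str]:
    """Phases an attacker reached in some intrusion that no intrusion was ever
    stopped at: where the defender has no demonstrated control, so a single
    perimeter failure hands over the rest of the chain."""
    reached: set[str] = set()
    stopped: set[str] = set()
    for intrusion in intrusions:
        reached.update(phases_reached(intrusion))
        if intrusion.stopped_at is not None:
            stopped.add(intrusion.stopped_at)
    return [p for p in PHASES if p in reached and p not in stopped]


# Constructed sample records (hypothetical): two phishing-borne intrusions a
# month apart. Senders, file names, paths and domains are invented.
JAN = Intrusion(
    name="jan-phish",
    indicators={
        "delivery": {"sender:hr-benefits@mail.example", "attachment:benefits.docm"},
        "exploitation": {"macro:AutoOpen->powershell"},
        "installation": {"path:%APPDATA%\\svchost32.exe"},
        "command_and_control": {"domain:cdn-update.example.net"},
    },
    stopped_at="command_and_control",  # web proxy blocked the beacon
)
FEB = Intrusion(
    name="feb-phish",
    indicators={
        "delivery": {"sender:payroll@mail.example", "attachment:payroll-q1.docm"},
        "exploitation": {"macro:AutoOpen->powershell"},
        "installation": {"path:%APPDATA%\\svchost32.exe"},
        "command_and_control": {"domain:static-assets.example.org"},
        "actions_on_objectives": {"share:\\\\fileserver\\finance"},
    },
    stopped_at=None,  # new C2 domain slipped past the proxy; nothing else fired
)

if __name__ == "__main__":
    print("campaign links:", campaign_links([JAN, FEB]))
    print("feb could have been denied at:", earliest_blockable_phase(FEB, [JAN]))
    print("phases without a proven control:", uncovered_phases([JAN, FEB]))
```

In the constructed data the February attempt changed its sender, attachment and C2 domain but reused the macro behaviour and the dropped file path, so the earliest phase at which January's intelligence would have denied it is exploitation, and the uncovered list shows that only the C2 phase has a control proven to fire. That is the practical reading of the paragraph above: the perimeter miss is not the failure; the failure is having no second or third chance along the chain.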
Some of these vectors include protocol attacks, manipulation of data through transient vulnerabilities, insiders and DDoS. The CKC cannot be expected to be a silver bullet for all of them, but it can again be used meaningfully to explain and understand some of these asymmetric cyber attacks. Researchers have in fact suggested leveraging all seven steps of the legacy CKC to identify and break DDoS chains at various stages, and others have proposed expanding the CKC to account for internal network exploitation and insiders. Using the Cyber Kill Chain at this conceptual level shows that it remains a powerful framework in a fast-changing threat environment.
A crushing majority of the attacks on enterprises today still come from external threat actors, carrying malware of various functions. In that sense, the legacy Cyber Kill Chain still has plenty of practical applicability. But perhaps its biggest strength lies in promoting an intelligence- and knowledge-based understanding of threat campaigns and attack vectors. That understanding is particularly crucial in a field such as cybersecurity, where we regularly face more unknowns than knowns. Being able to identify and evaluate the threat environment is critical to establishing robust enterprise security, and the Cyber Kill Chain remains a relevant tool for network defenders who want to play to its strengths in understanding both conventional and emerging cyber threats.