Poornachander Kola

Cyber Kill Chain Demystified

Defence strategies talk about breaking the "kill chain": first, disrupting the attacker's command, control, communications, intelligence, surveillance, and reconnaissance; second, destroying the attacker's weapons launchers (including aircraft, ships, and missile sites); and finally, neutralizing the attacker's weapons themselves.

Lockheed Martin developed the cyber kill chain, which became an industry-accepted methodology for understanding how an attacker conducts the activities necessary to cause harm to your organization. A deep understanding of the cyber kill chain greatly assists the information security professional in establishing security controls that protect their organization's assets.

We will discuss the various stages of the cyber kill chain and how it can help organizations combat cyber threats.

1. Reconnaissance

In this stage, the attacker observes the target from outside the organization to identify information systems with exploitable vulnerabilities.

2. Weaponization

In the second stage of the cyber kill chain, the attacker develops malicious exploit code targeting the vulnerabilities discovered during the first phase.

3. Delivery

In the third stage, the attacker delivers the malicious code to the target information system.

4. Exploitation

During the exploitation phase, the malicious code is executed on the target network, taking advantage of the discovered vulnerabilities to gain privileged access to the organization's information systems.

5. Installation

Once exploitation of the system has succeeded, the malicious code installs itself on the information system, maintaining persistent access to the network.

6. Command And Control

In the command and control stage, the attacker has put malicious software in place on the target network. This software allows the attacker to fully manage the malware in the environment and to move deeper and laterally through the network.

7. Actions On Objectives

The attacker may be interested in proprietary information such as engineering designs, employee and customer Personally Identifiable Information (PII), or health care records.

The attacker might even, as with the Stuxnet worm, seek to operate industrial control systems outside of their manufacturer specifications, resulting in catastrophic failure.
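As an added example (not part of the original post), the following Python maps constructed detection events onto the seven stages above and, per host, reports the deepest stage reached and the earlier stages where no detection fired, which is where a defender has a visibility gap. The event fields, detection sources and thresholds are assumptions, not taken from any specific product.

```python
"""Correlate constructed detection events into cyber kill chain stages per host."""
from collections import defaultdict

# The seven stages in kill chain order; the index is the depth of intrusion.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]


def classify(ev):
    """Map one event to a stage. Sources, fields and thresholds are assumed."""
    src, kind = ev["source"], ev["type"]
    if src == "firewall" and kind == "port_scan" and ev.get("ports", 0) >= 100:
        return "Reconnaissance"          # external scanning of the target
    if src == "mail" and kind == "attachment" and ev.get("ext") in {"exe", "js", "docm"}:
        return "Delivery"                # risky attachment reached a mailbox
    if src == "edr" and kind == "child_process" and ev.get("parent") in {"winword.exe", "excel.exe"}:
        return "Exploitation"            # office app spawned a child process
    if src == "edr" and kind == "persistence":
        return "Installation"            # autorun / service / scheduled task added
    if src == "proxy" and kind == "beacon" and ev.get("count", 0) >= 20:
        return "Command and Control"     # periodic outbound beaconing
    if src == "dlp" and kind == "exfil" and ev.get("bytes", 0) > 10_000_000:
        return "Actions on Objectives"   # large outbound transfer
    return None


def correlate(events):
    """Return {host: {"deepest": stage, "observed": [...], "gaps": [...]}}."""
    seen = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            seen[ev["host"]].add(stage)
    report = {}
    for host, stages in seen.items():
        depth = max(STAGES.index(s) for s in stages)
        # Earlier stages with no detection are visibility gaps. Weaponization
        # happens on the attacker's side, so it is never expected in our telemetry.
        gaps = [s for s in STAGES[:depth] if s not in stages and s != "Weaponization"]
        report[host] = {"deepest": STAGES[depth],
                        "observed": [s for s in STAGES if s in stages],
                        "gaps": gaps}
    return report


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws-17", "source": "firewall", "type": "port_scan", "ports": 400},
    {"ts": 2, "host": "ws-17", "source": "mail", "type": "attachment", "ext": "docm"},
    {"ts": 3, "host": "ws-17", "source": "edr", "type": "child_process", "parent": "winword.exe"},
    {"ts": 4, "host": "ws-17", "source": "proxy", "type": "beacon", "interval_s": 60, "count": 48},
    {"ts": 5, "host": "ws-42", "source": "mail", "type": "attachment", "ext": "pdf"},
    {"ts": 6, "host": "ws-42", "source": "edr", "type": "persistence", "key": "Run"},
]
```

Running `correlate(SAMPLE_EVENTS)` shows ws-17 reached Command and Control with no Installation detection, while ws-42 shows only Installation, so its earlier stages went unseen.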

Defense In-Depth Recommendations

It is recommended that an organization implement a defense-in-depth strategy to protect its people, processes, and technology. Such a strategy includes:

• Implementation of an effective information security program.

• User training and awareness related to current cyber threats.

• Industry best security practices implemented throughout the organization.

An information security system and recovery plan are critical components of doing business in a digital age, whether the data at stake is confidential business information or personal customer information. The main steps are:

1. Establish an Information Security Team

2. Security Incident Management Plan Definition

3. Assess & Manage Risks

4. Annual Audits (against criteria such as ISO 27001, PCI DSS, FedRAMP, and HITRUST, as well as SOC 2® reports using the AICPA Trust Services Principles)

5. Benchmarking & Metrics

6. Implementation of a security system with operational intelligence and remediation playbooks.

ServiceNow Security Operations

ServiceNow® Security Operations integrates incident data from your security tools into a structured response engine that uses intelligent workflows, automation, and a deep connection with IT to prioritize and resolve threats based on the impact they pose to your organization at the various stages of the cyber kill chain.

Many organizations grapple with identifying security threats and vulnerabilities, prioritizing them, and coordinating with IT to remediate them.

With Security Operations, security analysts and incident response managers can seamlessly automate their security tools and communicate with IT by working on a unified platform.

A dedicated threat intelligence module keeps security intelligence at the top of the priority list while handling security incident response.

Investing large amounts of time and money in identifying and securing assets does not by itself mean that the system is secure; many people stop at this point, only to find out later that something was missed and their data is gone. Vulnerability management, and a process for handling the vulnerabilities found, is as important as handling incidents when they happen. ServiceNow's ability to bring the whole ITSM ecosystem together with the CMDB under one umbrella helps keep scanning results accurate and of high quality.


Ultimately, one should go through all the stages of information security risk management (identify, protect, detect, respond, and recover) and repeat them on a regular basis. It is essential for organizations to have a policy that describes all stages of the security risk process, the responsibilities of employees, and the schedule or conditions for reviewing the program.

Security risks are inevitable, so the ability to understand and manage risks to systems and data is essential to an organization's security posture. Developing a security program makes the risk management process more manageable and helps you protect your most critical assets against cyber risks.

If the supporting systems are equipped to address risks and to respond effectively to security incidents and vulnerabilities, security teams learn how to resist cyber threats better and reduce potential risks in the future.
