While “The Cyber Kill Chain” sounds like the latest Die Hard installment (we get it Bruce, you’re tough – move on) it’s actually an incident-response analysis model developed by Lockheed Martin. It lays out seven stages cyber attackers go through when they set out to bust into your system.
The stages also sound like something out of an action movie. (Not to make light of cyber attacks for obvious reasons, but it’s possible that the team behind this model got a wee bit carried away and could benefit from some fresh air and vitamin D.)
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command & Control (or C2)
- Actions on Objectives
It sounds exciting and frightening, but in reality attackers can breeze through steps one to six in relatively little time, for example by sending malware out via email under a catchy subject line such as “Nigerian prince wants to give you $1 million,” or the ever-enticing “Oprah loves this and you will too!” Step seven – carrying out the actual cyber crime itself – can take days or months. Not really action movie worthy.
Some view the Cyber Kill Chain as a useful framework for knowing where and how to break the chain and prevent an attack. The chain also shows that there are plenty of opportunities to get out ahead of attackers (stages one to six) rather than waiting till they’ve reached stage seven and reacting after the fact. Others suggest that it’s too intrusion-centric and old-school; a build-a-wall-around-it way of thinking about security that focuses mainly on malware, which is not the primary threat it once was.
Instead of focusing on perimeters we should be using breach detection systems that detect changes in user behavior early on. The more data you collect about your systems long before an attack occurs, the more quickly you will be able to detect an anomaly and shut it down before any damage can be done.
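To make the “collect data first, then spot the anomaly” idea concrete, here is a small added example (not code from the original post or from Lockheed Martin): it builds a per-user baseline of login hours, source countries and hosts from historical events, then scores new events by how many of their attributes fall outside that baseline. The log lines, user names, hosts and thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample history (not real logs): timestamp,user,country,host
HISTORY = """\
2024-03-01T08:05:00,alice,US,wks-12
2024-03-01T09:40:00,alice,US,wks-12
2024-03-02T08:15:00,alice,US,wks-12
2024-03-02T10:02:00,alice,US,wks-12
2024-03-03T08:30:00,alice,US,wks-12
2024-03-03T09:55:00,alice,US,wks-07
2024-03-01T14:10:00,bob,DE,srv-ops
2024-03-01T16:45:00,bob,DE,srv-ops
2024-03-02T15:20:00,bob,DE,srv-ops
2024-03-02T17:05:00,bob,DE,srv-ops
2024-03-03T14:50:00,bob,DE,srv-ops
"""

# Constructed events that arrive later and are scored against the baseline.
NEW_EVENTS = """\
2024-03-04T09:10:00,alice,US,wks-12
2024-03-04T03:15:00,alice,RU,wks-12
2024-03-04T15:00:00,bob,DE,db-01
2024-03-04T12:00:00,mallory,US,wks-12
"""


@dataclass
class Baseline:
    """What 'normal' looks like for one user: counts per hour, country and host."""
    total: int = 0
    seen: dict = field(default_factory=lambda: {
        "hour": Counter(), "country": Counter(), "host": Counter()})


def parse_line(line):
    ts, user, country, host = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "country": country, "host": host}


def build_baselines(log_text):
    """Learn a Baseline per user from historical log lines."""
    baselines = defaultdict(Baseline)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        b = baselines[ev["user"]]
        b.seen["hour"][ev["ts"].hour] += 1
        b.seen["country"][ev["country"]] += 1
        b.seen["host"][ev["host"]] += 1
        b.total += 1
    return dict(baselines)


def score_event(ev, baselines, rare_share=0.05):
    """Return (score, reasons): one point per attribute outside the user's baseline."""
    b = baselines.get(ev["user"])
    if b is None:
        # A user with no history is worth noting but is not an alert on its own.
        return 1, ["no baseline for user"]
    score, reasons = 0, []
    # Treat adjacent hours as familiar so a 09:55 habit does not flag 10:00.
    familiar_hours = {h + d for h in b.seen["hour"] for d in (-1, 0, 1)}
    hour = ev["ts"].hour
    if hour not in familiar_hours:
        score += 1
        reasons.append(f"unusual hour {hour:02d}")
    for attr in ("country", "host"):
        share = b.seen[attr][ev[attr]] / b.total
        if share < rare_share:
            score += 1
            reasons.append(f"{attr} {ev[attr]!r} seen in {share:.0%} of history")
    return score, reasons


def detect(log_text, baselines, threshold=2):
    """Return the new events whose anomaly score reaches the threshold."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        score, reasons = score_event(parse_line(line), baselines)
        if score >= threshold:
            alerts.append((line.strip(), score, reasons))
    return alerts


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for line, score, reasons in detect(NEW_EVENTS, baselines):
        print(f"ALERT score={score} {line}  ({'; '.join(reasons)})")
```

With the constructed data, only alice’s 03:15 login from a never-seen country reaches the alert threshold; bob’s first login to a new host scores one point and is left for a human to look at if more signals arrive. The point is that the baseline is cheap to keep and only pays off if it was collected before the incident.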
Whichever way you see it, the answer is clear: prevention is better than response. (Even if it doesn’t make for a good action movie or 6.) Yippee ki-yay… well, you know.