Fixating on the Kill Chain Model is Misleading

When Lockheed Martin applied the military Kill Chain model to cybersecurity six years ago, it changed the course of enterprise security. 

As most who are familiar with the model will be aware, it explains how security attacks develop through reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.

If a business knows how cyber-criminals operate, it can tell when they are preparing an attack and ensure security forces block them every step of the way. This is the thinking behind the prevention-centric Kill Chain model, which most businesses currently rely on to keep their customers and data assets safe. 

However, this approach is misleading.

What’s Misleading About It?
While the Kill Chain model does offer a broad overview of how attacks work, it centers almost exclusively on how they develop before penetrating the network perimeter, not what happens if and when they get in. 

As smart device usage increases, and network perimeters become increasingly edgeless, so does the opportunity for attackers to find a way in. The number of businesses falling victim to attacks rose by 21% in the US last year and doubled in the UK over the last two years. In other words, it is becoming increasingly unlikely that businesses will be able to keep all attackers out of their network. So, the belief that a Kill Chain-based strategy — which is almost exclusively preventative — can keep businesses completely safe is misleading. 

Instead of focusing their energy solely on guarding the perimeter, CISOs also need to detect the attackers that have already made it over the wall, and to do that, they will need a different kind of model: Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™).

The Utilitarian Direction of Future Virtual Safety
Developed by US government-funded research organization MITRE, the aptly named ATT&CK™ model detects threats inside the perimeter — and it is set to transform cybersecurity. 

Designed to offer a more efficient, utilitarian way of working than the Kill Chain, ATT&CK™ is focused on the post-compromise phases of a breach. More specifically, it looks for the small but significant signs that intruders are present and up to no good, identifying patterns in the techniques attackers use to gain access to networks, remain undetected and fulfill their objectives. 

After they are pinpointed, the most frequently spotted patterns – Common Attack Pattern Enumeration and Classification (CAPEC) IDs – are noted and used to compare techniques at different points in the attack chain. The techniques are then plotted into an ever-growing matrix, now covering 133 methods, which is effectively an ‘attacker identification guide’ for security professionals. 

Not only does the categorization make it easier to recognize certain types of attacks quickly, but it also allows security professionals to get ahead of them. With a precise picture of the methods attackers are using – even if these methods are unusual or less understood – CISOs can match the tool to the intrusion and deal with it before it does any damage.
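As an added illustration, not part of the original article and not MITRE's own tooling, the Python script below applies a handful of constructed detection rules to constructed host log lines, maps each hit to an ATT&CK tactic and technique ID, and then reports which post-compromise tactics produced no signal at all. The log format and the rules are assumptions; the tactic names and technique IDs are real ATT&CK identifiers.

```python
import re
from collections import defaultdict

# Constructed rule set for this example: each rule pairs a regex over a host
# log line with the ATT&CK tactic and technique ID that behaviour indicates.
RULES = [
    (r"powershell\.exe .*-(enc|EncodedCommand)", "Execution", "T1059.001"),
    (r"schtasks\.exe /create", "Persistence", "T1053.005"),
    (r"procdump.*lsass", "Credential Access", "T1003.001"),
    (r"(psexec|PSEXESVC)", "Lateral Movement", "T1021.002"),
    (r"(vssadmin|wmic shadowcopy) delete", "Impact", "T1490"),
]

# ATT&CK tactics that only occur once an attacker is already inside.
POST_COMPROMISE_TACTICS = [
    "Execution", "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]

def map_events(log_lines):
    """Return {tactic: set(technique_ids)} for every rule that fires."""
    hits = defaultdict(set)
    for line in log_lines:
        for pattern, tactic, technique_id in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                hits[tactic].add(technique_id)
    return dict(hits)

def coverage_report(hits):
    """Split the post-compromise tactics into those seen and those silent."""
    seen = [t for t in POST_COMPROMISE_TACTICS if t in hits]
    silent = [t for t in POST_COMPROMISE_TACTICS if t not in hits]
    return seen, silent

# Constructed host telemetry (not from a real incident); format is assumed.
SAMPLE_LOG = [
    "2019-03-04T10:02:11 HOST-A ProcessCreate powershell.exe -w hidden -enc <base64>",
    "2019-03-04T10:05:40 HOST-A ProcessCreate schtasks.exe /create /tn Updater /sc onlogon",
    "2019-03-04T10:09:02 HOST-A ProcessCreate procdump.exe -ma lsass.exe C:\\Temp\\l.dmp",
    "2019-03-04T10:15:33 HOST-B ServiceInstall PSEXESVC.exe from \\\\HOST-A\\ADMIN$",
    "2019-03-04T10:20:00 HOST-B ProcessCreate notepad.exe",
]

if __name__ == "__main__":
    seen, silent = coverage_report(map_events(SAMPLE_LOG))
    print("Tactics observed:", ", ".join(seen))
    print("Tactics with no detection signal:", ", ".join(silent))
```

The silent list is the useful output: each tactic named there is a post-compromise stage for which the current rules would give a CISO nothing to act on.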

There is no question that CISOs have a hard task ahead of them when it comes to keeping their networks secure. The constant march of interconnectivity is expanding organizations’ networks, creating more points of vulnerability every day, and attackers are getting more adept at tapping into them. 

Just like attacker techniques, security models must evolve to succeed. 

This is why, by addressing the limitations of the Kill Chain, ATT&CK™ represents an important turning point in cybersecurity methodology that can help security professionals keep pace with – and ideally ahead of – attackers.

It may not be the final chapter, but by working to this new model, businesses can better equip themselves to deal with the ever-evolving challenges of cybersecurity. 
