The Problem with the Kill Chain

Cyber Kill Chain

The Kill Chain is IMHO yet another flawed term that has been adopted by the IT Security Industry to describe the methodology that attackers use against organisations to steal or compromise their assets. The term originates from the military and was first used by Lockheed Martin in 2009 to describe the steps an adversary would use to identify, prepare, engage and then destroy a particular target that they were going after. Whilst it’s use in military circles might be appropriate, in the IT Security world should we seriously be using the same terminology?  

The Kill Chain concept has been so widely used now even mainstream news outlets are starting to use it as part of normal narrative whenever major ‘cyber security attacks’ occur.

The problem I have with this is:

1. The word Kill whilst appropriate for a battlefield can never really be used in the same context to describe the methods a computer hacker or whatever other noun you wish to describe the bad guys with, would go through in order to steal data, bring down a system or otherwise. But no one actually dies in the same way they would in a theatre of war (although ‘Wanna Cry’ came close to doing that in the UK but that was an exception rather than the norm).

2. The various diagrams that are used to describe this ‘chain’ are just plain awkward and wrong and I think the people drawing them know this. There is no nice start and end in the real world, a 5 step process or however many steps you feel like! It’s a perpetual loop like a ‘hamster wheel of death!’.

3. On the same topic the Chain as depicted by Lockheed Martin is serial in nature and the real world does not operate like that. Organisations and individuals receive attacks simultaneously and from multiple sources, there is no nice serialised chain.

4. The cost of attacking systems is becoming cheaper and with the proliferation of cloud can be consumed as a service thus making the problem a lot worse.

I could go on and will probably no doubt get backlash from some quarters for saying this, but we can’t or shouldn’t except the status quo and believe that we have no chance of stopping the bad guys and therefore must put all our efforts into responding to how we thwart them at each stage of some so called flawed Kill Chain.

If we look at each stage of the Kill Chain as described by Lockheed Martin we have:

1. Reconnaissance

2. Weaponisation

3. Delivery

4. Exploitation

5. Installation

6. Command and Control

7. Actions on Objective

The problem with the Chain is that we have no real ability or control in stopping any adversary from undertaking stages 1, 2 or 3. Stages 4 and 5 whilst I can agree we have some control over and can potentially thwart, the odds unfortunately are stacked in the attacker’s favour. Stages 6 and 7 are just outcomes from the previous stages and whilst it may be possible to disrupt stage 5, stage 6 is again beyond our real control of completely preventing. Stage 7 again is an outcome of previous stages. 

By stopping one of these links in the chain as Lockheed Martin originally conveyed does not unfortunately stop the entire process as the IT world is not like the physical reality of warfare. Events are not necessarily measured in days, weeks or months they repeat themselves and can happen in milliseconds and simultaneously from multiple sources. Also an attacker might not conveniently start at stage 1 and finish at stage 7. They might be working in multiple teams or independently and start at different points along the chain.

A better way to look at this problem might therefore be to focus on:

  1. Identifying your organisation’s critical assets. By this I mean focus on the top 3 things that if lost or prevented from running would cripple your business. 
  2. Assessing the current controls your organisation has in place to protect it’s assets.
  3. Mapping the ways that attackers would realistically be able to attack those critical assets against the current controls that you have in place.
  4. Identifying any gaps that exist between the controls you currently have and how attackers could compromise those gaps.
  5. Fixing or reducing the likelihood of those critical assets from being compromised.
  6. Continuing the process.

The focus that this industry has been investing on response technology is unprecedented and has been for the last 4 years. To use the Kill Chain as some kind of reference point to build credence to the argument that protection mechanisms are failing us and that the only way is to devote efforts to responding to attacks is short sighted. We should stop focusing on the usual red, yellow, green traffic light approach to security problems from annual pen tests that provide us a nice warm fuzzy feeling, and instead start to look harder and question the status quo, be brave and dare to be different.  

Leave a Comment





13 − eight =