Using an Expanded Cyber Kill Chain Model to Increase Attack Resiliency

Presented at SOURCE Seattle 2016, Oct. 13, 2016, 11:40 a.m. (40 minutes)

The legacy Cyber Kill Chain model provides a framework for understanding how an adversary breaches the perimeter to gain access to systems on the internal network. However, this model is incomplete and can lead to over-focusing on perimeter security, to the detriment of internal security controls.

In this presentation, we’ll explore an expanded model including the Internal Kill Chain and the Target Manipulation Kill Chain. We’ll review what actions are taken in each phase, and what’s necessary for the adversary to move from one phase to the next. We’ll discuss multiple types of controls that you can implement today in your enterprise to frustrate the adversary’s plan at each stage, to avoid needing to declare “game over” just because an adversary has gained access to the internal network.

The primary limiting factor of the traditional Cyber Kill Chain is that it ends with Stage 7: Actions on Objectives, conveying that once the adversary reaches this stage and has access to a system on the internal network, the defending victim has already lost. In reality, there should be multiple layers of security zones on the internal network, to protect the most critical assets. The adversary often has to move through numerous additional phases in order to access and manipulate specific systems to achieve his objective. By increasing the time and effort required to move through these stages, we decrease the likelihood of the adversary causing material damage to the enterprise.


Presenters:

  • Sean Malone - FusionX
    Sean Malone has conducted full real-world red team attacks against dozens of different organizations. He knows how the adversary thinks and operates, because he has been that adversary countless times in his work as a consultant. Sean works with these organizations to improve their security far beyond check-box requirements and compliance minimums. His reshaping of enterprise security architecture consistently results in significantly decreased attacker success rates. This comprehensive knowledge of an attacker’s mindset, combined with his in-depth understanding of the landscape of a corporate security environment, leaves him uniquely suited to design and implement effective security programs for any corporation.
