By now most of us have heard of the phrase kill chain. For those of you that haven’t heard of it, the kill chain is a phase-based model used to describe the stages of a data breach attack.
The goal is to break the attack chain by using the appropriate level of key controls for your industry. Lockheed Martin is credited with introducing the model and widely publicized how they thwarted an attack by using their homegrown Cyber Kill Chain framework.
The stages are typically characterized as:
- Reconnaissance
- Establish a foothold
- Identify interesting data
- Distribute malware
- Exfiltrate data
- Persist Undetected
Working with a security company I recently completed a qualitative assessment of our program using 24 key controls aligned with the six stages of the kill chain model. The process began with an inventory of our key controls. We discussed how the controls were implemented in relation to each stage. Next, the company rated the maturity of our controls for each stage. Finally, we discussed our industry and specifically our enterprise.
The final report provided us with a prioritized list of recommendations. It is important to note that you may have a low maturity rate for a given chain, but depending on your industry, the low maturity for a key control may not be identified as your number one priority.
For example, in the higher education space, often characterized as “open,” an optimized perimeter defense may not be possible or desirable. Compare that with the perimeter of the Financial or Government sectors.
It does not mean that higher education should ignore the perimeter controls, however, an institute may want to counter an intentionally more porous perimeter with an increased emphasis on their internal network controls. It is important to note that prioritization of the recommendations is not determined strictly on the maturity scores.
Happily the final report I received echoed the priorities identified in my existing information security roadmap and gave credence to my call for prioritizing the implementation of a key control that hadn’t been getting the appropriate focus.
Most importantly the CIO and the Board liked that it wasn’t a check box assessment, instead they felt it gave them an actionable prioritized list of where they should put their resources to reduce the chances of a data breach occurring.
Data breaches have become a perennial headline and are on the minds of the CIO and our Board. The kill chain model is another way to assess your security program, using the results to focus your limited resources to break the attack chain.
The assessment will either reinforce the priorities you have already established or expose gaps you hadn’t identified. If your environment is like mine, the model will resonate with your executives. Like their CISOs, the rest of the C suite wants confirmation that the security spend is prioritized on stopping a data breach by breaking the chain, instead of breaking the company’s bank.