In this era of computers, cyberspace (the internet) has become a perilous place, as a multitude of cyber-attacks wreak havoc across all sorts of industries. We do have various security setups, such as honeypots and network intrusion detectors. But how do we stop an attack that spans years? Most of the security measures we have do not consider the psychological perspective of an attack. The various detectors can tell us that we are being attacked, but they don't tell us what to do next, or how to stop the ongoing attack.
The cyber kill chain is a methodology that addresses these questions. It divides an attack into phases and helps to organize the workforce in times of emergency.
INCORPORATE KILL CHAIN METHODOLOGY
- Prioritizing Alerts: We see or trace attacks through the alerts provided by security mechanisms, but there can be a huge number of alerts, with true positives mixed in among many false positives. Prioritizing alerts helps to segregate them; for example, an alert that seems to indicate a later stage of the kill chain should have higher priority than one indicating an earlier phase.
- Prioritizing Escalation: Creating a proper escalation procedure for threats is very important. The cyber kill chain methodology can quickly determine the severity and impact of a threat, which helps decide the level to which an issue should be escalated.
- Measuring the efficiency: Attempted attacks on the system should be well documented, investigated, and analyzed using the cyber kill chain framework. The phase at which each attack was stopped should also be documented, and the goal should be to stop attacks in the earlier phases.
- Measuring the toughness: Even if an attack is stopped at an earlier phase, it is worth asking questions like: Is the system resilient? How well would the system have defended itself if the attack had only been discovered in a later stage? Were security mechanisms in place? Would we be able to handle the attacks even if the attackers changed some of their strategies?
- Tracking and Identifying campaigns: We can also apply the framework by grouping intrusions from the same adversary together as a campaign, then tracing and identifying their motives from the adversary's movements across the campaign as a whole. This broad view reveals the adversary's attack style as well as the various tactics, techniques, and procedures (TTPs) they use against the organization.
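The alert prioritization, escalation and campaign tracking described above, as an added example that is not part of the original post: alerts are ranked by the kill-chain phase their detection rule maps to (later phase first), an escalation tier is derived from that phase, and the furthest phase reached per campaign is recorded. The rule names, hostnames, campaign labels and the rule-to-phase mapping are constructed assumptions, not from any real product.

```python
# Added example: kill-chain based alert triage on constructed sample alerts.

# Phases in order; later phases get a higher rank, so they sort first.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
PHASE_RANK = {phase: rank for rank, phase in enumerate(KILL_CHAIN, start=1)}

# Detection rule -> kill-chain phase (hypothetical mapping for the sample rules).
RULE_PHASE = {
    "port_scan":           "reconnaissance",
    "phishing_attachment": "delivery",
    "macro_exec":          "exploitation",
    "new_service_persist": "installation",
    "beacon_dns":          "command_and_control",
    "mass_file_encrypt":   "actions_on_objectives",
}

SAMPLE_ALERTS = [  # constructed sample alerts, not real telemetry
    {"id": 1, "host": "ws-17",  "rule": "port_scan",           "campaign": "A"},
    {"id": 2, "host": "ws-17",  "rule": "phishing_attachment", "campaign": "A"},
    {"id": 3, "host": "srv-db", "rule": "beacon_dns",          "campaign": "B"},
    {"id": 4, "host": "ws-17",  "rule": "macro_exec",          "campaign": "A"},
    {"id": 5, "host": "ws-03",  "rule": "port_scan",           "campaign": "B"},
]

def phase_of(alert):
    """Map an alert's detection rule to its kill-chain phase (None if unmapped)."""
    return RULE_PHASE.get(alert["rule"])

def prioritize(alerts):
    """Order alerts so the latest kill-chain phase comes first; ties keep arrival order."""
    return sorted(alerts, key=lambda a: PHASE_RANK.get(phase_of(a), 0), reverse=True)

def escalation_level(phase):
    """Escalation tier derived from the phase: pre-exploitation stays with tier 1,
    exploitation/installation goes to tier 2, C2 or objectives to incident response."""
    rank = PHASE_RANK.get(phase, 0)
    if rank >= PHASE_RANK["command_and_control"]:
        return "incident_response"
    if rank >= PHASE_RANK["exploitation"]:
        return "tier2"
    return "tier1"

def campaign_progress(alerts):
    """Furthest phase reached per campaign: the phase at which the intrusion
    must now be stopped, and the figure the post says to document."""
    furthest = {}
    for a in alerts:
        camp, phase = a["campaign"], phase_of(a)
        if PHASE_RANK.get(phase, 0) > PHASE_RANK.get(furthest.get(camp), 0):
            furthest[camp] = phase
    return furthest
```

Tracking the furthest phase per campaign over time (rather than per alert) is what turns individual detections into the campaign-level view the last point describes.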