Incorporate Cyber Kill Chain Methodology

In this era of computers, cyberspace has become a perilous place: cyber-attacks are wreaking havoc across every kind of industry. We do have various security controls, such as honeypots and network intrusion detection systems, but how do we stop an attack that spans months or even years? Most of the security measures we rely on do not consider the attacker's perspective: their intent and the sequence of steps they must complete. The various detectors can tell us that we are being attacked, but they do not tell us what to do next, or how to stop the attack that is already in progress.

The cyber kill chain is a method that deals with these questions. Introduced by Lockheed Martin, it divides an intrusion into seven sequential phases (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives), so that every observation can be placed in context, and it helps to organize the workforce in times of emergency by making clear which phase the response is dealing with.


On the defender side, we do not actually see what the attackers are doing; instead we have to infer it from the outputs of our security controls as they arrive over time. Attackers leave traces at every step of the attack, and each trace maps to a phase. For example, if an attacker uses a noisy network scanner, the NIDS will pick it up and flag it as scanning activity (active reconnaissance), and from that we can infer that the attack, if persistent, is currently in its recon stage only. Going forward, we can trace the bad actor or block-list the source to disrupt the chain before it reaches the delivery phase.

Below we list how to combine threat intelligence systems with the kill chain methodology efficiently:
  • Prioritizing alerts: We see and trace attacks through the alerts raised by our security controls, but there can be a great many of them, with true positives mixed among a lot of false positives. Prioritizing by kill chain phase helps to segregate the alerts: an alert indicating a later stage of the kill chain (for example, command and control beaconing) should have more priority than one indicating an earlier phase (for example, a port scan), because the attacker is closer to their objective.
  • Prioritizing escalation: Creating a proper escalation procedure for threats is very important. The cyber kill chain methodology lets us quickly estimate the severity and impact of a threat from the phase it has reached, and thus decide the level at which to escalate the issue.
  • Measuring the efficiency: Attempted attacks on the system should be well documented, investigated, and analyzed using the cyber kill chain framework. The phase at which each attack was stopped should also be documented, and the goal should be to stop attacks in the earlier phases, before exploitation.
  • Measuring the toughness: Even if an attack is stopped at an earlier phase, it is worth asking: Is the system resilient? How well would the system have defended itself if the attack had only been discovered in a later stage? Were security mechanisms in place at every phase, not just the one that happened to fire? Would we be able to handle the attack even if the attackers changed some of their tactics?
  • Tracking and identifying campaigns: We can also apply the framework by grouping intrusions attributed to the same adversary together as a campaign, and then tracing and identifying their motives from the adversary's movements across the campaign as a whole. This broad view reveals the adversary's attack style as well as the various tactics, techniques, and procedures (TTPs) they use against the organization, and indicators that recur from one intrusion to the next can be fed back into detection.
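The following is an added example, not code from the original post: it shows in Python how the points above (and the NIDS scanner example earlier) look in practice. Constructed alerts are tagged with a kill chain phase, ranked so that later-phase alerts come first, mapped to an assumed three-tier escalation scheme, grouped into campaigns by an adversary tag, and summarized by the phase each campaign reached, the phase at which a control stopped it, and the observable phases that were never seen. The rule names, the ALERT_PHASE table, the escalation tiers and the campaign tags are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Lockheed Martin's seven phases in chain order; the list index is the phase rank.
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
# Weaponization happens on the attacker's side and is never seen by our sensors.
OBSERVABLE = [p for p in PHASES if p != "weaponization"]

# Hypothetical detection-rule names -> phase. A real deployment keeps one such
# entry per rule; the names here are invented for the example.
ALERT_PHASE = {
    "nids_noisy_port_scan": "reconnaissance",
    "mailgw_malicious_attachment": "delivery",
    "edr_office_macro_exploit": "exploitation",
    "edr_new_persistence_service": "installation",
    "proxy_periodic_beacon": "command_and_control",
    "dlp_bulk_exfiltration": "actions_on_objectives",
}


@dataclass(frozen=True)
class Alert:
    ts: str        # ISO-8601 timestamp
    name: str      # detection rule name; must be a key of ALERT_PHASE
    action: str    # "blocked" (the control stopped it) or "detected" (seen only)
    campaign: str  # adversary/campaign tag attached from threat intel at ingest


def phase_of(alert: Alert) -> str:
    return ALERT_PHASE[alert.name]


def phase_rank(alert: Alert) -> int:
    """0 for reconnaissance up to 6 for actions on objectives."""
    return PHASES.index(phase_of(alert))


def prioritize(alerts: Iterable[Alert]) -> list:
    """Later kill chain phase first; among equal phases, the newest alert first."""
    return sorted(alerts, key=lambda a: (phase_rank(a), a.ts), reverse=True)


def escalation_tier(alert: Alert) -> str:
    """Assumed three-tier scheme keyed on phase: reconnaissance is only monitored,
    delivery through installation go to triage, C2 or later opens an incident."""
    rank = phase_rank(alert)
    if rank >= PHASES.index("command_and_control"):
        return "incident"
    if rank >= PHASES.index("delivery"):
        return "triage"
    return "monitor"


def campaign_summary(alerts: Iterable[Alert]) -> dict:
    """Group alerts by campaign tag; report how far each chain got, where a control
    stopped it (if at all), and which observable phases were never seen (attackers
    skipping steps, or a blind spot in the sensors)."""
    by_campaign = defaultdict(list)
    for a in alerts:
        by_campaign[a.campaign].append(a)
    summary = {}
    for name, group in by_campaign.items():
        seen = sorted({phase_of(a) for a in group}, key=PHASES.index)
        furthest = seen[-1]
        blocked = [a for a in group if a.action == "blocked"]
        summary[name] = {
            "phases_seen": seen,
            "furthest_phase": furthest,
            "stopped_at": phase_of(max(blocked, key=phase_rank)) if blocked else None,
            "skipped_phases": [p for p in OBSERVABLE
                               if PHASES.index(p) < PHASES.index(furthest)
                               and p not in seen],
        }
    return summary


def early_stop_rate(summary: dict, cutoff: str = "exploitation") -> float:
    """Share of campaigns a control stopped before `cutoff` (the efficiency metric)."""
    cut = PHASES.index(cutoff)
    early = sum(1 for s in summary.values()
                if s["stopped_at"] is not None and PHASES.index(s["stopped_at"]) < cut)
    return early / len(summary)


# Constructed sample alerts for two hypothetical campaigns.
SAMPLE_ALERTS = [
    Alert("2024-03-01T09:00:00Z", "nids_noisy_port_scan", "detected", "campaign-A"),
    Alert("2024-03-02T11:30:00Z", "mailgw_malicious_attachment", "blocked", "campaign-A"),
    Alert("2024-03-03T08:15:00Z", "mailgw_malicious_attachment", "detected", "campaign-B"),
    Alert("2024-03-03T08:16:00Z", "edr_office_macro_exploit", "detected", "campaign-B"),
    Alert("2024-03-03T08:20:00Z", "edr_new_persistence_service", "detected", "campaign-B"),
    Alert("2024-03-04T02:00:00Z", "proxy_periodic_beacon", "blocked", "campaign-B"),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_ALERTS):
        print(f"{escalation_tier(a):8} {phase_of(a):22} {a.campaign} {a.name}")
    summary = campaign_summary(SAMPLE_ALERTS)
    for name, s in summary.items():
        print(name, s)
    print("stopped before exploitation:", early_stop_rate(summary))
```

Run as a script, the beacon alert sorts to the top and opens an incident while the port scan is only monitored; campaign-A is stopped at delivery, campaign-B got as far as command and control with no reconnaissance ever observed, and only half of the campaigns were stopped before exploitation. The `skipped_phases` field is worth watching over time: a phase that is never seen across many campaigns usually means a missing sensor rather than an adversary who never performs that step.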


Attackers will not necessarily follow the steps of the kill chain in order. Sometimes they skip steps, sometimes they backtrack, and many attacks combine several steps into a single action (a phishing email carrying an exploit document covers delivery and exploitation at once). Attacks are becoming more dynamic and harder to predict day by day. The classic cyber kill chain is a linear model, whereas real intrusions are not strictly sequential. Kill chain models that account for this non-linear ordering, for instance by treating the transitions between phases probabilistically rather than as a fixed sequence, can become a more effective countermeasure against ever-changing cyber-attacks.

We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.
