In this era of computers, cyberspace (the internet) has become a perilous place, as a multitude of cyber-attacks wreak havoc across all sorts of industries. We do have various security setups, such as honeypots and network intrusion detectors. But how do we stop an attack that spans years? Most of the security measures we have do not consider the psychological perspective of an attack. The various detectors tell us that we are being attacked, but they don't tell us what to do next. How do we stop the ongoing attack?
The cyber kill chain is a method that addresses these questions. It divides the attack into phases and helps to organize the workforce in times of emergency.
SECURITY CONTROLS
Now that we have incorporated the cyber kill chain framework into the system, we can identify the phase of an attack quite effectively. So, what do we do after identifying the attack phase?
We need to disrupt the kill chain and throw the attacker off track; this is a necessary requirement for stopping attacks. Five methods have been proposed to stop the different stages of an attack:
- Detect: To determine attempts to scan or penetrate the organization.
- Deny: To stop attacks as they happen.
- Disrupt: To intercept and interrupt the data communication interactions of the attacker.
- Degrade: To create measures that reduce the effectiveness of the attack.
- Deceive: To mislead the attacker by providing wrong information or by setting up decoys.
These methods can be applied differently to each phase:
- Reconnaissance
  - Detect: Web Analytics; Threat Intelligence; Network Intrusion Detection System
  - Deny: Information Sharing Policy; Firewall Access Control Lists
- Weaponization
  - Detect: Threat Intelligence; Network Intrusion Detection System
  - Deny: Network Intrusion Prevention System
- Delivery
  - Detect: Vigilant User
  - Deny: Change Management; Application Whitelisting; Proxy Filter; Host-Based Intrusion Prevention System
  - Disrupt: Inline Anti-Virus
  - Degrade: Queuing
- Exploitation
  - Detect: Endpoint Malware Protection; Host-Based Intrusion Detection System
  - Deny: Secure Password; Patch Management
  - Disrupt: Data Execution Prevention
- Installation
  - Detect: Security Information and Event Management (SIEM); Host-Based Intrusion Detection System
  - Deny: Privilege Separation; Strong Passwords; Two-Factor Authentication
- Command & Control
  - Detect: Network Intrusion Detection System; Host-Based Intrusion Detection System
  - Deny: Firewall Access Control Lists; Network Segmentation
  - Disrupt: Host-Based Intrusion Prevention System
  - Degrade: Tarpit
  - Deceive: Domain Name System Redirect
- Actions on Objectives
  - Detect: Audit Log
  - Degrade: Quality of Service
  - Deceive: Honeypot
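To show how the phase-by-phase matrix above is used in practice, here is a small triage script. It is an added example, not code from the original post or from Lockheed Martin. It runs two illustrative detection heuristics over constructed log lines (a client requesting many non-existent paths, which fits the Reconnaissance phase, and a workstation contacting one host at near-constant intervals, which fits Command & Control), then attaches each finding to the courses of action the post lists for that phase. The log formats, host names and thresholds are assumptions made for the example.

```python
"""Triage constructed log lines against Cyber Kill Chain phases and the
courses of action listed for each phase.

Added example, not code from the original post. The log lines are
constructed, and the two heuristics (path scanning, periodic beaconing)
are illustrative assumptions rather than vendor signatures.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Courses of action per phase, transcribed from the post's matrix
# (only the two phases this example can detect are included).
COURSES_OF_ACTION = {
    "Reconnaissance": {
        "Detect": ["Web Analytics", "Threat Intelligence",
                   "Network Intrusion Detection System"],
        "Deny": ["Information Sharing Policy", "Firewall Access Control Lists"],
    },
    "Command & Control": {
        "Detect": ["Network Intrusion Detection System",
                   "Host-Based Intrusion Detection System"],
        "Deny": ["Firewall Access Control Lists", "Network Segmentation"],
        "Disrupt": ["Host-Based Intrusion Prevention System"],
        "Degrade": ["Tarpit"],
        "Deceive": ["Domain Name System Redirect"],
    },
}

# Constructed web-server log: "<timestamp> <client ip> <method> <path> <status>".
WEB_LOG = """\
2024-05-01T10:00:01 203.0.113.7 GET /admin 404
2024-05-01T10:00:02 203.0.113.7 GET /backup.zip 404
2024-05-01T10:00:02 203.0.113.7 GET /old 404
2024-05-01T10:00:03 203.0.113.7 GET /test 404
2024-05-01T10:00:03 203.0.113.7 GET /dev 404
2024-05-01T10:00:04 203.0.113.7 GET /config 404
2024-05-01T10:00:10 198.51.100.4 GET /index.html 200
2024-05-01T10:00:11 198.51.100.4 GET /missing.png 404
"""

# Constructed outbound proxy log: "<timestamp> <workstation> <destination host>".
PROXY_LOG = """\
2024-05-01T10:00:00 WS-17 beacon.example.invalid
2024-05-01T10:00:05 WS-17 www.example.com
2024-05-01T10:01:00 WS-17 beacon.example.invalid
2024-05-01T10:02:00 WS-17 beacon.example.invalid
2024-05-01T10:02:15 WS-17 www.example.com
2024-05-01T10:03:00 WS-17 beacon.example.invalid
2024-05-01T10:04:00 WS-17 beacon.example.invalid
2024-05-01T10:04:27 WS-17 www.example.com
2024-05-01T10:05:00 WS-22 www.example.com
2024-05-01T10:07:41 WS-22 www.example.com
"""


def scanning_sources(web_log, min_missing_paths=5):
    """Reconnaissance heuristic: a client that requests many distinct
    non-existent paths is probing the site rather than browsing it."""
    missing = defaultdict(set)
    for line in web_log.splitlines():
        _, ip, _, path, status = line.split()
        if status == "404":
            missing[ip].add(path)
    return sorted(ip for ip, paths in missing.items()
                  if len(paths) >= min_missing_paths)


def beaconing_pairs(proxy_log, min_hits=4, max_jitter=0.1):
    """Command & Control heuristic: a workstation contacting one host at
    near-constant intervals (low coefficient of variation) looks like a beacon."""
    times = defaultdict(list)
    for line in proxy_log.splitlines():
        ts, host, dest = line.split()
        times[(host, dest)].append(datetime.fromisoformat(ts))
    hits = []
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append(pair)
    return sorted(hits)


def triage(web_log=WEB_LOG, proxy_log=PROXY_LOG):
    """Attach each finding to its kill-chain phase and the matching courses of action."""
    findings = []
    for ip in scanning_sources(web_log):
        findings.append({"phase": "Reconnaissance", "indicator": ip,
                         "actions": COURSES_OF_ACTION["Reconnaissance"]})
    for host, dest in beaconing_pairs(proxy_log):
        findings.append({"phase": "Command & Control",
                         "indicator": f"{host} -> {dest}",
                         "actions": COURSES_OF_ACTION["Command & Control"]})
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(f"{finding['phase']}: {finding['indicator']}")
        for action, controls in finding["actions"].items():
            print(f"  {action}: {', '.join(controls)}")
```

The point of the mapping step is that the same detector output (a scanning IP, a beaconing workstation) lands the responder on a different row of the matrix, so the answer to "what do we do next" is read off the phase: firewall ACLs and an information-sharing policy for reconnaissance, versus segmentation, a tarpit or a DNS redirect for command and control.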
Security Controls Model by Lockheed Martin