Security Controls to Disrupt the Cyber Kill Chain

In today's networked world, cyberspace has become a perilous place: a multitude of cyber-attacks wreak havoc across every kind of industry. We have security tooling such as honeypots and network intrusion detection systems, but how do we stop an intrusion campaign that spans months or years? Most security measures do not consider the attacker's perspective: the various detectors tell us that we are being attacked, but they do not tell us what to do next, or how to stop the attack that is already in progress.

The cyber kill chain, introduced by Lockheed Martin, addresses these questions. It divides an intrusion into successive phases, and that structure helps organize the defensive workforce during an incident: each phase has its own evidence to look for and its own controls that can break it.


Once the kill chain framework is incorporated into our security operations, we can identify the phase an attack has reached fairly effectively. So, what do we do after identifying the attack phase?

We need to disrupt the kill chain and throw the attacker off track; breaking even one phase stops the attacker from reaching the objective. Lockheed Martin's Courses of Action matrix proposes five types of defensive action that can be applied at different stages of an attack (the original paper also lists a sixth, Destroy, which the table below omits):

  • Detect: Determine attempts to scan or penetrate the organization.
  • Deny: Stop attacks as they happen, by preventing access to the resource the attacker needs.
  • Disrupt: Intercept and interrupt the attacker's traffic or interactions with the target.
  • Degrade: Reduce the effectiveness of the attack, for example by slowing the attacker down.
  • Deceive: Mislead the attacker by providing wrong information or by setting up decoys.

These actions map onto the kill chain phases as follows; the entries in each cell are example controls, not an exhaustive list:

  • Reconnaissance
    • Detect: Web Analytics; Threat Intelligence; Network Intrusion Detection System
    • Deny: Information Sharing Policy; Firewall Access Control Lists
  • Weaponization
    • Detect: Threat Intelligence; Network Intrusion Detection System
    • Deny: Network Intrusion Prevention System
  • Delivery
    • Detect: Vigilant User
    • Deny: Change Management; Application Whitelisting; Proxy Filter; Host-Based Intrusion Prevention System
    • Disrupt: Inline Anti-Virus
    • Degrade: Queuing
  • Exploitation
    • Detect: Endpoint Malware Protection; Host-Based Intrusion Detection System
    • Deny: Strong Passwords; Patch Management
    • Disrupt: Data Execution Prevention
  • Installation
    • Detect: Security Information and Event Management (SIEM); Host-Based Intrusion Detection System
    • Deny: Privilege Separation; Strong Passwords; Two-Factor Authentication
  • Command & Control
    • Detect: Network Intrusion Detection System; Host-Based Intrusion Detection System
    • Deny: Firewall Access Control Lists; Network Segmentation
    • Disrupt: Host-Based Intrusion Prevention System
    • Degrade: Tarpit
    • Deceive: Domain Name System Redirect
  • Actions on Objectives
    • Detect: Audit Log
    • Degrade: Quality of Service
    • Deceive: Honeypot

Security Controls Model (Courses of Action matrix) by Lockheed Martin
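The Reconnaissance row pairs Detect (web analytics) with Deny (firewall access control lists). As an added example that is not from the original post or from Lockheed Martin's paper, the Python below parses constructed web-server access-log lines, flags a source that probes many non-existent paths within a short window (the signature of a directory or vulnerability scanner, as opposed to a browser hitting one broken link), and turns the finding into block rules. The thresholds, the iptables rule shape and the sample addresses (documentation ranges) are assumptions chosen for illustration.

```python
"""Detect (reconnaissance) then Deny: flag web-path scanners in access logs
and emit firewall block rules. Added example with constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" log format. The IPs are from
# documentation ranges and no line comes from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:02 +0000] "GET /.env HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:03 +0000] "GET /.git/config HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:04 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:04 +0000] "GET /backup.zip HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "GET /about.html HTTP/1.1" 200 890 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "GET /missing.png HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def find_scanners(events, window=timedelta(seconds=60), min_distinct_404=5):
    """Return {ip: [probed paths]} for sources that request at least
    min_distinct_404 distinct non-existent paths inside any sliding window of
    the given length. A single 404 from a normal browser never crosses it."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["status"] == 404:
            by_ip[ev["ip"]].append((ev["ts"], ev["path"]))
    scanners = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            paths = {p for t, p in hits[i:] if t - t0 <= window}
            if len(paths) >= min_distinct_404:
                scanners[ip] = sorted(paths)
                break
    return scanners


def deny_rules(scanners):
    """Deny course of action: one iptables DROP rule per scanning source.
    The rule shape is illustrative; adapt it to your firewall or ACL syntax."""
    return [
        f"iptables -I INPUT -s {ip} -j DROP  # {len(paths)} probed paths"
        for ip, paths in sorted(scanners.items())
    ]


if __name__ == "__main__":
    found = find_scanners(parse_log(SAMPLE_LOG))
    for ip, paths in found.items():
        print(f"scanner {ip}: {', '.join(paths)}")
    print("\n".join(deny_rules(found)))
```

Run against the sample, only 198.51.100.23 is flagged (six distinct probes in two seconds); the browser at 203.0.113.7 that hit one missing image stays untouched. In production the rule output would feed a firewall or WAF ACL rather than be run by hand, and the window and count should be tuned against a baseline of normal 404 rates so that a broken link farm does not get legitimate users blocked.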
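The Command & Control row pairs network detection with a DNS redirect as the Deceive action. As a second added example (again not from the original post or from Lockheed Martin), the Python below finds beaconing in a constructed connection log by measuring how regular the gaps between a host's connections to one destination are, then emits sinkhole records so the C2 name resolves to an address the defender controls. The jitter threshold, the minimum number of connections, the RPZ-style record shape and the host names are assumptions for illustration.

```python
"""Detect (command & control) then Deceive: find periodic beaconing in a
connection log and emit DNS sinkhole records. Added example; the log is
constructed, not captured traffic."""
import statistics
from collections import defaultdict


def build_sample_log():
    """Constructed (epoch_seconds, source_host, destination_name) records:
    one workstation beacons to a suspicious name roughly every 60 s with a
    few seconds of jitter, and also talks to an internal mail server at
    irregular, human-driven intervals."""
    log = []
    t = 1_700_000_000
    for gap in (0, 60, 58, 63, 61, 59, 60, 62):
        t += gap
        log.append((t, "ws-12", "telemetry.badhost.test"))
    t = 1_700_000_000
    for gap in (0, 5, 300, 12, 900, 40, 7, 1800):
        t += gap
        log.append((t, "ws-12", "mail.intranet.test"))
    return sorted(log)


def find_beacons(log, min_connections=6, max_cv=0.2):
    """Return {(src, dst): mean_interval_s} for flows whose inter-connection
    gaps are nearly constant. Regularity is measured by the coefficient of
    variation (stdev / mean): bursty user traffic scores high, while a
    malware check-in with small jitter scores near zero. Flows with fewer
    than min_connections records are treated as insufficient evidence."""
    flows = defaultdict(list)
    for ts, src, dst in log:
        flows[(src, dst)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[key] = mean
    return beacons


def sinkhole_records(beacons, sinkhole_ip="192.0.2.1"):
    """Deceive course of action: RPZ-style records that answer the C2 name
    with a sinkhole address we control (record shape is illustrative; the
    sinkhole IP is from a documentation range)."""
    names = sorted({dst for _, dst in beacons})
    return [f"{name} A {sinkhole_ip}" for name in names]


if __name__ == "__main__":
    found = find_beacons(build_sample_log())
    for (src, dst), mean in found.items():
        print(f"{src} -> {dst}: connects every ~{mean:.0f}s")
    print("\n".join(sinkhole_records(found)))
```

The sinkhole address should point at a host that logs every connection it receives: once the resolver hands it out, every infected machine in the estate identifies itself by calling home, which turns the Deceive action back into Detect for the Installation phase. Legitimate software that polls on a fixed schedule (update checks, monitoring agents) will also look periodic, so an allow list of known destinations belongs in front of this check.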


Attackers won't necessarily follow the kill chain steps in order. Sometimes they skip steps, sometimes they backtrack, and many attacks combine several steps into one action. In other words, attacks are becoming more dynamic and harder to predict. The kill chain is a linear, predictive model, whereas real intrusions are far less orderly. Kill chain models based on stochastic processes, which assign probabilities to the transitions between phases rather than assuming a fixed sequence, could therefore become a more effective countermeasure against ever-changing cyber-attacks.

We hope this helps. If you have suggestions or doubts, add a comment and we will reply as soon as possible.
