Actions that organizations can take
These examples are only a few of the common attacker activities, IOCs, controls, and defensive responses organizations should consider when assessing their cybersecurity posture. By holistically understanding the Cyber Kill Chain framework and how each of its phases applies specifically to a unique threat surface, organizations can properly assess those threats and their impact and incorporate that knowledge into their threat modeling process.
To take a proactive approach, organizations should:
- Understand the phases. Become familiar with the Cyber Kill Chain framework, particularly how the phases, from beginning to end, apply to the organization’s unique attack surface.
- Identify potential threats. Analyze each phase and identify potential threats unique to the organization’s environment. Use the preceding examples as a starting point.
- Map threats to the organization, systems, and processes. Consider how each threat could exploit a vulnerability and affect assets, data, or users.
- Prioritize threats. Perform risk assessment on threats by considering both potential impact and likelihood. Focus on threats that are most likely and have high impacts.
- Develop or enhance mitigations. Use the prioritized threat list to either enhance existing defensive measures or develop new ones, using the preceding information as a starting point. Include mitigations at all phases of an attack for a solid defense-in-depth strategy.
- Assess effectiveness and iterate. Assess and test controls to confirm they are effective. Revise and adapt mitigations to meet the conditions of the rapidly changing threat landscape.
- Apply lessons learned. Incorporate ongoing reviews and post-mortems into the security program. Use knowledge gained from assessments and incidents to further enhance the organization’s security posture.
Limits of the Cyber Kill Chain framework
While the Cyber Kill Chain framework is an excellent tool for understanding how attackers can move through the phases of a cyberattack, it is not perfect, nor is it the only useful framework.
One criticism of the Cyber Kill Chain framework is that it overemphasizes perimeter defenses at the expense of mitigating insider threats and overall data protection. Another criticism is that it focuses on a very linear attack model with little attention to post-exploitation activity.
Like any framework, the Cyber Kill Chain framework is not the best fit for all attacks, insider threats, or social engineering attacks. Other frameworks that can be used as alternatives to, or in conjunction with, the Cyber Kill Chain framework include:
- The MITRE ATT&CK® framework, which provides detailed breakdowns of real-world tactics and techniques used by threat actors
- The Unified Kill Chain, an alternative and integrated model that expands on the Cyber Kill Chain and integrates elements from the ATT&CK framework
- The Diamond Model of Intrusion Analysis, which breaks attacks into four components: adversary, infrastructure, victim, and capability
Adapting to today’s threats
Combining knowledge of the Cyber Kill Chain framework with incident response team threat modeling provides organizations with a strong foundation on which to execute, measure, and improve their cybersecurity programs. Furthermore, understanding how to best defend against each phase of an attack enables organizations to focus targeted defenses and controls where they will be most effective.
Building and using threat models, assessing adversaries, and testing cybersecurity controls are ongoing and iterative processes that require an investment of resources and time. But that investment is worth it. Being secure means continually adapting to today’s threats while proactively protecting against the threats of tomorrow.