Using the "cyber kill chain" to build a cyber security strategy
"Enforcing security is open-ended, and hence very difficult." That is what I usually hear.
But we all know that security is not something we only started enforcing recently; it has been practised since the days of physical warfare. How did they plan for it?
The strategy, and hence the enforcement pattern, becomes very clear when we think from the attacker's point of view.
Here are the five stages an attacker goes through to breach a protected area.
- Finding weak points (reconnaissance): finding open ports on a machine, or finding the email address of an employee.
- Gaining access (initial access): using a social engineering toolkit to phish credentials, or using Metasploit to exploit a vulnerability in a machine.
- Internal movement (lateral movement): having gained a foothold, the attacker tries to reach other machines inside the protected premises, e.g. by logging in to them remotely with the credentials already obtained.
- Setting up a backdoor in internal systems (persistence): now that the attacker can reach internal machines, they want direct and silent access (a backdoor) to the compromised assets, one that survives a reboot or a password change.
- Taking action (actions on objectives): this is when the attacker steals data or does other harm.
If we counter each stage with its own protective layer, can't we say security is enforced? Each layer only has to break the chain at its own stage; an attacker who gets past one layer still has to defeat the next.
- Educate and use firewalls: educate employees not to disclose their information (email addresses, roles, internal hostnames) to strangers. Block unused ports with a firewall so that reconnaissance finds as little as possible, and set up honeypots behind it to notice the scanning that does happen.
- Extra layer of authentication: use MFA or hardware security keys, so that a phished password alone is not enough. Restrict further access into the protected premises to known source IPs or organisation-managed devices.
- Apply network ACLs: use subnetting and routing rules so that an authenticated user or host can reach only the minimal part of the premises it needs.
- Microsegmentation: control east-west traffic with mechanisms such as per-instance allowlisting, so that even inside the premises only explicitly permitted workloads can talk to each other. In a nutshell, enforce zero trust.
- Authorization and encryption: enforce resource-based and role-based access controls for least-privilege access to each asset. Data encryption, at rest and in transit, is a must. Monitoring and detecting anomalies (a backdoor beaconing out, a service account reading data it never touched before) is a good add-on.
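To make the layer-per-stage idea concrete, here is an added example (not code from the original article) that evaluates a single access request through one check per defensive layer, in kill-chain order, so the first layer that breaks the chain reports the denial. The subnets, port list, workload names and roles are all hypothetical values constructed for the example.

```python
# Added example, not from the original article: one check per defensive
# layer, run in kill-chain order; the first layer to deny breaks the chain.
# Every network, workload and role below is a hypothetical, constructed value.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # hypothetical corporate range
PERIMETER_PORTS = {443}                   # only HTTPS is exposed to the internet
SEGMENT_SUBNETS = {                       # hypothetical subnet per tier
    "dmz": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}
NETWORK_ACLS = {                          # destination tier -> source tiers allowed in
    "dmz": {"internet", "dmz"},
    "app": {"dmz"},
    "db": {"app"},
}
SEGMENT_ALLOWLIST = {                     # microsegmentation: (source, destination) workloads
    ("browser", "web-frontend"),
    ("web-frontend", "orders-api"),
    ("orders-api", "orders-db"),
}
ROLE_PERMISSIONS = {                      # RBAC: role -> {(resource, action)}
    "web-user": {("web-frontend", "read")},
    "orders-reader": {("orders-db", "read")},
    "orders-writer": {("orders-db", "read"), ("orders-db", "write")},
}


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_port: int
    src_workload: str
    dst_workload: str
    dst_segment: str
    role: str
    action: str
    mfa_passed: bool
    managed_device: bool


def source_segment(ip):
    """Map a source address to its tier; anything outside INTERNAL is 'internet'."""
    addr = ip_address(ip)
    for name, net in SEGMENT_SUBNETS.items():
        if addr in net:
            return name
    return "internet" if addr not in INTERNAL else "unknown"


def check_perimeter(req):
    """Layer 1, against 'finding weak points': the internet sees only listed ports, only in the DMZ."""
    if source_segment(req.src_ip) != "internet":
        return None
    if req.dst_port not in PERIMETER_PORTS or req.dst_segment != "dmz":
        return f"perimeter: port {req.dst_port} into {req.dst_segment} is not exposed"
    return None


def check_authentication(req):
    """Layer 2, against 'gaining access': a stolen password alone must not be enough."""
    if not req.mfa_passed:
        return "authentication: MFA not satisfied"
    if not req.managed_device:
        return "authentication: request not from an org-managed device"
    return None


def check_network_acl(req):
    """Layer 3, against 'internal movement': each tier is reachable only from the tier in front of it."""
    src = source_segment(req.src_ip)
    if src not in NETWORK_ACLS.get(req.dst_segment, set()):
        return f"network-acl: {src} may not reach {req.dst_segment}"
    return None


def check_microsegmentation(req):
    """Layer 4, against 'setting up backdoors': workload identity, not just subnet, decides east-west traffic."""
    if (req.src_workload, req.dst_workload) not in SEGMENT_ALLOWLIST:
        return f"microsegmentation: {req.src_workload} -> {req.dst_workload} not allowlisted"
    return None


def check_authorization(req):
    """Layer 5, against 'taking actions': least privilege per resource and action."""
    if (req.dst_workload, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return f"authorization: role {req.role} may not {req.action} {req.dst_workload}"
    return None


LAYERS = (check_perimeter, check_authentication, check_network_acl,
          check_microsegmentation, check_authorization)


def evaluate(req):
    """Run the request through every layer in order; the first denial wins.
    Returns (allowed, reason); the reason names the layer that broke the chain."""
    for layer in LAYERS:
        reason = layer(req)
        if reason is not None:
            return False, reason
    return True, "allowed: all five layers passed"


# Constructed scenarios: one per attacker stage, plus one legitimate path.
SCENARIOS = {
    "rdp_from_internet": Request("203.0.113.7", 3389, "browser", "web-frontend", "dmz", "web-user", "read", True, True),
    "phished_password_no_mfa": Request("203.0.113.7", 443, "browser", "web-frontend", "dmz", "web-user", "read", False, True),
    "dmz_host_jumps_to_db": Request("10.0.1.20", 5432, "web-frontend", "orders-db", "db", "orders-reader", "read", True, True),
    "app_tier_backdoor_to_db": Request("10.0.2.20", 5432, "web-frontend", "orders-db", "db", "orders-reader", "read", True, True),
    "reader_tries_to_write": Request("10.0.2.20", 5432, "orders-api", "orders-db", "db", "orders-reader", "write", True, True),
    "legitimate_order_write": Request("10.0.2.20", 5432, "orders-api", "orders-db", "db", "orders-writer", "write", True, True),
}


def run_scenarios():
    """Evaluate every scenario; returns {name: (allowed, reason)}."""
    return {name: evaluate(req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The point worth noticing is the "app_tier_backdoor_to_db" scenario: the source host sits in the app subnet, so the network ACL lets it through, and only the microsegmentation layer (workload identity rather than subnet) stops the compromised frontend from reaching the database directly. Real deployments express these layers in firewall rules, identity-provider policies and cloud network policies rather than one Python function, but the ordering and the "first layer to deny wins" logic are the same.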
If you want more clarity, search for "kill chain" (https://www.google.com/search?q=kill+chain); the term comes from the military, where it describes the stages of an attack. Some models, such as the Lockheed Martin Cyber Kill Chain, have seven stages (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives), but I chose five to keep it more generic. The exact number doesn't really matter.
Thank you.
CEO & Co-Founder @ ColorTokens, Inc. | Board Member | Builder
4 years ago: Ramesh - Good article. It might be worth looking at this from the perspective of API/services security. These days more than 50% of applications are calling API services. I think, moving forward, API security should be one of the fundamental elements when architecting an application security plan. For cloud-native apps, it is no less than your network security.