The cyber attack kill chain defense
By Jim Ricotta for Enterprise CIO Forum
The “Kill Chain” is a traditional warfare term most often used by the US Air Force in defining the command and control process for targeting and destroying enemy forces in order to make it most difficult for the enemy to continue in battle. A well-known and successful execution of this strategy was in the initial air attacks on Iraq during Operation Desert Storm, which targeted command bases and communications networks. The result was that cut-off ground units in the field, lacking orders and control, quickly lost the will to fight. Of late, Kill Chain has been applied by both the US Military and leading cyber threat defense teams at Mitre and Lockheed Martin to define a new defensive strategy for guarding against advanced persistent threats (APT) and other targeted cyber attacks.
In cyber attack, the “Kill Chain Defense” exploits the fact that a successful attack must complete all stages from planning and malware introduction to expansion and one or more command and control phases, until the target is identified, manipulated and exfiltrated. The goal of a kill chain defense is to break one or more stages in the attack chain to stop the progress of the attack and force the opponent to start over. It is important to remember three things in this method: 1) the bad guy must make the entire chain work to succeed; 2) you need only kill one link to stop them; and 3) having detection and kill capability at each point in the enemy’s attack chain gives you the highest probability of success in this defense.
Excerpt appears with permission from John Dodge.
