The ‘kill chain’ has been a very popular way – especially in government circles – to look at cybersecurity risk, mainly because it forces system owners to look at risk and mitigation not just as a series of controls and checkboxes, but as a more holistic approach to managing risk.
The idea has been that, when you consider an attack on a system, you look at the vulnerabilities at each stage of the chain, because although a particular attack may be unsuccessful using one approach, it would be naïve to think an attacker cannot pivot to a number of different approaches at each stage to gain a foothold for the next.
With that said, the kill chain focuses too heavily on the ‘intrusion’ aspect of risk (the first 6 of its stages are devoted to it), and it ignores the fact that intrusion is sometimes actually quite simple.
Even more disconcerting is the question of how you deal with the problem once they are in.
Once the attacker has breached your perimeter, traditional kill chain-based prevention solutions like firewalls, honeypots, and antivirus become almost entirely meaningless. Once in, attackers can quickly bypass these solutions and are often free to operate in your environment unimpeded.
Small businesses often focus on the ‘wall’, but without a strategy to at least watch what is happening inside the castle, you’ll never know if the attackers happened to find a backdoor or underground tunnel. Even worse, someone may have voluntarily opened the door for them.
Instead, consider focusing on the detection of new or ongoing attacks: in other words, operate under the assumption that the attackers have already breached your perimeter (especially since, statistically speaking, they probably already have). Deploy a monitoring and breach detection system and consider data exfiltration monitoring approaches that detect or analyze changes in behaviour on the system, unusual data flows, or changes in the way the system is being used. It’s these subtle changes that – while painfully slow and often stretched over long periods of time – can be the most valuable indicators of compromise.
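To make the ‘slow and stretched over time’ point concrete, here is an added example (not from the original post) that contrasts a naive per-day volume threshold with a cumulative-deviation check (a one-sided CUSUM, my choice of technique, not one the post names) over constructed daily outbound-byte totals for a single host. The data, the 30-day baseline window and the 0.5σ/5σ CUSUM parameters are all assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed daily outbound-byte totals (one host -> external networks).
# 30 baseline days with a weekly cycle, then 14 days with a small, steady
# extra 5 MB/day: a "low and slow" leak that never spikes on any single day.
BASELINE_DAYS = [48_000_000 + (i % 7) * 2_000_000 for i in range(30)]
SLOW_LEAK_DAYS = [b + 5_000_000 for b in BASELINE_DAYS[:14]]
DAILY_BYTES = BASELINE_DAYS + SLOW_LEAK_DAYS


def single_day_alerts(series, baseline_len, factor=3.0):
    """Naive check: alert on any post-baseline day above factor x baseline mean.
    Returns the list of day indexes that trip the threshold."""
    limit = factor * mean(series[:baseline_len])
    return [i for i, v in enumerate(series) if i >= baseline_len and v > limit]


def cusum_alerts(series, baseline_len, k_sigma=0.5, h_sigma=5.0):
    """One-sided CUSUM: accumulate positive deviations from the baseline mean
    (minus a slack of k_sigma standard deviations) and alert when the running
    sum exceeds h_sigma standard deviations. Noise resets the sum to zero;
    a persistent small shift keeps adding up. Returns the first alerting day
    index, or None if the series never drifts far enough from baseline."""
    base = series[:baseline_len]
    mu, sigma = mean(base), pstdev(base)
    k, h = k_sigma * sigma, h_sigma * sigma
    running = 0.0
    for i in range(baseline_len, len(series)):
        running = max(0.0, running + (series[i] - mu) - k)
        if running > h:
            return i
    return None


if __name__ == "__main__":
    # The per-day threshold never fires; the cumulative check does (day index 36).
    print("single-day alerts:", single_day_alerts(DAILY_BYTES, 30))
    print("first CUSUM alert on day index:", cusum_alerts(DAILY_BYTES, 30))
    # A clean series with the same weekly cycle does not trip the CUSUM.
    print("CUSUM on baseline only:", cusum_alerts(BASELINE_DAYS, 21))
```

In practice the same logic runs per host (or per user and destination) against flow or proxy logs, and the baseline window must be long enough to cover the normal weekly cycle, or the cycle itself becomes the anomaly.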