The Cybersecurity Kill Chain and Advanced Persistent Threats

Criminal enterprises and well-resourced state actors have found it easy and lucrative to target vulnerable organizations with disruptive attacks and ransomware. Even the most sophisticated firewalls and network security management can be bypassed by a determined actor running a spear phishing campaign. People are the weakest attack surface in any organization, and even the most careful executives cannot stay fully vigilant across every communication channel all of the time, regardless of how much security training they receive.

As technology and networks grow more complex, securing them becomes steadily harder. There is no shortage of tools and vendors offering help, but the solutions are often expensive, piecemeal, and stitched together, and they require skilled, dedicated staff working around the clock to be even modestly effective against real attacks.

If you run an IT security organization, you probably find yourself outgunned and understaffed, facing an ever-growing backlog of unaddressed threats. Constant firefighting causes burnout and turnover among staff who were trained on your environment and tools; starting over with a new hire is also expensive, both in the effort to bring them up to speed and in the delay before they are effective.

Organizations that have not yet been breached cannot assume that they are secure. A cybersecurity breach is rarely a single event. It is usually a slow and deliberate process in which a sophisticated actor moves through a sequence of stages that security analysts call a “kill chain” (depicted in the picture above). The net effect is that a breached organization may not discover the intrusion until the damage is done, unless it is extremely vigilant or has a means to detect and disrupt the kill chain in progress.

Where a large backlog of unaddressed security alerts exists, a breach may already have occurred without the organization discovering it for months, or until it is too late. This can happen even in an organization that has invested heavily in its own security operations center, hired competent staff, and generally followed best practices in risk management. (It is not unusual for a new customer of ours to discover such breaches early in our pilot implementation phase.)
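The two paragraphs above make a concrete, testable claim: the individual alerts behind a breach are often each low severity and sit unworked in the backlog, while the fact that one host has progressed through several kill-chain stages is what should have triggered a response. The following is an added example, not code from the original page or from any vendor it describes. It assumes the seven-stage Lockheed Martin Cyber Kill Chain as the stage model, a hypothetical mapping from detection rule names to stages (in practice this would come from each rule's own metadata), and a handful of constructed sample alerts; it then surfaces hosts whose alerts span enough of the chain to warrant being pulled out of the backlog.

```python
"""Correlate individually low-severity alerts into kill-chain progress per host.

Added example for illustration only. It assumes the seven-stage Lockheed Martin
Cyber Kill Chain as the stage model; RULE_STAGE and SAMPLE_ALERTS are
hypothetical, constructed data and not real detection rules or logs.
"""
from collections import defaultdict

# Ordered kill-chain stages (Lockheed Martin model, assumed for this example).
STAGES = [
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Hypothetical mapping from detection rule name to kill-chain stage.
# Real deployments would take this from the rule's metadata (e.g. tactic tags).
RULE_STAGE = {
    "external_port_scan": "reconnaissance",
    "phishing_email_attachment": "delivery",
    "office_macro_spawned_shell": "exploitation",
    "new_scheduled_task": "installation",
    "beacon_to_rare_domain": "command_and_control",
    "bulk_file_encryption": "actions_on_objectives",
}

# Constructed sample alerts. Each one is "low" or "medium" on its own, which is
# exactly the kind of alert that accumulates in an unworked backlog.
SAMPLE_ALERTS = [
    {"ts": "2024-03-01T08:02:00", "host": "ws-042", "rule": "phishing_email_attachment", "severity": "low"},
    {"ts": "2024-03-01T08:05:00", "host": "ws-042", "rule": "office_macro_spawned_shell", "severity": "medium"},
    {"ts": "2024-03-01T08:06:00", "host": "ws-042", "rule": "new_scheduled_task", "severity": "low"},
    {"ts": "2024-03-03T02:14:00", "host": "ws-042", "rule": "beacon_to_rare_domain", "severity": "low"},
    {"ts": "2024-03-01T09:00:00", "host": "ws-117", "rule": "phishing_email_attachment", "severity": "low"},
    {"ts": "2024-03-02T11:30:00", "host": "srv-db-01", "rule": "external_port_scan", "severity": "low"},
    {"ts": "2024-03-02T11:31:00", "host": "srv-db-01", "rule": "unknown_rule", "severity": "low"},
]


def stages_per_host(alerts):
    """Return {host: sorted list of distinct kill-chain stage indexes observed}.

    Alerts from rules with no stage mapping are skipped rather than guessed at,
    so an unmapped rule can never inflate a host's apparent progress.
    """
    seen = defaultdict(set)
    for alert in alerts:
        stage = RULE_STAGE.get(alert["rule"])
        if stage is None:
            continue
        seen[alert["host"]].add(STAGE_INDEX[stage])
    return {host: sorted(idxs) for host, idxs in seen.items()}


def escalate(alerts, min_stages=3, must_reach="installation"):
    """Pick hosts whose alerts span at least `min_stages` distinct stages and
    have reached `must_reach` or a later stage.

    Severity of the individual alerts is deliberately ignored: the chain, not
    any single alert, is the reason to pull the host out of the backlog.
    Returns a list of (host, [stage names]) sorted by the furthest stage reached.
    """
    threshold = STAGE_INDEX[must_reach]
    hits = []
    for host, idxs in stages_per_host(alerts).items():
        if len(idxs) >= min_stages and idxs[-1] >= threshold:
            hits.append((host, [STAGES[i] for i in idxs]))
    hits.sort(key=lambda hit: STAGE_INDEX[hit[1][-1]], reverse=True)
    return hits


if __name__ == "__main__":
    for host, chain in escalate(SAMPLE_ALERTS):
        print(f"{host}: {' -> '.join(chain)}")
```

With the constructed data, only `ws-042` is escalated: a phishing delivery, a macro spawning a shell, a persistence mechanism and a beacon to a rare domain, none of them rated above medium, together cover four stages ending in command and control. The lone phishing alert on `ws-117` and the port scan against `srv-db-01` stay in the normal queue. The thresholds are the tuning knobs a SOC would adjust; lowering `must_reach` to an earlier stage trades noise for earlier warning.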