Updated kill chain model could help improve cybersecurity

An updated kill chain model based on an analysis of cybercriminals’ behaviour could help businesses stay ahead of evolving cyber attacks.

The Cognitive Attack Loop — developed by cybersecurity firm Carbon Black — identifies and breaks down three phases of cybercriminal behaviour — “Recon and Infiltrate”, “Maintain and Manipulate” and “Execute and Exfiltrate” — and provides advice on how chief information security officers (CISOs) and security professionals can combat each phase.

It’s outlined in a white paper, called Cognitions of a Cybercriminal: Introducing the Cognitive Attack Loop and the 3 Phases of Cybercriminal Behaviour, which likens each action to those seen in a poker game.

For example, in the Recon and Infiltration phase, cybercriminals select a target (or a poker table), “gather intel” on the best way to access that target (look for tells) and “exploit” their vulnerabilities (raise the stakes to see what the table’s response is). They might also attack an organisation via email, phone or other electronic means. This method is called social engineering and in this case, the criminal might be “making outlandish bluffs or faking a tell to throw you off your game”, according to the white paper.

In the Maintain and Manipulate phase, attackers will likely attempt to expand their control over the target system and adapt their behaviours to evade the target’s defences (change strategies after a player has called their bluff). This may involve turning off security controls, adapting command and control protocols or hiding tools in the file system.

Finally, the Execute and Exfiltrate phase involves capturing more information (taking us back to the start of the cycle), moving data away from the target’s environment and into the attacker’s (taking the player’s chips), destroying information and using false actions to cover their tracks (bowing out of future hands or using fake tells to muddy your understanding of their behaviours).

The white paper also described security as a cycle of “prevention, response and detection” and suggests CISOs: obtain behavioural data that can be used for automating customised watchlists and pattern recognition, develop penetration tests to identify all viable attack paths and proactively learn about new threat behaviours and trends.

Carbon Black’s Chief Cybersecurity Officer and the paper’s primary author, Tom Kellermann, believes this approach will help defenders better understand the root cause of attacks, the way cybercriminals think and their intent — allowing defenders to pick up cybercriminals’ tells for faster attack detection and stronger, more adaptive security.

“The more insight defenders have into cybercriminal behavior, the more effective technology can be in recognising and stopping suspicious activity,” Kellermann said.

“The patterns we see in attack data transcend any individual attack and allow us to provide protection against a broad set of threats without relying on specific pre-discovered indicators of compromise (IOCs).”

The white paper can be found via Carbon Black’s website.

Image credit: © stock.adobe.com/au/chinnarach