Billions of dollars have been spent on research to protect endpoint devices. It is legitimate to ask why these efforts haven’t really worked. It comes back to attackers innovating faster than defenders.
When technology emerges to protect devices more effectively, it takes years for new technologies to become pervasive enough to blunt the impact of attackers across a broad market. The reactive nature of traditional malware defenses — in terms of finding attacks, profiling them, and developing signatures to block them on devices — makes the existing mitigations too little, too late.
Attackers now randomly change what attacks look like using polymorphic malware, so looking for malware files cannot solve the problem.
Additionally, attackers have new and increasingly sophisticated means to contact their command and control (C&C) systems and obscure data during exfiltration, making detection harder. Attackers also do a lot more testing to make sure attacks work before they use them.
Attackers can buy endpoint security technologies for a very small investment, so they refine their malware to ensure it works against a majority of defenses. This forces security professionals to look for different ways to break the kill chain. You can do this in a couple of different ways:
1. Impede delivery
If the attacker cannot deliver the attack to a vulnerable device, the chain is broken. For tactics like phishing, this might mean blocking the email before it reaches an employee, or training employees not to click on things that would result in malware delivery.
2. Stop compromise
Even if the attack does reach a device, if it cannot execute and exploit the device, the chain is broken. This involves a different approach to protecting endpoints.
3. Block C&C
If the device is compromised, but cannot contact the command and control infrastructure to receive instructions and updated attack code, the attack’s impact is reduced. This requires the ability to analyze all outbound network traffic for C&C patterns and to watch for contact with networks with bad reputations.
4. Block exfiltration
The last line of defense is to stop the exfiltration of data from your environment. Whether via data leak prevention technology or other content or egress filtering that detects protected content, if you stop data from leaving your environment, there is no loss.
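As an added example (not code from the original post), here is the kind of outbound-traffic analysis option 3 describes, run over a few constructed connection-log lines: one check against a reputation list, one for a regular call-home pattern that no list would catch. The denylist, log format and jitter threshold are assumptions.

```python
"""Toy outbound C&C detection over constructed connection logs (added example).
Checks two things the text names: contact with bad-reputation destinations and
beaconing (one host calling one destination at a near-constant interval)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed denylist standing in for a reputation feed (assumption).
BAD_REPUTATION = {"203.0.113.7", "198.51.100.22"}

# Constructed log lines: "<epoch seconds> <source host> <destination ip> <bytes out>".
SAMPLE_LOG = """\
1700000000 ws-17 192.0.2.55 512
1700000061 ws-17 192.0.2.55 512
1700000119 ws-17 192.0.2.55 512
1700000182 ws-17 192.0.2.55 512
1700000012 ws-04 192.0.2.10 20480
1700000300 ws-04 192.0.2.10 1024
1700004000 ws-04 192.0.2.10 3072
1700000005 ws-09 203.0.113.7 256
"""

def parse_log(text):
    """Parse the whitespace-separated constructed format into tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        rows.append((int(ts), src, dst, int(nbytes)))
    return rows

def detect_c2(rows, min_beacons=4, max_jitter=0.2):
    """Return sorted (src, dst, reason) alerts for the two checks."""
    alerts = set()
    by_pair = defaultdict(list)
    for ts, src, dst, _ in rows:
        if dst in BAD_REPUTATION:
            alerts.add((src, dst, "bad-reputation destination"))
        by_pair[(src, dst)].append(ts)
    for (src, dst), times in by_pair.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Regular call-home: jitter is a small fraction of the mean interval.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            alerts.add((src, dst, f"beaconing every ~{round(mean(gaps))}s"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_c2(parse_log(SAMPLE_LOG)):
        print(*alert)
```

The irregular, larger transfers from ws-04 raise nothing here; on a real network, thresholds need tuning against normal update and telemetry traffic that also calls home on a schedule.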
The earlier you can break the kill chain the better. But in the real world, you need a multi-faceted approach, probably encompassing all the options listed above.
Source: http://blog.landesk.com/en/breaking-kill-chain-staying-ahead-hackers/