Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Identifying the Weakest Links in Cyber Kill Chains®

In today’s security environment, with highly motivated cyber attackers employing increasingly sophisticated techniques to break through commonly deployed defenses, just one skillful intruder can infiltrate your systems with one carefully crafted attack path to a relatively unimportant asset. Last week on our blog, Marcus Ranum explained the “cyber kill chain®”1 framework, originally created by Lockheed Martin as a methodology for describing the process and exploitation of advanced persistent threats to information systems. Based on the military concept of a “kill chain,” the model details each step of a cybercriminal’s operation, from reconnaissance through delivery, to command and control and ultimately action. The idea is that by understanding the intruder’s intent and methodology, CISOs can intercept and disrupt the attacker at the earliest possible stage of intrusion, thwarting the attack before actual exploitation. If you can eliminate a link in the chain, the path is destroyed.

Attack paths

Attack paths – paths that intruders take to penetrate information systems over time to execute attacks on a target – are increasingly more complex. Think of attack paths like the classic traveling salesman problem. The salesman has to visit 10 cities in 4 days; what is the most efficient route to travel? Network security faces a similar challenge. What is the most efficient path that a cybercriminal may plot to infiltrate your systems?

Identify the weakest exploitable links and prioritize the critical vulnerabilities to be plugged, patched, and mitigated

For example, a typical multiple-hop attack path might involve a hack into a mail server that then accesses a client on the same network as the email server. Even though the client may not be active on the Internet, an intruder can follow an attack path/chain to access the vulnerable client.

The weakest link

If the goal of the cyber kill chain model is to disrupt or break the chain before major damage occurs, then the method is to divide and conquer: stop the intruder as early in the chain as possible to break his path of destruction. There are many tools in your security arsenal to combat attack chains. Front-line defenses include antivirus software, firewalls, patch management, logging, continuous network monitoring, file tampering monitoring, and configuration management. All of these tools are important, but what is the most effective point in the chain to break attack paths? Which vulnerability do you plug first to minimize attack path intrusions?

Scanning network systems for vulnerabilities is relatively easy to do when looking for one-hop attack vectors. Running regular or continuous scans on all assets will reveal weaknesses that are open to hacking. But when you start tracing multiple-hop paths or chains on a complex network configuration, ranking vulnerabilities and prioritizing fixes, the possible attack paths seem endless. Disrupting cyber kill chains is certainly more challenging but not daunting.

Three metrics for breaking kill chains

You can simplify the work of isolating and stopping kill chains by first prioritizing and tracking three critical metrics. These metrics identify the most vulnerable points in attack chains. Scan for these key metrics and you will address the most serious attack path vulnerabilities:

  1. The number of Internet facing computers/servers that are exploitable – Identify servers on the network perimeter, in the DMZ, or deployed deep in your network and Internet addressable. Audit for services that are exposed to the Internet via open ports where an attack path could jump into your internal network.
  2. The number of Internet browsing computers with exploitable clients – Identify all assets that connect externally to the Internet and the ports that are used. Identify specific client side applications such as Skype, Facebook, YouTube, etc. Alert on devices that browse the Internet with unsupported or outdated software.
  3. The number of internal trusted systems that have exploitable services – Detect clients that are trusted by specific servers or ports to identify the most important clients on your network. Then determine which of these trusted systems have exploitable security issues (e.g., publicly known exploits, critical vulnerabilities, outdated applications, unpatched clients, old antivirus software) and which connect to the Internet.

Focusing on these three metrics adds assurance to your security management plan by identifying points of vulnerability in your networks. These metrics do not reveal actual attack chains; they isolate single hop vectors that may be used in combination to form deadly kill chains. Armed with this data, you can identify the weakest exploitable links and prioritize the critical vulnerabilities to be plugged, patched, and mitigated. Breaking just one link in a chain kills the attack.

Tenable tools and resources

A good scanner such as Tenable’s Nessus can discover and gather data on systems that share common properties (such as Internet browsing) via credentialed audits. Tenable’s SecurityCenter Continuous View can be leveraged to follow up on the assets discovered by Nessus, classify the vulnerabilities, filter data from Nessus, report and alert on the weakest points, and correlate log and event data for analyzing potential attack paths. The Tenable paper on Predicting Attack Paths provides details on using Nessus and SecurityCenter Continuous View Attack Paths Dashboard to identify, prioritize, and mitigate attack chain weaknesses. You can also use several new SecurityCenter dashboards to monitor these three metrics.

See Breaking Kill Chains Dashboards and Breaking Kill Chains How To Guide for complete implementation details.

Kill chains can be defeated link by link. By identifying and repairing the weakest link in a potential chain, you can stop intruders in their tracks.

1 CYBER KILL CHAIN is a registered trademark of Lockheed Martin Corporation.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training