Threat Hunting and Cyberrisk Assessment Using Cyber Kill Chain

Author: Muhammad Mushfiqur Rahman, CISA, COBIT 5 Foundation, CCISO, CCNA, CEH, CHFI, CISSP, CLPTP, CND, CSA, CTIA, ECI, ECSA, ISO 27001 LA, ITIL v3, LPT (Master), MCITP, MCP, MCSA, MCSE, MCT, MCTS, OCP, OSCP, PCT, PRINCE2, SCSA
Date Published: 7 January 2021

Virtually every organization needs to provide digital services to its clients. However, digitization creates enormous threats for an organization, its customers and its employees. To address these threats, organizations must implement cybersecurity strategies and standards, and comply with regulatory requirements. Organizations therefore need to increase security investment: deploying security solutions and committing time and budget to security architecture development, implementation and monitoring by skilled, experienced cybersecurity professionals.

In information systems, an infrastructure attack is an attempt to exploit vulnerabilities in systems, applications, databases and security solutions in order to alter, disable, destroy or steal data, or to gain unauthorized access to a system. Cyberattacks are the offensive techniques attackers use against targeted systems. They include malware and ransomware, Trojans, fileless malware, spyware, viruses and key loggers installed on end-user computers, as well as structured query language (SQL) injection against applications and denial of service (DoS) attacks, any of which can be a step toward compromising or destroying an organization's information system infrastructure.

Prevention alone cannot ensure security against infrastructure attacks. To achieve proper protection, organizations must implement security in layers, and the cyber kill chain is a useful model for deciding what each layer must prevent or detect.

Attackers follow a chain of consecutive steps, called an attack chain, to compromise targeted systems and organizations. Information security professionals should know the activities attackers perform in each step so they can design, architect and implement layered security that breaks the chain; this is the idea behind the cyber kill chain (also called the cyberattack kill chain).

Understanding the cyber kill chain helps analysts combat cyberattacks in any form (e.g., malware, ransomware, key loggers, security breaches, attacks on application software through SQL injection, misconfiguration or broken authentication, and advanced persistent threats [APTs]).

The kill chain concept comes from military targeting doctrine: identify the target, prepare to attack it, engage it and destroy it. Adapted for intrusion analysis (the Lockheed Martin Cyber Kill Chain being the best-known adaptation), the kill chain has since evolved to better anticipate and recognize insider threats, social engineering, advanced ransomware and novel attacks.

By understanding the cyber kill chain, an information security architecture can be designed to prevent, detect, identify, contain, restore, recover from and report incidents, and to support forensic investigation so that lessons are learned from each one. A layered approach then places a control at each stage of the chain so that an attack can be stopped wherever it is caught.

Cybersecurity assurance professionals should review their organization's security architecture against the attack chain so they can check the measures the organization has in place at each step. These measures typically include security awareness training; data classification; internet and infrastructure use policies, processes and procedures; preventive controls that stop malware from spreading across the infrastructure; log monitoring; anti-malware and anti-APT solutions; controls that stop lateral movement; protection against obfuscated payloads; sandboxing; and prevention of data exfiltration, each delivered by a different security solution.

A step-by-step review of each phase in the attack chain helps threat hunters, cybersecurity professionals and risk practitioners identify gaps in an organization's implemented security architecture.
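The phase-by-phase hunt and gap review described above, as an added example that is not code from the original article: each detection rule is tagged with the kill-chain phase it evidences, a hunt groups matching events per host and reports how far down the chain each host got (and which earlier phases were never observed), and a coverage check lists phases with no rule at all. The seven phase names are Lockheed Martin's Cyber Kill Chain; the event schema, detection rules, host names, addresses and "internal" ranges are assumptions made for this illustration, and the sample events are constructed, not real telemetry.

```python
"""Kill-chain hunt over endpoint/network events.

Added example, not code from the original article. The phase names are
Lockheed Martin's Cyber Kill Chain; the event schema, rules, hosts,
addresses and internal ranges are assumptions for this illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Assumed internal address space; anything outside it counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cmd.exe"}
EXFIL_BYTES = 50_000_000  # assumed threshold for a suspicious outbound transfer


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


# Hypothetical detection rules: (phase, predicate over one event). Each rule
# reads only the fields its event type carries; 'and' short-circuits on type.
RULES = [
    ("reconnaissance", lambda e: e["type"] == "port_scan"),
    ("delivery", lambda e: e["type"] == "email"
        and e.get("attachment", "").lower().endswith((".docm", ".js", ".exe"))),
    ("exploitation", lambda e: e["type"] == "process"
        and e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS),
    ("installation", lambda e: e["type"] == "registry"
        and e["key"].startswith(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")),
    ("command_and_control", lambda e: e["type"] == "netconn"
        and e["image"] in SCRIPT_HOSTS and is_external(e["dst"])),
    ("actions_on_objectives", lambda e: e["type"] == "netconn"
        and is_external(e["dst"]) and e.get("bytes_out", 0) > EXFIL_BYTES),
]


def classify(event):
    """Every kill-chain phase whose rule matches; one event may evidence several."""
    return [phase for phase, match in RULES if match(event)]


def hunt(events):
    """Per host: phases observed (in chain order), the deepest phase reached and
    the earlier phases never observed. A host seen only at C2 or exfiltration
    got in somehow; the unobserved earlier phases are where visibility is missing."""
    seen = defaultdict(set)
    for e in events:
        for phase in classify(e):
            seen[e["host"]].add(phase)
    report = {}
    for host, phases in seen.items():
        observed = [p for p in KILL_CHAIN if p in phases]
        deepest = observed[-1]
        earlier = KILL_CHAIN[:KILL_CHAIN.index(deepest)]
        report[host] = {
            "observed": observed,
            "deepest": deepest,
            "unobserved_before_deepest": [p for p in earlier if p not in phases],
        }
    return report


def coverage_gaps(rules=RULES):
    """Phases with no detection rule at all: the architecture-level gap."""
    covered = {phase for phase, _ in rules}
    return [p for p in KILL_CHAIN if p not in covered]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-017", "type": "email", "attachment": "invoice_Q4.docm"},
    {"host": "ws-017", "type": "process", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "ws-017", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws-017", "type": "netconn", "image": "powershell.exe",
     "dst": "203.0.113.45", "bytes_out": 2048},
    {"host": "srv-db-02", "type": "netconn", "image": "rundll32.exe",
     "dst": "198.51.100.7", "bytes_out": 120_000_000},
    {"host": "ws-033", "type": "process", "parent": "explorer.exe", "image": "cmd.exe"},
    {"host": "ws-033", "type": "netconn", "image": "chrome.exe",
     "dst": "10.0.0.5", "bytes_out": 9_000_000},
]

if __name__ == "__main__":
    ranked = sorted(hunt(SAMPLE_EVENTS).items(),
                    key=lambda kv: KILL_CHAIN.index(kv[1]["deepest"]), reverse=True)
    for host, result in ranked:
        print(host, result)
    print("phases with no detection rule:", coverage_gaps())
```

Two things the output makes concrete that the prose alone does not: srv-db-02 appears only at the command-and-control and exfiltration phases, so either delivery and exploitation happened through a vector the rule set does not cover or the host's earlier telemetry is missing, and weaponization shows up as a permanent coverage gap because it happens on the attacker's side and leaves nothing in the defender's logs; the review should note that phase as one to be covered by threat intelligence rather than by local detection. The internal ranges are listed explicitly rather than using the `ipaddress` module's `is_global`, which treats the documentation ranges used here as non-global.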

Editor’s note: For further insights on this topic, read Muhammad Mushfiqur Rahman’s recent Journal article, “Security and Risk Assessment of IT Defense Strategies Considering the Cyber Kill Chain,” ISACA Journal, volume 6, 2020.
