Using Defense in Depth to stop the Intrusion Kill Chain

The intrusion kill chain focuses on a portion of an external attack that culminates with an attacker gaining complete control over one of your endpoints and, therefore, a foothold within your network.

To make this possible, several tasks need to occur including:

  • The gathering of information about the endpoint environment to identify any possible exploits,
  • The combining of exploits (based on the reconnaissance done in the last step) and deliverable payloads (read: malware),
  • The leveraging of phishing emails and compromised websites to deliver the weaponized malware,
  • The actual installation of malware on an endpoint,
  • And finally, establishing a channel to further manipulate endpoint remotely (commonly known as command & control).

IT, generally, has the ability to stop this kill chain only at the delivery and installation points in the intrusion kill chain. But because the creators of these attack tools are working to improve their ability to infiltrate your network, it’s critical to have more than just a single layer of defense in place.

Using Defense in Depth

The whole philosophy of defense in depth revolves around the proactive assumption that one or more layers of security will fail. It’s also about putting different types of security in place to create those layers. This should include different types of solutions, as well as solutions from different vendors.

There are three basic layers at which you can place your defenses to defeat the intrusion kill chain.

At the Perimeter

Attacks first need a means of entry to your network. The two most logical points of access are those that logically extend past the company’s firewall: websites and email.

Users are free to surf to just about any website they desire, pulling in content and code directly into their workstation. And email follows a similar route, only differing in that email is pushed to the user. And, in many cases, it’s a combination of the two – an email attachments only malicious content could be a link to a compromised website.

What’s needed here is a few different solutions in place that protect the user from themselves. These include an email gateway with AV, attachment scanning and sandboxing, as well as a web gateway that checks outbound URLs for malicious content.

With the User

Assuming malicious code has successfully made its way past your perimeter, it logically exists on the endpoint, waiting to be opened so it can run its evil bits of code.

The next line of defense is actually the user themselves – if a user can be trained to spot a phishing email, they can act as a layer in your defensive strategy. Phishing training and testing services exist to keep users in a constant state of awareness, helping to limit the effectiveness of phishing attacks hosting malware.

At the Endpoint

Even the highly trained user can fall prey to some very creative phishing scams. Spear phishing scams use inside knowledge of the people within an organization, making it even tougher to spot a malicious email.

So, the last layer of your defense in the intrusion kill chain is to have additional AV software (likely using a different vendor than that of your gateways previously mentioned), as well as some form of an endpoint protection solution that leverages application whitelisting to ensure no malicious processes can run.

Stopping the Intrusion Kill Chain

To minimize the risk of data breach, ransomware, etc., you’re in far better shape if you stop malware from ever running. By putting a layered defense in place, you maximize your chances of stopping a threat before it starts.

Should your current defenses fail, the next step you need to prepare to stop is the horizontal kill chain – a set of activities that allow an attacker to gain privileged access within your network.

Stopping the Horizontal Kill Chain

Read about how to further protect your network from external attacks by identifying and stopping lateral movement as part of the horizontal kill chain.

Read the white paper