IS Decisions logo

IS Decisions Blog

Using defense in-depth to stop the intrusion kill chain

A layered defense can help stop an intrusion kill chain at the perimeter, with the user and at the endpoint.

Published September 27, 2017
Using defense in-depth to stop the intrusion kill chain

The intrusion kill chain focuses on a portion of an external attack that culminates with an attacker gaining complete control over one of your endpoints and, therefore, a foothold within your network.

To make this possible, a few things need to happen first. These include:

  • Gather information about the endpoint environment to identify any possible exploits,

  • Combine exploits (based on the reconnaissance done in the last step) and deliverable payloads (read: malware),

  • Leverage phishing emails and compromised websites to deliver the weaponized malware,

  • The actual installation of malware on an endpoint,

  • Establish a channel to further manipulate the endpoint remotely (commonly known as command & control).

In general, IT can stop this kill chain only at the delivery and installation points in the intrusion kill chain. But because the creators of these attack tools are working to improve their ability to infiltrate your network, it’s critical to have more than just a single layer of defense in place.

Using defense in-depth

The whole philosophy of defense in depth revolves around the proactive assumption that one or more layers of security will fail. It’s also about putting different types of security in place to create those layers. This should include different types of solutions, as well as solutions from different vendors.

There are three basic layers at which you can place your defenses to defeat the intrusion kill chain.

At the perimeter

Attacks first need a means of entry to your network. The two most logical points of access are those that logically extend past the company’s firewall: websites and email.

Users are free to surf to just about any website they desire, pulling in content and code directly into their workstation. And email follows a similar route, only differing in that email is pushed to the user. And, in many cases, it’s a combination of the two an email attachments only malicious content could be a link to a compromised website.

What’s needed here is a few different solutions in place that protect the user from themselves. These include an email gateway with AV, attachment scanning and sandboxing, as well as a web gateway that checks outbound URLs for malicious content.

With the user

Assuming malicious code has successfully made its way past your perimeter, it logically exists on the endpoint, waiting to be opened so it can run its evil bits of code.

The next line of defense is the user. If IT can train a user to spot a phishing email, users can also act as a layer in your defensive strategy. Phishing training and testing services exist to keep users in a constant state of awareness, helping to limit the effectiveness of phishing attacks hosting malware.

At the endpoint

Even the highly trained user can fall prey to some very creative phishing scams. Spear phishing scams use inside knowledge of the people within an organization, making it even tougher to spot a malicious email.

So, the last layer of your defense in the intrusion kill chain is to have additional AV software (likely using a different vendor than that of your gateways previously mentioned), as well as some form of an endpoint protection solution that leverages application whitelisting to ensure no malicious processes can run.

Stop the intrusion kill chain

To minimize the risk of data breach, ransomware, etc., you’re in far better shape if you stop malware from ever running. By putting a layered defense in place, you maximize your chances of stopping a threat before it starts.

Should your current defenses fail, the next step is to stop the horizontal kill chain, a set of activities that allow an attacker to gain privileged access within your network.