

Introducing Gartner’s Cyber Attack Chain Model

by Ramon Krikken  |  August 8, 2014  |  8 Comments

Anton Chuvakin and I just finished some exciting new research on security monitoring: “Selecting Security Monitoring Approaches by Using the Attack Chain Model” [subscription required], in which we provide advice on how to pick the types of security monitoring solution an organization should be using. It was definitely a challenge, because making “use X, Y, and Z but not A, B, and C” statements is generally impossible without extensive personalized analysis – after all, we can’t predict which combination of solutions gives the greatest efficacy at the lowest cost. We needed a simple but still useful decision-making tool … and so the Cyber Attack Chain was born.

To be fair, as many of you already know, the attack chain concept isn’t new or unique. The Lockheed Martin Cyber Kill Chain is well established, and many other (often derived) models have been developed since its inception. So why not use the Lockheed Martin Cyber Kill Chain, or a derivative, and call it good? Three reasons: the “act on objectives” stage needed to be split out so we could better distinguish various attacks; the reconnaissance and weaponization stages didn’t provide us with as much value as we would have liked; and – last but not least – “Cyber Kill Chain” is now trademarked.

Below is a cut-out of a larger figure presenting the attack chain model. Six phases, split into two main categories borrowed from John Howard’s “An Analysis of Security Incidents on the Internet 1989 – 1996”: unauthorized access (creating access you don’t yet have) and unauthorized use (abusing access you already have). The high-level split provides a way to distinctly map “prep” and “act.” The last three phases allow us to better map distinct actions and objectives, bringing them in line with the detail level of the earlier three phases.

[Figure: cut-out of the attack chain model, showing six phases grouped into unauthorized access and unauthorized use]

In our research, we also provide a mapping of common types of attack to the attack chain phases, and a matrix of security monitoring technologies with attack phases on one axis and attack channels/targets on the other. We hope to reuse (and possibly expand) the models in future research. Without going into too much detail, three of the goals for all this are to show that:

  • Once inside a cyberattack, any action is defined by a common attack phasing model. It is not possible to execute a cyberattack without touching at least one phase.
  • As important as the phases an attack must follow are the phases it does not have to follow. The shortest path to a successful attack may be only a single phase long.
  • Threat matters mainly for what happens before, after, and outside the realm of cyber attack phases. Attack models can and should be used independently of threat models.
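The matrix described above (monitoring technologies against attack phases on one axis and channels/targets on the other) is the decision tool the post is getting at, and the three goals follow directly from how that matrix is used. The Python below is an added illustration, not Gartner's or the authors' tooling, and not the figure's content: the post only states that there are six phases split three/three into unauthorized access and unauthorized use, and (via the comments) that exfiltration is one of them, so all other phase labels, the channel axis, the monitoring technologies and the scenarios are constructed placeholders. It encodes the two invariants from the goals list (a scenario must touch at least one phase, and a single-phase scenario is legitimate) and then computes, per scenario, which steps no monitoring technology observes.

```python
"""Attack-chain coverage check (added example; names are constructed)."""
from dataclasses import dataclass

# Constructed phase labels. The post gives the 3/3 split and, in the comments,
# names exfiltration; the other five labels are placeholders, not Gartner's.
UNAUTHORIZED_ACCESS = ("access_1", "access_2", "access_3")
UNAUTHORIZED_USE = ("use_1", "use_2", "exfiltration")
PHASES = UNAUTHORIZED_ACCESS + UNAUTHORIZED_USE

# Constructed channel/target axis for the monitoring matrix.
CHANNELS = ("network", "endpoint", "application", "data_store")


@dataclass(frozen=True)
class Monitor:
    """One monitoring technology and the (phase, channel) cells it observes."""
    name: str
    covers: frozenset


def category(phase: str) -> str:
    """Map a phase to Howard's split: creating access vs. abusing access."""
    if phase in UNAUTHORIZED_ACCESS:
        return "unauthorized access"
    if phase in UNAUTHORIZED_USE:
        return "unauthorized use"
    raise ValueError(f"unknown phase: {phase}")


def validate_scenario(cells) -> list:
    """An attack touches at least one phase, and every step must be in the model.

    Phases are not mandatory and need not appear in order: a single cell is a
    legitimate shortest-path scenario.
    """
    cells = list(cells)
    if not cells:
        raise ValueError("a cyberattack touches at least one phase")
    for phase, channel in cells:
        category(phase)  # raises on an unknown phase
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel: {channel}")
    return cells


def is_valid_scenario(cells) -> bool:
    """Boolean form of validate_scenario for callers that do not want exceptions."""
    try:
        validate_scenario(cells)
    except ValueError:
        return False
    return True


def coverage_gaps(cells, monitors) -> set:
    """Steps of a scenario that no monitoring technology observes."""
    observed = set().union(*(m.covers for m in monitors))
    return {c for c in validate_scenario(cells) if c not in observed}


def detectable(cells, monitors) -> bool:
    """True if at least one step of the scenario is observed by some monitor."""
    cells = validate_scenario(cells)
    return len(coverage_gaps(cells, monitors)) < len(set(cells))


def monitors_used(scenarios: dict, monitors) -> dict:
    """Per scenario, the monitors that observe at least one of its steps."""
    return {name: [m.name for m in monitors if any(c in m.covers for c in cells)]
            for name, cells in scenarios.items()}


# Constructed sample matrix: each monitor lists the cells it covers.
SAMPLE_MONITORS = [
    Monitor("network_traffic_analysis",
            frozenset((p, "network") for p in UNAUTHORIZED_ACCESS)),
    Monitor("endpoint_detection", frozenset((p, "endpoint") for p in PHASES)),
    Monitor("database_activity_monitoring",
            frozenset((p, "data_store") for p in ("use_1", "use_2"))),
    Monitor("data_loss_prevention",
            frozenset({("exfiltration", "network"), ("exfiltration", "data_store")})),
]

# Constructed scenarios as ordered (phase, channel) steps.
SAMPLE_SCENARIOS = {
    # Walks every phase: access over network/endpoint, abuse on the data store.
    "full_chain": [("access_1", "network"), ("access_2", "network"),
                   ("access_3", "endpoint"), ("use_1", "data_store"),
                   ("use_2", "data_store"), ("exfiltration", "network")],
    # Shortest path: one privileged resource access, no exfiltration at all.
    "single_privileged_access": [("use_1", "data_store")],
    # Shortest path over a channel the sample matrix does not watch.
    "single_app_abuse": [("use_2", "application")],
}

if __name__ == "__main__":
    for name, cells in SAMPLE_SCENARIOS.items():
        gaps = coverage_gaps(cells, SAMPLE_MONITORS)
        print(f"{name}: detectable={detectable(cells, SAMPLE_MONITORS)} gaps={sorted(gaps)}")
```

Two things the run makes concrete: the single-step scenario on the data store is valid and detectable even though it never reaches exfiltration, and the single-step scenario on the application channel is equally valid but sits in a cell none of the sample monitors observe, which is exactly the kind of gap the matrix is meant to expose when deciding which monitoring type to add.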

As always, we’re open to any suggestions and comments. This is a living body of research, and if our baby is ugly (or just not quite as pretty as we think it is), then let us know!


Ramon Krikken
BG Analyst
2 years at Gartner
15 years IT industry

Ramon Krikken is a Research VP on the Gartner for Technical Professionals Security and Risk Management Strategies team. He covers software/application security; service-oriented architecture (SOA) security; structured and unstructured data security management, including data masking, redaction and tokenization...


Thoughts on Introducing Gartner’s Cyber Attack Chain Model


  1. […] Source: Introducing Gartner's Cyber Attack Chain Model […]

  2. […] please go and read a related post from my co-author Ramon Krikken – he reveals more details on our approach and the attack chain […]

  6. Andre Gironda says:

    Why is exfiltration a narrative for this model? Can’t a cyber attack succeed without exfiltration?

  7. Andre – absolutely agreed that exfiltration isn’t required. It’s simply in there to cover the movement of data back to an attacker. The “shortest attack path” is a single privileged operation or resource access, which is an important point of discussion in the paper.

  8. […] “cyber kill chain” is a sequence of stages required for an attacker to successfully infiltrate a network and […]



