Anton Chuvakin and I just finished some exciting new research on security monitoring: “Selecting Security Monitoring Approaches by Using the Attack Chain Model” [subscription required], in which we provide advice on how to pick the security monitoring solution types an organization should be using. It was definitely a challenge, because making “use X, Y, and Z but not A, B, and C” statements is generally impossible without extensive personalized analysis – after all, we can’t predict which combination of solutions gives the greatest efficacy at the lowest cost. We needed a simple but still useful decision-making tool … and so the Cyber Attack Chain was born.
To be fair, as many of you already know, the attack chain concept isn’t new or unique. The Lockheed Martin Cyber Kill Chain is well established, and many other (often derived) models have been developed since its inception. So why not use the Lockheed Martin Cyber Kill Chain, or a derivative, and call it good? Three reasons: the “act on objectives” stage needed to be split out so we could better distinguish various attacks; the reconnaissance and weaponization stages didn’t provide us with as much value as we would have liked; and – last but not least – “Cyber Kill Chain” is now trademarked.
Below is a cut-out of a larger figure presenting the attack chain model. Six phases, split into two main categories borrowed from John Howard’s “An Analysis of Security Incidents on the Internet 1989 – 1996”: unauthorized access (creating access you don’t yet have) and unauthorized use (abusing access you already have). The high-level split provides a way to distinctly map “prep” and “act.” The last three phases allow us to better map distinct actions and objectives, bringing them in line with the detail level of the earlier three phases.
In our research, we also provide a mapping of common types of attack to the attack chain phases, and a matrix of security monitoring technologies with attack phases on one axis and attack channels/targets on the other. We hope to reuse (and possibly expand) the models in future research. Without going into too much detail, three of the goals for all this are to show that:
Once inside a cyberattack, all actions are defined by a common attack phasing model. It is not possible to execute a cyberattack without touching at least one phase.
As important as the phases an attack must follow are the phases it does not have to follow. The shortest path to a successful attack may be only a single phase long.
Threat matters mainly for what happens before, after, and outside the realm of the cyberattack phases. Attack models can and should be used independently of threat models.
As always, we’re open to any suggestions and comments. This is a living body of research, and if our baby is ugly (or just not quite as pretty as we think it is), then let us know!