January 6, 2016

Disrupting the Bad Guys: The Cyber Kill Chain

By Andrzej Kawalec, Chief Technologist, Enterprise Security Services, Hewlett Packard Enterprise

Traditionally, organizations have focused on securing the infrastructure. A massive 80 percent of security budgets is spent protecting the network. Yet we appear to be breached at will by a relentless, dynamic cyber adversary whose focus goes beyond yesterday’s points of entry. While enterprise security teams are getting better at securing applications, they are still struggling to secure the end user and the data involved in digital interactions.

To that end, they also need to spend more time and effort understanding the adversaries. The average hacker is 24 years old and lives and breathes this new style of digital interaction. To disrupt these adversaries at every step, we use an approach known as the cyber kill chain.

Hewlett Packard Enterprise’s cyber kill chain focuses on five steps—research, infiltration, discovery, capture, and exfiltration—with a sixth element that facilitates the entire methodology: the cybercriminal marketplace. Throughout our research and experience, we’ve found that the kill chain has evolved most alarmingly and rapidly in the last few years when it comes to who the adversary is, how long it can take to discover the adversary, and the overall marketplace. Here are the specifics:

  • The adversary: The adversary has grown in size, scope, and destructive ability. Examples include nation states, advanced persistent threats (APT), and the rise of cyberterrorism and integration of physical and cybercriminal cartels.
  • Discovery: The depth and breadth of breaches have grown more sophisticated. Attackers use advanced malware that actively masks its presence and moves laterally within an organization’s network.
  • Cybercriminal marketplace: The online marketplace for information, services, malware, and recruitment, built on anonymity and e-currency (bitcoin), is providing a foundation for cybercrime. Sharing across borders has also opened up huge opportunities for criminal activity. It doesn’t matter who you are or where you live—cybercrime exploits the limits of international law. It shows no loyalty to industry or geography.

By understanding the steps threat agents go through when committing a cybercrime—how a criminal infiltrates the environment, steals data, and then uses it for his own gain—HPE can position the enterprise to engage in both proactive and reactive responses. The cyber kill chain helps us understand what the threat is looking for, how the adversary can obtain what it wants, and who the target is.
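To make the model concrete for a security operations team, here is an added example (not HPE’s code, and not from the post) that maps detection events to the five HPE kill-chain phases named above and reports, per host, how far an intrusion has progressed and how long it has been running. The event names, hosts, timestamps and the event-to-phase mapping are all constructed for illustration; a real deployment would tie its own detection types to the phases.

```python
"""Kill-chain phase correlator over constructed host telemetry.

Added example, not HPE's code. It tags security events with one of the five
kill-chain phases from the post (research, infiltration, discovery, capture,
exfiltration), then reports per host the furthest phase reached and the dwell
time between the first and last observed phase event.
"""
import re
from datetime import datetime

# The five HPE kill-chain phases, in attack order.
PHASES = ["research", "infiltration", "discovery", "capture", "exfiltration"]

# Assumed mapping from detection types to phases (hypothetical event names).
EVENT_PHASE = {
    "external_port_scan": "research",
    "phishing_attachment_opened": "infiltration",
    "new_admin_share_enum": "discovery",
    "lateral_smb_logon": "discovery",
    "bulk_file_staging": "capture",
    "large_outbound_transfer": "exfiltration",
}

# Constructed sample telemetry: "<ISO timestamp> host=<name> event=<type>".
SAMPLE_LOG = """\
2015-06-10T08:02:00 host=ws-17 event=external_port_scan
2015-06-12T09:15:00 host=ws-17 event=phishing_attachment_opened
2015-06-20T22:41:00 host=ws-17 event=lateral_smb_logon
2015-12-28T03:10:00 host=ws-17 event=bulk_file_staging
2016-01-04T02:55:00 host=ws-17 event=large_outbound_transfer
2016-01-03T11:00:00 host=ws-42 event=external_port_scan
2016-01-03T11:05:00 host=ws-42 event=phishing_attachment_opened
2016-01-05T14:30:00 host=srv-db1 event=unknown_benign_thing
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)$")


def parse_event(line):
    """Parse one log line; return None for malformed lines or events
    that are not tied to any kill-chain phase."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    phase = EVENT_PHASE.get(m["event"])
    if phase is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "phase": phase}


def correlate(log_text):
    """Group phase-tagged events by host, tracking phases seen and the
    first/last timestamps so dwell time can be derived."""
    records = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        rec = records.setdefault(
            ev["host"], {"phases": set(), "first": ev["ts"], "last": ev["ts"]}
        )
        rec["phases"].add(ev["phase"])
        rec["first"] = min(rec["first"], ev["ts"])
        rec["last"] = max(rec["last"], ev["ts"])
    return records


def furthest_phase(phases):
    """Latest kill-chain phase reached, by position in PHASES."""
    return max(phases, key=PHASES.index)


def dwell_days(rec):
    """Whole days between the first and last phase event on a host."""
    return (rec["last"] - rec["first"]).days


def hosts_at_or_past(records, phase):
    """Hosts whose intrusion has reached the given phase or later."""
    threshold = PHASES.index(phase)
    return sorted(
        host for host, rec in records.items()
        if PHASES.index(furthest_phase(rec["phases"])) >= threshold
    )


def report(records):
    """Human-readable summary, one line per host, worst first."""
    lines = []
    for host in sorted(records, key=lambda h: -PHASES.index(furthest_phase(records[h]["phases"]))):
        rec = records[host]
        lines.append(f"{host}: reached {furthest_phase(rec['phases'])}, "
                     f"dwell {dwell_days(rec)} days, phases {sorted(rec['phases'], key=PHASES.index)}")
    return lines


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    print("\n".join(report(recs)))
    print("hosts at capture or later:", hosts_at_or_past(recs, "capture"))
```

Run as a script it prints one line per host; the constructed host ws-17 shows the pattern the post warns about, an intrusion that reached exfiltration after roughly seven months of dwell time, while ws-42 is caught at infiltration and the unmapped event on srv-db1 is ignored. Hosts that have reached capture or later are the ones to prioritize for containment.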

Know Your Enemy

The kill chain was first used by the military to map out and understand the structure of an enemy attack. In the technological context, the cyber kill chain helps us outline and analyze the general way in which a cyber attack occurs. By using this model, we can gain understanding of gaps, risks, and potential outcomes. The video, “Disrupting the Cyber Kill Chain with HPE Security,” offers a great explanation from some of our HPE security experts on the merits and use of the kill chain.

The information criminals buy and sell runs the gamut from credit card and financial services data to executive profiles, vicious malware, and attack software.

Understanding that cybercrime is bigger than the enterprise is perhaps the hardest part. It takes a median of 205 days to identify that a breach has taken place. This is like allowing a burglar to snoop around your house at will for months.

As cybercriminals continue to evolve and adapt, the challenge for enterprises to keep up is a big one. HPE can help you stay ahead of the threats with tools and strategies, like the cyber kill chain, that are proven to protect.

Learn more about how to protect the enterprise from cyber threats and fight back.