Tackling the Cyber Kill Chain with Managed Security Services

Historically, IT organizations focus on prevention within information security. However, this focus puts the organization at risk with today’s rapidly evolving threat landscape. Organizations must have enough resources across their staff and technology to address new challenges with an advanced threat landscape.

Managed security services can fill these gaps. Ultimately, offering the people, process, and advanced technology needed to handle today’s advanced threats.

To evaluate if managed security services is an valuable addition to your current security program, you need a good understanding of the cyber kill chain and how threat actors operate across each phase.

The cyber kill chain is a military-inspired concept developed by Lockheed Martin in 2011. It describes seven phases that a threat actor will follow to target and penetrate an organization. If a threat actor can navigate through each of these phases, it is considered a successful attack.

Here’s a summary of the seven phases within the cyber kill chain and possible security controls you could implement to mitigate threat actors:

1. Recon – adversaries collect as much information about a target as possible and identify the attack types that will work the best to obtain access and steal data
   1. Potential Controls: threat intelligence feeds, perimeter controls, identity and access management, system hardening, honeypots
2. Weaponization – during this stage a threat actor creates malware and other advanced threats used to implement their plan developed in the reconnaissance phase
   1. Potential Controls: vulnerability scanner, patch management system, Intrusion Detection Systems, identifying threat actor’s malicious tools on Dark Net, reverse engineering 
3. Delivery – a threat actor then targets users and endpoints by delivering social engineering schemes like phishing, cross scripting, and other forms of compromise
   1. Potential Controls: Next-Gen Firewalls, Next-Gen IPS, Email and Web Gateway Security, DDoS mitigation tools, Network Behavioral Analysis, User Entity and Behavior Analytics (UEBA), DNS Security, NetFlow and Packet analysis, and security awareness training
4. Exploit – the threat actor leverages their weapon to obtain deeper access into your IT environment
   1. Potential Controls: SIEM and log management, firewalls, EPP, Web application firewalls (WAF), Advanced Threat Detection technologies, UEBA, and threat intelligence
5. Install – at this stage, the adversary attempts to achieve persistence by expanding throughout the IT environment. Containment and incident response are critical for a defender at this stage.
   1. Potential Controls: EPP solutions, Managed Detection & Response (MDR), Identity and Access Management (IAM) tools, Incident Response, Backups, Incident Reporting
6. Command and Control – a threat actor overrides control within the IT environment and collects as must sensitive data as possible.
   1. Potential Controls: DNS Security, SIEM and Log Management, application security, NBA tools, reputation filtering, network monitoring
7. Act – the threat actor successfully exfiltrated data
   1. Potential Controls: Data Loss Prevention (DLP) tools, SIEM, UEBA, Database Activity Monitoring and Protection (DAP), NBA tools, NGFWs, and Backup and Restore 

Threat Hunting in the Detection Phase

Threat hunting is a proactive and often machine-based approach to seeking out malicious activity throughout your network and data assets. Threat hunting requires dedicated resources that can focus on the task of finding threats that can bypass your perimeter defenses.

A managed security services provider will dedicate in-house analysts to threat hunting. Also, the team of analysts at an MSSP will use automation and workflows to pinpoint alerts that matter, so your organization isn’t wasting time on false alerts.

A security services provider can extend its cutting-edge technology solutions, such as the latest SIEM technology, next-gen endpoint protection, advanced security analytics and heuristics, artificial intelligence, and more directly to your organization. Imagine the benefits of having these technologies supporting your security posture. 

Finally, the benefit of using an MSSP is that they can improve your Mean-Time-To-Detect (MTTD) which is a critical cybersecurity metric or KPI to develop within your organization. By improving MTTD, the organization can potentially reduce the dwell time of a threat actor within your environment leading to less data and revenue lost.

Containment, Incident Response, and Remediation

Finding malicious threats within your environment is only half the battle, you need a plan to contain, respond, and remediate these threats quickly and effectively. The other important cybersecurity metric your organization should be paying attention to is the Mean-Time-To-Respond (MTTR). This tells you how fast your organization is responding to active cyber threats.

The Ponemon Institute published a breach cost report finding that the average MTTR for an organization was 66 days. Could your business sustain a threat actor within your environment for 66 days? What financial and organizational impact would this have on your business?

An MSSP can fill the gaps in your incident response and remediation process. If you don’t have a process, then an MSSP can adapt and tailor its incident response process, used for thousands of other clients, just for your organization.

When you consider every point of compromise in the cyber kill chain, a threat actor must complete an array of tasks to compromise your organization. If your organization can create a balanced approach to detection, response, and remediation then you will be in the right place to handle an advanced threat landscape.

If you don’t have enough resources internally, a managed security services provider can put a stop to threat actors at each point in the cyber kill chain. An MSSP can also offer you insight into how vulnerable your organization is to advanced threats with a vulnerability assessment. This could be a good starting point to understand if your organization could benefit from an MSSP.