Does the methodology matter? Cyber kill chain vs Cyber attack lifecycle
Within cybersecurity circles, practitioners hold preferences about which methodology to apply when recommending security controls in light of legal requirements, internal policies, and audit findings. The choice ultimately depends on several factors, including the organization's cybersecurity maturity (shaped by past incidents) and the level of risk attached to the infrastructure and data being protected.
Among the many methodologies that exist, the cyber kill chain and the cyber attack lifecycle are the most commonly referenced. Both are used in enterprise environments and, implicitly, by attackers, who tend to follow a familiar procedure. For attackers, each model describes the step-by-step execution of an attack, and the way a particular group works through those steps shows up as its tactics, techniques, and procedures (TTPs). For defenders, the models help determine which stage an attack has reached and therefore which actions to take to head off a network breach and data loss. But which of the two should an enterprise understand?
The cyber kill chain
The cyber kill chain is a well-known model from Lockheed Martin that maps the stages of a cyber attack by analogy with military targeting. The chain runs through seven steps, namely:
1. Reconnaissance: the attacker researches and selects targets.
2. Weaponization: a payload is coupled with an exploit into a deliverable.
3. Delivery: the weapon is transmitted to the target, for example by email, web or USB.
4. Exploitation: the exploit triggers on the victim system.
5. Installation: malware is installed to establish a foothold.
6. Command and control: the implant calls back to attacker infrastructure.
7. Actions on objectives: the attacker pursues the actual goal, such as data theft.
The cyberattack life cycle
The cyberattack lifecycle is a model from Mandiant Consulting, an American cybersecurity company owned by FireEye. It outlines the stages of an attack in much the same fashion as the cyber kill chain, but with the recognition that an attack is rarely linear. Its stages are initial reconnaissance, initial compromise, establish foothold, escalate privileges, internal reconnaissance, move laterally, maintain presence, and complete mission, with the middle stages repeated in a loop as the intruder learns the environment.
Enterprises should understand both models because attackers vary their approach to maximize the chance of achieving their objectives. While the cyber kill chain is straightforward, attackers rarely proceed in a straight line. Through trial and error, an attacker may, for example, fail to compromise the target on the first attempt and need more time and resources before gaining access and establishing a foothold. Having penetrated the network, the attacker may have to iterate until they obtain privileged access or achieve persistence. Even inside a compromised network, they may need a fresh round of reconnaissance to map the network topology and the resources present.
Bottom line
If your enterprise is under attack, your teams should promptly identify indicators of compromise (IoCs) such as IP addresses, domains, and URLs, and use them to determine the stage the attack has reached. Bear in mind that such atomic indicators are cheap for an attacker to change, so they should be complemented with detections keyed to the attacker's TTPs. Your ability to defend depends on how quickly you detect and intercept the attack (mostly through intrusion detection systems) and on the actions you take, whether disconnecting affected systems from the network or internet, cutting off the attacker by blocking external access, or automatically deploying prevention systems. Those actions should follow your incident response playbook, if one exists, and your internal policies on data and network breaches.
Ultimately, the information gathered and the activities identified, viewed through either the cyber kill chain or the cyber attack lifecycle, should inform your decisions about improving the organization's cybersecurity posture.
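As an added illustration of the triage step described above (example code, not part of the original article or of either vendor's tooling), the script below matches a constructed IoC list against constructed log lines, attributes each hit to a kill chain stage, and reports the furthest stage reached. The mapping from log source and indicator type to stage is an assumption made for the example; a real SOC would derive it from its own telemetry. The sample logs deliberately show a reconnaissance hit after command and control, the non-linear behaviour the text warns about.

```python
"""Attribute IoC hits in log lines to cyber kill chain stages (added example)."""
import re

KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Constructed indicators using documentation ranges; not real threat intel.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-cdn.example.net"},
    "url": {"http://update-cdn.example.net/invoice.docm"},
}

# Assumed mapping: which stage a hit of this IoC kind in this log source evidences.
STAGE_BY_SOURCE = {
    ("proxy", "url"): "delivery",
    ("proxy", "domain"): "delivery",
    ("dns", "domain"): "command_and_control",
    ("firewall", "ip"): "command_and_control",
    ("ids", "ip"): "reconnaissance",
}

# Constructed sample log lines: "<timestamp> <source> key=value ...".
LOGS = [
    "2024-03-04T09:12:01Z proxy user=alice dst=update-cdn.example.net "
    "url=http://update-cdn.example.net/invoice.docm status=200",
    "2024-03-04T09:13:05Z dns client=10.0.0.17 query=update-cdn.example.net answer=203.0.113.45",
    "2024-03-04T09:13:06Z firewall action=allow src=10.0.0.17 dst=203.0.113.45 dport=443",
    "2024-03-04T11:40:22Z ids src=198.51.100.7 dst=10.0.0.5 signature=port_scan",
    "2024-03-04T14:02:10Z firewall action=allow src=10.0.0.17 dst=203.0.113.45 dport=443",
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split a line into timestamp, log source and a dict of key=value fields."""
    ts, source, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return ts, source, fields


def ioc_hits(fields):
    """Return (kind, value) for every field value that matches a known IoC."""
    hits = []
    for value in fields.values():
        for kind, values in IOCS.items():
            if value in values:
                hits.append((kind, value))
    return hits


def assess(lines):
    """Attribute each IoC hit to a stage; report furthest stage and non-linearity."""
    observations = []
    for line in lines:
        ts, source, fields = parse(line)
        for kind, value in ioc_hits(fields):
            stage = STAGE_BY_SOURCE.get((source, kind))
            if stage is not None:
                observations.append(
                    {"ts": ts, "source": source, "ioc": value, "stage": stage})
    if not observations:
        return {"observations": [], "furthest_stage": None, "non_linear": False}
    positions = [KILL_CHAIN.index(o["stage"]) for o in observations]
    # Non-linear when a later observation sits at an earlier stage than one before it,
    # e.g. renewed reconnaissance after command and control was already seen.
    non_linear = any(later < earlier for earlier, later in zip(positions, positions[1:]))
    return {
        "observations": observations,
        "furthest_stage": KILL_CHAIN[max(positions)],
        "non_linear": non_linear,
    }


if __name__ == "__main__":
    result = assess(LOGS)
    for o in result["observations"]:
        print(f"{o['ts']} {o['source']:<8} {o['ioc']:<45} -> {o['stage']}")
    print("furthest stage:", result["furthest_stage"])
    print("non-linear progression:", result["non_linear"])
```

The furthest stage, not the latest hit, is what should drive the response: a renewed reconnaissance hit after command and control has been observed does not mean the intruder has been pushed back to the start of the chain.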