Why detection is the most critical part in the kill chain

In 2011, Lockheed Martin analysts introduced a seven step intelligence-driven process called the ‘cyber kill chain.‘ The seven stages are as follows:


Identifying targets, gathering data (including spear phishing/social engineering attack research), and evaluating structures.


Identifying vulnerabilities, creating/finding exploits, and developing a manner of infecting targets.


Transferring exploits onto target devices.


Executing the exploit code (often in a multiple phases), and attempting to go undetected by existing breach defense systems.


Installing a backdoor in order to persist on the network.

Command and Control

Enabling communication between the exploit and its network so it can receive instructions.


Carrying out the primary purpose of the attack, which can include stealing money and intellectual property, destabilizing a competitor, and so on.

While every step in the kill chain is crucial and not to be overlooked, the final steps are often where we find the largest gap in an advanced threat protection strategy. These latter stages actually provide the most accurate picture of who is infecting your environment, while requiring the least amount of time and effort to remediate. Let’s take a look at the end of the kill chain, and why detection in particular is really the most important and valuable part to the business.

CISOs want to believe if they get prediction and prevention right, then it’s all going to work. Sophisticated CISOs understand that life actually gets better if they admit that one way or another, their network will get compromised, it’s simply inevitable. Target retail stores are one of the principal examples of this, highlighting the real financial toll that can actually occur.

> See also: Antimalware is becoming irrelevant in the mobile era

Target had prevention methods in places, but was completely overwhelmed by the number of alerts (false positives) being generated. So much so, that it muted some of the noise and ultimately missed the attack which at the time seemed benign. There is no way for Target (or anyone else for that matter) to completely prevent malware attacks from taking place.

As such, it is incumbent upon enterprise security professionals to adopt a new paradigm: one that continues to leverage intelligent prevention methods, tools and technologies, and augment those with solutions that emphasize detection. If Target had put more emphasis on detecting threats that were already beaconing out, (an actual compromised device and not a potential false positive) they could have potentially avoided one of the most costly breaches in history.

The good news, however, is that enterprises can resolve this paradox without re-inventing their network security architecture. A company need only expand their gaze to the bigger picture, or in this case further down the Kill Chain. One way to achieve this is by regularly analysing outbound traffic to identify anomalies and pinpoint compromised devices — but before the compromise becomes a breach, not after. Once equipped with this critical threat data, enterprises can automatically address it earlier in the kill chain to remediate the threat, and ensure that a similar attack does not happen again.

> See also: The kryptonite of cyber resilience: web supply chain attacks

More than 10 months after Target suffered a massive security attack, more major retail chains (Dairy Queen, Michaels, Home Depot, KMart and others) are suffering breaches.

Dairy Queen confirmed that 395 of their stores have been breached. The first known day of compromise was the 1st August, 2014, the last day being in the 6th October. The attackers were in their network for at least 66 days, and per store minimum time to detech and respond to the breaches rook 24 days, with a maximum of 64 days.

Once again, much like previous breaches, the statistics of the Dairy Queens’ breach shows the necessity of moving from trying to prevent an attack to try and detect and respond as quickly as possible.

Ultimately, it comes down to this: just as offices need to detect physical break-ins to keep criminals from committing espionage, enterprises need to put more focus on detecting APTs and other advanced threats to keep adversaries from penetrating their network and exfiltrating sensitive information, such as 11GBs of credit and debit card data affecting 110,000 Target customers.

This shift of focus from prevention to detection is more than just a change of course. Given the ever-worsening cyber threat landscape, coupled with the enormous strategic and financial value of intellectual property, it’s a view more and more enterprises today understand they must adopt.

Shifting the network defense perspective from prevention to detection ideally entails one that doesn’t require new hardware or software to purchase and install, and new security analysts to recruit and retain. 

> See also: How Home Depot and JP Morgan could have avoided the worst

Enterprises that rely only on prevention-focused perimeter security tools such as next generation firewalls, IPS, and secure web gateways are actually positioning themselves to be the next victims of cyber criminals who are able to now get past perimeter security defenses with startling ease. For example, malware such as DGA.Changer is an example of bypassing traditional security devices.

By looking at the end of the kill chain (analysing outbound traffic), enterprises can turn their reactive approach into a proactive stance — which is the only one they can afford to take if they want to reduce risk, protect their assets and costs to the business, and stay at least one step ahead of the bad guys.

Aviv Raff, CTO & Co-Founder at Seculert

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...