The endpoint attack chain… simplified


Understanding the different steps attackers take is crucial to guarding against attacks.


A comprehensive, defense in depth strategy using layers of overlapping protection has proven to be one of the best approaches to cybersecurity. This is why studying the attack chain, or cyber kill chain, to understand the different steps attackers take, is so crucial.

The cyber kill chain, as Lockheed Martin formulated it, identifies seven stages of a cyberattack:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives

However, the standard cyber kill chain is often more complicated than is necessary. Instead, it is sufficient to begin with a simpler, endpoint-specific attack chain that’s made up of just three major steps.

“I now behold this chain of events that I must break”
– Every Grain of Sand by Bob Dylan

1. Delivery and Instructions

This stage begins with the attackers gaining a foothold in an environment: they deliver their weapons (a phishing email, a malicious URL, a weaponized document) and then send those weapons instructions from their command and control infrastructure, telling them what to do.

As defenders, we have several opportunities to stop the attack at this stage without relying on endpoint security at all, including phishing education, network security and email protection.

However, if the attacker gets past these layers of our defense, we can still use endpoint security to block the exploits used for delivery, detect malicious URLs and stop weaponized documents. We also have an opportunity to detect communication with command and control servers.
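The last opportunity above, spotting command and control traffic, is worth making concrete. The following is an added example, not code from the original post or from any product it mentions: it assumes a minimal outbound connection log with one "timestamp source destination" record per line (epoch seconds) and flags source/destination pairs whose connections recur at a nearly constant interval, the signature of an implant sleeping between check-ins. The log lines are constructed for illustration.

```python
"""Flag command-and-control beaconing in outbound connection logs.

Added example, not code from the original post. It assumes a minimal
connection log with one "timestamp source destination" record per line
(timestamps in epoch seconds); the log below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: ws-12 calls the same host roughly once a minute
# with a few seconds of jitter (beacon-like); ws-07 shows bursty browsing.
SAMPLE_LOG = """\
1700000000 ws-12 updates.example-cdn.net
1700000060 ws-12 updates.example-cdn.net
1700000119 ws-12 updates.example-cdn.net
1700000181 ws-12 updates.example-cdn.net
1700000240 ws-12 updates.example-cdn.net
1700000300 ws-12 updates.example-cdn.net
1700000005 ws-07 news.example.org
1700000006 ws-07 news.example.org
1700000400 ws-07 news.example.org
1700000402 ws-07 news.example.org
1700001800 ws-07 news.example.org
1700001803 ws-07 news.example.org
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def interval_stats(timestamps):
    """Return (mean gap, coefficient of variation) of inter-arrival times.

    A beacon with a fixed sleep produces gaps with a low coefficient of
    variation; human-driven traffic is bursty and scores high. Returns
    None when there are too few connections to say anything.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return flows whose timing regularity looks like a beacon.

    min_connections guards against judging regularity from 2-3 samples;
    max_cv is the regularity threshold (0.1 == gaps within ~10% of mean).
    """
    suspects = []
    for (src, dst), ts in parse_log(text).items():
        if len(ts) < min_connections:
            continue
        stats = interval_stats(ts)
        if stats is None:
            continue
        period, cv = stats
        if cv <= max_cv:
            suspects.append({"src": src, "dst": dst,
                             "period_s": round(period), "cv": round(cv, 3)})
    return suspects


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: every ~{hit['period_s']}s (cv={hit['cv']})")
```

Legitimate software (update checkers, monitoring agents) beacons too, so treat a hit as a triage signal to combine with destination reputation or newly-seen-domain data rather than as a verdict; attackers who add large random jitter to their sleep will also push the coefficient of variation above a tight threshold, which is why the threshold is a parameter.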

2. Exploit and Execution

Next, attackers look to exploit endpoints and execute malicious code.

Endpoint defenses are often heavily focused on stopping malicious executables, either using foundational approaches like signatures or newer approaches like machine learning.

However, other complementary techniques should also be applied at this stage, including anti-exploit technology to prevent credential theft, privilege escalation and application abuse.

3. The Boom!

Finally, we get to the “boom!”, also known as the action or post-execution phase, where attackers inflict damage.

Even if an attacker is able to make it this far, there are layers of defense that can be applied. Data loss prevention (DLP) can be used to stop exfiltration of sensitive data.

Additionally, behavioral techniques, such as ransomware protection, can detect malicious activity in action and stop the attacker before they achieve their goals. Post-execution analysis can also be applied to understand the details of the specific attack chain.
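To show what "detecting malicious activity in action" looks like for ransomware, here is an added example that is not code from the original post or from any product it mentions. It assumes a stream of per-process file events of the form (timestamp, process, operation, path, payload), where the payload is the bytes written for a "write" and the new path for a "rename", and flags any process that, within a short window, overwrites many distinct files with high-entropy data or renames them to a new extension. The process names, paths and payloads are constructed; the "ciphertext" is a stand-in with maximal byte entropy.

```python
"""Behavioral ransomware detection over a stream of file-system events.

Added example, not code from the original post. It assumes per-process
file events of the form (timestamp, process, operation, path, payload),
where payload is the written bytes for "write" and the new path for
"rename"; the events below are constructed.
"""
import math
from collections import defaultdict

# Constructed payloads: ordinary document text (low entropy) and a
# stand-in for ciphertext (every byte value equally often, entropy 8.0).
PLAINTEXT = b"Quarterly revenue summary for the board. " * 20
CIPHERTEXT_STANDIN = bytes(range(256)) * 4

# Constructed event stream. editor.exe saves two documents normally;
# archiver.exe writes one high-entropy archive (legitimate compression);
# proc-x.exe overwrites six documents with high-entropy data and renames
# each to a new extension within a 30-second span.
EVENTS = [
    (10, "editor.exe", "write", "docs/budget.docx", PLAINTEXT),
    (12, "editor.exe", "write", "docs/notes.docx", PLAINTEXT),
    (50, "archiver.exe", "write", "backup/weekly.zip", CIPHERTEXT_STANDIN),
]
for i in range(6):
    EVENTS.append((100 + 5 * i, "proc-x.exe", "write", f"docs/file{i}.docx", CIPHERTEXT_STANDIN))
    EVENTS.append((101 + 5 * i, "proc-x.exe", "rename", f"docs/file{i}.docx", f"docs/file{i}.docx.locked"))


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_events(events, entropy_threshold=7.0):
    """Yield (timestamp, process, path) for writes of high-entropy data
    and for renames that change the file extension."""
    for ts, proc, op, path, payload in events:
        if op == "write" and shannon_entropy(payload) >= entropy_threshold:
            yield ts, proc, path
        elif op == "rename" and path.rsplit(".", 1)[-1] != payload.rsplit(".", 1)[-1]:
            yield ts, proc, path


def detect_ransomware(events, window=60, min_files=5, entropy_threshold=7.0):
    """Return {process: {"files": n, "start": ts}} for processes that touch
    at least min_files distinct files suspiciously within any `window` seconds.

    The per-process distinct-file count within a short window is what
    separates a compressor writing one archive from a process encrypting
    a whole directory.
    """
    per_proc = defaultdict(list)
    for ts, proc, path in suspicious_events(events, entropy_threshold):
        per_proc[proc].append((ts, path))

    verdicts = {}
    for proc, items in per_proc.items():
        items.sort()
        best = (0, None)
        for i, (start, _) in enumerate(items):
            touched = {p for ts, p in items[i:] if ts - start <= window}
            if len(touched) > best[0]:
                best = (len(touched), start)
        if best[0] >= min_files:
            verdicts[proc] = {"files": best[0], "start": best[1]}
    return verdicts


if __name__ == "__main__":
    for proc, v in detect_ransomware(EVENTS).items():
        print(f"{proc}: {v['files']} files modified suspiciously from t={v['start']}")
```

Entropy alone is a poor signal (archivers, image editors and encrypted backups all write high-entropy output), which is why the verdict hinges on how many distinct files one process alters in a short window; a real product would act on the first few hits, suspend the process and roll back the touched files, rather than wait for the full count.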

Often, endpoint defenses concentrate primarily on stopping executables; however, there are many other opportunities along the attack chain to disrupt an attack. Some defensive techniques might be very advanced, or they could be foundational approaches that have been in place for several years.

Regardless, the same mission is accomplished. If your layered defenses intercept an attack anywhere along the attack chain, you disrupt the entire attack.
