LAS VEGAS: The modern IT security landscape is often thought of as an adversarial battlefield, which is why it makes sense to ascribe military terms to IT security conflict.
“The Library of Sparta is a euphemism for the corpus of military doctrine,” said Tom Cross, director of security research at Lancope, who is presenting a session at the Black Hat USA conference that covers the use of military processes and strategies in a cybersecurity landscape. As Cross told eSecurityPlanet in an interview, “People have begun to apply concepts to the world of military doctrine to cybersecurity.”
One of the most often cited military concepts in cybersecurity is the term “kill chain.” In the U.S. Air Force, a kill chain is the set of steps required in order to shoot a missile. There are multiple steps in the Air Force’s kill chain. First there is a determination of what is being targeted, followed by a determination that the weapon is properly aimed at the target and confirmation that the target is correct. After the missile is fired, there is confirmation that the target was actually hit.
“When we apply the term kill chain to cybersecurity, we’re thinking about the stages that an attacker has to go through as they break into a network,” Cross said. “It’s helpful to lay out all the steps, as it lets us as defenders think more carefully about our control sets.”
Kill Chain’s Role in Cybersecurity
In Cross’ view, each step of the attacker’s operation is an opportunity for defenders to identify the attacker’s presence. If an organization can align its controls to the attacker’s kill chain, it’s possible to identify where there might be a gap, he said.
The concept of the kill chain also gives defenders a way to organize information collected about a given attacker. With the right organization and understanding of the kill chain, it is possible to more easily identify if a number of separate attacks are actually related.
“One of the interesting aspects of the kill chain is it turns asymmetry on its head,” Cross said.
Organizations think they have to be aware of all vulnerabilities on a network to prevent attacks, while an attacker only needs to be successful once in order to get in, Cross said, noting this isn’t actually true.
“The kill chain says that an attacker has a bunch of different steps they have to go through to get into the network and access data,” Cross said. “The attackers are trying to be covert, but each stage of their process is an opportunity for an enterprise to detect them.”
Looked at from that perspective, rather than thinking that cybersecurity favors offense, Cross said that understanding the kill chain gives defenders the advantage.
While there is a benefit to using some military strategies like the kill chain for cybersecurity, Cross emphasized that corporations are not military units.
“Corporations have a different culture and different priorities,” he said. “I’m not suggesting that corporations should behave like the military, but corporate security professionals can learn a lot from understanding how the military thinks about what they do.”
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.