How Zero Trust Allows Organizations to Address Each Step in the Cyber Kill Chain

In this blog post we look at the Cyber Kill Chain, how security models that assume trust only help in mitigating Steps 1 to 6 in the chain – i.e. everything up to the point of initial compromise – and how a Zero Trust approach to security both significantly up levels existing controls that focus on pre-compromise, while also providing key capabilities that are necessary to support post-compromise detection and response. As a result, organizations adopting Zero Trust are likely to be better prepared to detect and contain malicious intruders.

We all understand the value of defense-in-depth to prevent attacks from taking hold. Of course, this is why we have invested in next-generation firewalls (NGFWs) to protect the perimeter, endpoint security for employee devices, and email and web security tools to protect productivity, amongst the many other security investments we make.

The value of these preventative tools and defense-in-depth is captured in the Cyber Kill Chain, intended to identify and prevent cyber intrusions. Formalized by Lockheed Martin in 2011, the Cyber Kill Chain has, for the last decade, defined how organizations map out their security controls and, as a direct result, determine how they measure their cyber resiliency. Here are the seven steps:

1. Reconnaissance: An attacker gathers information on the target before the attack.
2. Weaponization: The cyber attacker creates their attack, such as an infected Microsoft Office document and phishing email or piece of malware.
3. Delivery: Transmission of the attack, like the sending of an actual phishing email
4. Exploitation: The actual ‘detonation’ of the attack, such as an exploit running on a system.
5. Installation: The attacker installs malware on the victim (not all attacks require malware).
6. Command and Control: The now compromised system “calls home” to a Command and Control (C&C) system for the cyber attacker to gain control.
7. Actions on Objectives: The attacker now has access and can move on to their actions to meet their objectives.

Falling back on the old adages of “a chain is only as strong as its weakest link” and “defense is the best form of attack”, the Cyber Kill Chain puts a premium on thwarting attackers progressing from left to right, or put another way, before they gain an initial infection or access inside an environment. The expectation that if you can stop a malicious actor at any point before step 7 (Actions on Objectives), you have successfully thwarted an attack.

The net result of this has been a strong (and perhaps over-) emphasis on preventative controls until recently – firewalls, anti-virus, web gateways — that don’t assume breach; rather they assume all attacks can be detected and blocked. Yet, all of these tools suffer from the same limitation: they are, at their best, preventing the ‘known bad’. They depend on the following assumptions:

1. The building housing my office and workforce is trusted.
2. The network perimeter is hard and trusted.
3. The network inside this trusted perimeter is trusted.
4. The devices attached to this trusted network are trusted.
5. The applications running on these trusted devices are trusted.
6. The users accessing these trusted applications are trusted.
7. Attackers are predictable, and repeat the same behaviors.

The objective of preventative controls is to keep the bad actors out and thereby maintain the implied trust level. But what happens if an attacker morphs from ‘known bad’ to ‘unknown bad’ – how do these lines of defense stack up then? Modern, sophisticated attacks (from the Target breach through to Cloud Hopper and everything in between and beyond) are designed to specifically exploit this false sense of trust to fast forward to Steps 6 and 7 on the Kill Chain, bypassing controls that look to prevent Steps 1 through 5. And these preventative controls are always playing catch up.

Before we proceed further, it’s important to stress that preventative measures are an important and essential part of any organization’s cyber defenses, but they are no longer the be all and end all. In fact, they are just the start. And that is because the assumptions they were built on no longer hold, especially in 2020 when the global pandemic has forced a complete revolution in how organizations in every sector work, resulting in a new normal:

1. My company is no longer located in specific locations.
2. A perimeter exists but it is not all encompassing.
3. The network often isn’t exclusive to my organization.
4. Devices I do not control exist on my network.
5. Often the applications the business is using are not hosted, owned and managed by me.
6. Users are everywhere.
7. Attackers are unpredictable, and always looking for new avenues of attack.

With these new assumptions showing that little can be absolutely trusted, we exist in a situation where the probability of preventing a breach is low – and so our focus must shift to detection, response, and containment. And here is where we bring in Zero Trust.

It’s important to split Zero Trust into 3 key areas:

1. Controls
2. Monitoring
3. Automation and Orchestration

Zero Trust controls

Zero Trust controls can nominally line up to the preventative controls that originated from the perimeter model of yore, but the starting point is different:

• The perimeter model assumes that everything on the inside can be trusted, and thus puts an overweighted emphasis on the strength of the perimeter – it is a one-size-fits-all approach.
• With Zero Trust, this assumption of implicit trust just does not exist – so we are forced to be smarter:
• What most needs protection?
• Who needs to access it?
• Where from?
• When?
• Why?
• What are the interdependencies?

These are the data points we use to build a Zero Trust policy.

If we consider this from the perspective of an attacker, we can see that a significantly higher bar is being put on their ability to successfully breach – they can no longer assume that simply gaining access to the network is sufficient, whether it be to perform lateral movement, escalate privileges or call back home. As we have seen from the Bishop Fox report on the efficacy of microsegmentation, Zero Trust controls such as this force attackers to change behavior and leverage other techniques, all of which enhance the defenders chance of detection. A Zero Trust approach to controls helps reduce the attack surface available for exploit. The Zero Trust control model is an update to defense-in-depth – with layers that protect vital data, making it difficult for attackers — even if they evade preventative technologies — to move freely.

MITRE ATT&CK Framework

Before we talk about Monitoring and Automation/Orchestration in the context of Zero Trust, let’s segue to the MITRE ATT&CK framework. The starting point of the framework is an assumption of breach, and an emphasis on understanding how an attacker will behave between that time of initial compromise to successful conclusion of the mission.  This understanding helps us define detection capabilities that monitor for specific events which, either in isolation or when correlated, provide us with an indicator of abnormal behaviour that may warrant further investigation.

Zero Trust monitoring

The MITRE ATT&CK framework puts a premium on visibility – high fidelity events from as many data sources as possible (network, firewall, proxy, AV, EDR, IAM, OS, Cloud Service Provider, Application, DB, IoT, etc) to allow defensive teams to model a range of behaviors that they associate with known attacks, and continue to evolve these as further knowledge on adversaries and their methods is gained. The Zero Trust approach puts a premium on visibility that previous approaches did not, in fact a motto of Zero Trust could be “you cannot protect what you cannot see.” Thus, by starting with improving visibility as part of a Zero Trust program and combined with using the MITRE ATT&CK framework to model adversarial behaviour that the organisation may be subjected to, value can be had in the defensive end of the Cyber Kill Chain using capabilities that already exist.

The excellent BBC Podcast “13 Minutes to the Moon” covers the infamous Apollo 13 expedition in its second series and the design of the Apollo spacecraft and the entire operational team supporting serves as a good analogy to highlight the importance of detection and response, despite the best attempts at prevention. The spacecraft designed for the Apollo mission had incredible amounts of resiliency and fail-safes built into every component, with numerous failure scenarios tested to ensure that any possible, expected outcome could be recovered from. With Apollo 13, the loss of a single booster engine was compensated by the firing of the other 4, however there was nothing in the design that could have prevented the wearing out of wiring insulation which triggered the explosion that jeopardized the mission – once this occurred (akin to a breach), the crew and mission control were entirely dependent on the telemetry from the spacecraft, observations from the astronauts and the experts on the ground to detect the problem, isolate it and recover from it. This is a great example of how, with data of the correct fidelity being made available from the relevant data sources coupled with the ability to efficiently analyze this data, security operations teams are far better prepared to triage incidents more accurately, allowing them to make better (and quicker) decisions on what event (or combination of events) need to be further investigated, and which can be safely ignored.

Zero Trust automation

The rise of Security Orchestration, Automation and Response (SOAR) platforms focuses on taking the whole post-detection phase of an attack and providing the technology set to move efficiently from Detection to Response. For common malicious behavior patterns, this whole sequence could even be automated so as to free up analyst time for the investigation of more sophisticated attacks. The SOAR platforms, to deliver these efficiencies, depend on their ability to integrate with technology solutions that provide the relevant data or take the necessary responsive actions. This is why orchestration and automation are an essential (but often overlooked) pillar in Zero Trust. While being able to orchestrate, through automation, a new setup, or modify an existing setup as part of a planned change provides significant operational benefits, the real security benefit is realized when the same platforms can be quickly and consistently orchestrated to react to a security incident.

So returning to where we started:

• The traditional perimeter approach to security only addresses part of the Cyber Kill Chain, and leaves us largely blind to the post compromise stages.
• Zero Trust significantly enhances prevention by starting with an audit of what is being protected (e.g. critical data or a key application) and ensuring that controls around this are built with a suitably least privileged approach.
• Zero Trust starts with a position of ‘assume breach’ and puts a premium on solutions providing high quality logs to support post compromise detection.
• Further, the advocation that technologies aimed at helping customers achieve Zero Trust must have good orchestration and automation means that they can support SOAR platforms in the automated response to incidents.

Thus, adopting a Zero Trust approach both enhances the traditional perimeter approach which focussed on thwarting the first 6 stages of the Cyber Kill Chain, and also arms organizations with the capabilities to focus on detecting and thwarting attackers should they reach Stage 7 and attempt to take their intended actions.

For more information on Illumio’s approach to Zero Trust, visit: https://www.illumio.com/solutions/zero-trust