If you have been in cyber security for any length of time, it is likely that you have heard about the concept of a kill chain.
Organizations today need an effective, actionable approach to defending against phishing and to avoiding the data breach that a successful phish so often leads to. The phishing attack kill chain gives you a way to identify and mitigate phishing attacks, and the risks they carry, earlier in the process.
What is the phishing attack kill chain?
The phishing attack kill chain is a way to better understand phishing by breaking it down into the distinct phases an attacker works through. The phases are:
- Phase 1 (Threat vectors): The attacker identifies the threat vectors available to leverage during the phishing attack.
- Phase 2 (Delivery): The attacker delivers the malicious email to the user, leveraging the identified threat vectors (URL, attachment, message copy) and attempting to slip past the controls in place.
- Phase 3 (Exploitation): The user opens the email and takes the action the attacker wants.
It is important for CISOs, CIOs and other IT security leaders to understand how the phishing attack kill chain can be used, and how to build defensive mechanisms for each phase so that phishing attempts do not succeed. The first step in breaking the kill chain is implementing compensating controls at each phase of the attack.
What are compensating controls?
Compensating controls reduce risk and vulnerability within a process or a system. The concept comes from the world of finance and audit, where a risk cannot be eliminated entirely, so controls are put in place to mitigate it.
Compensating controls work the same way in cybersecurity. Unless you eliminate email as a form of communication within the organization, there is no way to stop phishing attempts from arriving. A set of compensating controls applied at each phase of the phishing attack kill chain, however, reduces the risk that a phishing attack succeeds and results in some form of breach.
Let’s look now at the three phishing kill chain phases.
Phishing kill chain phases
Email is a vulnerable system: it was designed more than 50 years ago, without security at the forefront, and today that same system is critical to business communication. Neither email nor its associated risks will be eliminated. In the first phase of the kill chain, the attacker surveys those risks and chooses which to exploit.
Threat vectors inherently reside within email, including:
- Unauthenticated Senders
- Mail Header Data
- Links and Websites
- Message Copy
The most effective compensating controls are applied at this stage, because detecting anomalous or suspicious threat vectors before a message reaches a user is what a proactive email security posture rests on. If an organization can detect these vectors and apply the appropriate compensating control, it breaks the kill chain early, before the attack can succeed.
Compensating controls at this stage look for, and detect, anomalous items in an email across all of the threat vectors, so that policy can apply the appropriate risk mitigation at the delivery stage. For example, if a URL is known to be malicious, quarantine the email; if the URL is merely suspicious, apply link protection (rewrite the link so that the destination is checked when the user clicks it).
In the second phase, Delivery, the cyber criminals send the phishing email and attempt to bypass the email security controls that are in place.
The delivery phase takes advantage of the threat vectors in email by:
- Spoofing a Domain
- Sender Spoofing
- Email Header Spoofing
- Adding URLs/Links
- Adding Attachments
Whether it is spoofing headers or sender information so the message looks authentic to the end user, or luring the user into clicking a URL that harvests credentials, compensating controls at this stage of the phishing attack kill chain revolve around automated email protections.
Organizations use compensating controls such as quarantine, file removal or link rewriting to mitigate risk upon delivery. Another compensating control is a dynamic user alert that tells the user which suspicious characteristics the email contains. The goal is a layered approach tuned to the risk tolerance of the organization or of a particular set of users.
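As an added example (not code from the original article or from any vendor product), the following Python script shows what a policy engine covering the first two phases looks like in practice. It inspects one message across the threat vectors listed above (unauthenticated sender, header data, links, message copy and attachments) and applies the delivery-stage controls the article names: quarantine, link rewriting, attachment removal and a dynamic user alert. The domains, blocklist, scoring weights, quarantine threshold and link-protection proxy are all hypothetical, and the two messages are constructed for the example, not real captures. The Authentication-Results header is the one the receiving mail server writes (RFC 8601); the script trusts it as given.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import quote, urlsplit

# Hypothetical tenant data: our own domains, a URL blocklist, attachment types worth
# stripping, the link-protection proxy to rewrite through, and the quarantine score.
INTERNAL_DOMAINS = {"example.com"}
KNOWN_MALICIOUS_URLS = {"http://login-example.com/verify"}
RISKY_EXTENSIONS = (".xlsm", ".docm", ".js", ".vbs", ".iso", ".exe")
LINK_PROXY = "https://linkprotect.example.com/?u="
QUARANTINE_THRESHOLD = 4
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def levenshtein(a, b):
    """Edit distance; a From domain within 2 edits of our own is treated as a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def auth_failures(msg):
    """Failed SPF/DKIM/DMARC verdicts from the receiving MTA's Authentication-Results header."""
    results = str(msg.get("Authentication-Results", ""))
    return [m for m in ("spf", "dkim", "dmarc") if re.search(rf"\b{m}=fail\b", results)]

def triage(msg):
    """Score one message across the threat vectors and choose a delivery action."""
    findings, score = [], 0
    failed = auth_failures(msg)                       # vector: unauthenticated sender
    if failed:
        findings.append("authentication failed: " + ",".join(failed))
        score += 2
    from_dom = domain_of(msg.get("From", ""))         # vector: header data
    if from_dom not in INTERNAL_DOMAINS and any(levenshtein(from_dom, d) <= 2 for d in INTERNAL_DOMAINS):
        findings.append("lookalike sender domain " + from_dom)
        score += 2
    if msg.get("Reply-To") and domain_of(msg["Reply-To"]) != from_dom:
        findings.append("Reply-To domain differs from From domain")
        score += 1
    body = msg.get_body(preferencelist=("plain",)).get_content()   # vector: links in the copy
    for url in URL_RE.findall(body):
        if url in KNOWN_MALICIOUS_URLS:
            findings.append("known malicious URL " + url)
            score += QUARANTINE_THRESHOLD             # a blocklisted link alone means quarantine
        elif urlsplit(url).hostname not in INTERNAL_DOMAINS:
            body = body.replace(url, LINK_PROXY + quote(url, safe=""))   # link protection
    removed = [p.get_filename() for p in msg.iter_attachments()    # vector: attachments
               if (p.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)]
    if removed:
        findings.append("risky attachment removed: " + ",".join(removed))
        score += 2
    # Policy ladder: quarantine on a hard signal or stacked soft ones; otherwise deliver
    # with the controls applied and a dynamic alert the user sees in the moment.
    if score >= QUARANTINE_THRESHOLD:
        action = "QUARANTINE"
    elif findings:
        action = "DELIVER_WITH_WARNING"
        body = "[WARNING] " + "; ".join(findings) + "\n\n" + body
    else:
        action = "DELIVER"
    return {"action": action, "findings": findings, "body": body, "removed_attachments": removed}

def build_message(sender, auth_results, text, reply_to=None, attachment=None):
    """Constructed sample message (not a real capture)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", "Action required"
    msg["Authentication-Results"] = auth_results
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(text)
    if attachment:
        msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg

# Sample 1: lookalike domain, failed SPF/DMARC and a blocklisted link -> quarantine.
PHISH = build_message(
    "IT Helpdesk <helpdesk@examp1e.com>",
    "mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com",
    "Your mailbox is full. Verify at http://login-example.com/verify within 24h.")
# Sample 2: authenticated external sender, mismatched Reply-To, macro workbook -> warn/rewrite/strip.
SUSPICIOUS = build_message(
    "Acme Billing <billing@acme-invoices.net>",
    "mx.example.com; spf=pass; dkim=pass header.d=acme-invoices.net; dmarc=pass",
    "Invoice 123 attached; portal: https://acme-invoices.net/inv/123",
    reply_to="pay@acme-pay.biz", attachment="invoice.xlsm")

if __name__ == "__main__":
    for sample in (PHISH, SUSPICIOUS):
        print(triage(sample))
```

The scoring ladder is the part to tune to your risk tolerance: here a blocklisted URL alone is enough to quarantine, while an authenticated external sender with a mismatched Reply-To and a macro-enabled attachment is still delivered, but with the link rewritten through the proxy, the attachment stripped and a banner listing the findings, which is the layered, in-the-moment alert the text describes.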
In the exploitation phase, the attacker's goal is to make the end user take a specific action: clicking a URL in the email, replying to an email from a fake sender, or opening an attachment that may contain malware. This is the step at which the action takes place.
Exploitation is defined by:
- Opening a malicious attachment
- Clicking on a malicious link
- Responding to the email with sensitive information
This stage is often the most dangerous, because the cybercriminal needs the user to take action in order to achieve the end goal. To break the kill chain at this stage, users need education in the moment they are interacting with the email.
Compensating controls at this stage include mailbox intelligence, which gives users a visual representation of the risk associated with a specific email; account takeover protection based on keystroke biometrics, which makes it much harder (though no behavioral control makes it impossible) for a cybercriminal to use stolen credentials to impersonate a user; and a simple way for users to report phishing attempts, which helps them make better decisions when interacting with email.
If a phishing attempt does succeed, a remediation capability that can quickly search for and remove every instance of the email across the organization reduces the mean time to detect and respond to the attack.
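As an added example (not the article's or any product's code), here is that search-and-remove step in Python, run over an in-memory stand-in for the organization's mailboxes. The indicators are derived from the reported message itself rather than from its subject, and the URL comparison drops query strings and fragments, so per-recipient variants of the same campaign are caught as well as exact copies. The mailboxes and messages are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def normalise_url(url):
    """Drop per-recipient query strings and fragments so variants of one campaign collide."""
    return url.split("#", 1)[0].split("?", 1)[0].lower().rstrip("/")

def parse(raw):
    return message_from_string(raw.strip(), policy=policy.default)

def indicators(msg):
    """Pivots derived from a message; the subject is deliberately not one of them."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {"message_id": str(msg.get("Message-ID", "")).strip(),
            "sender": parseaddr(str(msg.get("From", "")))[1].lower(),
            "urls": {normalise_url(u) for u in URL_RE.findall(body)}}

def match_reasons(msg, ioc):
    """Which of the reported message's indicators this message shares."""
    other = indicators(msg)
    reasons = []
    if ioc["message_id"] and other["message_id"] == ioc["message_id"]:
        reasons.append("message-id")
    if ioc["sender"] and other["sender"] == ioc["sender"]:
        reasons.append("sender")
    if ioc["urls"] & other["urls"]:
        reasons.append("url")
    return reasons

def clawback(store, reported):
    """Remove every copy or variant of the reported message from every mailbox in the store."""
    ioc = indicators(reported)
    removed = []
    for mailbox in list(store):
        kept = []
        for msg in store[mailbox]:
            reasons = match_reasons(msg, ioc)
            if reasons:
                removed.append((mailbox, indicators(msg)["message_id"], reasons))
            else:
                kept.append(msg)
        store[mailbox] = kept
    return {"removed": removed, "remaining": sum(len(m) for m in store.values())}

# Constructed sample mailboxes (no real traffic): one campaign with per-user links,
# a second sender reusing the same landing page, and benign mail that must survive.
def _mail(mid, sender, subject, body):
    return parse(f"Message-ID: <{mid}>\nFrom: {sender}\nTo: user@example.com\nSubject: {subject}\n\n{body}\n")

STORE = {
    "alice@example.com": [
        _mail("c1@examp1e.com", "IT Helpdesk <helpdesk@examp1e.com>", "Alice: mailbox full",
              "Verify at http://login-example.com/verify?u=alice")],
    "bob@example.com": [
        _mail("c2@examp1e.com", "IT Helpdesk <helpdesk@examp1e.com>", "Bob: quota exceeded",
              "Verify at http://login-example.com/verify?u=bob"),
        _mail("n1@example.com", "Payroll <payroll@example.com>", "Payslip",
              "See https://intranet.example.com/payslips")],
    "carol@example.com": [
        _mail("c3@acme-pay.biz", "Billing <billing@acme-pay.biz>", "Overdue invoice",
              "Pay now: http://login-example.com/verify#carol"),
        _mail("n2@example.com", "IT Helpdesk <helpdesk@example.com>", "Maintenance window",
              "Details at https://intranet.example.com/status")],
}
REPORTED = STORE["alice@example.com"][0]   # the copy a user sent in via the report button

if __name__ == "__main__":
    print(clawback(STORE, REPORTED))
```

Against a real mail platform the store would be the search API and `kept`/`removed` would become move-to-quarantine calls, but the logic is the same: pivot on what the attacker cannot cheaply vary (the landing page, the sending identity) and keep the removal report, since it doubles as the list of users to notify.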
Overall, organizations should consider which compensating controls are available to them at each stage of the phishing attack kill chain. It is not possible to stop every phishing attack, but it is possible to develop an approach that protects data, informs employees and end users, and secures the email environment as well as it can be secured.