The Cyber Kill Chain Is Getting Shorter As the Skills Gap Widens

July 10, 2019
| |
3 min read

The pressure keeps mounting for individuals with cyber skill sets as well as organizations that can’t afford or attract them as employees. At the same time, cybercriminals are consolidating the cyber kill chain by launching attacks more quickly through predefined, weaponized packages, which puts pressure on IT and security teams to find answers in a shorter amount of time but with the same bench of staff.

According to Alert Logic’s “2018 Critical Watch Report,” attackers have expedited the first five stages of the cyber kill chain, creating a “compressed model [that] renders the standard methods of detecting and interrupting an attack ineffective. Instead, the attack response must shift from detect and deny to disrupt, degrade, deceive, or contain.”

Nearly a year later, these predefined, weaponized attacks have only increased and are becoming more popular while security teams face the same hardships resulting from the cybersecurity skills gap. As a result, they are often left burnt out or motivated to look for work elsewhere.

While the cybersecurity skills gap is a years-old challenge, organizations are facing a new conundrum: The cyber kill chain is getting shorter. How can the industry address these dual problems?

Keeping Pace With Cybercriminals

Given the increased commoditization of attack vectors, threat actors are able to do a better job with initial entry and cleaning up after themselves.

“This creates an environment where, if you are going to introduce yourself into that system, you have to be watching things differently,” said Jack Danahy, Alert Logic’s senior vice president of security.

And, despite the decrease in dwell time the industry has witnessed over the past year, Danahy said that’s not really a fair indication of effectively stopping attacks.

“We saw a rise in ransomware, and, by its nature, ransomware doesn’t have a lot of dwell time, so in the aggregate, it created a situation where it seemed as though these attacks were being detected much more quickly,” Danahy said.

As ransomware use has declined, attackers have returned to more traditional data exfiltration attacks, which have gotten a lot more stealthy. The initial attack vector itself is fast, whether it’s through the use of phishing or another social engineering tactic. Once a machine is exploited, attackers can either lay low and slow or exfiltrate data quickly.

“We’ve seen that there is a really rapid path of minutes or hours to initial data exfiltration, but if what I’m looking for is transactional information, I may want to stay for a long time,” Danahy said.

Unfortunately, many security teams, particularly in smaller organizations, aren’t going to have the level of security needed to respond as rapidly as criminals are able to attack.

Train From the Inside Out

A big part of the challenge for many organizations is a lack of skilled security staff. If organizations can’t find the talent outside, they should consider those within the ranks of the broader IT staff who might be candidates for training. Upskilling internally can help take the burden off of already-overworked cybersecurity specialists.

Keeping up with the level of technology adoption is equally problematic given the widening skills gap, particularly as organizations create more multicloud environments that require multiple security teams to fully protect. By identifying what you are able to do well with the staff available, you can start to change the way you think about partitioning security tasks.

Working with trusted partners can provide organizations with a combination of skills that truly enhances overall security posture. As the Alert Logic report put it, “Your chance of winning against attackers increases without adding staff overhead. That’s the power of having an adaptive battle team that focuses on security 24x7x365.”

Despite advancements in technology, however, employees will always play a critical role in stopping attacks at different stages of the cyber kill chain, especially during the delivery phase. Lance Spitzner, director of SANS Security Awareness, recently wrote in a blog post, “To date, the vast majority of organizations and security professionals have taken a technology approach to leveraging kill chain models, ignoring the human side … it is people and not technology that are the first line of defense in detecting and stopping many of these attacks.” Organizations can benefit greatly from the watchful and informed eyes of attentive insiders who know how to identify and report potential threats.

Training employees on social engineering tactics and the ways they can be deceived by people they engage with via email, over the phone, via text or even in person will help them recognize when they are being targeted by malicious actors, giving humans a leg up on technology when it comes to certain types of attacks.

Kacy Zurkus

Zurkus is an influential writer covering a range of security topics with a focus on mitigating risks to businesses. Her work has been published in a variety ...
read more