CYBER KILL ZONE

Hayden Smith • Jan 03, 2024

Are you in a Cyber Kill Zone?


At Hunted Labs, we think a lot about how we can best position our clients against a cyber attacker.


In any fight, positioning is paramount: it helps you beat your opponent, maintain an advantage, and, hopefully, avoid being caught flat-footed in any future attack. We will quickly break down what a kill zone is historically, our definition of a Cyber Kill Zone at Hunted Labs, and the top five indicators that your organization is sitting in a Cyber Kill Zone.


What is a Kill Zone?


A Kill Zone is the area of a military engagement with a high concentration of fatalities, or the area of the human body where entry of a projectile would kill. As we think about how this applies to cybersecurity, there are key things to consider, such as the easy, fundamental steps that keep us out of the kill zone.

What is the Cyber Kill Zone?

The industry has used the “Cyber Kill Chain” for a long time, and for good reason: it provides logic and rationale for systematically breaking down the elements of a cyberattack. However, when an engineer uses the “Cyber Kill Chain”, it is usually to describe the phases of an attack after the fact. To take a proactive approach to security and cyberattacks in general, we must start looking at our Cyber Kill Zone.


The Cyber Kill Zone is an area of weakness within your organization that, when exploited, has the potential to cause severe and/or catastrophic impact.


The fundamental difference between a Cyber Kill Zone and a Cyber Kill Chain is that you can proactively identify a Kill Zone as part of your planning process, maneuver out of it, and train your engineers on how to act if caught in a Cyber Kill Zone incident.

Alas, how do we know if our organization is located squarely in the Cyber Kill Zone, and is it about to end up on the cold metal table being dissected in a post-mortem?


Let’s take a look at our top five Cyber Kill Zone indicators, a non-exhaustive list, below.


Indicators you are in a Cyber Kill Zone:


  1. No visibility into software being consumed, used, and deployed throughout your environment: If you aren’t doing this by now, you may not even realize how poorly you are positioning your organization. Software development and deployment move extremely fast. You can look at any package repository, such as NPM, and see an explosion in packages insecurely published/consumed within the past two to three years. Consumption of open source software and third-party code will continue to increase. Organizations need automated discovery of vulnerabilities and alerting on those vulnerabilities, and better yet, exploit information front and center. If you aren’t gaining visibility by inventorying and inspecting software consumption within the software supply chain of your organization, then you could be sitting squarely in the Cyber Kill Zone.
  2. Not Actively Tracking Known Vulnerabilities and Exploits: This is one of the most pervasive problems plaguing development teams today. It’s not entirely their fault, as security scanners typically raise alerts for CVEs that are not important because no exploit exists and the likelihood of attack is slim, or teams are bombarded by false positives from the multiple scanners they use in their environment. Few organizations manage to 1) gather the data from multiple sources, 2) clean the data of false positives, 3) take action based on vulnerability and exploit information, and 4) provide technical mitigations for the impacted bits of software. Items 1–3 can be especially difficult to overcome because of the scale of software environments today, which may have hundreds of thousands of pieces of software in use across hundreds of thousands of assets. However, a great first step out of the Cyber Kill Zone is to adopt CISA’s free list of Known Exploited Vulnerabilities, which any organization can use to thwart near-term cyber threats. There is a lot of movement on this topic, specifically with the evolution of EPSS and VEX, which will hopefully help organizations improve their security posture.
  3. Failing to Address New Attack Trends: If you see your organization (this could be your security team, dev team, ops team, or all of the above) having trouble making decisions to overcome new trends in attacks, this could be a symptom of a larger cultural problem in adapting to emerging threats, or of a larger problem: your team doesn’t have the capabilities to address the threats at all. Many larger enterprises will be stifled by this issue, which will prevent them from taking proactive action to outmaneuver future attacks. Additionally, many will waste the time of their engineers and the money of their organization searching for the “unicorn” security tool that doesn’t exist rather than choosing a tool best suited to their team’s capabilities. For these organizations, once an attack does occur, it becomes a compounding factor, which normally leads to a really big incident response company collecting a seven-figure payday to clean up someone else’s cyber-in-decision. This can be avoided, and you can move yourself out of the kill zone.
  4. Invincibility Syndrome: I like to call it “invincibility syndrome” when teams, clients, or the old salty guy waiting to retire starts yelling from the back of the room about how they do not have to worry about “XYZ” problem yet, or about how they did it when they did the moon landing. This is a cultural, yet pervasive, problem that can be as impactful as the threat itself. Things like “This is how we did it last time/we’ve always done it this way,” “This won’t happen to us,” “We don’t have to worry about that yet”… Brace for impact.
  5. Lack of proper training tailored to your organization: Too often we have seen organizations fail to properly instruct their employees on which tools/resources are approved for use by the organization. Everyone has personal preferences on which tools are best, but that doesn’t mean they should be used within the current environment. I cannot express enough how many times we’ve seen employees (from past lives) and clients alike sending confidential data/information/secrets/API tokens to personal email accounts. Many times, it’s a lack of understanding of where to go and which current tools should be used. Just because a company has a policy about it doesn’t mean employees will actually read it.
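Indicators 1 and 2 together describe a concrete workflow: inventory what is in use, merge findings from several scanners, drop confirmed false positives, and prioritize by the CISA KEV list first and an EPSS probability second. The following is an added example of that triage logic, not code from the Hunted Labs post; the CVE ids, package names, scores and the "KEV" set are all constructed placeholders, standing in for the real KEV catalog, EPSS feed and VEX statements an organization would pull in.

```python
"""Triage merged scanner findings: KEV first, then EPSS, minus VEX not_affected.

Added example, not from the original post. Every value below is constructed;
replace the KEV, EPSS and NOT_AFFECTED sets with data from the real feeds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    cve: str
    scanner: str


# Constructed findings from two scanners; the first CVE is reported by both.
FINDINGS = [
    Finding("libexample", "1.2.3", "CVE-0000-0001", "scanner-a"),
    Finding("libexample", "1.2.3", "CVE-0000-0001", "scanner-b"),
    Finding("webfw", "4.0.1", "CVE-0000-0002", "scanner-a"),
    Finding("oldtool", "0.9", "CVE-0000-0003", "scanner-b"),
    Finding("webfw", "4.0.1", "CVE-0000-0004", "scanner-b"),
]
KEV = {"CVE-0000-0002"}  # constructed stand-in for the CISA KEV catalog
EPSS = {"CVE-0000-0001": 0.35, "CVE-0000-0002": 0.91,  # constructed scores (0..1)
        "CVE-0000-0003": 0.40, "CVE-0000-0004": 0.01}
# Constructed: findings a VEX statement marks not_affected (cleaned false positives).
NOT_AFFECTED = {("oldtool", "0.9", "CVE-0000-0003")}


def dedupe(findings):
    """Collapse duplicate (package, version, cve) rows; remember which scanners saw them."""
    seen = {}
    for f in findings:
        seen.setdefault((f.package, f.version, f.cve), set()).add(f.scanner)
    return seen


def triage(findings, kev, epss, not_affected, epss_threshold=0.10):
    """Return [(key, tier, scanners)] by urgency: tier 0 KEV, 1 EPSS >= threshold, 2 backlog."""
    ranked = []
    for key, scanners in dedupe(findings).items():
        if key in not_affected:          # step 2: drop confirmed false positives
            continue
        score = epss.get(key[2], 0.0)
        tier = 0 if key[2] in kev else (1 if score >= epss_threshold else 2)
        ranked.append((tier, -score, key, sorted(scanners)))
    ranked.sort()                        # KEV first, then highest EPSS within a tier
    return [(key, tier, scanners) for tier, _, key, scanners in ranked]
```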


If you find yourself identifying with one of these top five indicators of being in the Cyber Kill Zone, then please stand by for part two of this blog, which will discuss how to maneuver your team out of the Cyber Kill Zone!

By properly identifying your Cyber Kill Zone, hopefully you will find yourself outside of the Cyber Kill Chain.


Happy Hunting!

