At Hunted Labs, we think a lot about how we can best position our clients against a cyber attacker.
In any fight, your positioning is paramount to beating your opponent, maintaining an advantage, and hopefully, can help you from being caught flat footed in any future attack.
We will quickly break down what a kill zone is historically, our definition of a Cyber Kill Zone at Hunted Labs, and the top five indicators your organization is sitting in a Cyber Kill Zone.
What is a Kill Zone?
A Kill Zone is the area of a military engagement with a high concentration of fatalities, or the area of the human body where entry of a projectile would kill. As we think about how this applies to cybersecurity, there are key things we need to consider like easy fundamental steps to keep ourselves out of the kill zone.
What is the Cyber Kill Zone?
The industry has been using the “Cyber Kill Chain” for a long time and for a good reason because it helps provide logic and rationale to systematically break down the elements of a cyberattack. However, when an engineer is using the “Cyber Kill Chain”, it usually is used for describing the phases of how an attack took place after the fact. In order to take a proactive approach to security and cyberattacks in general, we must start looking at our Cyber Kill Zone.
The Cyber Kill Zone is an area of weakness within your organization, that when exploited, has the potential to cause severe and/or catastrophic impact.
The fundamental difference between a Cyber Kill Zone and a Cyber Kill Chain is that you can proactively identify a Kill Zone as a part of your planning process, maneuver out, and train your engineers on how to act if caught in a Cyber Kill Zone incident.
Alas, how do we know if our organization is located squarely in the Cyber Kill Zone and is my organization about to end up on the cold metal table being dissected in a post-mortem?
Let’s take a look at our list of top five Cyber Kill Zone indicators, yet non-exhaustive list below.
Indicators you are in a Cyber Kill Zone:
-
- No visibility in software being consumed, used, deployed throughout your environment: If you aren’t doing this by now, you have no idea that you are diligently and intentionally putting your organization in a poor position. Software development deployment is extremely fast. You can look at any package repository, such as NPM, and see an explosion in packages insecurely published/consumed within the past two to three years. Consumption of open source software and third party code will continue to increase. Organizations need automated discovery of vulnerabilities and alerting of those vulnerabilities, and better yet, exploit information front and center. If you aren’t gaining visibility by inventorying and inspecting software consumption within the software supply chain of your organization, then you could be sitting squarely in the Cyber Kill Zone.
- Not Actively Tracking Known Vulnerabilities and Exploits: This is one of the most pervasive problems plaguing development teams today. It’s not entirely their fault as security scanners typically prompt alerts for CVE’s that are not important due to lack of an exploit. The likelihood of the attack is slim or they are bombarded by false positives found by the multiple scanners they use in their environment. Few organizations take advantage to 1) gather the data from multiple sources 2) clean the data of false positives 3) take action based on vulnerability and exploit information 4) provide technical mitigations for those impacted bits of software. This can be more difficult to overcome for items 1–3, because of the scale of software environments today that could have hundreds of thousands of pieces of software in use across hundreds of thousands of assets. However, a great first step out of the Cyber Kill Zone is to adopt CISA’s free list of Known Exploited Vulnerabilities that can be used by any organization to thwart near term cyber threats. There is a lot of movement here on this topic, specifically with the evolution of EPSS and VEX which will hopefully help organizations improve their security posture.
- Failing to Address New Attack Trends: If you are seeing your organization (this could be your security team, dev team, ops team, or all of the above) having trouble making decisions to overcome new trends in attacks then this could be a symptom of a larger problem in your culture to adapt to emerging threats. Or, a larger problem that your team doesn’t have the capabilities to address the threats at all. Many larger enterprises will be stifled by this issue which will prevent them from taking proactive action to out maneuver future attacks. Additionally, many will waste the time of their engineers and the money of their organization searching for the “unicorn” security tool that doesn’t exist rather than choosing a tool best suited to their team’s capabilities. For these organizations, once an attack does occur, it actually becomes a compounding factor which normally leads to a really big incident response company gathering a seven figure payday to clean up someone else’s cyber-in-decision. This can be avoided and you can move yourself out of the kill zone.
- Invincibility Syndrome: I like to call this “invincibility syndrome” when teams, clients, or the old salty guy waiting to retire starts yelling at the back of the room about how they do not have to worry about “XYZ” problem yet or this is how they did it when they did the moon landing. This is a cultural, yet pervasive problem that could be as impactful as the threat itself. Things like “This is how we did it last time/we’ve always done it this way,” “This won’t happen to us” “We don’t have to worry about that yet”… Brace for impact.
- Lack of proper training tailored to your organization: So many times we have seen organizations not properly instruct their employees on which tools/resources are approved for use by the organization. Everyone has personal preferences on which tools are best, but that doesn’t mean that they should be used within the current environment. I cannot express enough how many times we’ve seen employees (from past lives) and clients alike, sending confidential data/information/secrets/api tokens to personal email accounts. Many times, it’s a lack of understanding where to go and which current tools should be used. Just because a company may have a policy about it, doesn’t mean employees will actually read it.
If you find yourself identifying with one of these top five indicators of being in the Cyber Kill Zone, then please standby for part two of this blog which will discuss how to maneuver your team out of the Cyber Kill Zone!
By properly identifying your Cyber Kill Zone, hopefully you will find yourself outside of the Cyber Kill Chain.
Happy Hunting!