Extended Detection and Response (XDR) Needs a New Kill Chain

When it comes to spotting and defeating today’s advanced cyberattacks, the predominant kill chains used in security products clearly aren’t up to the task. New attacks occur every day, and they are increasingly creative and complex. For example, the SolarWinds hack targeted a user’s email, then used that ID to navigate the company’s network, and then installed malware in the outbound software update server that gave the hackers access to every SolarWinds customer’s network.

Kill chains are supposed to facilitate identification and remediation of cyberattacks, but XDR poses new challenges. In the first place, XDR examines all areas of the infrastructure, from servers to endpoints to cloud and SaaS. Current kill chains weren’t designed to monitor and identify attacks in these multiple areas. And there are other drawbacks as well.

Many current security products use the Lockheed Martin Cyber kill chain, but it’s an old approach, having been created in 2011. It was designed to spot malware, while many attacks these days proceed laterally through the cloud, SaaS applications or email. The other kill chain in broad use is MITRE ATT&CK. MITRE ATT&CK can spot various types of intrusions, but it looks for linear attacks, while many exploits these days proceed in a non-linear fashion. Significantly, the Lockheed Martin Cyber kill chain is not compatible with MITRE ATT&CK.

In addition, these two kill chains make it hard to differentiate internal from external attacks, they do not capture complex attack progression, and they don’t enable event tagging so analysts can more easily identify new attack trends.

To fully support XDR’s new capabilities, the industry needs a kill chain that covers all detections, is MITRE ATT&CK compatible, spots internal versus external attacks, and incorporates more tactics and techniques beyond the MITRE framework. The kill chain should make it easy to spot, prioritize and neutralize security incidents. Here are some of the keys to success in designing a new XDR kill chain.

• The system needs a new Interface that shows a handful of kill chain stages – enough stages to prioritize attacks and watch their progression but not too many for an analyst to remember.
• The kill chain should capture the progression of complex attacks – alerts should appear in the context of the phased kill chain so analysts can easily prioritize them, and so C-level executives can understand them at a high level.
• The system should integrate both the Lockheed Martin Cyber Kill Chain and the MITRE ATT&CK Kill Chain while adding new tactics and techniques beyond the MITRE ATT&CK framework.
• The kill chain should clearly show external vs. external attacks to help analysts know exactly where to look to stop attackers.
• The system should allow event and incident tagging so new attack trends can be easily spotted.
• The system should normalize data from multiple security tools so it can present a consistent data set to the AI engine that classifies and reports incidents.

These features are not present in the current leading kill chains, but they are essential to enable fast and accurate identification and remediation of today’s complex attacks. Only a new kill chain will enable XDR to live up to its full potential.

About the Author

Sam Jones, Vice President of Product Management, Stellar Cyber.  Sam is an experienced product development leader with a track record of building AI and security products that customers love. He has a strong background in AI/ML, data infrastructure, security, SaaS, product design, and defense. Sam has held product and engineering positions at companies including Palantir Technologies and Shield AI, and worked for the US Air Force on cyber defense strategy. Sam earned his Bachelor’s degrees in Electrical and Computer Engineering from Cornell University.  Learn more about Sam at https://stellarcyber.ai