Top 3 Reasons to Alert Based on the Cyber Kill Chain Model

cyber kill chain

Updated June 2021

Picture this – It’s 8 AM on Monday and you’re sitting at your desk with a fresh cup of coffee, ready to start a new week. You log in to your workstation, hopeful that your team can kick-off the proactive DNS threat hunt you’ve planned out. Once you’ve opened the usual web browser tabs and tools, reality hits you – there’s over 100 alerts to comb through of varying fidelity and stemming from multiple technologies. No side projects today.

Sound familiar?

Cyber Kill Chain specified by Lockheed Martin

Cyber Kill Chain specified by Lockheed Martin

If so, you’re not alone. Alert fatigue is overwhelming security teams. According to 451 Research, 43% of enterprises are unable to act on at least 25% of the alerts generated by their security products. Alert fatigue can cascade into security teams being forced to “work in the moment” or merely hop from alert to alert, without having time to proactively generate benchmarks, metrics, or even set goals.

There’s still hope though. By mapping alerts to the Cyber Kill Chain, you can optimize your alert monitoring while also generating metrics and benchmarks for your security posture that allow you to show improvement over time. The Cyber Kill Chain was developed by Lockheed Martin and shows the chronological stages that a security incident progresses through.

Below are the top 3 reasons why your security team should alert based on the Cyber Kill Chain model.

1. Produce Meaningful Metrics Around True Positive Incidents

When it comes to alerting, it’s tough to set a goal on how many true positive alerts are optimal. Too few true positive incidents suggest that alerts are poorly configured and not detecting cyber attacks. Too many true positive incidents suggest that the environment is incredibly vulnerable and at high-risk for a significant incident. Mapping alerts to the Cyber Kill chain enables you to more granularly examine true positive incidents and extract meaningful metrics.

One valuable metric to goal-set for is early stage detection, which is when incidents are detected during the early phases of the kill chain, rather than the later stages. Early stage detection means that the incident has a smaller scope and impact. Scope, impact, and overall severity will increase as the triggered alert is mapped to later stages. The crucial requirement to get meaningful metrics around early stage detection is that the monitored alerts are mapped to the cyber kill chain.

2. Better Understand Visibility Gaps

Companies today are investing in new technologies, tools, and even geographic locations at a faster rate than security teams can keep up with. With new technologies comes new alerting and monitoring, adding to an already unorganized wave of e-mail alerts. Because of this, it’s hard for organizations to quantify visibility into their environment.

When alerts are based off the Cyber Kill Chain model, organizations are given an understanding of where they have visibility from an attacker’s perspective, and where the organization has gaps. For instance, with alerts mapped to the Cyber Kill Chain, an organization may realize that monitoring is lacking on the reconnaissance stage. This represents a visibility gap and can lead to prioritizing new alerts or technologies to improve the overall information security posture and respond quickly with an incident response..

3. Prioritize New Alerts, Technologies, and Integrations

Building off the identified visibility gaps, an organization can strategically decide what new additions or purchases will have a direct impact on visibility and kill chain coverage. When an organization maps alerts to the Kill Chain and finds that coverage of reconnaissance-based activities is lacking, they would explore deploying new alerts, investing in perimeter defenses, and even forwarding additional perimeter log sources to their SIEM in order to improve visibility. When changes are made based on the visibility gaps identified after mapping alerts to the Kill Chain, there’s a quantifiable value-add that the organization can track.

Many organizations fall into the routine of enabling and deploying alerts without a roadmap or plan, which can lead to alert fatigue and reactive security teams. By taking a different approach and prioritizing alerts, technologies, and integrations based on visibility gaps, organizations reduce the likelihood of alert-fatigue and burn-out.

The Cyber Kill Chain is at the Core of ReliaQuest GreyMatter

The ReliaQuest GreyMatter SaaS security platform measures against the Cyber Kill Chain to see progress against your organization goals and identify gaps so you know where to focus your efforts to decrease risk. The ReliaQuest Detect Content Library contains over 600 technology agnostic alerts that are mapped to the Cyber Kill Chain. ReliaQuest customers have full access to our content library as well as continual R&D, tuning, and enhancements of the deployed alerts. ReliaQuest GreyMatter incorporates alert mappings in order to decrease alert fatigue and provide actionable metrics for organizations to strategically improve visibility, speed detection and response, and mature security programs.

To learn more about understanding visibility gaps and applying security metrics that matter, view the white paper:The CISO’s Guide to Metrics that Matter in 2021


For more information check out our blog on Cyber Kill Chain: Steps to Leveraging Security Monitoring