Does XDR Need A New Kill Chain?

Brian Stoner
The time has come for cyber security technology to keep up with the adversaries.  Now that we have seen so many successful multi-stage attacks, we need to reassess the way we correlate the signals we are seeing from all the security tools in our environments.  Correlation is helpful but it doesn’t always paint the complete picture.  What is the next phase in detection and response?

To understand this, we need to look at the current frameworks that help security teams organize their daily tasks.  The Lockheed Martin Kill Chain was a very popular framework when the proliferation of malware was the primary tactic.  It was very good at outlining the different stages the attackers went through to deploy their payload.  Next came the MITRE ATT&CK framework.  This is leveraged by many experts today because it is more comprehensive, describing the tactics and techniques that have grown in popularity with attackers over the last few years.

The problem with these large and sophisticated frameworks is that it is very difficult to write manual rules to anticipate and correlate all the signals from your log sources.  The volume of logs that are being collected and retained are skyrocketing.  This has become a big data challenge for even the smallest of partners.  What can be done to solve this challenge?

Integration of the security platform and the framework is the key.  Today, many platforms provide links to MITRE as part of their threat intelligence, but it is typically after the fact.  What we need to do is to organize and present the alerts in the framework real-time.  Attackers have to be successful at multiple stages of the framework to achieve their goal.  We only need to be successful stopping them in one of the stages.  The earlier the stage, the less there will be to clean up.   There are some key processes you need to accomplish this.

First, you need a standardized and enriched data set.  We no longer want analysts trying to determine how dangerous a signal is until after the fact – the solution must compare everything against a Threat Intelligence Platform and enrich the data set with that information before the record is created.  Once the data is in a standard format, an AI/ML component can correlate signals from multiple threat vectors in the environment.  The alerts are organized within the kill chain, which maps directly to the stages of the MITRE attack framework.  When an analyst sees the alert there is no question on how to prioritize it.

For partners, organizing and managing hundreds of alerts over the course of a day is a time- and resource-intensive exercise.  The solution must have ML that provides an additional layer of correlation, portraying multistage attacks as incidents and providing each incident with a risk score.  This is an additional layer of ML beyond simple alert correlation.  It will significantly reduce the amount of time SOC analysts spend grouping alerts for analysis.  Ideally, the solution should provide analysts with the ability to add or delete alerts from the incident and to tune the threat score.

Stellar Cyber is the first to provide an XDR-focused kill chain along with ML-enhanced, incident-based alert management. The time is now to leverage ML automation to detect and stop the adversaries.  If you would like to learn more, please reach out to