Identity, cyber kill chain and all that…

This is a call to action.

By now it’s common knowledge that identity is the weakest link in any network. But identity is also the weakest link in almost any security framework — because it’s missing from most, and under-represented in the rest.

Unless rigorous and comprehensive identity protection is natively incorporated and tightly integrated into the mainstream security layers and applications, data breaches and mega-hacks will continue to occur en-mass, regardless of how much has been invested in security.

Malware History in Perspective

“In the beginning there was the Computer Virus. IT was formless and empty, darkness was over the surface of the deep. Then came the Malware (network-aware). Then came the APT (identity-aware)…”

The early-days virus had been kind of a naive bubble-boy — it attacked singularly only the machines it directly infected, and caused mild local damage (deleting info or on rare occasions portions of the hard-disk etc.).

The 2nd generation, which came to be generically known as malware, was qualitatively different — it was a “network-aware” malware. Not only did it carry its attacks through the network, it also used network-based attacks as part of its malicious activity. This is still the most common form of malware.

The 3rd generation, commonly known as APT and/or targeted attack, is again qualitatively different than the 2nd generation malware — it is “identity-aware” malware, on top of all of its other sophisticated, sorry — “advanced” — properties. It doesn’t really matter whether the malware itself is identity-aware or the campaign it’s part of. The effect is the same.

Targeted Attacks Not Only Exploit Identity — They Depend on Identity

Today’s main target of attacks are users, not only in the sense of end-points or network-nodes — the identity itself is being attacked. This is starkly different than previous generation malware, where every user who happened to come across the malware got infected.

All of the recent mega data breaches used targeted individuals and specific identities in order to penetrate the target networks and carry on the attacks. These attacks begin with either an identified user (this is the “targeted” part), or a virtual place where “users of interest” go to — typically a website — in order to trap a relevant user (this is the less-targeted approach, aka “watering hole”).

Thereafter the user is:

  • Infected with the malicious payload which takes over his/hers machine.
  • Has his/hers identity stolen, by means of stealing the relevant security & access credentials and impersonating that user to access the coveted resources as well as help cover-up traces of attack.

This is the identity perspective of the cyber kill chain. Targeted attack is a head-on attack on identity.

As long as the user’s identity keeps being compromised, the attack continues (unless detected, always AFTER the fact, through other attack properties — this is where malware detection, network security and threat intelligence kick in).

Identity is a centerpiece in modern advanced malware. Every targeted attack attacks identity, and is DEPENDED on a compromised user and exploited identity in order to be carried out.

The Missing Link

Yet identity protection, in its deepest and broadest sense, is alarmingly missing from mainstream security means and applications. Security vendors do not seem to rush to deal with it. Endpoint security is not identity-aware at all. Heavier-weight security layers (gateways, servers, threat intelligence, “correlation engines” etc.) at best merely inherit the trivial policies from the organization’s directory.

Similarly, identity is hardly mentioned in the voluminous mountains of security literature/blogosphere/media. Yes, lip-service is paid every now and then, but there hasn’t been any serious discussion, analysis or call to action to add identity, in its deepest sense, to the mainstream security applications/technologies.

If identity protection enjoyed the attention given to APTs and targeted attacks, the public awareness and efforts to mitigate the “identity crisis” would be at a completely different level.

A case in point: Looking at the dissected-to-death “cyber kill-chain”, the one amazing and glaring missing link is identity. The parts of identity that are exploited and attacked are referred to in an off-hand technical manner: “Target-environment”, “victim’s system” and “vector of attack” (e.g. the user’s machine), “harvested mail address” (e.g. part of the user’s credentials) etc. As a matter of fact, Lockheed-Martin’s original paper laying down the principles of the cyber kill-chain, doesn’t even mention the word “identity”…

So in a manner of speaking, the weakest link is the one that’s not even there: Identity.

How many more mega-attacks should occur before identity will be added to the DNA of network security, malware detection/protection and security mindset? An industry-wide effort to fix this glaring flaw must be undertaken, with a great sense of urgency.


  1. At the same token, it’s time Identity protection adopts a much broader approach than its by-now-incredibly-obsolete narrow and binary approach to IAM.
  2. As to what exactly is “identity” — we’ll deal with that another time…


“You don’t know what you don’t know, because you can’t see what you can’t see”: Threat detection is reaching a negative inflection point

In this blog post I present a few bold (and quite disturbing) figures about the current state of affairs of malware and its detection. I assert that given the unbearably and unacceptably long time it takes to detect malware (IF at all detected), and the growing cost and complexity of its detection, it’s time to admit that current malware detection technologies have more than exhausted themselves and that it’s time for new detection paradigms to emerge.

The perplexity

Reading the threat and malware reports frequently published by security vendors and security-research labs leaves the reader perplexed. Not one report resemble the others in terms of defining the main threats and the quantitative analysis of the levels and dynamics of the threats.

It seems that each vendor has a “unique angle” on the threat landscape, probably based on its technological solutions and its own security knowledge-base.

There doesn’t seem to be any agreement about the scope and breadth of the threats, save for one conclusion: The threat level is rising and so is its severity.

The harsh reality: Malware true state of affairs

Here are a few bold figures published very recently by prominent security players:Continue reading