Attack lessons: Shared responsibility and the cyber kill chain

Dr. Josephine Wolff joins BlueCat’s Andrew Wertkin to dissect significant cybersecurity attacks from the last decade and what we can learn from them.

Josephine Wolff

Dr. Josephine Wolff

Andrew Wertkin

Andrew Wertkin

Last month, cybersecurity expert and author Dr. Josephine Wolff joined BlueCat CTO Andrew Wertkin for our Lessons from the Aftermath webinar to dissect significant cybersecurity attacks from the last decade and what we can learn from them.

Wolff and Wertkin took a deep dive into two watershed breaches: Ashley Madison and DigiNotar. They reveal two key takeaways. First, that we tend to place too much emphasis on individual organizations as the only line of defense against cyberattacks. And second, that we tend to hyper focus on a single moment of attack where the perpetrator got their foothold.

Instead, a cyber kill chain approach views attacks as a series of escalating stages, with an opportunity to predict, detect, prevent, or respond to incidents at all of them.

A dating website for people seeking to have affairs, Ashley Madison was hacked in 2015, with profile information from 36 million users published online. Prior to the breach, the then-CEO had made very public claims about the site’s security and privacy, touting a paid service to delete your account from the website. All of the supposedly deleted data was still stored when the breach occurred, resulting in charges from the U.S. Federal Trade Commission.

“It was this moment for organizations to reevaluate how they publicly presented their data security and even to consider whether there were risks to making too strong promises, or potentially misleading promises, from an enforcement perspective,” Wolff says. “Because a lot of what the Federal Trade Commission can enforce is around unfair, deceptive business practices. A lot of the complaint they ended up filing against Ashley Madison really hinged on this idea that the company had been very deceptive, which is different than being very insecure.”

On the other hand, DigiNotar, a Dutch certificate authority, took their security very seriously, with complex segmentation and firewall rules for their network. But it was still possible for somebody to exploit a vulnerability in a content management system on their external facing website and tunnel through to their secure network to issue fraudulent digital certificates. More than 500 fake DigiNotar certificates were found in 2011, including a set for

The rogue digital certificates were used to conduct man-in-the-middle attacks. Perpetrators flooded DNS servers with fake records to send users to the wrong sites (so, for example, intercepting a user’s request to go to and sending them to their own webpage designed to look like Google’s instead). Just under 700,000 different IP addresses were redirected, impacting about 400,000 individuals, almost all of them living in Iran.

Browsers blacklisted DigiNotar certificates, and the company went out of business.

“Most companies that undergo data breaches or security incidents do not then go out of business. But for a certificate authority, where trust is its whole business, it actually turns out to be a massive big deal for them. And not just for DigiNotar, but also for all of the browsers—Chrome, Firefox, Internet Explorer—that were implied because they have listed DigiNotar in their list of root certificate authorities that could be trusted by all of their users,” Wolff says.

It’s important to recognize here the nuances of these attacks and how many entities are implicated, Wolff adds.

“There’s often this implied sense that there’s one company that’s responsible for all of it and it was their fault and their security failures that allowed this to happen,” she says. “There were all these other things going on that made it possible to do what these people did that were not just about the decisions of those two companies but also about the decisions of DNS operators, content hosts, and software developers. It becomes clearer how complicated and also how many opportunities there are for thinking about defense in this space.”

DNS can play a number of roles in the cyber kill chain. This might include delivery command and control, reconnaissance, or Domain Name System Security Extension (DNSSEC), which uses cryptography to provide authentication and integrity for DNS queries.

Wertkin suggests doing port scans for looking for anything that’s open. Or reverse mapping the network via DNS to find host names that might be of interest to hackers.

“It’s multiple areas along that kill chain—there’s different types of DNS behavior we might see,” Wertkin says. “Any of these areas in the kill chain aren’t segmented to one technology or one strategy. It’s the same sort of technologies and strategies can be used pervasively across them, especially as they link across into cascading effects.”

For more, be sure to view our Lessons from the Aftermath webinar.


Wolff is an assistant professor in the public policy and computing security departments at Rochester Institute of Technology, a fellow at the New America Cybersecurity Initiative, and the author of You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches. Andrew Wertkin is BlueCat’s chief strategy officer.

An avatar of the author

Rebekah Taylor is a former journalist turned freelance writer and editor who has been translating technical speak into prose for more than two decades. Her first job in the early 2000s was at a small start-up called VMware. She holds degrees from Cornell University and Columbia University’s Graduate School of Journalism.

Related content

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Get fast, resilient, and flexible DDI management with Integrity 9.6

With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.

Read more

Deepen your security insight with Infrastructure Assurance 8.3

BlueCat Infrastructure Assurance 8.3, with an enhanced analytics dashboard, including interactive widgets and top 10 alerts, is now available.

Read more

Security, automation, cloud integration keys to DDI solution success

Only 40% of enterprises believe they are fully successful with their DDI solution. Learn how to find greater success with new research from EMA and BlueCat.

Read more

Our commitment to Micetro customers and product investment

From CEO Stephen Devito, a word on BlueCat’s ongoing commitment to supporting Micetro customers and Micetro’s evolution as a network management tool.

Read more

Seven reasons to rethink firewall monitoring and boost automation 

With BlueCat Infrastructure Assurance, you can better protect your network with automated alerts and suggested remedies for hidden issues in your firewalls.

Read more