Attack lessons: Shared responsibility and the cyber kill chain
Dr. Josephine Wolff joins BlueCat’s Andrew Wertkin to dissect significant cybersecurity attacks from the last decade and what we can learn from them.
Cybersecurity experts Dr. Josephine Wolff and BlueCat CTO Andrew Wertkin analyze two landmark breaches—Ashley Madison and DigiNotar—to illustrate systemic lessons about how attacks unfold and how organizations and ecosystems respond. They argue that focusing solely on a single breached organization or the initial intrusion moment overlooks the broader cyber kill chain, where DNS, content hosts, software developers, and other entities present multiple stages for prediction, detection, prevention, and response. The discussion highlights real operational impacts—regulatory enforcement for misleading privacy claims in the Ashley Madison case and catastrophic trust failure for DigiNotar after fraudulent certificates and DNS manipulation—showing why layered defenses and attention to DNS behavior are critical.
What were the main differences between the Ashley Madison and DigiNotar breaches discussed in the webinar?
Ashley Madison’s 2015 breach involved publication of profile information for 36 million users and triggered an FTC enforcement action because the company had publicly promised account-deletion services that in practice retained users’ data. The core issue highlighted was deceptive public claims about privacy rather than only technical insecurity. By contrast, DigiNotar was a Dutch certificate authority compromised in 2011 after attackers exploited a vulnerability in a public-facing content management system, tunneled into the CA’s network, and issued over 500 fraudulent digital certificates used for man-in-the-middle attacks, causing browser vendors to blacklist the CA and leading to the company’s collapse.
How does the cyber kill chain framework change how organizations should think about defense, according to Wolff and Wertkin?
Wolff and Wertkin emphasize that the cyber kill chain frames attacks as a series of escalating stages rather than a single moment of compromise, meaning there are multiple opportunities to predict, detect, prevent, or respond. This approach shifts defense from blaming one breached organization to recognizing many implicated actors—DNS operators, content hosts, software developers, and certificate authorities—each creating attack surface or defensive opportunity. Consequently, organizations should adopt layered, pervasive strategies across reconnaissance, delivery, command-and-control, and integrity mechanisms (for example DNSSEC and DNS monitoring), rather than relying on a single technology or promise of security.
What roles can DNS play in attacks and defenses, and what practical steps did Wertkin suggest?
The article describes DNS as involved at multiple points in the kill chain—delivery, command-and-control, reconnaissance, and in integrity mechanisms like DNSSEC which provides cryptographic authentication and integrity for DNS queries. Wertkin recommends practical network hygiene and discovery steps such as performing port scans to find open services and reverse DNS mapping to reveal hostnames that might interest attackers. Monitoring different types of DNS behavior can help detect anomalies across kill-chain stages, and applying consistent technologies and strategies across those stages can help prevent cascading attacks.

Dr. Josephine Wolff

Andrew Wertkin
Last month, cybersecurity expert and author Dr. Josephine Wolff joined BlueCat CTO Andrew Wertkin for our Lessons from the Aftermath webinar to dissect significant cybersecurity attacks from the last decade and what we can learn from them.
Wolff and Wertkin took a deep dive into two watershed breaches: Ashley Madison and DigiNotar. They revealed two key takeaways. First, that we tend to place too much emphasis on individual organizations as the only line of defense against cyberattacks. And second, that we tend to hyper-focus on a single moment of attack where the perpetrator got their foothold.
Instead, a cyber kill chain approach views attacks as a series of escalating stages, with an opportunity to predict, detect, prevent, or respond to incidents at all of them.
A dating website for people seeking to have affairs, Ashley Madison was hacked in 2015, with profile information from 36 million users published online. Prior to the breach, the then-CEO had made very public claims about the site’s security and privacy, touting a paid service to delete your account from the website. All of the supposedly deleted data was still stored when the breach occurred, resulting in charges from the U.S. Federal Trade Commission.
“It was this moment for organizations to reevaluate how they publicly presented their data security and even to consider whether there were risks to making too strong promises, or potentially misleading promises, from an enforcement perspective,” Wolff says. “Because a lot of what the Federal Trade Commission can enforce is around unfair, deceptive business practices. A lot of the complaint they ended up filing against Ashley Madison really hinged on this idea that the company had been very deceptive, which is different than being very insecure.”
On the other hand, DigiNotar, a Dutch certificate authority, took its security very seriously, with complex segmentation and firewall rules for its network. But it was still possible for somebody to exploit a vulnerability in a content management system on its external-facing website and tunnel through to its secure network to issue fraudulent digital certificates. More than 500 fake DigiNotar certificates were found in 2011, including a set for Google.com.
The rogue digital certificates were used to conduct man-in-the-middle attacks. Perpetrators flooded DNS servers with fake records to send users to the wrong sites (so, for example, intercepting a user’s request to go to Google.com and sending them to their own webpage designed to look like Google’s instead). Just under 700,000 different IP addresses were redirected, impacting about 400,000 individuals, almost all of them living in Iran.
Browsers blacklisted DigiNotar certificates, and the company went out of business.
“Most companies that undergo data breaches or security incidents do not then go out of business. But for a certificate authority, where trust is its whole business, it actually turns out to be a massive big deal for them. And not just for DigiNotar, but also for all of the browsers—Chrome, Firefox, Internet Explorer—that were implied because they have listed DigiNotar in their list of root certificate authorities that could be trusted by all of their users,” Wolff says.
It’s important to recognize here the nuances of these attacks and how many entities are implicated, Wolff adds.
“There’s often this implied sense that there’s one company that’s responsible for all of it and it was their fault and their security failures that allowed this to happen,” she says. “There were all these other things going on that made it possible to do what these people did that were not just about the decisions of those two companies but also about the decisions of DNS operators, content hosts, and software developers. It becomes clearer how complicated and also how many opportunities there are for thinking about defense in this space.”
DNS can play a number of roles in the cyber kill chain. These might include delivery, command and control, reconnaissance, or the Domain Name System Security Extensions (DNSSEC), which use cryptography to provide authentication and integrity for DNS queries.
Wertkin suggests doing port scans to look for anything that’s open, or reverse-mapping the network via DNS to find hostnames that might be of interest to hackers.
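The reverse-mapping step Wertkin describes is something a defender can run against their own address ranges to see what a reconnaissance sweep would reveal. The script below is an added example, not BlueCat's code: it walks a CIDR block, asks for each address's PTR record, and flags hostnames whose labels hint at administrative, remote-access, non-production or backup systems. The resolver is injectable, so the built-in demo runs offline against a constructed PTR table (`FAKE_PTR`, `fake_resolver`); the `INTERESTING` pattern and the sample addresses are assumptions, and `real_resolver` wraps `socket.gethostbyaddr` for use on a real network.

```python
"""Reverse-map an address range via DNS and flag hostnames worth a second look.

Added example (not BlueCat's code). Run it against your OWN ranges to see what a
reverse-DNS sweep exposes. The resolver is injectable so the demo below works
offline against a constructed PTR table; pass real_resolver for live lookups.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Hostname fragments that tend to draw attention during reconnaissance
# (administrative, remote-access, non-production and backup systems). Assumption.
INTERESTING = re.compile(
    r"(admin|vpn|dev|test|stag|backup|bak|old|legacy|db|sql|jenkins|git)", re.I
)

# Constructed PTR table standing in for a real reverse zone (assumption).
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "www.example.net",
    "192.0.2.11": "mail.example.net",
    "192.0.2.20": "vpn-old.example.net",
    "192.0.2.21": "admin-dev.example.net",
    "192.0.2.30": "db-backup.example.net",
}


def fake_resolver(ip: str) -> str:
    """Offline stand-in for a PTR lookup: returns the name or raises like socket does."""
    if ip in FAKE_PTR:
        return FAKE_PTR[ip]
    raise socket.herror(1, "Unknown host")


def real_resolver(ip: str) -> str:
    """Live PTR lookup; socket.gethostbyaddr returns (hostname, aliases, addresses)."""
    return socket.gethostbyaddr(ip)[0]


def reverse_lookup(ip: str, resolver: Callable[[str], str]) -> Optional[str]:
    """Return the PTR name for ip, or None when the address has no reverse record."""
    try:
        return resolver(ip)
    except (socket.herror, socket.gaierror, OSError):
        return None


def reverse_map(cidr: str, resolver: Callable[[str], str] = real_resolver) -> List[Tuple[str, str]]:
    """Return (ip, hostname) for every host address in cidr that has a PTR record."""
    found: List[Tuple[str, str]] = []
    for addr in ipaddress.ip_network(cidr, strict=False).hosts():
        name = reverse_lookup(str(addr), resolver)
        if name:
            found.append((str(addr), name))
    return found


def flag_interesting(hosts: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only entries whose hostname matches the INTERESTING pattern."""
    return [(ip, name) for ip, name in hosts if INTERESTING.search(name)]


if __name__ == "__main__":
    # Offline demo over the constructed table; swap in real_resolver for a live sweep.
    hosts = reverse_map("192.0.2.0/27", fake_resolver)
    print(f"{len(hosts)} addresses have PTR records")
    for ip, name in flag_interesting(hosts):
        print(f"  review: {ip:<14} {name}")
```

The output of such a sweep is an inventory question, not an alarm: every flagged name should either be expected and protected accordingly, or have its PTR record removed and the host decommissioned.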
“It’s multiple areas along that kill chain—there’s different types of DNS behavior we might see,” Wertkin says. “Any of these areas in the kill chain aren’t segmented to one technology or one strategy. It’s the same sort of technologies and strategies that can be used pervasively across them, especially as they link across into cascading effects.”
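To make Wertkin's point concrete, the following added example (not BlueCat's code, and not from the webinar) runs three checks over a single DNS query log, each mapped to a kill-chain stage named in this post: a PTR sweep from one client as reconnaissance, a high-entropy registrable label as a possible delivery domain, and many unique long or TXT names under one parent as command-and-control tunnelling. The log format (`time client qtype qname`), the thresholds, the entropy heuristic and the sample lines are all assumptions constructed for the demo; real deployments would tune them and add an allowlist for CDN and telemetry domains that legitimately produce high-entropy names.

```python
"""Simple DNS-behavior checks mapped onto kill-chain stages.

Added example (not BlueCat's code). One query log feeds three detectors:
reconnaissance (PTR sweep), delivery (DGA-like label), command-and-control
(tunnelling via long/TXT subdomains). Format and thresholds are assumptions.
"""
import math
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed query-log lines: "<time> <client-ip> <qtype> <qname>" (assumption).
SAMPLE_LOG: List[str] = [
    "10:00:01 10.0.0.5 A www.example.com",
    "10:00:02 10.0.0.5 A mail.example.com",
    "10:00:09 10.0.0.5 A xk3j9qv2m8zp1r.com",  # DGA-style registrable label
]
# Client 10.0.0.7 reverse-maps fourteen consecutive addresses: a PTR sweep.
SAMPLE_LOG += [f"10:01:{i:02d} 10.0.0.7 PTR {i}.2.0.192.in-addr.arpa" for i in range(1, 15)]
# Client 10.0.0.9 pushes data out in unique long TXT subdomains: tunnelling.
SAMPLE_LOG += [f"10:02:{i:02d} 10.0.0.9 TXT {'ab' * 20}{i:02d}.t.example.org" for i in range(6)]

PTR_SWEEP_MIN = 10          # distinct PTR names from one client
ENTROPY_MIN = 3.5           # bits/char for a registrable label to look generated
LABEL_LEN_MIN = 12          # short labels have too little entropy to judge
TUNNEL_MIN = 5              # distinct long/TXT names under one parent domain
LONG_NAME = 40              # qname length that suggests encoded payload


def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Split one log line into (time, client, qtype, normalised qname)."""
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.lower().rstrip(".")


def shannon_entropy(s: str) -> float:
    """Bits per character; generated labels score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def registrable_label(qname: str) -> str:
    """Label left of the TLD; assumes single-label TLDs (no public-suffix list)."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else qname


def parent_domain(qname: str) -> str:
    """Last two labels, e.g. 'example.org' (same single-label-TLD assumption)."""
    return ".".join(qname.split(".")[-2:])


def detect(lines: List[str]) -> Dict[str, List[str]]:
    """Run all three stage checks and return findings keyed by kill-chain stage."""
    findings: Dict[str, List[str]] = {"reconnaissance": [], "delivery": [], "command_and_control": []}
    ptr_by_client: Dict[str, Set[str]] = defaultdict(set)
    tunnel_by_pair: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    for line in lines:
        _, client, qtype, qname = parse_line(line)
        if qtype == "PTR" and qname.endswith(".in-addr.arpa"):
            ptr_by_client[client].add(qname)      # reconnaissance signal
            continue
        label = registrable_label(qname)
        if len(label) >= LABEL_LEN_MIN and shannon_entropy(label) >= ENTROPY_MIN:
            findings["delivery"].append(f"{client} -> {qname} (entropy {shannon_entropy(label):.2f})")
        if qtype == "TXT" or len(qname) >= LONG_NAME:
            tunnel_by_pair[(client, parent_domain(qname))].add(qname)   # C2 signal

    for client, names in ptr_by_client.items():
        if len(names) >= PTR_SWEEP_MIN:
            findings["reconnaissance"].append(f"{client} reverse-mapped {len(names)} addresses")
    for (client, parent), names in tunnel_by_pair.items():
        if len(names) >= TUNNEL_MIN:
            findings["command_and_control"].append(f"{client} -> {len(names)} unique long/TXT names under {parent}")
    return findings


if __name__ == "__main__":
    for stage, hits in detect(SAMPLE_LOG).items():
        for hit in hits:
            print(f"[{stage}] {hit}")
```

The same parsed records serve all three checks, which is the practical meaning of applying one technology pervasively across the chain: a PTR sweep seen today is the precursor of a delivery or C2 finding later, so the stages are best correlated per client rather than alerted on in isolation.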
For more, be sure to view our Lessons from the Aftermath webinar.
—–
Wolff is an assistant professor in the public policy and computing security departments at Rochester Institute of Technology, a fellow at the New America Cybersecurity Initiative, and the author of You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches. Andrew Wertkin is BlueCat’s chief strategy officer.