Post on 11-Apr-2017
What is the Cyber Kill Chain?

The Cyber Kill Chain is a taxonomy designed to measure the effectiveness of the Defense-in-Depth strategy.
[Diagram: three defensive layers (Layer 1, Layer 2, Layer 3) with the attacker's question "How far can I get?"]
What is the origin of the Kill Chain?

The Cyber Kill Chain was socialized by Lockheed Martin. It is based on military doctrine. It was developed as a method for describing an intrusion from an attacker's point of view. It can inform Cyber Security and Intelligence Analysis.
Cyber Kill Chain Stages

The deck walks one spear-phishing intrusion against USAA through the seven stages:

Reconnaissance
  Searches LinkedIn for System Administrators at USAA.
  Guesses their USAA email addresses based on name.
Weaponization
  Obtains domain name and creates website with malware.
  Crafts spear phish.
Delivery
  Sends spear phish to targeted email addresses.
Exploitation
  Administrator clicks on link and goes to evil website.
  Zero day exploit on website executes on Administrator's PC.
Installation
  Administrator's PC is compromised.
  Root kit is installed on Administrator's PC.
Establish C2
  Root kit connects back to Threat Actor's server to obtain further instructions.
Actions on Objectives
  Threat Actor looks for data on Administrator's PC.
  Threat Actor starts compromising other USAA machines.
What can the Kill Chain do?

Each phase of the kill chain can be mapped to corresponding defensive tools and actions. Defensive "Courses of Action" are based on the Information Operations principles of: Detect, Deny, Disrupt, Degrade, Deceive & Destroy.

An analyst who knows the stage of the Kill Chain has a basic understanding of what is being attempted and what response is called for.
Courses of Action Matrix (columns: Detect, Deny, Disrupt, Degrade, Deceive; cells left empty in the deck are omitted)

Reconnaissance:        Detect: Firewall, NIDS, Web Logs | Deny: Firewall, NIPS
Weaponization:         Detect: DNS Monitoring, Website Monitoring
Delivery:              Detect: Antivirus, NIDS, Vigilant User | Deny: NIPS, Proxy | Disrupt: In-Line Antivirus
Exploitation:          Detect: NIDS, Antivirus | Deny: Antivirus, System Patching | Disrupt: Antivirus, System Patching | Degrade: Restricted User Accounts
Installation:          Detect: Antivirus, Application Logs | Disrupt: Antivirus
Establish C2:          Detect: CIC, Malware Sandbox, NIDS | Deny: Firewall | Disrupt: NIPS
Actions on Objectives: Detect: Application Logs | Deny: Firewall | Disrupt: VLANs | Degrade: VLANs
What can the Kill Chain do?

The sooner in the kill chain you can disrupt the attack, the better.

Tracking similarities across kill chain phases can give fellow College Park analysts insight into:
• Threat Actor Tactics, Techniques and Procedures (TTP)
• Campaign Analysis
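As an added illustration (not part of the original deck), the Python sketch below measures "how far did they get" across a set of constructed intrusion cases and links cases that share an indicator in the same phase, which is the campaign analysis the deck describes. The case names, indicator values and record layout are assumptions made for the example.

```python
from itertools import combinations

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Establish C2", "Actions on Objectives"]

# Constructed sample cases modelled on the deck's spear-phish scenario, one
# dict per case mapping the phases seen to the indicators observed there.
# Every value is a placeholder, not real infrastructure.
RECORDS = {
    "case-1": {"Weaponization": {"domain:lure-site.example"},
               "Delivery": {"sender:hr@lure-site.example"},
               "Exploitation": {"exploit:zero-day-A"},
               "Installation": {"file:rootkit.sys"},
               "Establish C2": {"c2:203.0.113.10"}},
    # stopped at Delivery: same lure domain, blocked before any click
    "case-2": {"Weaponization": {"domain:lure-site.example"},
               "Delivery": {"sender:it-help@lure-site.example"}},
    "case-3": {"Delivery": {"sender:news@other-site.example"},
               "Exploitation": {"exploit:zero-day-B"}},
}

def furthest_phase(record):
    """Last phase with evidence: the deck's 'how far can I get?' for one case."""
    return max(record, key=PHASES.index)

def stop_distribution(records):
    """Count of cases ending at each phase. Mass at the early phases means
    the defence-in-depth layers are stopping intrusions early."""
    counts = {phase: 0 for phase in PHASES}
    for record in records.values():
        counts[furthest_phase(record)] += 1
    return counts

def campaign_links(records):
    """Pairs of cases sharing an indicator in the same phase. Indicators that
    recur across cases are what the deck uses for TTP and campaign analysis."""
    links = []
    for a, b in combinations(sorted(records), 2):
        for phase in PHASES:
            shared = records[a].get(phase, set()) & records[b].get(phase, set())
            if shared:
                links.append((a, b, phase, sorted(shared)))
    return links

if __name__ == "__main__":
    print(stop_distribution(RECORDS))
    for link in campaign_links(RECORDS):
        print("possible campaign:", link)
```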
Why do we need the Cyber Kill Chain?

"Measurement is the first step that leads to control and eventually to improvement. If you can't measure something, you can't understand it. If you can't understand it, you can't control it. If you can't control it, you can't improve it."
- H. James Harrington

"Circumstantial evidence is occasionally very convincing, as when you find a trout in the milk, to quote Thoreau's example."
- Sir Arthur Conan Doyle
How will CSOs operationalize?

1. Integrate into Cases
2. Integrate into Wiki
3. Integrate into Stand-Up Briefings