GAINING THE ADVANTAGE
Applying Cyber Kill Chain® Methodology to Network Defense
THE MODERN DAY ATTACKER
Cyberaacks aren’t new, but the stakes at every level are higher than ever. Adversaries are more
sophiscated, well-resourced, trained, and adept at launching skillfully planned intrusion campaigns called
Advanced Persistent Threats (APT). Our naon’s security and prosperity depend on crical infrastructure.
Protecng these assets requires a clear understanding of our adversaries, their movaons and strategies.
Adversaries are intent on the compromise and extracon of data for economic, polical
and naonal security advancement. Even worse, adversaries have demonstrated
their willingness to conduct destrucve aacks. Their tools and techniques have the
ability to defeat most common computer network defense mechanisms.
SOPHISTICATED WELL-RESOURCED MOTIVATED
THE LOCKHEED MARTIN CYBER KILL CHAIN®
The Cyber Kill Chain® framework is part of the Intelligence Driven
Defense® model for the idencaon and prevenon of cyber
intrusions acvity. The model idenes what the adversaries
must complete in order to achieve their objecve.
Stopping adversaries at any stage breaks the chain of aack! Adversaries
must completely progress through all phases for success; this puts
the odds in our favor as we only need to block them at any given one
for success. Every intrusion is a chance to understand more about
our adversaries and use their persistence to our advantage.
The kill chain model is designed in seven steps:
fDefender’s goal: understand the aggressor’s acons
fUnderstanding is Intelligence
fIntruder succeeds if, and only if, they can proceed through steps
1-6 and reach the nal stage of the Cyber Kill Chain®.
1
2
3
4
5
6
7
RECONNAISSANCE Idenfy the Targets
ADVERSARY
The adversaries are in the planning
phase of their operaon. They
conduct research to understand
which targets will enable them
to meet their objecves.
fHarvest email addresses
fIdenfy employees on
social media networks
fCollect press releases, contract
awards, conference aendee lists
fDiscover internet-facing servers
DEFENDER
Detecng reconnaissance as it
happens can be very dicult, but
when defenders discover recon – even
well aer the fact – it can reveal
the intent of the adversaries.
fCollect website visitor logs for
alerng and historical searching.
fCollaborate with web administrators to
ulize their exisng browser analycs.
fBuild detecons for browsing
behaviors unique to reconnaissance.
fPriorize defenses around
parcular technologies or people
based on recon acvity.
1
WEAPONIZATION Prepare the Operaon
ADVERSARY
The adversaries are in the preparaon
and staging phase of their operaon.
Malware generaon is likely not done
by hand – they use automated tools.
A “weaponizer” couples malware and
exploit into a deliverable payload.
fObtain a weaponizer, either
in-house or obtain through
public or private channels
fFor le-based exploits, select “decoy”
document to present to the vicm.
fSelect backdoor implant and
appropriate command and control
infrastructure for operaon
fDesignate a specic “mission id”
and embed in the malware
fCompile the backdoor and
weaponize the payload
DEFENDER
This is an essenal phase for defenders
to understand. Though they cannot
detect weaponizaon as it happens,
they can infer by analyzing malware
arfacts. Detecons against
weaponizer arfacts are oen the
most durable & resilient defenses.
fConduct full malware analysis –
not just what payload it drops,
but how it was made.
fBuild detecons for weaponizers
– nd new campaigns and new
payloads only because they re-
used a weaponizer toolkit.
fAnalyze meline of when malware
was created relave to when it was
used. Old malware is “malware o
the shelf” but new malware might
mean acve, tailored operaons.
fCollect les and metadata
for future analysis.
fDetermine which weaponizer arfacts
are common to which APT campaigns.
Are they widely shared or closely held?
2
6
7
8
9
10
11
12
13
1
/
13
100%
![[eprint.iacr.org]](http://s1.studylibfr.com/store/data/008941439_1-31ebccdf80c83be7db1d7ff4be6abe20-300x300.png)
