Deep Cuts!
- RG
- Aug 13
- 4 min read
Connections are fun, and humans are very good at making them.
Let’s start at the end, and move backwards. (picture a poster-board with pushpins and yarn...)
I just learned about a band! The Knife is a Swedish electronic music duo, consisting of siblings Karin and Olof Dreijer, and I am currently enjoying some of their music as I type.
I discovered the act through their 2003 album, Deep Cuts.
But why was I searching for “deep cuts”, you might wonder?
What?
I had not previously heard the song (or at least did not remember it), but the official video for the song is tied to a deep-cut about another band. In that video, there is a fictional band lip-synching the song, with the band name showing on the bass drum.
This, I discovered, is the origin of the name of the band, The Killers.
Which is how we get to Lockheed Martin.
Huh?
Or rather, the Lockheed Martin Cyber Kill Chain.
As Information Security matures as a discipline, one necessary part of that growth is the development and evolution of frameworks for understanding how to build and protect complex computer networks in a formal way.
The Cyber Kill Chain was described in 2011 by computer scientists at Lockheed Martin as a model for defending computer networks. It is based on the military concept of the kill chain, which generically defines an attack by breaking it into phases for planning, and which also serves as a model for defence by identifying the points at which it is possible to “break” the chain and thwart the attack.
In military terms, a kill chain might consist of:
- Identification of target
- Dispatching forces to target
- Initiation of attack on target
- Destruction of target
In the context of computer networks, the Cyber Kill Chain attempts to describe the essential features of an attack. These include:
- Reconnaissance (target selection, research, vulnerability identification)
- Weaponization (selection or creation of tools to exploit vulnerabilities)
- Delivery (transmission of weapons to target)
- Exploitation (triggering of weapon to exploit vulnerability)
- Installation (installation of access point or backdoor, usable by the intruder)
- Command and Control (enabling intruder to maintain persistent access)
- Actions on Objective (actions, including data exfiltration, data destruction, etc.)
The value of this model is that it abstracts the strategy and actions from the details of execution, which allows the development of generalizable strategies and provides a framework for the ongoing evolution of our understanding of both attack and defence. With the benefit of hindsight, it is possible to identify weaknesses in the model, but I would say that the greatest value is in getting defenders to take on the mindset of attackers – both by viewing the defending network as an attacker and by viewing the attack as a series of events which can be disrupted.
Critiques of the model include the fact that the first phases usually happen outside the network, making identification and prevention difficult. Similarly, the assumptions in the model may perpetuate traditional ideas around defending systems which are no longer effective, or fail to account for risks such as insider threats.
On the other hand, the Kill Chain offers an excellent framework for addressing attacks from specific actors. Now, while most people focus a lot of attention on the “attribution” of attacks to specific groups, there is a lot of debate regarding the value of this activity.
In general, for most organizations, the ultimate identity of the attacker is irrelevant, as it has no impact on what actions you take to defend the organization. If you are facing attacks which are attempting to steal intellectual property, does it matter whether the actors are criminals or state actors? And if they are state actors, does it matter whether they are Chinese, or Russian, or Iranian?
For most organizations, the answer is no.
That said, it is important to recognize the difference between identification of threat actors and attribution of those threat actors to specific criminal organizations or nation states.
When security researchers identify threat actors, they describe the tactics and techniques used by those actors, and the strategies they tend to follow. As more information becomes available, a more detailed and complete profile of that threat actor emerges. Identifying a threat actor as being associated with criminal organization X or state actor Y is a separate step.
So, if an organization identifies an attack, and is able to associate that attack with a specific threat actor, it can now use information previously gathered about that threat actor to search for other IoCs (Indicators of Compromise) associated with that actor.
Now THAT is valuable – it can help identify other areas in your network to check, in order to be confident that the threat actor has been removed, and can also help assess whether activity found is likely to be part of a known campaign, or is likely to represent a separate threat actor.
Let’s say that your organization finds evidence of an attack attempting to install malware on your network, and you are able to associate it with threat actor X. After researching X, you find that one of their standard activities is to try to rewrite server logs in order to cover their tracks, so you go looking for evidence pointing in this direction, find it, and fix it.
Without this information, you might not have thought to check for specific attacks on the server logs, or may have found evidence of attacks on the server logs and believed that you were facing two separate actors.
Getting back to the Kill Chain, if you know that a given threat actor is likely to attack your organization, you can take the available information about that threat actor to describe the kill chain they follow, and identify ways in which it can be disrupted. Trying to do this for all threat actors would be prohibitively expensive (both in time and cost), but targeted use of this tool can be extremely helpful for specific risks.
So, if you know that threat actor X is likely to attack your organization, and you know their TTP (Tactics, Techniques, and Procedures), you can use that information to describe the kill chain they follow, and then focus on disrupting their entire strategy by breaking the chain at a single point.
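As an added example (not code from the original post), here is the chain-breaking analysis of the two preceding paragraphs, using the seven phases listed above, in Python. The threat actor X profile, its TTP names and the control inventory are all constructed and hypothetical; from them the script finds the phases where every known TTP is already covered (so the chain breaks there) and the phase where one more control would break it.

```python
from typing import Dict, List, Optional, Set

# The seven phases of the Lockheed Martin Cyber Kill Chain, in order.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objective",
]

# Constructed profile of a hypothetical "threat actor X": the TTPs they are
# known to use in each phase (phases with no known TTP are simply absent).
ACTOR_X: Dict[str, Set[str]] = {
    "Delivery": {"phishing email"},
    "Exploitation": {"document macro"},
    "Installation": {"scheduled task", "run-key persistence"},
    "Command and Control": {"https beaconing"},
    "Actions on Objective": {"log tampering", "data exfiltration"},
}

# Constructed control inventory: TTP -> the control that blocks or detects it.
CONTROLS: Dict[str, str] = {
    "document macro": "block macros in files from the internet",
    "https beaconing": "egress proxy with alerting on beacon patterns",
    "log tampering": "forward logs to an append-only collector",
}


def uncovered_ttps(actor: Dict[str, Set[str]], controls: Dict[str, str]) -> Dict[str, List[str]]:
    """Per phase the actor is known to use, the TTPs that no control addresses."""
    return {
        phase: sorted(t for t in actor[phase] if t not in controls)
        for phase in PHASES if phase in actor
    }


def break_points(actor, controls) -> List[str]:
    """Phases where every known TTP of the actor is covered, so the chain breaks there."""
    return [p for p in PHASES if p in actor and all(t in controls for t in actor[p])]


def first_break_point(actor, controls) -> Optional[str]:
    """The earliest phase at which the chain breaks; None if it cannot be broken yet."""
    points = break_points(actor, controls)
    return points[0] if points else None


def cheapest_new_break(actor, controls) -> Optional[str]:
    """Among phases not yet broken, the one needing the fewest new controls (ties: earliest)."""
    gaps = uncovered_ttps(actor, controls)
    candidates = [(len(g), PHASES.index(p), p) for p, g in gaps.items() if g]
    return min(candidates)[2] if candidates else None
```

The earliest break point is the one to invest in, since stopping the actor there makes every later phase moot.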
Now, THAT is a deep cut!
Cheers!