CSO Perspectives (Pro) 3.14.22
Ep 72 | 3.14.22

Kill chain models.


Rick Howard: I've been doing this InfoSec thing for a long time now, close to 30 years. And I have to say I'm one of those lucky people to have found a profession that I legitimately love. When friends and family accuse me of being a workaholic, I accept their criticism. My only response is that when you love what you do, is that work? I mean, I could be spending my free time jousting with 7-year-olds in Fortnite or bingeing mediocre superhero TV shows to bring joy to my life. But the cybersecurity profession brings joy to me, too. Come to think of it, I routinely get my butt kicked by 7-year-olds playing video games, and I find time to load up hours of Agent Carter in "Agents Of S.H.I.E.L.D." I guess it really comes down to balance. What's the appropriate amount for each? For me, sometimes, Peggy Carter gets the priority. Other times, reading the next Cybersecurity Canon Hall of Fame book does. I'm not saying that I always get the mix right. My wife would have an opinion on that, I wager. But when I put all that activity in the work bucket, I don't think so.

Rick Howard: All of that is a long way around the horn to introduce my favorite all-time cybersecurity topic, a topic that gives me great joy, adversary playbooks and the models we use to convey that information to each other, to leadership and to the world at large. Like I said, I love most of the things we all do or have to do in this field to be successful. But the one item that really gets my juices flowing is tracking adversaries across the intrusion kill chain and devising strategies and tactics to defeat them. Years ago, when I was just a wee InfoSec lad trying to figure this stuff out, doing battle with cyber-adversaries in real time was the closest thing I would ever get to fulfilling my fantasies of being a super spy like James Bond or being a super sleuth like Sherlock Holmes or being a world-class battlefield strategist like General Patton. 

Rick Howard: Zero trust, resilience and risk forecasting are all fascinating ideas, and I love the challenges associated with each. But intrusion kill chain prevention for me is on another level of excitement. So I figured it was time to give the senior security executive an overview of just exactly where we are as an industry on how to pursue this first-principle strategy so that all of you can start asking the right questions to your own team members on how well they're doing collecting intelligence on the known 250 or so hacker groups that have been causing all the trouble in the world for the past couple of decades, from nation-states to crime to hacktivism. How do we collect all of that intelligence into adversary playbooks, study them and then, the best part, devise ways to crush them? Or as George C. Scott yelled in the 1970 movie "Patton" as he defeated Rommel's army in the African Desert... 


George C Scott: (As Patton) Rommel, you magnificent bastard, I read your book.

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater, somewhere along the Patapsco River near Baltimore Harbor. And you are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: An adversary playbook collates all known intelligence on a hacker group's attack sequence across the intrusion kill chain - tactics, techniques, indicators of compromise, attack time frame and context about motivation, as well as attribution. Ryan Olson and I published this paper back in 2020 called "Implementing Intrusion Kill Chain Strategies by Creating Defensive Campaign Adversary Playbooks." Ryan is a longtime colleague and friend of mine and currently the intelligence vice president at Palo Alto Networks. He's in charge of Unit 42. And he's way smarter than I am. But together we noticed that although we both believe that the intrusion kill chain prevention strategy is something that all of us should be pursuing, there weren't a lot of success stories proving that we should. The industry was bogged down. Implementing a robust program was still too hard. 

Rick Howard: We wrote the paper to outline the next steps needed in the industry to erase some of the roadblocks for automated consumption of that kind of intelligence in real time that also facilitated the analysis of that intelligence and the means to automatically deploy new and updated security controls to our already deployed defensive posture within our DevSecOps infrastructure because of it. When you create adversary playbooks, though, three exemplars have emerged as accepted best practice to model the intelligence - Lockheed Martin's intrusion kill chain paradigm, MITRE's ATT&CK Framework and the Department of Defense's Diamond Model. But when the community talks about adversary playbooks, you get the sense that all these models are different approaches to the same thing, and that just isn't true. One's a strategy document, Lockheed Martin. One's an operational construct for defensive action, MITRE. And one's a methodology for cyberthreat intelligence teams, the Diamond Model. For adversary playbooks, you don't choose one model over the other. All of these models work in conjunction with each other. If the metaphor for preventing the success of cyber-adversaries is an elephant, each of these exemplars represents different parts of that elephant. So let's take each one in turn. 

Rick Howard: 2010 was a big year in cybersecurity. The world learned about the U.S.-Israeli cyber campaign, Olympic Games, commonly referred to as Stuxnet, designed to slow down or cripple the Iranians' nuclear bomb production capability. Google sent out shockwaves when it announced that it had been hacked by the Chinese government. John Kindervag, while working for Forrester, published the seminal paper "No More Chewy Centers: Introducing The Zero Trust Model of Information Security." And Lockheed Martin published their groundbreaking paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," written by Eric Hutchins, Michael Cloppert and Rohan Amin. I can't emphasize enough the size of the seismic shift in cyber defense thinking in the general public after the Lockheed Martin paper came out. Before the paper, we were all consumed with the idea that we were trying to prevent bad technical things from happening to and inside our networks, using a model that we all called defense in depth. 

Rick Howard: The idea was that we would deploy multiple detection and prediction tools within our environment. If one failed, then the second one would kick in. If that one failed, then the third would take over, all the way down until you couldn't afford any more tools. We were preoccupied with stopping malware and zero-day exploits and bad URL links without any consideration to how cyber adversaries actually conducted their business from beginning to end. The common notion was that the adversary only had to be lucky one time to have success, like using a zero-day exploit, while the defender had to be precisely correct all the time, meaning we had to protect against not just one zero-day exploit, but all of them. The Lockheed Martin paper made the case that the opposite was true. The authors demonstrated that adversaries had to string a series of actions together in order to be successful. All the defender had to do was break the sequence somewhere along the chain - the kill chain, which completely reversed the common notion. 

Rick Howard: In the original paper, the authors describe the kill chain as seven distinct phases of adversary activity: reconnaissance (research, identification and selection of targets); weaponization (build tools to leverage those targets); delivery (transmission of the developed weapons to the targeted environment); exploitation (pull the triggers on the weapons); installation (position tools to maintain long-time persistence); command and control, or C2 (establish connections to the outside world); and finally, actions on the objective (lateral movement inside the network and data exfiltration). 

Rick Howard: According to the authors, quote, "Network defense techniques, which leverage knowledge about these adversaries, can create an intelligence feedback loop, enabling defenders to establish a state of information superiority, which decreases the adversary's likelihood of success with each subsequent intrusion attempt," end quote. You see how they use the phrase decreases the adversary's likelihood of success. That fits in nicely to our overall first principle strategy of reducing the probability of material impact due to a cyber event. 

Rick Howard: From the paper, quote, "Intelligence-driven computer network defense is a risk management strategy that requires a new understanding of the intrusions themselves not as singular events, but rather as phase progressions," end quote. If the playbook for the infamous adversary group Sandworm contains 100 items in the attack sequence, and as a network defender, you deploy prevention and mitigation for all 100 items, then it doesn't matter if Sandworm starts using a brand new zero-day at step 37 that nobody knew about previously. All the mitigations you already had in place for steps 1 through 36 and steps 38 through 100 will prevent Sandworm's success. That's genius, and that's the good news. 

Rick Howard: The bad news is that although the Lockheed Martin kill chain is brilliant as a conceptual model, it's severely lacking in one major aspect - operations. There isn't a lot of detail in the original white paper about how to operationalize the concept. Things like how to collect adversary playbook intelligence, analyze the data, make prudent decisions about how to prevent playbook actions and actually deploy the mitigation plan are left to the reader as an exercise. But that's a nitpick. The paper wasn't designed for that. The authors disrupted the industry by upending commonly understood best practices and proposed a strategy that was better suited to preventing material impact to our organizations. The operations void would be filled with other big thinkers. 

Rick Howard: MITRE released the first version of the ATT&CK framework in 2013, three years after the original Lockheed Martin paper. The acronym stands for adversarial tactics, techniques and common knowledge. At first glance, the casual reader would just assume that the framework is a slight improvement on the original Lockheed Martin model. The framework extends the original phases and corrects some of the limitations. It eliminates the recon phase and clarifies and expands the actions on the objective stage, with more clarity and detail. That's all true. But the framework's significant innovation is an extension of the list of information requirements intelligence analysts collect for adversary playbooks. They added tactics, techniques and procedures. 

Rick Howard: Before the framework, we would all collect indicators of compromise without any relation to known adversary behavior. They're not bad per se, but they are ephemeral, and hackers can easily change them at the drop of a hat and did and still do. By the time infosec teams deployed countermeasures, the bad guys had likely already changed their behavior. MITRE's extension to the kill chain model includes the grouping of tactics, the why, the techniques used, the how, and the specific implementation procedures the adversary group used to deploy the tactic. That intelligence is not as ephemeral, is tied to known adversary group behavior and is conducive to designing impactful countermeasures. 

Rick Howard: Where the Lockheed Martin kill chain model is conceptual, the MITRE ATT&CK Framework is operational. And as an added benefit, MITRE committed itself to sharing any and all framework intelligence that its own teams were collecting, as well as members of the Defense Industrial Base, or DIB. According to the U.S. Cybersecurity and Infrastructure Security Agency, CISA, the DIB is a worldwide industrial complex of more than 100,000 companies and their subcontractors that provide goods and services to the U.S. military. All are prime targets for nation state cyber-operations activity. MITRE's intelligence teams sift through the intelligence collected by the DIB companies and eventually publish it into the ATT&CK Framework wiki as open-source intelligence for anybody to use. Although the wiki tracks several crime groups, that's not the focus. It primarily covers how APT groups - or Advanced Persistent Threat groups - run their own playbooks. In other words, they're tracking nation-states. Most importantly, though, the framework standardizes the taxonomy vocabulary for both offense and defense. Before the framework, each vendor and government organization had their own language. Any intelligence product coming out of those organizations couldn't be shared with anybody else without a lot of manual conversion grunt work to make sense of it all. Talk about the Tower of Babel. We were all looking at the same activity and couldn't talk about it collectively in any way that made sense. The MITRE ATT&CK Framework fixed that. The bottom line is that the MITRE ATT&CK Framework has become the industry's de facto standard for representing adversary playbook intelligence and being the trusted source for that intelligence. In other words, it has helped us to operationalize the cyberthreat intelligence process. 

Rick Howard: That said, there's still a lot of work that needs to be done. Users of the wiki still need to automate the process of collecting the ATT&CK intelligence and using it to upgrade their internal defenses. Further, the intelligence collected by MITRE is not in real time. They only update the wiki every few months. But since adversary groups don't wholesale change their attack playbooks that often, that's not a major concern at the moment. Still, it would be better if they updated the wiki in a continuous manner. Lastly, it would be better if MITRE covered all hacking groups like crime and hacktivism, not just the groups that operate at the nation-state level. They cover roughly 150 nation-state adversary playbooks today, but that leaves about a hundred other groups uncovered, and that's a big gap. Still, we've come a long way since 2010. The Lockheed Martin research team gave us the new strategy, and the MITRE team helped us to operationalize it. The remaining task is how to collect the adversary playbook intelligence with some rigor. In other words, can we formalize the process so that all cyberthreat intelligence teams can use the same basic procedures and can easily share and compare their notes with peers and colleagues? That's where the diamond model comes in. 

Rick Howard: At the same time that the Lockheed Martin research team was working on their intrusion kill chain model, around 2006, three researchers working for the U.S. Department of Defense in parallel started coming to similar conclusions but in a slightly different context. They were trying to establish a formal mathematical method for cyberthreat intelligence work that they could apply to, quote, "Game Graph and Classification Clustering Theory to improve analysis and decision-making," end quote. As with the Lockheed Martin researchers, the diamond model authors were also first-principle thinkers. They asked the question, quote, "what is the basic atomic element of any intrusion activity?" end quote. By the time they published their disruptive paper, "The Diamond Model of Intrusion Analysis," in 2011, Sergio Caltagirone, Andrew Pendergast and Christopher Betz had their answer, something they called an event that has four core elements - adversaries, infrastructure, capability and victims. 

Rick Howard: In the paper, they portrayed the event as a diamond-shaped graphic with the four points of the diamond, the vertices, representing the core elements. Outside lines connect the vertices, and there is one horizontal inside line between the left and right vertices. In 2009, Pendergast, now working for a commercial intelligence company, ThreatConnect, updated the diagram with an additional inside vertical line connecting the top and bottom vertices. The lines represent relationships between the core elements. According to Professor Messer - a great name for a small cybersecurity training company that produces excellent infosec content on YouTube - the lines connecting each vertex establish a relationship pair. Adversaries, the top vertex, develop attack capability, the left vertex, and apply it to exploit infrastructure, the right vertex. Adversaries also build and maintain their own infrastructure. Victims, the bottom vertex, run and maintain infrastructure, the left vertex, and are exploited by the capability, the right vertex. Finally, adversaries, the top vertex, exploit victims on the bottom vertex. 

Rick Howard: The idea is that as intelligence teams describe cyber incidents, they are filling in the blanks of these relationship pairs. According to the paper, quote, "this allows the full scope of knowledge to be represented as opposed to only the observable indicators of the activity," end quote. The authors were riffing on something called attack trees, originally proposed by Bruce Schneier - a Cybersecurity Canon and lifetime achievement winner, by the way, and my first boss in the civilian world after I retired from the U.S. Army. Side note - my first job out of the Army, I was hired as the global SOC director for one of the first managed security service providers, Counterpane, where Schneier was one of the founders. And Bruce is a brilliant man. He has written many books on the topic of cybersecurity, and he is an excellent speaker in front of big crowds. But he was not so good on the one-on-one conversation front - you know, because he's kind of a nerd like me. He would come into the SOC from time to time for the purpose of, you know, pumping up the troops, building morale by shaking hands and talking to each analyst. And it always went badly. At a certain point during one of his visits, I pulled him aside and said, hey, Bruce, you can handle the book writing and the public speaking and the thought leadership duties; I'll handle the one-on-one morale sessions, end note. 

Rick Howard: Schneier's idea was that attack graphs, quote, "attempt to generate all possible attack paths and vulnerabilities for a given set of protected resources to determine the most cost-effective defense and the greatest degree of protection," end quote. It's a terrific idea, but back then it didn't scale. The diamond model authors' attempt to formalize the language around cyber incidents was the first step to improve that situation. In their model, they build activity threads that combine intelligence and traditional attack graphs into activity attack graphs by merging, quote, "traditional vulnerability analysis with knowledge of adversary activity," end quote. And this is the point where it becomes apparent that the diamond model is not an alternative to the Lockheed Martin kill chain model or the MITRE ATT&CK Framework; it's an enhancement. The diamond model's atomic element, the event, with its four core features, is present at each phase of the intrusion kill chain. From the diamond model paper, quote, "the kill chain provides a highly effective and influential model of adversary operations, which directly informs mitigation decisions. Our model integrates their phased approach and complements kill chain analysis by broadening the perspective, which provides needed granularity and the expression of complex relationships amongst intrusion activity," end quote. 

Rick Howard: In practice, your own intel team might be analyzing multiple incidents that may or may not be related to each other. For each, using the Lockheed Martin strategy, you are monitoring adversary activity across all kill chain phases. You collect that intelligence by filling in the blanks of the four feature pairs from the diamond model, and you standardize the language by using the MITRE Framework's vocabulary of tactics, techniques and procedures. As the story develops, the kill chain becomes more complete with data for all the incidents. At a certain point, you might note that the diamond model event for the delivery phase and the command-and-control phase in Incident 1 is remarkably similar to the events captured in Incident 2. These activity threads connect the two incidents together, may indicate that the attacks have originated from the same adversary and imply a much broader campaign against your network. According to the paper, quote, "the diamond model's events can then be correlated across activity threads to identify adversary campaigns and coalesced into activity groups to identify similar events and threats which share common features," end quote. 

Rick Howard: For the security folks out there who aren't cyberthreat intelligence experts, this process is how we get all those colorful names that splash across as headlines in the cybersecurity news space, like "Chinese APT 10 Hackers Use ZeroLogon Exploits Against Japanese Orgs" or "Ferocious Kitten: Six Years of Covert Surveillance in Iran" or "The Lazarus Group May Have Been Behind the 2019 Attacks on European Targets." When intelligence teams have high confidence that they are seeing similar activity threads across multiple incidents targeting the same victim or described in other activity threads for other victims, they assign the activity group a colorful name as a kind of shorthand for readers of the news and readers of intelligence reports, a label that says that all of this information is related. 


Rick Howard: You're listening to a song from the 1976 movie soundtrack "Rocky" called "Going the Distance." And it's totally appropriate because intrusion kill chain prevention, to me anyway, is like a 15-round prize fight between heavyweights. In order to reduce the probability of material impact due to a cyber event, our first-principle cybersecurity strategies include risk forecasting, zero trust, resilience and intrusion kill chain prevention. Out of the four, the strategy that brings the most joy to me is the last one. The others are great and necessary, but they're passive. They're like eating your vegetables or getting the oil changed in your car. You have to do them, but they're not sexy. Intrusion kill chain prevention, though, that's exciting. That's me and the adversary in the ring, duking it out every day like Rocky Balboa and Apollo Creed going toe to toe over 15 rounds. 

Rick Howard: And it's taken the network defender community over a decade to figure out how to do it in terms of strategy, operations and cyberthreat intelligence best practices. Big thinkers from Lockheed Martin, the kill chain, the Department of Defense, the diamond model, and MITRE, the ATT&CK Framework, gave us the blueprints on how to be good at this over a decade ago. It's taken that long for the rest of us mere cybersecurity mortals to get our heads around the key concepts. The bottom line is that we build adversary playbooks so that we can automatically collect threat intelligence on what adversaries are actually doing across all the Lockheed Martin kill chain phases. We operationalize that process by standardizing on the MITRE ATT&CK Framework's established vocabulary for adversary tactics, techniques and procedures. We instruct our cyberthreat intelligence analyst teams to fill in the blanks of event pairs, identify activity threads across multiple incidents and establish activity groups for common behavior in the diamond model. Finally, we automate the deployment of our mitigation plan across the entire security stack. We do all of that with the adversary intelligence trifecta - kill chain, ATT&CK and diamond. 


Rick Howard: And that's a wrap. As always, if you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. Or if you prefer email, drop a line to csop@thecyberwire.com. That's C-S-O-P, the @ sign, the CyberWire - all one word - dot com. And if you have any questions you would like us to answer here at "CSO Perspectives," send a note to the same email address, and we will try to address them on the show. Next week, we will be talking about risk forecasting. You don't want to miss that. 

Rick Howard: The CyberWire "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.