Word Notes 5.31.22
Ep 102 | 5.31.22

Intrusion Kill Chain (noun)

Transcript

Rick Howard: The word is: Intrusion Kill Chain

Rick Howard: Spelled: Intrusion as in a breach of a network or system. Kill as in to terminate or put an end to. And Chain as in a sequence. 

Rick Howard: Definition: A cybersecurity first principle strategy focused on disrupting known adversary activity at one of several phases of an attack sequence. 

Rick Howard: Example sentence: The organization stopped the attack at the installation phase of the Intrusion Kill Chain. 

Rick Howard: Origin and context: 2010 was a big year in cybersecurity. The world learned about the U.S.-Israeli cyber campaign Olympic Games, commonly referred to as Stuxnet, designed to slow down or cripple the Iranians' nuclear bomb production capability. 

Rick Howard: Google sent out shockwaves when it announced that it had been hacked by the Chinese government; John Kindervag, while working for Forrester, published his seminal paper, "No More Chewy Centers: Introducing The Zero Trust Model Of Information Security"; and Lockheed Martin published their groundbreaking paper, "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," written by Eric Hutchins, Michael Cloppert, and Rohan Amin. 

Rick Howard: I can't emphasize enough the size of the seismic shift in cyber defense thinking in the general public after the Lockheed Martin paper came out. Before the paper, we were all consumed with the idea that we were trying to prevent bad technical things from happening to and inside our networks using a model that we call defense-in-depth.

Rick Howard: We were preoccupied with stopping malware and zero-day exploits and bad URL links without any consideration of how cyber adversaries actually conducted their business from beginning to end. The common notion was that the adversary only had to be lucky one time to have success, like using a zero-day exploit, while the defender had to be precisely correct, protected against all the possible zero-day exploits, all the time.

Rick Howard: The Lockheed Martin paper made the case that this just wasn't true. The authors demonstrated that adversaries had to string a series of actions together in order to be successful. All the defender had to do was break the sequence somewhere along that chain, the kill chain, which completely reversed the common notion. 

Rick Howard: According to the authors, "Network defense techniques which leveraged knowledge about these adversaries can create an intelligence feedback loop, enabling defenders to establish a state of information superiority which decreases the adversary's likelihood of success with each subsequent intrusion attempt."

Rick Howard: The bad news is that although the Lockheed Martin kill chain model is brilliant as a conceptual model, it's severely lacking in one major aspect: operations. There isn't a lot of detail in the original white paper about how to operationalize the concept. 

Rick Howard: Things like how to collect adversary playbook intelligence, analyze the data, make prudent decisions about how to prevent playbook actions, and actually deploy the mitigation plan are left to the reader as an exercise, but that's a nitpick. The paper wasn't designed for that purpose. The authors disrupted the industry by upending commonly understood best practices and proposed a strategy that was better suited to preventing material impact to our organizations.

Rick Howard: The operations void would be filled with other big thinkers from MITRE and their ATT&CK framework and the Department of Defense with their Diamond Model.

Rick Howard: Nerd reference: At the Integrated Cyber Conference in 2018, hosted by the Johns Hopkins Applied Physics Laboratory, yours truly gave the keynote speech about the future of network defense. In this section, I discussed the kill chain elements from the Lockheed Martin intrusion kill chain paper. 

Rick Howard: The Lockheed Martin folks realize that as adversaries, the blackhats of the world, attack their victims' networks, regardless of the tool set they used and regardless of the motivations that drove them to do it, they all basically got to do the same five things to break into a network and be successful.

Rick Howard: They have to recon the victim's network, looking for weakness. They craft a weapon that will leverage those weaknesses and deliver it to some endpoint somewhere: a laptop, a server, a printer, anything, it doesn't really matter. Once they get there, they trick the user into running that weapon against them and allows them to compromise that endpoint.

Rick Howard: I call that establishing a beachhead. Now, the adversary is not successful yet. But now they are inside your network. From there, they usually create a command and control channel back out to the internet to download more tools that will help them finish their mission. And from there, the intrusion kill chain paper says actions on the objective.

Rick Howard: And there's lots of things that can happen here, but generally it's move laterally in the victim's network, looking for the data they've come to steal or to destroy. And once they find it, they exfiltrate it out. 

Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik, and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.