Kill chain models.
I’ve been doing this infosec thing for a long time now, close to thirty years. And I have to say, I'm one of those lucky people who has found a profession that I legitimately love. When friends and family accuse me of being a workaholic, I accept their criticism. My only response is that, when you love what you do, is that work? I mean, I could be spending my free time jousting with seven-year-olds in Fortnite or binging mediocre superhero TV shows to bring joy to my life, but the cybersecurity profession brings joy to me too. Come to think of it, I routinely get my butt kicked by seven-year-olds playing video games and I find time to load up hours of “Agent Carter” and “Agents of S.H.I.E.L.D.” I guess it really comes down to balance. What’s the appropriate amount of each? For me, sometimes Peggy Carter gets the priority. Other times, reading the next Cybersecurity Canon Hall of Fame book does. I'm not saying that I always get the mix right (my wife would have an opinion on that, I wager), but would I put all of that activity in the “work” bucket? I don’t think so.
All of that is a long way around the horn to introduce my favorite all-time cybersecurity topic, a topic that gives me great joy, adversary playbooks and the models we use to convey that information to each other, to leadership, and to the world at large. Like I said, I love most of the things we all do, or have to do, in this field to be successful. But the one item that really gets my juices flowing is tracking adversaries across the intrusion kill chain and devising strategies and tactics to defeat them.
Years ago, when I was a wee infosec lad trying to figure this stuff out, doing battle with cyber adversaries in real time was the closest thing I would ever get to fulfilling my fantasies of being a super spy like James Bond, a super sleuth like Sherlock Holmes, or a world class battlefield strategist like General Patton. Zero trust, resilience, and risk forecasting are all fascinating ideas and I love the challenges associated with each. But intrusion kill chain prevention, for me, is on another level of excitement.
Three adversary playbook models working together.
An adversary playbook collates all known intelligence on a hacker group’s attack sequence across the intrusion kill chain: tactics, techniques, indicators of compromise, attack time frame, and context about motivation as well as attribution. As Ryan Olson, a long time colleague, and I wrote in a paper we published in 2020, "Implementing Intrusion Kill Chain Strategies by Creating Defensive Campaign Adversary Playbooks," adversary playbooks provide a standard framework for this intelligence and ease the burden of sharing that collection with other network defenders. The framework further facilitates the automatic consumption of that intelligence on the other end, allows the receiver to write code to absorb it systematically, and provides the means to automatically deploy new and updated security controls to their already deployed defensive posture within their DevSecOps infrastructure.
When you create adversary playbooks though, three exemplars have emerged as accepted best practice to model the intelligence:
- Lockheed Martin's intrusion kill chain paradigm
- MITRE’s ATT&CK framework
- The Department of Defense’s Diamond Model
But when the community talks about adversary playbooks, you get the sense that all these models are different approaches to the same thing, and that just isn’t true. One's a strategy document (Lockheed Martin), one’s an operational construct for defensive action (MITRE), and one’s a methodology for cyber threat intelligence teams (Diamond). For adversary playbooks, you don’t choose one model over the other. All of these models work in conjunction with each other. If the metaphor for preventing the success of cyber adversaries is an elephant, each of these exemplars represents a different part of the elephant. Let’s take each one in turn.
Lockheed Martin's intrusion kill chain disruptive idea.
2010 was a big year in cybersecurity. The world learned about the U.S. / Israeli cyber campaign (Olympic Games, commonly referred to as Stuxnet) designed to slow down or cripple Iran’s nuclear bomb production capability. Google sent out shockwaves when it announced that it had been hacked by the Chinese government. John Kindervag, while working for Forrester, published his seminal paper, "No More Chewy Centers: Introducing The Zero Trust Model Of Information Security," and Lockheed Martin published their groundbreaking paper, "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” written by Eric Hutchins, Michael Cloppert, and Rohan Amin.
I can’t emphasize enough the size of the seismic shift in cyber defense thinking in the general public after the Lockheed Martin paper came out. Before the paper, we were all consumed with the idea that we were trying to prevent bad technical things from happening to and inside our networks using a model that we called defense-in-depth. The idea was that we would deploy multiple detection and prediction tools within our environment. If one failed, then the second would kick in. If that one failed, then the third would take over, all the way down until you couldn’t afford any more tools.
We were preoccupied with stopping malware and zero day exploits and bad URL links without any consideration to how cyber adversaries actually conducted their business from beginning to end. The common notion was that the adversary only had to be lucky one time to have success (like using a zero day exploit) while the defender had to be precisely correct all the time (protect against all the possible zero day exploits all the time). The Lockheed Martin paper made the case for the opposite. The authors demonstrated that adversaries had to string a series of actions together in order to be successful. All the defender had to do was break the sequence somewhere along that chain (the kill chain) which completely reversed the common notion. In the original paper, the authors described the kill chain as seven distinct phases of adversary activity:
- Reconnaissance: Research, identification and selection of targets.
- Weaponization: Build tools to leverage those targets.
- Delivery: Transmission of the developed weapon(s) to the targeted environment.
- Exploitation: Pull the triggers on the weapon(s).
- Installation: Install tools to maintain persistence.
- Command and control (C2): Establish connection to the outside world.
- Actions on objectives: Lateral movement inside the network and data exfiltration.
According to the authors, “Network defense techniques which leverage knowledge about these adversaries can create an intelligence feedback loop, enabling defenders to establish a state of information superiority which decreases the adversary’s likelihood of success with each subsequent intrusion attempt.” See how they used the phrase, “decreases the adversary’s likelihood of success?” That fits nicely into our overall first principle strategy of reducing the probability of material impact due to a cyber event. From the paper, “Intelligence-driven computer network defense is a risk management strategy that … requires a new understanding of the intrusions themselves, not as singular events, but rather as phased progressions.”
If the playbook for the infamous adversary group Sandworm contains 100 items in the attack sequence and, as a network defender, you deploy prevention and mitigation for all 100 items, then it doesn’t matter if Sandworm starts using a brand new zero day at step 37 that nobody knew about previously. All the mitigations you already had in place for steps 1-36 and steps 38-100 will prevent Sandworm’s success. That is genius and that’s the good news.
The bad news is that although the Lockheed Martin kill chain is brilliant as a conceptual model, it’s severely lacking in one major aspect: operations. There isn’t a lot of detail in the original white paper about how to operationalize the concept. Things like how to collect adversary playbook intelligence, analyze the data, make prudent decisions about how to prevent playbook actions, and actually deploy the mitigation plan are left to the reader as an exercise.
But that’s a nit-pick. The paper wasn’t designed for that. The authors disrupted the industry by upending commonly understood best practices and proposed a strategy that was better suited to preventing material impact to our organizations. The operations void would be filled with other big thinkers.
The MITRE ATT&CK Framework.
MITRE released its first version of the ATT&CK framework in 2013, three years after the original Lockheed Martin paper. The acronym stands for Adversarial Tactics, Techniques, and Common Knowledge. At first glance, the casual reader would just assume that the framework is a slight improvement on the original Lockheed Martin model: it extends the original phases and corrects for some of their limitations, drops the reconnaissance phase, and expands the actions-on-objectives stage with considerably more detail. That’s all true.
But the framework’s significant innovation is an extension of the list of information requirements that intelligence analysts collect for adversary playbooks: tactics, techniques, and procedures. Before the framework, we would all collect indicators of compromise without relating them to known adversary behavior. Indicators are not bad per se, but they are ephemeral; hackers can change them at the drop of a hat, and did. By the time infosec teams deployed countermeasures, the bad guys had likely already changed their behavior.
MITRE’s extension to the kill chain model includes the grouping of tactics (the “why”), the techniques used (the “how”), and the specific implementation procedures the adversary group used to deploy the tactic. That intelligence is not as ephemeral, is tied to known adversary group behavior, and is conducive to designing impactful countermeasures. Where the Lockheed Martin Kill Chain model is conceptual, the MITRE ATT&CK framework is operational.
As an added benefit, MITRE committed itself to sharing any and all framework intelligence that its own teams and members of the Defense Industrial Base (DIB) were collecting. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the DIB is a worldwide industrial complex of more than 100,000 companies and their subcontractors that provide goods and services to the U.S. military. All are prime targets for nation state cyber operations activity. MITRE’s intelligence teams sift through the intelligence collected by the DIB companies and eventually publish it into the ATT&CK framework wiki as open source intelligence for anybody to use. Although the wiki tracks several crime groups, that’s not the focus. It primarily covers how APT groups (Advanced Persistent Threat groups) run their own playbooks. In other words, they are tracking nation states.
Most importantly though, the framework standardizes the taxonomic vocabulary for both offense and defense. Before the framework, each vendor and government organization had their own language. Any intelligence product coming out of those organizations couldn’t be shared with anybody else without a lot of manual conversion-grunt-work to make sense of it all. Talk about the Tower of Babel. We were all looking at the same activity and couldn’t talk about it collectively in any way that made sense. The MITRE ATT&CK framework fixed that.
The bottom line is that the MITRE ATT&CK framework has become the industry’s de facto standard for representing adversary playbook intelligence and being the trusted open source for that intelligence. In other words, it has helped us to operationalize the cyber threat intelligence process.
That said, there is still a lot of work that needs to be done. Users of the wiki still need to automate the process of collecting the ATT&CK intelligence and using it to upgrade their internal defenses. Furthermore, the intelligence collected by MITRE is not in real time. They only update the wiki every few months. But since adversary groups don’t make wholesale changes to their attack playbooks that often, that’s not a major concern at the moment. Lastly, it would be better if MITRE covered all hacking groups (cyber crime, hacktivism, etc.), not just the groups that operate at the nation state level. They cover roughly one-hundred-fifty nation state adversary playbooks today, but that leaves about 100 other groups uncovered, and that’s a big gap.
Still, we’ve come a long way since 2010. The Lockheed Martin research team gave us a new strategy and the MITRE team helped us to operationalize it. The remaining task is how to collect that adversary playbook intelligence with some rigor. In other words, can we formalize the process so that all cyber threat intelligence teams can use the same basic procedures and can easily share and compare their notes with peers and colleagues? That’s where the Diamond Model comes in.
The Department of Defense’s Diamond Model.
About the same time that the Lockheed Martin research team was working on their intrusion kill chain model (2006), three researchers, working for the U.S. Department of Defense in parallel, started coming to similar conclusions but in a slightly different context. They were trying to establish a formal mathematical method for cyber threat intelligence work that they could apply to “game, graph, and classification/clustering theory to improve analysis and decision making.”
Like the Lockheed Martin researchers, the Diamond Model’s authors were also first principle thinkers. They asked the question, “What is the basic atomic element of any intrusion activity?” By the time they published their disruptive paper, "The Diamond Model of Intrusion Analysis,” in 2011, Sergio Caltagirone, Andrew Pendergast, and Christopher Betz had their answer: something they called an “Event” that consists of four core elements arranged around the vertices of a diamond shape.
To visualize the diagram from the original paper, think of the diamond shape as one triangle sitting on top of its mirror image with four lines connecting the outer vertices and one horizontal line connecting the left and right vertices. In 2019, Pendergast, now working for a commercial intelligence company (ThreatConnect), showed the diagram with an additional vertical line connecting the top and bottom vertices.
According to Professor Messer, a small cybersecurity training company that produces excellent infosec content on YouTube, the lines connecting each vertex establish a relationship pair. Adversaries (top vertex) develop attack capability (left vertex) and apply it to exploit infrastructure (right vertex). Adversaries also build and maintain their own infrastructure. Victims (bottom vertex) run and maintain infrastructure (right vertex) and are exploited by the capability (left vertex). Finally, adversaries (top vertex) exploit victims (bottom vertex).
The idea is that as intelligence teams describe cyber incidents, they are filling in the blanks of these relationship pairs. According to the paper. “This allows the full scope of knowledge to be represented as opposed to only the observable indicators of the activity.”
The authors were riffing off something called “Attack Trees,” originally proposed by Bruce Schneier, a Cybersecurity Canon Lifetime Achievement winner by the way and my first boss in the civilian world when I retired from the U.S. Army. Schneier’s idea was that attack graphs “attempt to generate all possible attack paths and vulnerabilities for a given set of protected resources to determine the most cost effective defense and the greatest degree of protection.” It’s a terrific idea, but it didn’t scale back then. The Diamond Model authors’ attempt to formalize the language around cyber incidents was a first step to improve that situation. In their model, they build “activity threads” that combine intelligence and traditional attack graphs into activity-attack graphs by merging “traditional vulnerability analysis with knowledge of adversary activity.”
And this is the point where it becomes apparent that the Diamond Model is not an alternative to the Lockheed Martin kill chain model and the MITRE ATT&CK framework; it’s an enhancement. The Diamond Model’s atomic element, the Event, with its four core features, is present at each phase of the intrusion kill chain. From the Diamond Model paper, “The ‘Kill Chain’ provides a highly effective and influential model of adversary operations which directly informs mitigation decisions. Our model integrates their phased approach and complements Kill Chain analysis by broadening the perspective which provides needed granularity and the expression of complex relationships amongst intrusion activity.”
In practice, your own intel team might be analyzing multiple incidents that may or may not be related to each other. For each, using the Lockheed Martin strategy, you are monitoring adversary activity across all kill chain phases. You collect that intelligence by filling in the blanks of the four feature pairs from the Diamond model and you standardize the language by using the MITRE Framework’s vocabulary of tactics, techniques, and procedures.
As the story develops, the kill chain becomes more complete with data for all the incidents. At a certain point, you might note that the Diamond Model events for the delivery phase and the command and control phase in incident 1 are remarkably similar to the events captured in incident 2. These “activity threads” connect the two incidents together, may indicate that the attacks originated from the same adversary, and imply a much broader campaign against your network. According to the paper, “The Diamond model’s Events can then be correlated across activity threads to identify adversary campaigns, and coalesced into activity groups to identify similar events and threats which share common features.”
For the security folks out there who are not cyber threat intelligence experts, this process is how we get all of those colorful names that splash across headlines in the cybersecurity news space.
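To make the three-model workflow concrete, here is an added example (my own illustration, not code from the Diamond Model paper, MITRE, or Lockheed Martin): Diamond Model events are placed on Lockheed Martin kill chain phases, their capability vertex is named with real ATT&CK technique ids, and incidents are correlated into activity threads and activity groups by matching shared capability and infrastructure features per phase. The three incidents, their domains and hostnames are constructed for the example and are not real indicators.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Lockheed Martin phases, in order, as listed on the page
KILL_CHAIN = ("reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives")


@dataclass(frozen=True)
class Event:
    """A Diamond Model event: the four core features placed on one kill chain phase."""
    phase: str
    adversary: str        # "unknown" until the intel team has made attribution
    capability: str       # ATT&CK technique id (real ids, e.g. T1566.001)
    infrastructure: str   # sender domain, C2 domain or host feature (constructed)
    victim: str


@dataclass
class Incident:
    name: str
    events: List[Event] = field(default_factory=list)

    def thread(self) -> List[Event]:
        """The incident's activity thread: its events in kill chain order."""
        return sorted(self.events, key=lambda e: KILL_CHAIN.index(e.phase))

    def missing_phases(self) -> List[str]:
        """Phases with no event yet: the blanks the analysts still have to fill in."""
        seen = {e.phase for e in self.events}
        return [p for p in KILL_CHAIN if p not in seen]


def shared_features(a: Incident, b: Incident) -> Dict[str, Set[Tuple[str, str]]]:
    """Per phase, the (capability, infrastructure) pairs both threads contain.
    Matching on these features rather than the adversary name lets the analyst
    link incidents whose adversary vertex is still 'unknown'."""
    shared = {}
    for phase in KILL_CHAIN:
        pa = {(e.capability, e.infrastructure) for e in a.events if e.phase == phase}
        pb = {(e.capability, e.infrastructure) for e in b.events if e.phase == phase}
        if pa & pb:
            shared[phase] = pa & pb
    return shared


def activity_groups(incidents: List[Incident], min_phases: int = 2) -> List[List[str]]:
    """Coalesce incidents that share features in at least min_phases phases.
    Linking is transitive: if A links to B and B to C, all three form one group."""
    groups: List[Set[str]] = []
    for inc in incidents:
        linked = [g for g in groups if any(
            len(shared_features(inc, other)) >= min_phases
            for other in incidents if other.name in g)]
        groups = [g for g in groups if g not in linked] + [{inc.name}.union(*linked)]
    return sorted(sorted(g) for g in groups)


# Constructed incidents; domains and hostnames are illustrative, not real indicators.
INCIDENTS = [
    Incident("INC-1", [
        Event("delivery", "unknown", "T1566.001", "invoice-lure.example", "finance-ws-07"),
        Event("command_and_control", "unknown", "T1071.001", "cdn-update.example", "finance-ws-07"),
    ]),
    Incident("INC-2", [
        Event("delivery", "unknown", "T1566.001", "invoice-lure.example", "hr-ws-12"),
        Event("installation", "unknown", "T1547.001", "local-run-key", "hr-ws-12"),
        Event("command_and_control", "unknown", "T1071.001", "cdn-update.example", "hr-ws-12"),
        Event("actions_on_objectives", "unknown", "T1041", "cdn-update.example", "hr-ws-12"),
    ]),
    Incident("INC-3", [
        Event("delivery", "unknown", "T1566.001", "shipping-notice.example", "ops-ws-03"),
        Event("command_and_control", "unknown", "T1071.004", "dns-relay.example", "ops-ws-03"),
    ]),
]

if __name__ == "__main__":
    print("INC-1/INC-2 share:", sorted(shared_features(INCIDENTS[0], INCIDENTS[1])))
    print("activity groups:", activity_groups(INCIDENTS))
```

INC-1 and INC-2 share delivery and C2 features, so they coalesce into one activity group even though neither has an attributed adversary; INC-3 uses the same phishing technique but different infrastructure in every phase, so it stays separate.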
- “Chinese APT10 hackers use Zerologon exploits against Japanese orgs.”
- “Ferocious Kitten: 6 years of covert surveillance in Iran.”
- “Lazarus Group May Have Been Behind 2019 Attacks on European Targets.”
When intelligence teams have high confidence that they are seeing similar “activity threads” across multiple incidents targeting the same victim, or described in other “activity threads” for other victims, they assign the activity group a colorful name as a kind of shorthand to readers of the news and readers of intelligence reports, a label that says that all of this information is related.
The adversary intelligence trifecta: Kill Chain, ATT&CK, and Diamond.
In order to reduce the probability of material impact to our organization due to a cyber attack, our first principle cybersecurity strategies include risk forecasting, zero trust, resilience, and intrusion kill chain prevention. Out of the four, the strategy that brings the most joy to me is intrusion kill chain prevention. The others are great and necessary, but they’re passive. They’re like eating your vegetables or getting the oil changed in your car. You have to do them but they’re not sexy. Intrusion kill chain prevention though, that’s exciting. That’s me and the adversary, in the ring, duking it out, every day. And it’s taken the network defender community over a decade to figure out how to do it in terms of strategy, operations, and cyber threat intelligence best practices.
Big thinkers from Lockheed Martin (kill chain), the Department of Defense (Diamond Model), and MITRE (ATT&CK Framework) gave us the blueprints of how to be good at this over a decade ago. It’s taken that long for the rest of us mere cybersecurity mortals to get our heads around the key concepts. The bottom line is that we build adversary playbooks so that we can automatically collect threat intelligence on what adversaries are actually doing across all the Lockheed Martin kill chain phases. We operationalize that process by standardizing on the MITRE ATT&CK framework’s established vocabulary for adversary tactics, techniques, and procedures. We instruct our cyber threat analyst teams to fill in the blanks of Event pairs, identify activity threads across multiple incidents, and establish activity groups for common behavior in the Diamond Model. Finally, we automate the deployment of our mitigation plan across our entire security stack. We do all of that with the adversary intelligence trifecta: Kill Chain, ATT&CK, and Diamond.
Related episodes.
11 MAY 2020: CSOP S1E6: Cybersecurity First Principles.
26 MAY 2020: CSOP S1E8: Cybersecurity first principles: intrusion kill chains.
22 JUN 2020: CSOP S1E12: Cybersecurity first principles: intelligence operations.
03 AUG 2020: CSOP S2E3: Incident response: a first principle idea.
10 AUG 2020: CSOP S2E4: Incident response: around the Hash Table.
- Hash Table Guests: Jerry Archer, Sallie Mae CSO (1); Ted Wagner, SAP National Security Services CISO (1); Steve Winterfeld, Akamai Advisory CISO (2); Rick Doten, Carolina Complete Health CISO (1).
16 AUG 2021: CSOP S6E5: Pt 1 - Cybersecurity first principles: orchestrating the security stack.
23 AUG 2021: CSOP S6E6: Pt 2 - Cybersecurity first principles: orchestrating the security stack.
- Hash Table Guests: Bob Turner, Fortinet Education Field CISO (5); Kevin Magee, Microsoft Canada CSO (2).
30 AUG 2021: CSOP S6E7: Pt 1 - Cybersecurity first principles: adversary playbooks.
13 SEP 2021: CSOP S2E8: Pt 2 - Cybersecurity first principles: adversary playbooks.
- Hash Table Guests: None.
- Guest: Ryan Olson, Palo Alto Networks (Unit 42) Threat Intelligence VP.
References.
“APT1: Exposing One of China’s Cyber Espionage Units,” Mandiant, Mandiant.com, 2013.
“Attack Frameworks - SY0-601 CompTIA Security+ : 4.2,” Professor Messer, YouTube, 29 April 2021.
“Compressing the Kill Chain,” by Adam J. Hebert, 1 March 2003.
“Computer Spies Breach Fighter-Jet Project,” by Siobhan Gorman, August Cole, and Yochi Dreazen, The Wall Street Journal, 21 April 2009.
“CyberArk Solutions and the MITRE ATT&CK Framework,” CyberArk.
“CyCraft Classroom: MITRE ATT&CK vs. Cyber Kill Chain vs. Diamond Model,” CyCraft, Medium, July 2020.
“Defense Industrial Base Sector,” CISA.gov, 2022.
“Diamond Model of Intrusion Analysis,” Threat Intelligence Academy, 29 July 2020.
“Diamond Presentation v2 0: Diamond Model for Intrusion Analysis – Applied to Star Wars’ Battles,” by Andy Pendergast and Wade Baker, ThreatConnect, YouTube, 4 February 2020.
“Factbox: Cyber Warfare Expert’s Timeline for Iran Attack,” Reuters, 2 December 2011.
“Find, Fix, Track, Target, Engage, Assess,” by John A. Tirpak, Air Force Magazine, 1 July 2000.
“Google Aurora Hack Was Chinese Counterespionage Operation,” by Mathew J. Schwartz, Information Week Security, 21 May 2013.
“Hackers Who Breached Google in 2010 Accessed Company’s Surveillance Database,” by Kim Zetter, Wired, 20 May 2013.
“How China Stole the Designs for the F-35 Stealth Fighter,” by Eli Fuhrman, 19FortyFive, 15 July 2021.
“Implementing Intrusion Kill Chain Strategies by Creating Defensive Campaign Adversary Playbooks,” by Rick Howard, Ryan Olson, and Deirdre Beard (editor), The Cyber Defense Review, Army Cyber Institute, Volume 4, Number 2, Fall 2020.
“Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” by Eric Hutchins, Michael Cloppert, and Rohan Amin, Lockheed Martin Corporation, 2010.
“Israel’s Battle against Iran’s Natanz Centrifuges - Timeline,” The Jerusalem Post, 2021.
“Man Who Sold F-35 Secrets to China Pleads Guilty,” by Justin Ling, Vice.com, 24 March 2016.
“MITRE ATT&CK®,” MITRE.org, 2021.
“MITRE ATT&CK: Design and Philosophy,” by Blake Strom, Andy Applebaum, Doug Miller, Kathryn Nickels, Adam Pennington, and Cody Thomas, MITRE, March 2020.
“No More Chewy Centers: Introducing The Zero Trust Model Of Information Security,” by John Kindervag, Forrester, 2010.
“The Cyber Kill Chain is making us dumber: A Rebuttal,” by Rick Howard, LinkedIn, 29 July 2017.
“The Diamond Model of Intrusion Analysis,” by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, Center for Cyber Threat Intelligence and Threat Research, Hanover, MD, Technical Report ADA586960, 5 July 2011.
“The Perfect Weapon: How the Cyber Arms Race Set the World Afire,” by David E. Sanger, Crown, June 2018.
“This Is How They Tell Me the World Ends: The Cyberweapons Arms Race,” by Nicole Perlroth, read by Allyson Ryan, Bloomsbury Publishing, 9 February 2021.
“U.S. charges Chinese spies and their recruited hackers in conspiracy to steal trade secrets,” by Ellen Nakashima, The Washington Post, 30 October 2018.