So I became aware of the intrusion kill chain in 2009 when Mike Cloppert referenced it in one of his presentations at the SANS Incident Detection Summit (I can’t find an agenda for this). In 2010 he released a formal paper on the concept. If you’re not familiar with the intrusion kill chain, please pause and read it. It’s worth your time. Don’t TL;DR me.
I recently used the kill chain as an example in a few presentations I gave. That made me think a bit more about the kill chain concept. Specifically, I asked the question: does the defensive side have a kill chain?
Short answer? No.
Long answer? A kill chain relies on the fact that “any one deficiency will interrupt the entire process.” Through an entirely inductive reasoning process I’ve identified five steps of defense that, if interrupted, will greatly disrupt the defensive process. Unlike a kill chain, disrupting one phase will not necessarily interrupt the entire defensive process or posture.
So what’s my back-of-the-napkin defensive kill chain? More precisely, what would a targeted attack focus on in order to disrupt a defensive operation? First, the attacker will penetrate the defensive operations security of the target. This is done through a variety of means, including OSINT, HUMINT, etc. Next, the attacker will find weaknesses in the orientation of the defensive operation. This means taking advantage of both the defenders’ and the overall target’s mindset, expectations, and beliefs. This includes social engineering. It also includes understanding defensive operations shifts, holidays, and general abilities. Next, the attacker will leverage this combined information and subvert the IT architecture. This is exploitation, this is escalation, this is action. This is done in tandem with subverting the security architecture. This avoids detection and prevention measures; this defeats any defense-in-depth control which is not already inherently built into the IT architecture. Finally, the attacker will defeat any responsive/reactive measures by the defensive operation. This means working faster and better than the defensive team.
The short version of the Defensive Kill Chain: Operations Security -> Orientation -> IT Architecture -> Security Architecture -> Response Activities
I’m wishy-washy on this as an idea, but it’s a fun one that I may use and strengthen in the future.