PRACTICAL SECURITY
ARCHITECTURE
WAYNE TUFEK
15TH – 16TH OF FEBRUARY 2019
SACON
BANGALORE
2
Sensitivity:	Confidential
LOCKHEED MARTIN CYBER KILL CHAIN
Source: https://lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
LOCKHEED MARTIN CYBER KILL CHAIN
The seven steps to the Cyber Kill Chain® are:
1. Reconnaissance;
2. Weaponization;
3. Delivery;
4. Exploitation – this is the process in which the weaponized package from step 2 acts on the system, exploiting a vulnerability and executing code on the targeted system;
Source: https://www.cisecurity.org/spotlight/ei-isac-cybersecurity-spotlight-cyber-kill-chain/
LOCKHEED MARTIN CYBER KILL CHAIN
5. Installation – the executed code from Step 4 then
installs the malware on the target;
6. Command & Control (C2 or C&C) – the malware
installed on the target system will use a C2 channel
to communicate with the malicious actor; C2
channels are frequently masked to look like normal
traffic from the computer. Common C2 channels
include malware connecting to another IP address,
website or social media feed to receive additional
commands;
7. Actions on Objectives – the malicious actor will send
commands to the malware through the C2 channel;
this commonly includes providing remote access so
the malicious actor can directly login to the system or
other actions, such as gathering and exfiltrating
predefined data.
Source: https://www.cisecurity.org/spotlight/ei-isac-cybersecurity-spotlight-cyber-kill-chain/
KILL CHAIN LIMITATIONS
• Steps 1 through 6 of the Chain relate solely to intrusion, which
is, as we know from recent attacks, only a very small part of a
targeted attack. Along these same lines, the Chain is
disproportionate on an attack time scale: Steps 1 through 6
take relatively little time, whereas step 7 can take months.
• Further, it’s worth considering that steps 1, 2, and 3 are not
relevant from an operational point of view. These are just the
documentation of steps an attacker may take behind the
scenes, not something that security professionals can directly
address or influence.
KILL CHAIN LIMITATIONS
• Malware focused
• Can reinforce old-school, perimeter-focused, malware-prevention
thinking, and intrusion prevention solutions cannot provide 100%
protection. With a little work, though, the model applies just as
well to detection, response and recovery
• Doesn’t address internal threats
LOCKHEED MARTIN CYBER KILL CHAIN
Source: https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf
LOCKHEED MARTIN CYBER KILL CHAIN
• Understand how an attack unfolds
• Determine what to defend against
• Only one way an attacker can breach your defences
• When it comes to enterprise detection, the Kill Chain is useful
for understanding what your capabilities are, as well as your
gaps in coverage by tools and threat actors
• Post-incident reviews excel by leveraging the Kill Chain model to
systematically break down the attack. Using the KC as a framework
to answer questions as to how the attack played out, and dissecting
each step for what the adversary did and why it worked, may provide
a wealth of understanding of the attack, the actor, and what should
be done afterwards.
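An added example (not from the deck) of the coverage review these bullets describe, and of the prevention-only bias flagged under the limitations: an assumed control inventory is mapped onto the seven phases and gaps are reported along a constructed attack path from a post-incident review.

```python
"""Kill-chain coverage review (added example, not from the slides).

Each control is tagged with the phase it acts on and the function it
performs (prevent / detect / respond). For the phases an observed attack
path touched, report those with no coverage at all, those covered by
prevention only, and those with no detection, which is where a review
of "gaps in coverage by tools" usually starts.
"""

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]

# Constructed control inventory (assumed, not a real environment):
# (control name, kill-chain phase, function)
CONTROLS = [
    ("email gateway", "Delivery", "prevent"),
    ("endpoint AV", "Installation", "prevent"),
    ("EDR", "Installation", "detect"),
    ("egress proxy", "Command & Control", "prevent"),
    ("IR playbook", "Actions on Objectives", "respond"),
]

# Constructed attack path: phases the adversary was seen to use.
# Steps 1-3 are absent because they happen outside our visibility.
OBSERVED_PATH = ["Delivery", "Exploitation", "Installation",
                 "Command & Control", "Actions on Objectives"]


def coverage_by_phase(controls):
    """Return {phase: set of functions covered} for every phase."""
    cov = {p: set() for p in PHASES}
    for _name, phase, function in controls:
        cov[phase].add(function)
    return cov


def review(controls, observed_path):
    """Coverage gaps along the observed path, grouped by gap type."""
    cov = coverage_by_phase(controls)
    return {
        "uncovered": [p for p in observed_path if not cov[p]],
        "prevent_only": [p for p in observed_path if cov[p] == {"prevent"}],
        "no_detection": [p for p in observed_path if "detect" not in cov[p]],
    }
```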
LOCKHEED MARTIN CYBER KILL CHAIN
• Have you ever tried to explain to the C-suite how an attack
happened? It can be challenging. However, the Kill Chain
offers a simple and powerful way to look at a very complex
situation and tell a story. In a world driven by PowerPoint
presentations, you can easily explain the concepts of the KC in
terms that everyone will understand, without getting technical,
and follow a linear approach to explain the details of the
attack to your audience
LOCKHEED MARTIN CYBER KILL CHAIN
LOCKHEED MARTIN THREAT DRIVEN APPROACH
Source: A Threat Driven Approach to Cyber Security – Lockheed Martin Corporation
INTERNAL KILL CHAIN
• The classic kill chain model was designed to help
organizations combat external threats by bad actors.
• Recruitment and tipping point
• Search and reconnaissance
• Data acquisition
• Data exfiltration
Source: https://www.tripwire.com/solutions/vulnerability-and-risk-management/insider-threat-kill-chain-detecting-human-indicators-of-compromise-register/
LOCKHEED MARTIN CYBER KILL CHAIN
• Flight Risks: Employees looking to leave the company elevate
the risk of data loss. They tend to be less sophisticated and
exhibit less cautious behaviour on their way out. The kill chain–
style reactive risk model begins with looking for early
indicators — for example, if an employee frequently visits job
search websites, something he or she typically would not do.
However, even if employees are visiting those kinds of
websites, that doesn't necessarily mean they are a threat. They
become a potential threat when they move to the next stage
when, for example, they upload unusually large encrypted files
to cloud storage at odd working hours.
LOCKHEED MARTIN CYBER KILL CHAIN
• Persistent Insiders: Unlike flight risks, these threats are more
sophisticated insiders who have no intention of leaving the
organization. They repeatedly look for whatever sensitive data
they can get their hands on to hurt the organisation and/or sell
for profit. Organisations won't see these employees looking at
job search websites. Instead, they will visit websites where
they can circumvent web proxies. These are websites that
allow them to hide, and then jump to the Dark Web, for
example, to move data and bypass controls.
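As an added example (not from the deck), the staged logic behind the two insider profiles above, run over constructed proxy and upload events: an early indicator alone (job-search or proxy-circumvention browsing) never raises an alert; only escalation to the next stage does. The site categories, size threshold and odd-hours window are assumptions.

```python
"""Staged insider kill-chain detector (added example, not from the slides).

A "flight risk" shows an early indicator (job-search browsing) and becomes
a potential threat only at the next stage (large encrypted upload at odd
hours). A "persistent insider" shows proxy-circumvention browsing instead.
Users with only the early indicator, or only the upload, are not flagged.
"""
from datetime import datetime

# Constructed sample events: (ISO timestamp, user, kind, detail)
# kind "web": detail is the proxy's site category (assumed labels)
# kind "upload": detail is (bytes, encrypted?) from a CASB/DLP log
EVENTS = [
    ("2019-02-11T10:05:00", "alice", "web", "job-search"),
    ("2019-02-12T09:30:00", "alice", "web", "job-search"),
    ("2019-02-13T23:40:00", "alice", "upload", (900_000_000, True)),
    ("2019-02-11T11:00:00", "bob", "web", "job-search"),
    ("2019-02-11T14:00:00", "bob", "upload", (50_000_000, False)),
    ("2019-02-12T12:10:00", "carol", "web", "proxy-avoidance"),
    ("2019-02-14T02:15:00", "carol", "upload", (2_000_000_000, True)),
    ("2019-02-14T03:00:00", "dave", "upload", (3_000_000_000, True)),
]

# Stage-1 indicators and the profile each one suggests (assumed categories).
EARLY_INDICATORS = {"job-search": "flight risk",
                    "proxy-avoidance": "persistent insider"}
LARGE_BYTES = 500_000_000                     # "unusually large" (assumed)
ODD_HOURS = set(range(0, 6)) | set(range(22, 24))   # outside working hours


def is_escalation(ts, detail):
    """Stage-2 indicator: large encrypted upload outside working hours."""
    size, encrypted = detail
    return encrypted and size >= LARGE_BYTES and ts.hour in ODD_HOURS


def detect(events):
    """Return {user: profile} for users who escalated after an early indicator."""
    early = {}    # user -> profile label from the first early indicator seen
    alerts = {}
    for ts_str, user, kind, detail in sorted(events):   # chronological order
        ts = datetime.fromisoformat(ts_str)
        if kind == "web" and detail in EARLY_INDICATORS:
            early.setdefault(user, EARLY_INDICATORS[detail])
        elif kind == "upload" and user in early and is_escalation(ts, detail):
            alerts[user] = early[user]
    return alerts
```

Users with only a stage-1 signal (bob) or only a large upload with no prior indicator (dave) are not flagged, which is the point the slide makes about visiting job sites not in itself marking a threat.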
QUESTIONS?
PASSION • INTEGRITY • EXPERIENCE • RESULTS

(SACON) Wayne Tufek - chapter two - kill chain