
Cyber Kill Chain Deck for General Audience


Cyber Kill Chain Framework Presented in the "For Dummies" style.

Published in: Technology
  1. Be the strong link in your Cyber Kill Chain. Presented by: Tom Kirby
  2. What is the Cyber Kill Chain? The Cyber Kill Chain is a taxonomy designed to measure the effectiveness of the Defense-in-Depth strategy. (Diagram: Layer 3, Layer 2, Layer 1; "How far can I get?")
  3. What is the origin of the Kill Chain?
     • The Cyber Kill Chain was socialized by Lockheed Martin.
     • It is based on military doctrine.
     • It was developed as a method for describing an intrusion from an attacker's point of view.
     • It can inform Cyber Security and Intelligence Analysis.
  4. Cyber Kill Chain stages, illustrated by a sample intrusion:
     • Searches LinkedIn for System Administrators at USAA.
     • Guesses their USAA email addresses based on name.
     • Obtains a domain name and creates a website hosting malware.
     • Crafts a spear phish.
     • Sends the spear phish to the targeted email addresses.
     • Administrator clicks on the link and goes to the evil website.
     • Zero-day exploit on the website executes on the Administrator's PC.
     • Administrator's PC is compromised.
     • Rootkit is installed on the Administrator's PC.
     • Rootkit connects back to the Threat Actor's server to obtain further instructions.
     • Threat Actor looks for data on the Administrator's PC.
     • Threat Actor starts compromising other USAA machines.
     Stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Establish C2, Actions on Objectives.
  5. What can the Kill Chain do?
     • Each phase of the kill chain can be mapped to corresponding defensive tools and actions.
     • Defensive "Courses of Action" are based on the Information Operations principles of: Detect, Deny, Disrupt, Degrade, Deceive and Destroy.
     • An analyst who knows the stage of the Kill Chain has a basic understanding of what is being attempted and what response is called for.
  6. Courses of Action Matrix (columns: Detect, Deny, Disrupt, Degrade, Deceive; * = no control listed)
     • Reconnaissance: Detect: Firewall, NIDS, Web Logs; Deny: Firewall, NIPS; Disrupt: *; Degrade: *; Deceive: *
     • Weaponization: Detect: DNS Monitoring, Website Monitoring; Deny: *; Disrupt: *; Degrade: *; Deceive: *
     • Delivery: Detect: Antivirus, NIDS, Vigilant User; Deny: NIPS, Proxy; Disrupt: In-Line Antivirus; Degrade: *; Deceive: *
     • Exploitation: Detect: NIDS, Antivirus; Deny: Antivirus, System Patching; Disrupt: Antivirus, System Patching; Degrade: Restricted User Accounts; Deceive: *
     • Installation: Detect: Antivirus, Application Logs; Deny: *; Disrupt: Antivirus; Degrade: *; Deceive: *
     • Establish C2: Detect: CIC, Malware Sandbox, NIDS; Deny: Firewall; Disrupt: NIPS; Degrade: *; Deceive: *
     • Actions on Objectives: Detect: Application Logs; Deny: Firewall; Disrupt: VLANs; Degrade: VLANs; Deceive: *
  7. What can the Kill Chain do?
     • The sooner in the kill chain you can disrupt the attack, the better.
     • Tracking similarities across kill chain phases can give Fellow College Park Analysts insight into: Threat Actor Tactics, Techniques and Procedures (TTP); Campaign Analysis.
  8. Why do we need the Cyber Kill Chain? "Measurement is the first step that leads to control and eventually to improvement. If you can't measure something, you can't understand it. If you can't understand it, you can't control it. If you can't control it, you can't improve it." - H. James Harrington. "Circumstantial evidence is occasionally very convincing, as when you find a trout in the milk, to quote Thoreau's example." - Sir Arthur Conan Doyle
  9. How will CSOs operationalize it?
     • 1. Integrate into Cases
     • 2. Integrate into Wiki
     • 3. Integrate into Stand-Up Briefings
  10. Questions?
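Slides 7 and 8 describe two analyst uses of the kill chain: grouping intrusions into campaigns by indicators reused in the same phase, and measuring how far an attacker gets before any control fires. The following Python is an added example (not from the deck) of both ideas; the intrusion records and their indicators are constructed placeholders.

```python
from collections import defaultdict

# Phase order as listed on slide 4 of the deck.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Establish C2", "Actions on Objectives"]

# Constructed sample intrusions: phase -> set of observed indicators.
# Domains use .example and addresses come from TEST-NET ranges (placeholders).
INTRUSIONS = {
    "INT-001": {"Delivery": {"lure1@mail.example"},
                "Weaponization": {"malware-site.example"},
                "Establish C2": {"198.51.100.7"}},
    "INT-002": {"Delivery": {"lure2@mail.example"},
                "Weaponization": {"malware-site.example"},
                "Establish C2": {"198.51.100.7"}},
    "INT-003": {"Delivery": {"lure3@mail.example"}, "Establish C2": {"203.0.113.5"}},
    "INT-004": {"Exploitation": {"doc-exploit-hash-placeholder"}, "Establish C2": {"203.0.113.5"}},
}

def shared_indicators(a, b):
    """Phases in which two intrusions reuse the same indicator (slide 7's TTP overlap)."""
    shared = {}
    for phase in PHASES:
        common = a.get(phase, set()) & b.get(phase, set())
        if common:
            shared[phase] = common
    return shared

def cluster_campaigns(intrusions, min_phases=1):
    """Union-find: intrusions overlapping in >= min_phases phases join one campaign (transitively)."""
    names = list(intrusions)
    parent = {name: name for name in names}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if len(shared_indicators(intrusions[a], intrusions[b])) >= min_phases:
                parent[find(a)] = find(b)
    groups = defaultdict(list)
    for name in names:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())

def undetected_depth(detected_phases):
    """Phases the attacker completed before any control fired (slide 8's 'measure it');
    len(PHASES) means the intrusion was never detected."""
    hits = [PHASES.index(p) for p in detected_phases if p in PHASES]
    return min(hits) if hits else len(PHASES)
```

Raising `min_phases` demands overlap in more than one phase before two intrusions are called one campaign, which reduces false grouping on a single shared C2 address.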