Cybersecurity Introduction

Overview…

Protecting an organization’s infrastructure is a key part of cybersecurity. Fueled by operational intelligence and defense-in-depth activities, “the goal is to ensure that systems and services are protected against unintended and unauthorized access and potential vulnerabilities” (AWS Security, Identity, and Compliance, 2023).


Topic: What is the Cyber Kill Chain?…

Developed by Lockheed Martin, the Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies what adversaries must complete in order to achieve their objective. The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures (Lockheed Martin Corporation, 2023).

Blocking adversaries at any point in the cycle breaks the chain of attack!

Visualization: The Seven Steps of the Cyber Kill Chain…

Lockheed Martin - Cyber Kill Chain

Watch CyberY Break the Kill Chain!

Game development, design and voiceover by Brandy Gordon, B.S.B.A., Master of Science, Graduate Student in Cybersecurity. Inspired by MITRE and Lockheed Martin’s Cyber Kill Chain framework.


Expanding on weaponization…

Weaponization is the stage in which the attacker, often using an automated tool, couples malware with an exploit for a discovered vulnerability to produce a deliverable payload. This is the most interesting stage because it is when the attacker cooks up the recipe that will be delivered. It is the job of the security engineer or penetration tester to think like the attacker in order to take preventative measures that preempt possible intrusions.

Making connections…

The kill chain sits within the cybersecurity framework laid out by NIST, which includes these five pillars: identify, protect, detect, respond and recover. The framework is intended to improve critical infrastructure cybersecurity (NIST, 2018). Activities conducted under this framework help break the kill chain. The kill chain enhances insight into an attack and contributes to the overall understanding of an adversary’s tactics, techniques and procedures (TTPs) (Lockheed Martin, 2023).

SIEM detection at the weaponization stage…

TTP-based threat detection is considered by some to be more robust than anomaly detection or even IOC sweeping (MITRE TTP-Based Hunting, 2019). Adversary TTPs are catalogued in MITRE ATT&CK™, which is used to feed SIEM rule sets. Combined with AI and machine learning, this helps the SIEM correlate log data with CTI and TTPs. Security teams supported by SIEM systems therefore benefit from better detection and a shorter time-to-response, making them proactive rather than reactive so they can break the kill chain!
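As an added example (not code from the original post or from MITRE or Lockheed Martin), the following sketch shows the idea of TTP-based SIEM rules in miniature: each rule maps a log pattern to an ATT&CK tactic and the kill chain stage it evidences, and a correlation step alerts when one host shows several stages inside a time window. The log format, rule names, hostnames and the 203.0.113.9 address are all constructed; note that weaponization itself happens on the attacker's side, so what a defender's logs actually show are the later stages (delivery, exploitation, command and control).

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real SIEM), one event per line:
# <ISO timestamp> <source> host=<host> <key=value ...>
SAMPLE_LOGS = """\
2024-05-01T09:00:05 mailgw host=ws-17 attachment=invoice.docm sender=ext@example.net
2024-05-01T09:02:41 edr host=ws-17 process=WINWORD.EXE child=powershell.exe cmdline=-enc
2024-05-01T09:03:10 proxy host=ws-17 method=POST url=http://203.0.113.9/gate.php bytes=512
2024-05-01T09:10:00 proxy host=ws-22 method=GET url=http://example.com/ bytes=2048
""".splitlines()

# Each rule: (name, regex over the raw line, ATT&CK tactic, kill chain stage it evidences).
RULES = [
    ("macro_attachment", r"mailgw .*attachment=\S+\.(docm|xlsm)",
     "Initial Access", "Delivery"),
    ("office_spawns_shell", r"edr .*process=(WINWORD|EXCEL)\.EXE child=(powershell|cmd)\.exe",
     "Execution", "Exploitation"),
    ("post_to_raw_ip", r"proxy .*method=POST url=https?://\d+\.\d+\.\d+\.\d+/",
     "Command and Control", "Command & Control"),
]

def parse(line):
    """Split a constructed log line into (timestamp, source, host, raw line)."""
    ts, source, rest = line.split(" ", 2)
    host = re.search(r"host=(\S+)", rest).group(1)
    return datetime.fromisoformat(ts), source, host, line

def match_rules(lines):
    """Tag every event with each rule it matches: (ts, host, rule, tactic, stage)."""
    hits = []
    for line in lines:
        ts, _, host, raw = parse(line)
        for name, pattern, tactic, stage in RULES:
            if re.search(pattern, raw):
                hits.append((ts, host, name, tactic, stage))
    return hits

def correlate(lines, window=timedelta(minutes=15), min_stages=2):
    """Per host, alert when distinct kill chain stages appear within `window` of the first hit.
    Returns {host: [stages in order seen]}; the first stage is where the chain could have been broken."""
    by_host = {}
    for hit in sorted(match_rules(lines)):
        by_host.setdefault(hit[1], []).append(hit)
    alerts = {}
    for host, hits in by_host.items():
        first_ts = hits[0][0]
        stages = [h[4] for h in hits if h[0] - first_ts <= window]
        unique = list(dict.fromkeys(stages))  # de-duplicate, keep order
        if len(unique) >= min_stages:
            alerts[host] = unique
    return alerts
```

Running `correlate(SAMPLE_LOGS)` flags only ws-17, listing Delivery, Exploitation and Command & Control; the benign GET from ws-22 matches no rule.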

The SIEM plus…

In conjunction with a centralized security hub, a robust security program should employ defense-in-depth activities that include a properly architected and configured network design, IPS, IDS, firewalls, MFA/IAM, email security controls, a WAF, and an organization-wide cyber awareness campaign.