Upload: brianne-paul

Post on 06-Feb-2016


Page 1: (PROOF) Project Cyber Kill Chain.docx

Cyber Kill Chain and Determined Human Adversaries

Table of Contents

Introduction
Principles of Intelligence-Driven Computer Network Defense
    The Observer, Minimalist, and Planner: Modern Adversaries
    Modeling the Base Types of Actions in a Computer Network Intrusion: Cyber Kill Chain
    Attributes of an Intrusion
Leveraging the Cyber Kill Chain
    Building Threat Sequences
    Visualizing Threats
    Classifying Threats
    Mounting a Defense
    Security Controls and Limits
Primary Libraries: Examples of Known Attack Patterns
Building and Improving Libraries: Analysis and Reconstruction
    Metrics of Resiliency
    Intrusion Reconstruction
    Campaign Analysis and TTP
Advanced Classification of DHA
Lexicon and a Pathway to Collaboration
Conclusion
Figures and Tables
Appendix A: Terms and Definitions
Appendix B: Attributes
    Common Attributes
    Extended Attributes
Appendix C
References

Introduction

Modern network intrusions are more likely to target individuals and to rely on social engineering or deception than on brute force. Defense against such attacks should focus on the adversary, not the tools. A sophisticated adversary, one who is good at the craft, will not reuse the same tool or exploit across a series of attacks, so attention is better directed toward the adversary's behavior and motive, seeking answers to questions like "What is the adversary doing?" or "What are they after?" With that knowledge in mind, one can begin to develop a robust defense that is proactive and gains strength from the adversary's persistence.

This paper highlights the principles of a network intrusion, describes the Cyber Kill Chain, and shows ways we can leverage the Cyber Kill Chain to classify intrusions and mount an appropriate defense.

Principles of Intelligence-Driven Computer Network Defense

The Observer, Minimalist, and Planner: Modern Adversaries

Determined Human Adversaries (DHA), also known as Advanced Persistent Threats (APT)1, are deliberate and focused. They are noteworthy for engaging in extended campaigns using advanced tools to bypass most conventional network defense mechanisms. Their goal: sensitive economic, proprietary, or national security information. Security analysts recognize that the conventional tools used to mitigate risk from viruses or worms are ineffective against intrusions by DHA. Therefore, countering DHA requires approaching defense from a different angle. By generating knowledge about DHA, we can create an intelligence feedback loop in which information superiority decreases the DHA's likelihood of success with each subsequent intrusion attempt.

Modeling the Base Types of Actions in a Computer Network Intrusion: Cyber Kill Chain

Before we can begin to ask "What is the adversary doing?" or "What are they after?" we must first identify the range of possible actions that DHA can take.

At the most basic level, a sophisticated network intrusion mirrors a military operation. Therefore, we can take models that have proven useful in military applications and apply them to computer network defense (CND). McRaven's Relative Superiority model (Figure 1) graphically models the probability of mission completion from the perspective of the attacker while also taking mission-critical objectives into account. A key aspect of the model is the Relative Superiority Line (RS Line): the probability of mission success increases sharply once certain principles hold true or specific mission objectives are met, for instance when the initial mission objectives were simplified and quickly executed, or when knowledge of the target was used in planning the attack.

1 See Appendix A for a list of terms and definitions.


Relative Superiority lends itself to progression-style modeling of operations such as the military "Kill Chain." The classic Kill Chain consists of four stages of an attack and the dependencies between them: (1) target identification, (2) force dispatch to the target, (3) decision and order to attack, and (4) destruction of the target. Though the Kill Chain was created primarily as a tool to plan better attacks, it has other uses as well. Using the Kill Chain from a defensive perspective, one can anticipate an adversary's actions in relation to the model and mount an appropriate defense. For CND, we take this approach a step further to create a Cyber Kill Chain.

While a Cyber Kill Chain can be described multiple ways, the version described in this paper borrows from Espenschied et al., which breaks down each phase of an attack as follows: (1) Reconnaissance, (2) Commencement, (3) Entry, (4) Foothold, (5) Lateral Movement, (6) Acquire Control, (7) Acquire Target, (8) Implement/Execute, (9) Conceal & Maintain, and (10) Withdraw. Each of these describes the "base types of action" a DHA may take during most computer network intrusions.

During Reconnaissance, DHA research, identify, and select targets and gain insight into the types of security technology in place. They search for vulnerabilities and gainful opportunities, often by combing through publicly available information on websites or in other publications, which makes detection at this phase very unlikely. Security analysts rely on thorough study of past intrusions to find evidence of DHA activity during this phase. For us, Reconnaissance is most useful as an attribute that distinguishes between adversaries of varying threat levels; later sections describe how.

Although Reconnaissance is an ongoing affair, there is a point at which DHA move from observation and knowledge gathering to deploying tools or taking action. This change is called Commencement (Weaponization in some contexts). Detection at this phase includes the discovery of intrusive scanning, active probing for vulnerabilities, phishing campaigns, or the conversion of benign data or documents retrieved during Reconnaissance into deliverable payloads for weapons such as a remote access Trojan.

DHA are considered to have gained Entry into a network once they have bypassed primary security barriers. This often coincides with the delivery of some weaponized payload (e-mail attachments, websites, and USB drives) and basic access to one or more non-critical internal environments.

Once DHA have gained access to a low-privilege system or local credentials (often by exploiting a system or application vulnerability, or sometimes the user, to execute malicious code) and are able to stay resident in the environment, they are considered to have gained a Foothold. Detection of Foothold events includes alerts of localized compromises of a system, compromise of employee credentials, uploading of tools, installation of remote access tools, and efforts to escalate privileges.


The ability to move beyond the Foothold indicates the DHA's Lateral Movement capability, which puts the immediate network and adjacent logical environments at risk. However, opportunities to detect the DHA at this phase also increase, for instance by spotting movement in network flow data. While Lateral Movement may be a significant step toward a DHA's goal, in McRaven's Relative Superiority model it does not yet correspond to reaching the RS Line. It is, in some respects, a "make or break" phase.

DHA Acquire Control of an environment when they gain privileged access to its assets and resources; in most cases this signals that the adversary has achieved Relative Superiority and the attack is more likely to succeed than to fail. Detection is still possible, but taking action against DHA with privileged access and control over an entire environment becomes difficult. Acquire Control is an escalated version of Entry (basic access to non-privileged systems). For some types of intrusions, Acquire Control often coincides with increased Lateral Movement.

DHA are said to have Acquired a Target when they can assess a target asset, neutralize point defenses, and consolidate control over the asset, resources, or capabilities. Acquire Target is an escalated version of Foothold (control of a non-privileged environment). Deactivation of key administrative controls, filtering and compression of data files for extraction, or compromise of the PKI system are several means of detecting that a DHA has control of a target.

At the Implement/Execute phase, we see the execution of attack code or the implementation of a process on an acquired target. DHA will move to extract or destroy data, consolidate and integrate control, and may sometimes communicate demands.

After gaining sufficient control of an environment and the contained systems, some DHA may choose to alter security logs and implement decoys—all in the effort to Conceal their presence and Maintain their activities. Corrupt or missing logs, loss of access, or strange system behavior are some indirect means of detection. In more severe cases, detection comes from errors in business processes or unplanned changes to finance balances.

A DHA who has completed the objectives and has voluntarily removed themselves from a system or network (not been removed by the defender) is said to have Withdrawn. This may be recognized by the removal of previously detected tools or by verified logs showing the conclusion of the attack. In some cases, external parties may provide evidence, perhaps even the intruders themselves stepping up to claim credit for the attack and announce its end. In severe cases, the destruction of all data on the affected systems heralds the Withdrawal of a DHA.

It is important to note that, while the phases of the Cyber Kill Chain are listed in progression, they do not necessarily occur in this order, nor must each phase be completed before moving on to the next. Variances in intrusions, the means used to detect each intrusion, and other attributes are crucial in identifying the DHA and learning what they are after.

For example, adversaries who spend extended periods of time engaging in Lateral Movement with little progress suggest a lack of capability, poor reconnaissance, or bad choice in targeting. On the other hand, DHA who spend the majority of a campaign in Reconnaissance only to escalate all the way up the Cyber Kill Chain in a fraction of the time suggest detailed planning toward specific objectives.

Attributes of an Intrusion

The ability to associate events allows us to expand upon the Cyber Kill Chain model and produce a clearer picture of each attack. Building these pictures depends on attributes, which are the least common denominator in describing base types of action and allow us to connect, group, and correlate activities that might otherwise appear unrelated. Attributes can be the time of first detection, the duration of the event, identifiers, the source of alerts or detection, targeting, indicators of compromise, and the base types of action themselves.

Attributes, also known in the security community as indicators or markers, come in two types: Common (soft markers) and Extended (hard markers) Attributes2. Hard markers cannot be broken down into smaller parts; they include IP addresses, e-mail addresses, and vulnerability identifiers. Soft markers are expressions of human behavior: pieces of information inferred from how a DHA transitions between actions, often reflected in evidence of repetition, parallelism, persistence, and number. Soft markers are of particular importance in differentiating serious threats from a cluster of background noise. Together, soft and hard markers allow us to piece together attack patterns and use evidence to match or differentiate between groups of DHA.

Leveraging the Cyber Kill Chain

Building Threat Sequences

In dealing with modern attacks, we must be able to detect and respond to changes in the behavior of authorized users. The goal therefore is to create a tagging system that characterizes patterns for analysis against past and present actions. With enough data, we can use sequences of activity to identify and come to recognize intrusions and campaigns from specific DHA. Once a DHA is known, present actions can be linked to prior sequences to answer "What are they after?" In other words, find ways to quickly classify a military "maneuver" in order to develop a defense for that kind of attack.

2 See Appendix B for a more detailed list of Common and Extended Attributes.


The true strength of the Cyber Kill Chain is its role in helping us identify those attack patterns. By collecting a history of intrusions and matching actions along with other common and extended attributes, we can begin to correlate and match attacks to a specific maneuver and perhaps to specific DHA.

Visualizing Threats

By combining common attributes such as time and detection alerts with the Cyber Kill Chain, we can create a visual tool to categorize attacks.

An attack pattern made using the Cyber Kill Chain model offers a simple yet effective way of visualizing and recognizing a type of attack (Figure 2). With the phases of the Cyber Kill Chain on the y-axis (along with other key attributes) and time on the x-axis, one can compare different intrusions by the amount of time spent in each phase of the kill chain. For example, a history of attack patterns shows that typical thieves or vandals spend more time moving laterally within the network in search of a way to cash out. On the other hand, nation-state actors or industrial spies dedicate a longer period to reconnaissance and preparation before moving directly toward the high-value information.

Of course, data is rarely ever presented as clearly as shown in Figure 2. Instead, one is more likely to collect and record many frivolous alerts from regular users simply trying out something new, or alerts from a spike in activity from vandals who pose a problem but may distract a defender from a far more malicious threat. To make matters even more complicated, DHA may have teams of people working jointly toward a unified goal. To assist in interpreting this data, one should recognize that the cessation of specific activities is just as informative as when they begin.

Consider Figure 3. Here we see three separate actors ending Reconnaissance around the same time. This pattern continues up the Cyber Kill Chain to resemble the attack pattern shown in Figure 2. This pattern of activity that would have otherwise gone unnoticed was isolated by taking note of the stops in parallel. Whereas a novice may have drawn attention to the cluster of activity in the lower-right portion of the figure (very typical of a network experiencing denial-of-service attacks from Anonymous, for instance), the experienced network defender would have leveraged large-scale automation to help correlate these sequence fragments and sought out recognizable attack curves from known patterns.

By introducing aspects of the 5-stage Capability Maturity Model (CMM) to our existing attack patterns, we can also include a means to quickly visualize the condition of the environment targeted by DHA (see Figure 4). The CMM is a sort of gauge for classifying the maturity of the processes or systems in place and how well they can produce the desired outcomes. These range from Optimized to Chaotic. In business terms, a company that is about to launch new software internally for its employees and has provided no training could be said to launch in a state of chaos. The software is unlikely to perform to standard if its users are not capable of using it.

In the context of CND, adding the CMM allows us to gauge the state of the targeted environment and how well network defenses will perform. The maturity levels for network defenses are: Predictive, Preventive, Mitigating, Tactical, and Chaotic. The ideal state is Predictive, where the processes are fully mature and the focus is on finding avenues for improvement. DHA who are limited to the Cyber Kill Chain stages Reconnaissance and Commencement are still acting in a network environment that is performing as predicted and as designed. However, as they move past network defenses and gain further control of the targeted environment, the processes in place will begin to fail. A barometer for the RS Line in CND could be moving past Lateral Movement. Similarly, network defenses and processes that continue to function and manage to contain DHA to Lateral Movement are performing at a CMM-like Mitigating level. On the other hand, DHA that have moved up the Kill Chain to acquire their target and execute their attack code to the point where they are able to remain concealed indicate a total loss of control by the administrators of the targeted environment, reducing operating maturity to Chaotic.

In general, the further up the Cyber Kill Chain DHA are able to move, the less predictive our environment (and the processes in place) will become.
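The tagging and correlation described in the Attributes, Building Threat Sequences and Visualizing Threats sections, together with the maturity mapping above, as an added Python example; it is not code from the original paper. The event records, actor labels, IP addresses, e-mail address and the six-hour cessation window are constructed sample data. The paper pins Reconnaissance/Commencement to Predictive, containment at Lateral Movement to Mitigating and execution-plus-concealment to Chaotic; the Preventive and Tactical rows of the mapping are an assumption filling in the phases the text does not name.

```python
"""Tag alerts with their Cyber Kill Chain phase and attributes, build per-actor
threat sequences, spot parallel cessation (the Figure 3 pattern), and map how far
each actor got onto the CMM-style maturity scale.

Added illustration for this paper. The events, actor labels, hard markers and the
6-hour window are constructed sample data, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Base types of action in kill chain order (the ten phases used in this paper).
PHASES = ["Reconnaissance", "Commencement", "Entry", "Foothold", "Lateral Movement",
          "Acquire Control", "Acquire Target", "Implement/Execute",
          "Conceal & Maintain", "Withdraw"]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}

# Maturity of the defended environment given the furthest phase an actor reached.
# Recon/Commencement = Predictive, contained at Lateral Movement = Mitigating and
# Implement/Execute plus Conceal = Chaotic follow the text; the Preventive and
# Tactical rows in between are an assumed interpolation.
MATURITY_BY_PHASE = {"Reconnaissance": "Predictive", "Commencement": "Predictive",
                     "Entry": "Preventive", "Foothold": "Preventive",
                     "Lateral Movement": "Mitigating",
                     "Acquire Control": "Tactical", "Acquire Target": "Tactical",
                     "Implement/Execute": "Chaotic", "Conceal & Maintain": "Chaotic",
                     "Withdraw": "Chaotic"}


@dataclass(frozen=True)
class Event:
    actor: str             # analyst-assigned cluster label
    phase: str             # base type of action (one of PHASES)
    start: datetime        # time of first detection (common attribute)
    end: datetime          # last time the activity was observed
    source: str            # control that raised the alert
    hard_markers: tuple    # extended attributes: IPs, e-mail addresses, vuln ids


def phase_durations(events):
    """Per actor, hours spent in each phase: the data behind a Figure 2 attack curve."""
    out = defaultdict(dict)
    for e in events:
        hours = (e.end - e.start).total_seconds() / 3600
        out[e.actor][e.phase] = out[e.actor].get(e.phase, 0.0) + hours
    return dict(out)


def furthest_phase(events, actor):
    """Highest kill chain phase in which the actor was observed."""
    return max((e.phase for e in events if e.actor == actor), key=lambda p: PHASE_INDEX[p])


def maturity(events, actor):
    """CMM-style state of the environment implied by how far the actor got."""
    return MATURITY_BY_PHASE[furthest_phase(events, actor)]


def parallel_cessations(events, phase, window=timedelta(hours=6), min_actors=3):
    """Groups of distinct actors whose activity in `phase` stopped within `window` of
    each other. Stops in parallel are the soft marker that separate-looking clusters
    are one team working toward a unified goal."""
    ends = sorted((e.end, e.actor) for e in events if e.phase == phase)
    groups, i = [], 0
    while i < len(ends):
        j, actors = i, set()
        while j < len(ends) and ends[j][0] - ends[i][0] <= window:
            actors.add(ends[j][1])
            j += 1
        if len(actors) >= min_actors:
            groups.append((ends[i][0], sorted(actors)))
            i = j
        else:
            i += 1
    return groups


def shared_hard_markers(events):
    """Hard markers seen under more than one actor label: evidence the clusters belong
    to the same DHA and should be merged."""
    seen = defaultdict(set)
    for e in events:
        for m in e.hard_markers:
            seen[m].add(e.actor)
    return {m: sorted(a) for m, a in seen.items() if len(a) > 1}


# Constructed sample: three clusters that stop Reconnaissance within two hours of
# each other and then move up the chain, plus a vandal stuck in Lateral Movement.
T0 = datetime(2015, 5, 1)
def H(hours): return T0 + timedelta(hours=hours)

SAMPLE_EVENTS = [
    Event("cluster-A", "Reconnaissance", H(0), H(120), "web-logs", ("198.51.100.7",)),
    Event("cluster-B", "Reconnaissance", H(10), H(121), "web-logs", ("198.51.100.8",)),
    Event("cluster-C", "Reconnaissance", H(24), H(122), "dns-logs", ("198.51.100.9",)),
    Event("cluster-A", "Commencement", H(122), H(124), "mail-gw", ("lure@example.net",)),
    Event("cluster-B", "Entry", H(124), H(126), "proxy", ("198.51.100.8",)),
    Event("cluster-B", "Foothold", H(126), H(130), "edr", ("lure@example.net",)),
    Event("vandal-1", "Entry", H(100), H(101), "proxy", ("203.0.113.5",)),
    Event("vandal-1", "Lateral Movement", H(101), H(160), "netflow", ("203.0.113.5",)),
]

if __name__ == "__main__":
    print(parallel_cessations(SAMPLE_EVENTS, "Reconnaissance"))
    print(shared_hard_markers(SAMPLE_EVENTS))
    for actor in ("cluster-A", "cluster-B", "vandal-1"):
        print(actor, furthest_phase(SAMPLE_EVENTS, actor), maturity(SAMPLE_EVENTS, actor))
```

On the sample, the three clusters are flagged as one group because their Reconnaissance stops fall within the window, the shared lure address ties cluster-A and cluster-B together through a hard marker, and the vandal's 59 hours of Lateral Movement against 120 hours of reconnaissance for cluster-A is the thief-versus-spy contrast of Figure 2 in numbers.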

Classifying Threats

In Threat Genomics, the authors state: "Two actors attempting the same attack, even with similar tools, goals, and timeframe, may still differ in their approach due to cultural and organizational differences between the two." Recognizing this concept encourages us to focus on and recognize the types of traits and behavior—and therefore the kinds of attacks—which serious adversaries display.

For example, in one situation we may encounter a DHA that prefers extended reconnaissance followed by rapid intrusion and concealment phases in order to avoid detection. On the other hand, another DHA may dedicate more time to the intrusion, either perceiving it as minimal risk or perhaps even desiring detection and attribution. What causes these differences in observable behavior? The authors of Threat Genomics suggest: "These variations in observable expression may have a cultural basis, an organizational basis, or a combination of the two."

Turning back to McRaven: there are six observable principles present in all significant and successful operations: simplicity, security, repetition, surprise, speed, and purpose. These six principles are traits that most successful military attacks possess (those that reached Relative Superiority quickly and succeeded). Similarly, during a successful cyber intrusion, patterns of actions and transitions between types of action will be observed. When mounting a defense against a DHA, we want to identify the types of action that separate them from less sophisticated cyber intruders, which would allow for more robust defenses.

Mounting a Defense

Once we have acquired knowledge of the adversary, appropriate courses of action can be applied by aligning defenses to each phase of the intrusion. The U.S. Department of Defense (DOD) information operations doctrine serves as a solid foundation for building a matrix of possible courses of action. The doctrine lists six possible actions: detect, deny, disrupt, degrade, deceive, and destroy.

The purpose of a Courses of Action Matrix (Table 1) is twofold: First, it can be used as a barometer to quickly assess what sort of defenses are in place in the network prior to intrusion; second, it can serve as a guide during post-intrusion analysis to gauge where additional resources should be directed to counter a similar attack in the future.

A more complete table represents network defense resiliency, our primary goal when faced with DHA. However, even with the best defenses, a zero-day exploit cannot be stopped by controls that depend on prior knowledge of it: by definition, no signature or patch for it exists yet. Creating a robust defense structure that includes DHA analysis, the Cyber Kill Chain, and threat sequences reflects the recognition that a zero-day exploit is just one breakthrough in the overall attack process. DHA are likely to reuse known tools or infrastructure in other phases, allowing established defenses to render the major improvement in the attack arsenal useless.

By implementing defenses across the board of actions (Detect, Deny, etc.) and down each phase of the kill chain, we can achieve a defensive strategy that leverages redundancy to force DHA to pursue more comprehensive alterations toward their objectives. The end result is an effective deterrent that increases the DHA cost per intrusion.

Security Controls and Limits

"A more detailed scenario evaluation might take into account discrete actions, common sequences of actions, parallel actions, parallel cessation of actions, persistence beyond successful acquisition of a target, or relative speed. These details can give data about the nature or strength of an adversary's attack action relative to the detective and preventive controls that protect the target asset or environment. Technical or operational limitations may make detection of one specific event type impractical or infeasible, so it is particularly interesting that this approach allows us to look at an event over time or events that usually occur in a predictable sequence over time, and use that information to do things such as combine detection tools or conditionally lower a particular alert threshold.

Matching attack actions to available controls depends on having good quantitative data (often suspect or hard to obtain), or solid criteria for qualitative categorization and evaluation. The task, then, is to generalize enough to handle entire classes of attacks, while maintaining precision to effectively prevent, detect, and respond to attacks."

"On the other side of the analytical valley is a milestone beyond which practical security assessment questions can be asked about the correlation of current risk and controls, security control improvement, and forward-looking anticipation and estimation of risk."

"Even when all suitable and practical controls are in place, there are limitations and caveats to the effectiveness of those controls. Grindingly tight security tends to inhibit normal business processes, which means a reasonable organization always has a window of residual risk."

Primary Libraries: Examples of Known Attack Patterns

Ideally, we want to have access to a library of all known computer network intrusions. Such a repository of knowledge would help us complete a Courses of Action matrix several times over and deal with threats from newly detected DHA despite zero-day exploits.

<Insert examples>

Building and Improving Libraries: Analysis and Reconstruction

Metrics of Resiliency

As attack patterns have shown, visual representation of data can expedite analysis and convey large amounts of information in very little time. Having a means to quickly assess the success or failure of existing network defenses for each intrusion type allows us to see where we stand in relation to DHA. Metrics of resiliency (see Table 2) are a means of measuring the performance and effectiveness of defensive actions over time against DHA.

Table 2 (using a less detailed version of the Cyber Kill Chain) illustrates the outcome of three separate intrusions, one each in December, March, and June. A white diamond represents passive detection of an intrusion, a black diamond shows that relevant mitigations were in place, and an empty cell means no capability was available. Gray arrows show where analysts used information acquired from the intrusion to update their defenses.


"For each phase of the kill chain, a white diamond indicates relevant, but passive, detections were in place at the time of that month’s intrusion attempt, a black diamond indicates relevant mitigations were in place, and an empty cell indicates no relevant capabilities were available. After each intrusion, analysts leverage newly revealed indicators to update their defenses, as shown by the gray arrows."

"The illustration shows, foremost, that at least one mitigation was in place for all three intrusion attempts, thus mitigations were successful. However, it also clearly shows significant differences in each month. In December, defenders detect the weaponization and block the delivery but uncover a brand new, unmitigated, zero-day exploit in the process. In March, the adversary reuses the same exploit, but evolves the weaponization technique and delivery infrastructure, circumventing detection and rendering those defensive systems ineffective. By June, the defenders updated their capabilities sufficiently to have detections and mitigations layered from weaponization to C2. By framing metrics in the context of the kill chain, defenders had the proper perspective of the relative effect of their defenses against the intrusion attempts and where there were gaps to prioritize remediation."

Intrusion Reconstruction

"Kill chain analysis is a guide for analysts to understand what information is… available for defensive courses of action."

Most detected intrusions reveal only a limited set of attributes about a single phase (e.g., detecting the intrusion at Command and Control, or C2, which corresponds to the Acquire Control and Acquire Target phases in this paper; see Figure 5). Since the goal in CND is to populate the Courses of Action matrix with the maximum number of options, our aim is to gain as much knowledge as possible about an intrusion during each phase of the kill chain.

Let's break down a scenario in which an intrusion was detected during Acquire Control/Acquire Target. Because the DHA wasn't detected until that phase, we can assume that movement past the barriers between prior phases was successful. Therefore, analyzing all available data may give insight into where the defenses failed. By reproducing how the intrusion was able to bypass the delivery phase, for instance, we can set up appropriate courses of action to mitigate future attacks.

The goal should always be to move our detection and analysis down the kill chain (toward Reconnaissance; see Figure 6) and implement courses of actions to force the adversary away from Relative Superiority (e.g., if the attacker is able to acquire control by means of a zero-day attack, their chances of successfully completing their mission rises exponentially). 
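A Courses of Action matrix as introduced under Mounting a Defense, the resiliency row each intrusion produces as in Table 2, and the reconstruction step from this section, as an added Python example; it is not code from the original paper. The control names, the indicators (lure-doc-v1, lure-doc-v2, exploit-X and the documentation-range IP addresses) and the three intrusions are constructed to follow the December/March/June narrative; they are not the paper's table, and the "vendor patch" for exploit-X is an assumption.

```python
"""Courses of Action matrix (six DOD actions x kill chain phases), the resiliency
row each intrusion produces, and the reconstruction step that finds phases the
defenses would not have covered.

Added illustration for this paper. Control names, indicators (lure-doc-v1,
exploit-X, documentation IP ranges) and the three intrusions are constructed; they
are not an organization's control inventory and not the source's Table 2."""
from dataclasses import dataclass, field
from typing import Optional

PHASES = ["Reconnaissance", "Commencement", "Entry", "Foothold", "Lateral Movement",
          "Acquire Control", "Acquire Target", "Implement/Execute",
          "Conceal & Maintain", "Withdraw"]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}
ACTIONS = ("detect", "deny", "disrupt", "degrade", "deceive", "destroy")


@dataclass(frozen=True)
class Control:
    phase: str
    action: str                      # one of ACTIONS; "detect" is passive, the rest mitigate
    name: str
    indicator: Optional[str] = None  # None: fires whatever indicator the adversary uses


@dataclass
class CoaMatrix:
    controls: list = field(default_factory=list)

    def add(self, phase, action, name, indicator=None):
        if phase not in PHASE_INDEX or action not in ACTIONS:
            raise ValueError(f"unknown cell {phase}/{action}")
        self.controls.append(Control(phase, action, name, indicator))

    def applicable(self, phase, indicator):
        """Controls in this phase that would fire on what the adversary actually used."""
        return [c for c in self.controls
                if c.phase == phase and c.indicator in (None, indicator)]

    def cell(self, phase, action):
        return sorted(c.name for c in self.controls if c.phase == phase and c.action == action)


def evaluate(matrix, intrusion):
    """intrusion: list of (phase, indicator) observations. Walks the chain in order and
    returns the Table 2 row: 'mitigated' (black), 'detected' (white) or 'none' per phase,
    the phase at which a mitigation stopped the adversary, and the gaps before it."""
    row, stopped_at = {}, None
    for phase, ind in sorted(intrusion, key=lambda o: PHASE_INDEX[o[0]]):
        hits = matrix.applicable(phase, ind)
        if any(c.action != "detect" for c in hits):
            row[phase] = "mitigated"
            stopped_at = phase
            break
        row[phase] = "detected" if hits else "none"
    return {"stopped_at": stopped_at, "row": row,
            "gaps": [p for p, s in row.items() if s == "none"]}


def reconstruct_gaps(matrix, intrusion):
    """Intrusion reconstruction: look past the phase where the attack was stopped (for
    example by analysing a blocked payload) and list every observed phase for which no
    control would have applied. These are the cells to fill before the adversary evolves."""
    return [p for p, ind in sorted(intrusion, key=lambda o: PHASE_INDEX[o[0]])
            if not matrix.applicable(p, ind)]


def phases_covered(matrix):
    return sorted({c.phase for c in matrix.controls}, key=lambda p: PHASE_INDEX[p])


def run_year():
    """Three intrusions by one DHA; the defenders update the matrix after each."""
    m = CoaMatrix()
    m.add("Commencement", "detect", "mail-attachment-signature", "lure-doc-v1")
    m.add("Entry", "deny", "proxy-blocklist", "198.51.100.7")

    december = [("Commencement", "lure-doc-v1"), ("Entry", "198.51.100.7"),
                ("Foothold", "exploit-X")]
    dec = evaluate(m, december)                      # blocked at delivery
    dec_gaps = reconstruct_gaps(m, december)         # payload analysis reveals exploit-X
    m.add("Foothold", "deny", "patch-for-exploit-X", "exploit-X")   # assumed vendor fix

    # March: same exploit, new lure and new delivery infrastructure.
    march = [("Commencement", "lure-doc-v2"), ("Entry", "203.0.113.9"),
             ("Foothold", "exploit-X")]
    mar = evaluate(m, march)                         # early defenses evaded, patch holds
    m.add("Commencement", "detect", "mail-attachment-signature", "lure-doc-v2")
    m.add("Entry", "deny", "proxy-blocklist", "203.0.113.9")
    m.add("Lateral Movement", "detect", "netflow-anomaly")          # indicator-agnostic

    # June: the adversary reuses the March tooling and now meets layered defenses.
    june = march + [("Lateral Movement", "admin-share")]
    jun = evaluate(m, june)
    return {"December": dec, "December_reconstruction": dec_gaps,
            "March": mar, "June": jun, "matrix": m}


if __name__ == "__main__":
    results = run_year()
    for month in ("December", "March", "June"):
        print(month, results[month])
    print("covered:", phases_covered(results["matrix"]))
```

The indicator on each control is what makes the March row honest: a signature keyed to the old lure and a blocklist entry for the old delivery address do nothing against new ones, so those cells show as gaps even though the matrix "has" controls there, while the patch keyed to the reused exploit holds. Indicator-agnostic controls (indicator None) are the ones that survive an adversary's tooling change.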


Campaign Analysis and TTP

Long-term strategy plays a significant role in defense. The sort of tunnel vision that occurs when analyzing that one attack that managed to bypass the most barriers carries a significant risk. We may, for example, ignore the bigger picture—the event that allowed that particular intrusion to succeed in the first place. Analyzing multiple intrusion kill chains over time will allow us to identify commonalities and overlapping attributes that indicate a campaign.

Being able to link key attributes across multiple intrusions allows us to determine the patterns and behaviors of the intruders, their tactics, techniques, and procedures (TTP), and so to detect how they operate rather than focusing only on what they do. By doing so, we can evaluate their capabilities, doctrine, objectives, and perhaps some of their limitations. This knowledge plays a significant role in anticipating how a specific DHA will respond to new barriers. Remember, a DHA's new tools or technologies are wasted if the DHA continues to rely, in other phases, on legacy tools and infrastructure that we already know and can use to stop their movement through the network.

Finally, campaign analysis is a means to peer into the mind of the DHA and surmise their intent. It is possible to run in circles trying to deduce what an opponent is thinking; instead, our goal is to pinpoint the technologies or individuals that interest the intruders in an attempt to understand their mission objectives. To this end, DHA persistence is our strongest weapon. By studying new intrusions we will be able either to link attack patterns to existing campaigns or to identify a new set of behaviors. This also necessitates careful study of those intrusions to identify targeting patterns, as well as examining any data they managed to exfiltrate.

In the end, this analysis leads to a better understanding of our vulnerabilities (those technologies or individuals that are being targeted) and where to prioritize our security measures.

Advanced Classification of DHA

Introducing cultural and organizational dimensions to our analysis takes DHA classification further into an area of ongoing research.

For cultural dimensions (much of the data was synthesized by former IBM researcher Geert Hofstede), the idea is that "people consistently behave in certain ways when making decisions or evaluating situations…measurable in ways that show consistency within cultures and dissimilarity between them." Therefore, cultural dimensions could give us additional metrics by which to associate groups of DHA.

Cultural dimensions are essentially a new layer of questions to ask beyond our aforementioned “what is an adversary doing?” and “what are they after?” New questions include “Do parallel adversaries take the same actions? Are they using the same playbook?” (the Power Distance Index) and “Is there a direct reaction to being blocked or removed from a system? Are there markers for ownership or entitlement?” (the Aggression/Masculinity index).3

In responding to these questions, we classify each on a scale of one to five—from distinctive absence to overwhelming presence (i.e., absence or presence of Aggression). Of course, ratings are relative to historical data, so accuracy will improve with time.

Examples:

• “Site defacement is often an impulsive act attackers perform to assert their dominance over a network—until the defacement is taken down. It conforms to the base type Implement/Execute and indicates that the attacker has low Long-Term Orientation and a tendency toward Indulgence over Restraint.”

• “Some cultures are more aggressive (high-MAS) than others. When detected and thrown off the network by an administrator, some attackers may simply leave, while others may attempt to retaliate.”

Organizational dimensions could be called an evolved version of cultural dimensions and the pinnacle of current research in DHA classification. The metrics are similar, but the focus is on specificity and on being able to distinguish between the cultures of multiple organizations. These include means vs. goals, internally or externally driven, easygoing vs. strict work discipline, local vs. professional, open system vs. closed, and employee focus vs. work focus. While cultural dimensions had a large dataset to support some of their broad generalizations (data showing how Americans differ from Russians, for instance), such a dataset has not yet been published for organizational dimensions. However, we can still use this early research as a basis for seeking answers to simple questions like “are adversaries free actors?” and “are they corporate or military?”

By using these additional metrics in DHA classification, we can begin to construct a rich history of data—much like our attack pattern libraries—to fully leverage additional organizational and cultural dimensions research as it is published.
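As an added illustration (not code from the paper or its authors), the following Python records the behavioral markers an analyst might note for a campaign, maps them onto the six dimensions listed in Appendix C, and rates each dimension on the one-to-five scale relative to a constructed history of earlier campaigns. The marker labels, their weights, and the quintile-based rating rule are assumptions: the paper only says ratings are relative to historical data and does not specify the arithmetic.

```python
"""Rating a DHA campaign on the six cultural dimensions (added example).

The paper rates each dimension 1..5 relative to historical data but does
not specify the arithmetic. Here the rating is the quintile of the
campaign's raw evidence score among prior campaigns (an assumption).
"""
from bisect import bisect_right

DIMENSIONS = ("PDI", "UAI", "IDV", "MAS", "LTO", "IVR")

# Hypothetical behavioural markers an analyst might record, mapped to the
# dimension(s) they are evidence for. Positive weight = evidence for the
# high end of the dimension, negative = evidence for the low end.
MARKERS = {
    "same_playbook_across_teams": [("PDI", +1)],
    "retry_failed_exploit":       [("UAI", +1)],
    "adapted_after_failure":      [("UAI", -1)],
    "custom_tooling":             [("IDV", +1)],
    "public_tooling_only":        [("IDV", -1)],
    "retaliation_after_block":    [("MAS", +1)],
    "ownership_marker":           [("MAS", +1)],
    "left_quietly":               [("MAS", -1)],
    "maintained_persistence":     [("LTO", +1)],
    # defacement is impulsive: low long-term orientation, high indulgence
    "defacement":                 [("LTO", -1), ("IVR", +1)],
    "announced_success":          [("IVR", +1)],
}


def raw_scores(markers):
    """Sum marker weights per dimension for one campaign."""
    scores = dict.fromkeys(DIMENSIONS, 0)
    for marker in markers:
        for dim, weight in MARKERS[marker]:
            scores[dim] += weight
    return scores


def rate(value, history_values):
    """Map a raw score to 1..5 by its quintile among historical raw scores.

    1 = distinctive absence (below everything seen before),
    5 = overwhelming presence (at or above everything seen before)."""
    ranked = sorted(history_values)
    at_or_below = bisect_right(ranked, value)
    n = len(ranked)
    quintile = (at_or_below * 5 + n - 1) // n   # integer ceil(5 * at_or_below / n)
    return max(1, min(5, quintile))


def rate_campaign(markers, history):
    """Rate one campaign's markers against a list of prior campaigns' marker lists."""
    raw = raw_scores(markers)
    past = [raw_scores(m) for m in history]
    return {dim: rate(raw[dim], [p[dim] for p in past]) for dim in DIMENSIONS}


# Constructed history of five earlier campaigns (sample data, not real cases).
HISTORY = [
    ["public_tooling_only", "left_quietly", "defacement"],
    ["same_playbook_across_teams", "custom_tooling", "maintained_persistence"],
    ["retry_failed_exploit", "retaliation_after_block", "ownership_marker"],
    ["adapted_after_failure", "custom_tooling", "maintained_persistence",
     "same_playbook_across_teams"],
    ["defacement", "announced_success", "retry_failed_exploit"],
]

# The paper's site-defacement scenario expressed as markers (constructed).
DEFACEMENT_CAMPAIGN = ["defacement", "announced_success",
                       "retaliation_after_block", "public_tooling_only"]

if __name__ == "__main__":
    for dim, score in rate_campaign(DEFACEMENT_CAMPAIGN, HISTORY).items():
        print(f"{dim}: {score}")
```

Against this constructed history the defacement campaign rates low on LTO and high on IVR and MAS, which is the qualitative reading the paper's examples give; the point of anchoring the scale to history is that the same raw evidence would rate differently once more campaigns are on record, so ratings should be recomputed as the library grows.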

Lexicon and a Pathway to Collaboration

An extensive library of combat engagements exists in the military world as historical archives, in part because military maneuvers are relatively simple to express in common language. Computer network intrusions can be difficult to express in words and, as shown in this paper, there are many terms for the same kinds of information. The purpose of this section is to provide a brief overview of common terms, to make suggestions toward a common lexicon, and to offer directions for leveraging collaboration to build larger libraries and databases.

3 See Appendix C for a complete list of all six Cultural Dimensions.

Every organization with a computer network should aim to build, at the very least, a simple analytical library of possible events based on the specific kinds of controls present in the environment. A common path to this analytical library is as follows: (1) find or build a collection of relevant intrusions, (2) assess and evaluate what controls are present in the environment to counter such ‘possible’ intrusions, and (3) evaluate the common attributes available in each type of alert, to improve or enable the process of correlating activities.

For step 1, recognize that the initial library of intrusions should be relevant to the organization. Relevance can be based on assets at risk, business type, size, financial attributes, supply chain, or any other factors that constitute risk to the organization. A non-profit organization may be concerned with safeguarding donor information and seek examples of intrusions leading to identity theft, whereas a bank may choose to include well-documented network intrusions into credit card processors. A larger organization such as a regional energy utility would be concerned with both credit card processing (payment systems) and nation-state attacks relevant to operating critical infrastructure (hydropower, flood control, nuclear power systems).

After evaluating the controls present in the environment (step 2), one can evaluate the available attributes (step 3). Appendix B features a list of common and extended attributes that may be present at a particular organization.
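To make steps 1 and 2 concrete, here is an added Python example (not the paper's own code or tooling) that holds a small constructed intrusion library, records the controls present as entries in a Courses of Action matrix in the style of Hutchins et al. (reference 2), and then walks each library intrusion through the matrix in the war-game fashion the Conclusion describes. The kill chain phase names are those of Hutchins et al.; the intrusions, technique labels, control names, and the rule that only Deny, Disrupt and Destroy end an intrusion are assumptions made for the example.

```python
"""Analytical library and Courses of Action gap analysis (added example).

Step 1 of the paper's path is a library of relevant intrusions, step 2 an
inventory of the controls present. Hutchins et al. (reference 2) arrange
controls by kill chain phase and course of action; this script walks each
library intrusion through that matrix to find where it would first be
detected, where it would be stopped, and which phases have no control.
"""
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
# Courses of action that end the intrusion at that phase (assumption:
# Detect, Degrade and Deceive alone let the adversary continue).
STOPPING = {"Deny", "Disrupt", "Destroy"}

# Step 1: constructed intrusion library. Each intrusion is an ordered list
# of (phase, technique label); labels are illustrative, not a taxonomy.
LIBRARY = {
    "phished-credential-theft": [
        ("Reconnaissance", "address harvesting"),
        ("Weaponization", "document with exploit"),
        ("Delivery", "email attachment"),
        ("Exploitation", "document reader exploit"),
        ("Installation", "dropper"),
        ("Command and Control", "https beacon"),
        ("Actions on Objectives", "credential dump"),
    ],
    "web-defacement": [
        ("Reconnaissance", "web scan"),
        ("Delivery", "web upload"),
        ("Exploitation", "upload flaw"),
        ("Actions on Objectives", "defacement"),
    ],
    "payment-card-skimming": [
        ("Delivery", "remote admin login"),
        ("Installation", "memory scraper"),
        ("Command and Control", "outbound ftp"),
        ("Actions on Objectives", "card data exfiltration"),
    ],
}

# Step 2: controls present, as Courses of Action matrix entries:
# (phase, course of action, control name, technique labels it applies to;
#  None means the control applies to any technique in that phase).
CONTROLS = [
    ("Delivery", "Detect", "mail gateway sandbox", {"email attachment"}),
    ("Delivery", "Deny", "attachment filtering", {"email attachment"}),
    ("Exploitation", "Detect", "host intrusion detection", None),
    ("Command and Control", "Detect", "proxy beaconing analytics", {"https beacon"}),
    ("Command and Control", "Deny", "egress allow-list", None),
    ("Actions on Objectives", "Detect", "data loss prevention", None),
]


def applicable(controls, phase, technique):
    """Controls in the matrix that cover this phase and technique."""
    return [c for c in controls
            if c[0] == phase and (c[3] is None or technique in c[3])]


def wargame(steps, controls):
    """Walk one intrusion through the kill chain in order.

    Returns (first_detected_phase, stopped_at_phase); None means never."""
    first_detect = None
    for phase, technique in steps:
        hits = applicable(controls, phase, technique)
        if first_detect is None and any(c[1] == "Detect" for c in hits):
            first_detect = phase
        if any(c[1] in STOPPING for c in hits):
            return first_detect, phase
    return first_detect, None


def assess(library, controls):
    """War-game every intrusion in the library against the controls present."""
    return {name: wargame(steps, controls) for name, steps in library.items()}


def uncovered_phases(library, controls):
    """Phases the library's intrusions use that no control addresses at all."""
    used = {phase for steps in library.values() for phase, _ in steps}
    covered = {c[0] for c in controls}
    return [p for p in PHASES if p in used and p not in covered]


if __name__ == "__main__":
    for name, (detected, stopped) in assess(LIBRARY, CONTROLS).items():
        print(f"{name}: first detected at {detected}, stopped at {stopped}")
    print("phases with no control:", uncovered_phases(LIBRARY, CONTROLS))
```

Two of the results are the kind of weakness the exercise is meant to surface: the defacement scenario is detected at Exploitation but never stopped, and the card-skimming scenario is stopped by the egress allow-list without ever being detected, so the organization would learn nothing about that adversary. Phases with no control at all are the obvious places where added resources would help.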

In many cases, collaboration will be hampered by the need to keep libraries out of the hands of potential DHA (in such a case, what we know about them can be turned against us). Collaboration can still take the form of sharing more benign data, such as attack patterns of industry-wide attacks where the overall behavior and tools used are the same across the board but where small differences in attributes like time detected may be informative (“how were they able to detect the intrusion before us?”). In the end, it is up to the discretion of each organization how much it is willing to share. Remember, though, that stifling controls can be just as counterproductive as an intrusion.

Conclusion

Determined Human Adversaries (DHA) and Advanced Persistent Threats (APT) leverage an array of tools and strategies and represent the modern threat to organizations, governments, and businesses. Creating a defense against such intrusions relies on combining past knowledge (military doctrines) to build a framework that applies to computer networks.

Below is a summary of key lessons.

First, build upon existing knowledge. Creating a whole new model to describe network intrusions is certainly more romantic, but no one has been given a reward for recreating the wheel. By building upon military frameworks, the researchers featured here were able to construct new applications atop a strong and tested foundation.

Second, qualitative metrics are a good start. Quantitative metrics are desirable, but a still immature history of events limits our ability to mimic the quantitative certainty employed by the military (e.g., "air superiority in day-time attacks lends an additional X% chance of mission success"). Instead, we should recognize that qualitative metrics give us sufficient knowledge to begin implementing "smarter" defenses. Qualitative/category-based labels, consistent criteria, and attack patterns are strong steps toward defining threats.

Finally, careful analysis can occur prior to attacks. We do not need to wait for intrusions to begin creating a library of attack patterns and DHA profiles. Looking through prior attacks in the literature that correlate with the risks an organization may expose in its network is the first step. We then create a Courses of Action matrix for defenses that are already in place and run through prior intrusions in war game style scenarios to search for weaknesses and find areas where added resources would be beneficial.

Figures and Tables

Figure 1. McRaven's Relative Superiority from reference 3.

Figure 2. An attack curve visualization using the Cyber Kill Chain Model from reference 3.

Figure 3. A source-mapped attack curve against a background of other detected activity, from reference 3.

Figure 4. Attack pattern of the Dave & Buster's card theft, from reference 1.

Figure 5. Intrusion reconstruction of a late-phase detected event, from reference 2.

Figure 6. Intrusion reconstruction of an early phase detected event, from reference 2.

Table 1. Courses of Action Matrix, from reference 2.

Table 2. Metrics of Resiliency, from reference 2.

Table 3. Sample of the “Six Dimensions” data originating from Hofstede’s research and reference 3.

Appendix A: Terms and Definitions

Determined Human Adversary (DHA) - capable adversary that engages in extended campaigns using advanced tools to bypass most conventional network defense mechanisms.

Advanced Persistent Threat (APT) - same as DHA.

Cyber Kill Chain - a collection of the base types of actions an adversary may take during most computer network intrusions.

Attributes - the least common denominator in describing base types of actions; they allow us to connect, group, and correlate activities that may otherwise appear unrelated. While attributes may vary by organization and environment, some are applicable to most settings.

Markers - the same as attributes.

Indicators - the same as attributes.

Threat Sequence - constructed by identifying patterns from connecting attributes and the Cyber Kill Chain.

Courses of Actions - Referred to as Courses of Action by Hutchins et al. (borrowed from the action matrix by the U.S. DoD), these are a set of possible responses to counter an adversary during each phase of an intrusion.

TTP - Tactics, techniques, and procedures

Appendix B: Attributes

Appendix B contains a list of Common and Extended Attributes from reference 3.

Common Attributes

Identifier (ID) and optional name for automatable reference to the event or action.

Time detected, usually a marker of first detection set by an IOC

Duration start, Y/M/D/H if different from time detected.

Duration end, or the last known/confident detection.

Base type of action, usually estimated by analyst or normalization rules.

Source of alert or detection, specific or in aggregate with ID that allows traceback.

Targeting, including evidence of randomness or selection by opportunity, area, sequence, or point.

Estimation of operation and technical sophistication

Indicator of Compromise (IOC) record, if available

IDs of all involved source/destinations, whether system, account, or application

Vector, showing incoming, outgoing, stasis, or lateral movement; avoiding intermediate guesses of victimhood or attribution
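The common attributes above are what make alerts from different sources correlatable. As an added example (not from the paper or reference 3), the following Python stores a handful of constructed alerts with those attributes and connects the ones that share an entity ID into a threat sequence ordered by time detected, the construction Appendix A describes; the sequence's duration start and end then fall out as the first and last detections in the group. Host, account and IOC values are placeholders, and the base type names are the Hutchins et al. kill chain phases, which is an assumption.

```python
"""Correlating alerts into threat sequences by shared attributes (added example).

Each alert carries the common attributes listed above (ID, time detected,
base type, alert source, involved entity IDs, vector, IOC). Alerts that
share an entity ID, directly or through a chain of other alerts, are
grouped into one threat sequence ordered by time detected.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Alert:
    id: str                   # identifier for automatable reference
    time_detected: datetime   # first detection, usually set by an IOC match
    base_type: str            # base type of action, estimated by analyst or rules
    source: str               # alert source, allowing traceback
    entities: FrozenSet[str]  # IDs of involved systems, accounts, applications
    vector: str               # incoming / outgoing / stasis / lateral
    ioc: Optional[str] = None


# Constructed sample alerts; host, account and IOC values are placeholders.
ALERTS = [
    Alert("A1", datetime(2012, 3, 1, 9, 0), "Delivery", "mail gateway",
          frozenset({"acct-alice", "ws-101"}), "incoming", "attachment-hash-PLACEHOLDER"),
    Alert("A2", datetime(2012, 3, 1, 9, 12), "Exploitation", "host ids",
          frozenset({"ws-101"}), "stasis"),
    Alert("A3", datetime(2012, 3, 1, 9, 40), "Command and Control", "web proxy",
          frozenset({"ws-101", "cdn-example"}), "outgoing", "beacon-domain-PLACEHOLDER"),
    Alert("A4", datetime(2012, 3, 2, 14, 5), "Installation", "host ids",
          frozenset({"ws-101", "srv-fs-07"}), "lateral"),
    Alert("A5", datetime(2012, 3, 3, 11, 30), "Reconnaissance", "web server log",
          frozenset({"www-02"}), "incoming"),
]


def correlate(alerts):
    """Group alerts into threat sequences via shared entity IDs (union-find)."""
    parent = {a.id: a.id for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(x, y):
        parent[find(y)] = find(x)

    first_seen = {}                        # entity ID -> first alert naming it
    for alert in alerts:
        for entity in alert.entities:
            if entity in first_seen:
                union(first_seen[entity], alert.id)
            else:
                first_seen[entity] = alert.id

    groups = {}
    for alert in alerts:
        groups.setdefault(find(alert.id), []).append(alert)
    sequences = [sorted(g, key=lambda a: a.time_detected) for g in groups.values()]
    return sorted(sequences, key=lambda seq: seq[0].time_detected)


def summarize(sequence):
    """Duration start/end and the ordered base actions of one threat sequence."""
    return {
        "duration_start": sequence[0].time_detected,
        "duration_end": sequence[-1].time_detected,
        "steps": [(a.base_type, a.vector, a.source) for a in sequence],
        "entities": sorted(set().union(*(a.entities for a in sequence))),
        "iocs": [a.ioc for a in sequence if a.ioc],
    }


if __name__ == "__main__":
    for seq in correlate(ALERTS):
        print(summarize(seq))
```

Correlating on entity IDs alone is deliberately conservative: it links the mail gateway, host and proxy alerts through the shared workstation ID without guessing at attribution, which is what the Vector attribute's note about avoiding intermediate guesses of victimhood asks for. The lone web-scan alert stays its own sequence until some later alert shares an entity with it.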

Extended Attributes

Time in relation to potentially related Base Actions

Evidence of human behavior, including parallel or sequential actions, decisions, escalation, coordination, defacement or other markers, and other behavioral attributes

IOC or other alert record

Alert source and type

IPv4/6 and any DNS records for involved entities

IP flow or trace data, or other captured data in the alert

Target asset sensitivity or entity access level; a suggested basic nomenclature is:

o Low: Public or low business impact data for which integrity outweighs confidentiality;
  Higher range: Negotiable assets (money/financial assets which may be insured)

o Medium: Confidential or medium business impact data;
  Higher range: Tools, code, credentials, or data which allows elevation

o High: High business impact data, such as critical trade secrets and classified data;
  Higher range: Assets affecting human life and safety, or compartmentalized information

Organization type, usually by industry, size, or business relationship; such as:

o General populace/individuals

o Education, research, and other independent nonprofits

o Technology and telecom organizations including software, hardware, integrators, and operators

o Industries including service, retail, manufacturing, and materials producers

o Infrastructure and transport including all utilities

o Finance including banks, CU, credit, transaction processors and financial NGOs

o Government including all fed/state/local civilian agencies, domestic intelligence, and law enforcement

o Military including geopolitical actors, international intelligence and some NGOs

Appendix C: Cultural Dimensions

Geert Hofstede collected social data to put together six behavioral indicators of culture. These indicators show that people behave in consistent ways when making decisions or evaluating situations. They cannot identify a specific person’s cultural background, but they are useful for comparing people within one group with those in other groups.

Power Distance Index (PDI) – Do parallel actors take the same actions? Are they using a playbook?

Uncertainty Avoidance Index (UAI) – Are attackers pragmatic? Do they adapt, or keep trying failed attacks?

Individualism vs. Collectivism (IDV) – Is there an aversion to using “not invented here” tools? Tendency to follow group activity?

Aggression (Masculinity) (MAS) – Is there direct reaction to being blocked or removed from a system? Are there markers for ownership or entitlement? Hostility toward remediation?

Long-Term vs. Short-Term Orientation (LTO) – Is there an investment and intent to stay resident? Active maintenance or observation (not just time in a botnet)?

Indulgence vs. Restraint (IVR) – Is there defacement? Flair? A distinctive style or tendency to leave cryptic clues? Announcement of success, or petulance at failure?

References

1. Espenschied, Jonathan A., "A Discussion of Threat Behavior: Attackers & Patterns." White paper, Microsoft Trustworthy Computing, 2012.

2. Hutchins, Eric M. et al., "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains." White paper, Lockheed Martin Corporation.

3. Espenschied, Jonathan A. and Gunn, Angela, "Threat Genomics." White paper, Microsoft Trustworthy Computing, 2012.

4. Cloppert, Michael, "Intelligence-Driven Response for Combating the Advanced Persistent Threat." Slide deck, Lockheed Martin CIRT, 2010.

5. Amin, Rohan M., "Detecting Targeted Malicious Email Through Supervised Classification of Persistent Threat and Recipient Oriented Features." Ph.D. diss., George Washington University, 2011.