
1

The Kill Chain for the Advanced Persistent Threat

Intelligence-driven Computer Network Defense

Michael Cloppert

Eric Hutchins

Lockheed Martin Corp

as presented at Wednesday, October 12, 2011

2

Introductions

Presenters

– Eric Hutchins

– Michael Cloppert

LM-CIRT

– Established 2004 to focus on sophisticated threats

– Now responsible for CND against all threats facing LM

Intel-driven CND / Security Intelligence

– Symbiotic tools & methods such as Cyber Kill Chain

– Developed by presenters w/ support from team

– History

• Evolution of operational defenses, 2006-2008

• Documented, 2009

• Slight adjustments in 2010

• Formalized in refereed journal in March, 2011

Chief Analyst, LM-CIRT

Intel Fusion Lead, LM-CIRT

3

Our Adversaries

The 80/20 rule

Key top-tier adversary attributes

– Adaptable

– Persistent

• Access to targeted data

• Presence in environment

• Attempts to gain entry

– Perceptive

– Organized

Intel-based CND exploits persistent attributes

4

Our Requirements

Approach to detection & mitigation that is:

– Resilient to change

– Anticipates aspects of future intrusions

Means to understand CND capabilities

– What is available

– Relative efficacy

– Tradeoffs (intel gain/loss, etc.)

Ability to easily prioritize response based on risk

Framework for defining complete & proper analysis

Self-sustaining processes

5

Counterintelligence via Adversary Modeling

Meet requirements by modeling adversary

Our method offers tools to model at various levels

– Specific tools & techniques

• Indicator lifecycle, thread pulling

– An intrusion, or intrusion attempt

• Cyber Kill Chain

– Strategic access to protected data

• Campaign analysis

…and defender capabilities…

– Courses of Action Matrix

6

The Cyber Kill Chain (CKC)

Recon → Weaponize → Deliver → Exploit → Install → Establish C2 → Act on Intent

Phase groupings in the diagram: Pre-Compromise, Intrusion, Post-Compromise

7-Stage Pipeline Model

Adversary must reach end of the chain to be successful

Just one mitigation breaks the chain

Just one detection provides opportunity for response prior to phase 7

7

Driving Completion

Mitigated intrusion: Analysis and synthesis
Recon → Weaponize → Deliver → Exploit → Install → Establish C2 → Act on Intent
(Pre-Compromise → Post-Compromise)
Detect → Analyze → Synthesize

Full intrusion: Analysis to complete the kill chain
Recon → Weaponize → Deliver → Exploit → Install → Establish C2 → Act on Intent
(Pre-Compromise → Post-Compromise)
Detect → Analyze

Gather all intel across the kill chain, regardless of success

8

Resiliency via Courses of Action

| Kill Chain phase      | Detect        | Deny          | Disrupt   | Degrade            | Deceive      |
|-----------------------|---------------|---------------|-----------|--------------------|--------------|
| Recon                 | Web analytics | Firewall ACL  |           |                    |              |
| Weaponize             | NIDS          | NIPS          |           |                    |              |
| Delivery              | Vigilant user | Proxy filter  | Inline AV | Email queuing      |              |
| Exploit               | HIDS          | Vendor patch  | DEP       |                    |              |
| Installation          | HIDS          | "chroot" jail | AV        |                    |              |
| Command & Control     | NIDS          | Firewall ACL  | NIPS      | Tarpit             | DNS redirect |
| Actions on Objectives | Audit log     |               |           | Quality of Service | Honeypot     |

Rows: intrusion phases, with increasing risk down the chain. Columns: defensive countermeasures.
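As an added example (not from the slides or from LM-CIRT), the Python below models the seven phases of slide 6 and the Courses of Action matrix above, then walks an intrusion through the chain against a set of deployed controls to show the two claims on slide 6: a single breaking action stops the chain, and a single detection before phase 7 leaves room to respond. Phase and control names are transcribed from the slides; the functions, the Outcome type and the sample control sets are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# The seven phases in chain order (slide 6); the seventh is "Act on Intent".
PHASES = ["Recon", "Weaponize", "Deliver", "Exploit", "Install",
          "Establish C2", "Act on Intent"]

# Courses of Action matrix transcribed from slide 8: phase -> action -> control.
COA = {
    "Recon":         {"Detect": "Web analytics", "Deny": "Firewall ACL"},
    "Weaponize":     {"Detect": "NIDS", "Deny": "NIPS"},
    "Deliver":       {"Detect": "Vigilant user", "Deny": "Proxy filter",
                      "Disrupt": "Inline AV", "Degrade": "Email queuing"},
    "Exploit":       {"Detect": "HIDS", "Deny": "Vendor patch", "Disrupt": "DEP"},
    "Install":       {"Detect": "HIDS", "Deny": '"chroot" jail', "Disrupt": "AV"},
    "Establish C2":  {"Detect": "NIDS", "Deny": "Firewall ACL", "Disrupt": "NIPS",
                      "Degrade": "Tarpit", "Deceive": "DNS redirect"},
    "Act on Intent": {"Detect": "Audit log", "Degrade": "Quality of Service",
                      "Deceive": "Honeypot"},
}
# Every action other than Detect stops or diverts the adversary, i.e. breaks the chain.
BREAKING = ("Deny", "Disrupt", "Degrade", "Deceive")

@dataclass
class Outcome:
    detected_at: Optional[str]  # first phase where a deployed Detect control fires
    broken_at: Optional[str]    # phase where a deployed breaking control stops the chain
    risk: int                   # 1..7, furthest phase reached (risk grows down the chain)
    successful: bool            # adversary reached the end of the chain

def evaluate(deployed: Set[str]) -> Outcome:
    """Walk the chain against the deployed controls; one break is enough to stop it."""
    detected_at = broken_at = None
    for reached, phase in enumerate(PHASES, 1):
        actions = COA[phase]
        if detected_at is None and actions.get("Detect") in deployed:
            detected_at = phase
        if any(actions.get(a) in deployed for a in BREAKING):
            broken_at = phase
            break
    return Outcome(detected_at, broken_at, reached, broken_at is None)

def early_warning(outcome: Outcome) -> bool:
    """True when detection happened before phase 7, leaving time to respond (slide 6)."""
    return outcome.detected_at is not None and PHASES.index(outcome.detected_at) < 6

def coverage_gaps(deployed: Set[str]) -> List[str]:
    """Phases where none of the matrix's controls is deployed: neither detection nor break."""
    return [p for p in PHASES if not set(COA[p].values()) & deployed]
```

With only an audit log deployed the adversary is detected, but only at phase 7, so the chain completes; adding HIDS and DEP breaks it at Exploit and the remaining gaps fall out of coverage_gaps.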

9

Indicator Life Cycle

1. Analysis and synthesis reveal indicators

2. Pivoting on indicators identifies detection candidates

3. Future intrusions trip detections

4. GOTO 1

Intel sharing accelerates indicator lifecycle

Stable indicators drive consistent workflows

Repetitions, correlations may reveal new campaigns

10

Anticipating Intrusion Indicators

• Two ways to be proactive

– Implement durable defenses for today and for tomorrow

– Anticipate before it happens

• Kill chain completion and campaign trending are crucial

• Anticipation and true early warning are heavily dependent on adversary's tactics

11

Campaign Trending

* using fictitious data

12

A Framework for Collaboration

• Kill Chain approach has been widely adopted

– Leveraged by DoD, DIB, energy, pharmaceutical companies

– Spurring new international collaboration in UK, Australia, and Canada

• Kill Chain Workshops to fuse collective reporting, build more salient trends

• Developing and sharing tools that facilitate intel-driven CND

– Vortex-IDS: Lockheed Martin open source software

• http://sourceforge.net/projects/vortex-ids/

13

Conclusion

• Intelligence-driven CND techniques are vital to mitigate sophisticated intrusions

• Cyber Kill Chain enables

– Consistency and completeness in analysis, response

– Correlations between intrusions to identify and analyze campaigns

– Resilient and anticipatory security posture

14

Thank You

Eric Hutchins

[email protected]

Michael Cloppert

[email protected]

Additional credit: Lockheed Martin Computer Incident Response Team members