Be the strong link in your Cyber Kill Chain

Presented by: Tom Kirby

Cyber Kill Chain Deck for General Audience


What is the Cyber Kill Chain?

The Cyber Kill Chain is a taxonomy designed to measure the effectiveness of the Defense-in-Depth strategy.

[Diagram: three concentric defensive layers (Layer 1, Layer 2, Layer 3), with the attacker asking "How far can I get?"]

What is the origin of the Kill Chain?

The Cyber Kill Chain was socialized by Lockheed Martin. It is based on military doctrine.

It was developed as a method for describing an intrusion from an attacker’s point of view.

It can inform Cyber Security and Intelligence Analysis.

Cyber Kill Chain Stages

Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Establish C2
Actions on Objectives

Example intrusion walked through on the slide, step by step:

1. Searches LinkedIn for System Administrators at USAA.
2. Guesses their USAA email addresses based on name.
3. Obtains domain name and creates website with malware.
4. Crafts spear phish.
5. Sends spear phish to targeted email addresses.
6. Administrator clicks on link and goes to evil website.
7. Zero day exploit on website executes on Administrator’s PC.
8. Administrator’s PC is compromised.
9. Rootkit is installed on Administrator’s PC.
10. Rootkit connects back to Threat Actor’s server to obtain further instructions.
11. Threat Actor looks for data on Administrator’s PC.
12. Threat Actor starts compromising other USAA machines.

What can the Kill Chain do?

Each phase of the kill chain can be mapped to corresponding defensive tools and actions.

Defensive “Courses of Action” are based on the Information Operations principles of: Detect, Deny, Disrupt, Degrade, Deceive & Destroy.

An analyst who knows the stage of the Kill Chain has a basic understanding of what is being attempted and what response is called for.

Courses of Action Matrix (an asterisk marks a cell left blank on the slide)

Phase                 | Detect                             | Deny                       | Disrupt                    | Degrade                  | Deceive
----------------------|------------------------------------|----------------------------|----------------------------|--------------------------|--------
Reconnaissance        | Firewall, NIDS, Web Logs           | Firewall, NIPS             | *                          | *                        | *
Weaponization         | DNS Monitoring, Website Monitoring | *                          | *                          | *                        | *
Delivery              | Antivirus, NIDS, Vigilant User     | NIPS, Proxy                | In-Line Antivirus          | *                        | *
Exploitation          | NIDS, Antivirus                    | Antivirus, System Patching | Antivirus, System Patching | Restricted User Accounts | *
Installation          | Antivirus, Application Logs        | *                          | Antivirus                  | *                        | *
Establish C2          | CIC, Malware Sandbox, NIDS         | Firewall                   | NIPS                       | *                        | *
Actions on Objectives | Application Logs                   | Firewall                   | VLANs                      | VLANs                    | *

What can the Kill Chain do?

The sooner in the kill chain you can disrupt the attack, the better.

Tracking similarities across kill chain phases can give Fellow College Park Analysts insight into:

• Threat Actor Tactics, Techniques and Procedures (TTP)
• Campaign Analysis
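Both points on this slide, stopping intrusions as early in the chain as possible and linking intrusions through indicators they share in any phase, can be turned into measurements over a set of incident records, which is what the deck means by using the kill chain to measure Defense-in-Depth. The Python below is an added example and is not part of the presentation or of any Lockheed Martin material; the Intrusion record shape, the metric definitions and the five sample intrusions with their example.net/example.org/example.com indicators are constructed here for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import combinations

# Phase order as presented in the deck; the index measures how far an attacker got.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Establish C2", "Actions on Objectives",
]
PHASE_INDEX = {name: i for i, name in enumerate(PHASES)}


@dataclass
class Intrusion:
    """One intrusion attempt (hypothetical record shape): indicators seen per phase,
    and whether a control stopped it at the furthest phase it reached."""
    ident: str
    observed: dict   # phase name -> set of indicator strings seen in that phase
    stopped: bool

    def furthest_phase(self) -> str:
        return max(self.observed, key=PHASE_INDEX.__getitem__)


def stopped_at(intrusion: Intrusion) -> str:
    """Phase at which the defense stopped the intrusion, or 'Not stopped'."""
    return intrusion.furthest_phase() if intrusion.stopped else "Not stopped"


def disruption_distribution(intrusions) -> dict:
    """How many intrusions were stopped in each phase ('the sooner, the better')."""
    return dict(Counter(stopped_at(i) for i in intrusions))


def mean_depth(intrusions) -> float:
    """Average phase index reached (0 = Reconnaissance, 6 = Actions on Objectives).
    Lower means the layered defense is engaging earlier in the chain."""
    return sum(PHASE_INDEX[i.furthest_phase()] for i in intrusions) / len(intrusions)


def early_stop_rate(intrusions, no_later_than="Delivery") -> float:
    """Fraction of intrusions stopped at or before the given phase."""
    cutoff = PHASE_INDEX[no_later_than]
    early = [i for i in intrusions if i.stopped and PHASE_INDEX[i.furthest_phase()] <= cutoff]
    return len(early) / len(intrusions)


def shared_indicators(a: Intrusion, b: Intrusion) -> dict:
    """Indicators two intrusions have in common, grouped by phase."""
    common = {}
    for phase in a.observed.keys() & b.observed.keys():
        overlap = a.observed[phase] & b.observed[phase]
        if overlap:
            common[phase] = overlap
    return common


def campaign_clusters(intrusions) -> list:
    """Group intrusions linked by at least one shared indicator in any phase
    (union-find over pairwise overlaps); each group is a candidate campaign."""
    parent = {i.ident: i.ident for i in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(intrusions, 2):
        if shared_indicators(a, b):
            parent[find(a.ident)] = find(b.ident)

    groups = {}
    for i in intrusions:
        groups.setdefault(find(i.ident), set()).add(i.ident)
    return sorted(groups.values(), key=sorted)


# Constructed sample (not real incident data): five intrusion attempts in one week.
SAMPLE = [
    Intrusion("I-1", {"Delivery": {"sender:recruiting@mail.example.net", "link:careers-portal.example.net"},
                      "Exploitation": {"exploit:doc-macro"}, "Installation": {"file:updater.exe"},
                      "Establish C2": {"c2:updates.example.net"}}, stopped=True),   # firewall blocked callback
    Intrusion("I-2", {"Delivery": {"sender:recruiting@mail.example.net", "link:careers-portal.example.net"}},
              stopped=True),                                                        # proxy blocked the link
    Intrusion("I-3", {"Delivery": {"sender:it-helpdesk@example.org", "link:sso-reset.example.org"},
                      "Exploitation": {"exploit:doc-macro"}, "Installation": {"file:svchost32.exe"},
                      "Establish C2": {"c2:updates.example.net"},
                      "Actions on Objectives": {"activity:share-enumeration"}}, stopped=False),  # seen in app logs only
    Intrusion("I-4", {"Delivery": {"sender:it-helpdesk@example.org"}, "Exploitation": {"exploit:doc-macro"}},
              stopped=True),                                                        # patched host, exploit failed
    Intrusion("I-5", {"Delivery": {"sender:invoice@example.com"}}, stopped=True),  # antivirus quarantined it
]

if __name__ == "__main__":
    print("Stopped per phase:", disruption_distribution(SAMPLE))
    print("Mean depth reached:", mean_depth(SAMPLE), "| stopped by Delivery:", early_stop_rate(SAMPLE))
    for cluster in campaign_clusters(SAMPLE):
        print("Candidate campaign:", sorted(cluster))
```

Run over the sample, the two phishing waves (different senders and links) are tied together only by the C2 domain and the exploit technique, which is the kind of cross-phase similarity the slide has in mind: a Delivery-only view would have treated them as unrelated. The depth and early-stop numbers are the measurement side; tracked week over week they show whether controls are engaging earlier in the chain.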

Why do we need the Cyber Kill Chain?

“Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.”

- H. James Harrington

“Circumstantial evidence is occasionally very convincing, as when you find a trout in the milk, to quote Thoreau’s example.”

- Sir Arthur Conan Doyle

How will (CSOs) operationalize?

1. Integrate into Cases
2. Integrate into Wiki
3. Integrate into Stand-Up Briefings

Questions?