The Kill Chain: how to take a military concept and put it through the wringer
Chris Roberts
Strategist, Researcher, Hacker, Advisor, CISO/vCISO, Architect, and writer (Sidragon at Substack). Please remember Rule No. 1: "Do not act incautiously when confronting small bald wrinkly smiling men."
In the military there are a couple of rules:
- If you can be seen you can be shot; if you can be shot you can be killed… therefore don’t be seen.
- Anything worth shooting is worth shooting twice; ammo is cheap.
- Have a backup plan, because the first plan won’t work.
- Be professional, be polite, and have a plan to kill everyone.
Also, in the military there’s a simple concept:
- Identify it
- Go see it
- Analyze it
- Blow it up
That’s their kill chain; it’s simple, effective (mostly) and takes minimal effort to implement. We, however, have taken a simple concept and tried to modify it to fit our ever-shifting environments…
The current “version” that the IT Security community seems to be using is the seven-stage Lockheed Martin Cyber Kill Chain:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control (C2)
- Actions on Objectives (the attack itself)
These seven stages can be broken into two broad and distinct areas: those on the outside and those on the inside.
- OUTSIDE: Recon, Weaponize, “some” of Deliver, C2
- INSIDE: Recon, “some” of Deliver, Exploit, Install and Actions on Objectives
Arguably this whole model does little more than promote a focus on perimeter-based security solutions, which tells only part of the story that’s necessary to actually stand a chance of winning (or even keeping up) against the attackers.
Why can’t we go back to basics?
- Threat identification
- Threat analysis (and classification)
- Threat mitigation
- Threat remediation
Simple, effective, a LOT easier to use and communicate, a lot simpler to actually articulate, AND it follows the military version a lot more closely with less mess. (Hacking back, however pleasurable, is sometimes frowned upon, so “blow it up” has to be modified to remediation; I didn’t say HOW you get to remediate, but for legal reasons…)
The problem with the current seven-level version is that it’s missing multiple facets of attack vectors, and it doesn’t allow for the growth or tactical changes that we should expect over the coming years. This again is where the military version has us beaten: it’s able to adapt, it’s able to move into the new tactical era, and it’s simple enough that it will fit inside the heads of the leaders just as readily as those whose job it is to execute on it.
The idea that we still want to focus solely on the technology stack is also outmoded. We talk more and more of the path of least resistance that attackers take, and more often than not that path is human-initiated, and not always in a manner that is readily detected by endpoint protection or customized detection models. Once again OSINT comes into play, especially when paired with deep, dark and other resources where intelligence can be gathered and analyzed, patterns understood, and human mitigation actually accomplished.
Breaking the basics down (and focusing for the moment on No. 1, Identification):
- Identification can take place in MULTIPLE places and be correlated across internal, external AND other stores of intelligence. Taking endpoints, perimeter and external reference systems as the core of threat identification, then applying OSINT gathered from open, dark, deep and other sources, and then cross-referencing that with beacons seen elsewhere in the same vertical markets will give a much deeper and broader set of key identifiers to allow accurate identification of threats.
- Identification using trending indicators that are referenced within the industry and across OSINT platforms will also provide predictive analytics and behavioral pattern options that can be leveraged to provide actionable intelligence in identifying future threat vectors.
- Identification of groups, individuals, countries and other entities (competitive intelligence attacks) can all be monitored, analyzed and tracked by correlating OSINT gathered from the dark, deep and other electronic sources (SIGINT etc.).
- Identification of the hosting sites, systems, locations and other jump on/off/in/out points is readily obtained by analyzing the intelligence gathered from endpoints, perimeter systems, and the Tor and proxy nodes that are in the collective, and referencing that against the actionable intelligence gathered from the darker reaches of the Internet.
- Identifying non-technical attack vectors (humans) and their weaknesses will be possible using a less complex, more OSINT-focused set of technologies. Your endpoint solution isn’t going to be able to monitor and manage the data sets beyond the focus perimeter; however, the OSINT platform can monitor and report back across all available public platforms. (You can’t monitor her car or her fridge, but I can tell you when her car goes in for service and the technician takes all her data from the infotainment system and posts her pictures on YouTube… and I can tell you when the fridge’s software is exploitable, which means her internal home network that contains a backup of her work and your IP is vulnerable.)
There’s more, but you get the idea: we need to both simplify the solution and be able to take new technologies and implement them into the lifecycle without having to re-write the rules.
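As an added example (not code from the article or its author), here is the identification step above reduced to something runnable: internal perimeter telemetry (constructed proxy log lines) is checked for machine-like periodic call-outs, and every destination is then cross-referenced against two external stores, a constructed OSINT feed and a constructed list of beacons reported by peers in the same vertical. The log format, hostnames, thresholds and indicator lists are all assumptions made for illustration; the classification rule (more independent sources, higher confidence) is the analysis/classification step of the four-stage model, not a vendor's scoring.

```python
"""Threat identification by correlating internal telemetry with external intel.

Added example, not from the original article. All log lines, indicator lists
and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (internal / perimeter telemetry).
# Format assumed: "<timestamp> <src_ip> <method> <url> <status>".
PROXY_LOG = """\
2024-03-01T09:00:00Z 10.1.2.34 GET http://updates.example-vendor.test/patch.bin 200
2024-03-01T09:00:05Z 10.1.2.34 GET http://cdn.example-news.test/index.html 200
2024-03-01T09:05:00Z 10.1.2.34 POST http://ops-status.example-bad.test/api/ping 200
2024-03-01T09:10:00Z 10.1.2.34 POST http://ops-status.example-bad.test/api/ping 200
2024-03-01T09:15:01Z 10.1.2.34 POST http://ops-status.example-bad.test/api/ping 200
2024-03-01T09:20:00Z 10.1.2.34 POST http://ops-status.example-bad.test/api/ping 200
2024-03-01T09:21:33Z 10.1.2.77 GET http://cdn.example-news.test/article/42 200
2024-03-01T09:40:12Z 10.1.2.77 GET http://mail.example-lure.test/invoice.html 200
"""

# Constructed external stores: an OSINT feed and indicators shared by
# organisations in the same vertical market (both hypothetical).
OSINT_FEED = {"mail.example-lure.test": "phishing landing page (constructed)"}
VERTICAL_BEACONS = {"ops-status.example-bad.test": "C2 reported by sector peer (constructed)"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_proxy_log(text):
    """Return (timestamp, src_ip, host) tuples parsed from proxy log text."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        host = m.group(4).split("//", 1)[1].split("/", 1)[0]
        rows.append((ts, m.group(2), host))
    return rows


def beacon_candidates(rows, min_hits=4, max_jitter=0.1):
    """Return {(src, host): mean_interval_s} for near-periodic call-outs.

    A coefficient of variation of the inter-request gaps at or below
    max_jitter is treated as machine-like periodicity. Thresholds are
    illustrative, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, src, host in rows:
        by_pair[(src, host)].append(ts)
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[pair] = avg
    return found


def identify_threats(rows, osint=OSINT_FEED, peers=VERTICAL_BEACONS):
    """Correlate internal observations with external stores and classify hits."""
    beacons = beacon_candidates(rows)
    findings, seen = [], set()
    for ts, src, host in rows:
        evidence = []
        if (src, host) in beacons:
            evidence.append("internal: periodic beacon every %.0fs" % beacons[(src, host)])
        if host in peers:
            evidence.append("vertical: " + peers[host])
        if host in osint:
            evidence.append("osint: " + osint[host])
        if evidence and (src, host) not in seen:
            seen.add((src, host))
            # Classification: two or more independent sources -> high confidence.
            confidence = "high" if len(evidence) >= 2 else "medium"
            findings.append({"src": src, "host": host, "first_seen": ts.isoformat(),
                             "evidence": evidence, "confidence": confidence})
    return findings


if __name__ == "__main__":
    for finding in identify_threats(parse_proxy_log(PROXY_LOG)):
        print(finding)
```

On the constructed input the 10.1.2.34 → ops-status.example-bad.test traffic is flagged as high confidence because two independent sources agree (a periodic five-minute beacon seen internally and a peer report from the vertical), while the phishing landing page hit by 10.1.2.77 is only in the OSINT feed and is reported as medium confidence; the vendor and news hosts produce nothing. Feeding real proxy logs and real feeds into this skeleton is the part that crosses the perimeter, which is exactly where the effort (and the noise) lives.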
I do believe there is a place for a technology kill chain; I do believe it needs to be simplified into something readily actionable that has the chance to grow with our industry. I also believe that we need to find a home for OSINT in all its facets. We HAVE the capability to accurately predict the outcome of actions that we perform inside our organizations, we have the capability to predict the attacks that will be used against us to a high degree of certainty…when will we start to actually USE that technology to our advantage?
Amplio.co | Simply Amplifying Security
9 years ago
Aren't you mixing the concepts of offense and defense here? Your four steps are there to guide your own planning, and resemble the CERT/CC, ENISA, NIST and PICERL CND life cycle descriptions. The "kill chain" is there to help understand your adversary's planning, which roughly belongs in your defensive step 2. By the way, the published LM cyber kill chain is very malware and phishing oriented. I like to use this setup for it:
Simplified: 1. Preparation. 2. Intrusion. 3. Execution.
Extended: 1. Preparation. 2. Staging. 3. Attack. 4. Breach. 5. Foothold. 6. Actions on objectives.
And I really do not agree that the kill chain as a model promotes a focus on perimeter based security solutions. Actually, I don't think it promotes any security solutions. It's an intrusion analysis taxonomy, not a CND planning guideline (like those life cycle descriptions I referenced in the beginning). So unless I totally misunderstood you, I disagree with your position on this.
Information Security Executive & Strategist
9 years ago
I agree, and interpret the overall message as "simplify". When we get into so much new and ever-changing technology, the expansion of our traditional internal vs. external borders, regulations, etc., it is easy to miss the big picture and end up chasing too many rabbit trails. It's one reason why I actually like governance within Info Assurance (am I the only one that thinks 'Cyber Security' is a limiting label?). It can sometimes force you to back up and look at the big picture again as it relates to who, why, when, then how, and the hope that you can then have something to measure against.
Don't play the Game better. Play a better Game.
9 years ago
Only 40 years behind John Boyd.
I like it. Your environment necessitates a back to basics approach. There are too many ingress and egress points to think in terms of inside versus outside. You are no longer working behind the wire, instead you are on long-range reconnaissance with potential assets and attackers everywhere. Gear up and be in constant threat identification mode.
Chief Scientist at Semperis
9 years ago
I agree that the Lockheed Martin kill chain is not very practical. What you’re proposing, though, has fewer steps, but each step seems to be a lot more complex. Just looking at the Identification: it crosses so many boundaries that I doubt anyone but Big Brother has the reach to actually implement something like that. Cross-domain correlation of threat intel is a good thing and can and should be done, but tracking both external actors and high-risk insiders or correlating endpoint behavior with dark web activities crosses the enterprise perimeter, and that’s where things get complicated. Call me a pessimist, but I prefer more pragmatic, less noisy threat-specific kill chains that are properly scoped between “inside” and “outside”, and that I can stitch on the perimeter to amplify their predictive capabilities. Being able to connect increased activity of a phishing botnet on the outside with a known pattern of malware beaconing on the inside might just be enough of a boost to detect a nascent infection and prevent a breach.