Monday, November 7, 2011

Defensive Kill Chain

So I became aware of the intrusion kill chain in 2009 when Mike Cloppert referenced it in one of his presentations at the SANS Incident Detection Summit (I can't find an agenda for this). In 2010 he released a formal paper on the concept. If you're not familiar with the intrusion kill chain, please pause and read it. It's worth your time. Don't TL;DR me.

I recently used the kill chain as an example in a few presentations I gave.  That made me think a bit more about the kill chain concept.  Specifically I asked the question:  Does the defensive side have a kill chain?

Short answer? No.

Long answer? A kill chain relies on the fact that "any one deficiency will interrupt the entire process." Through an entirely inductive reasoning process I've identified five steps of defense that, if interrupted, will greatly disrupt the defensive process. Unlike a kill chain, disrupting one phase will not necessarily interrupt the entire defensive process or posture.

So what's my back-of-the-napkin defensive kill chain? More precisely, what would a targeted attack focus on in order to disrupt a defensive operation? First, the attacker will penetrate the operations security of the target's defensive operation. This happens through a variety of means, including OSINT, HUMINT, etc. Next, the attacker will find weaknesses in the orientation of the defensive operation. This means taking advantage of both the defenders' and the overall target's mindset, expectations, and beliefs. This includes social engineering. It also includes understanding the defensive operation's shifts, holidays, and general abilities. Next, the attacker will leverage this combined information and subvert the IT architecture. This is exploitation, this is escalation, this is action. This is done in tandem with subverting the security architecture. This avoids detection and prevention measures; this defeats any defense-in-depth control which is not already inherently built into the IT architecture. Finally, the attacker will defeat any responsive/reactive measures by the defensive operation. This means working faster and better than the defensive team.

The short version of the Defensive Kill Chain: Operations Security -> Orientation -> IT Architecture -> Security Architecture -> Response Activities

I'm wishy-washy on this as an idea, but it's a fun one that I may use and strengthen in the future.