Understanding Cyber Kill Chain and OODA loop
- 1. Tony Sager
The Center for Internet Security
The Cyber OODA Loop:
How Your Attacker Should Help
You Design Your Defense
- 2. Risk = { }
Classic Risk Equation
Vulnerability, Threat, Consequence
countermeasures
- 3. “The ”
standards SDL
supply-chain security
security bulletins
user awareness training
browser isolationtwo-factor authentication
encryption
incident response
security controls
threat intelligence
whitelisting
need-to-know
SIEM
virtualization
sandbox
compliance
maturity model
anti-malware
penetration testing
audit logs
baseline configuration
risk management framework
continuous monitoring
DLP
threat feed
certification
assessment
best practice
governance
- 4. An OODA Loop - Patching
OBSERVE
Track security bulletins,
advisories
ORIENT
Assess applicability,
operational issues, risk
DECIDE
Prioritize remediation
strategy
ACT
Rollout, Monitor, Manage
“breakage”
- 6. Threat Intelligence
• There are many loops
– Tactical AND Strategic
– Often connected
• “farther in space, earlier in time”
• The Bad Guy’s loop is also an opportunity
OBSERVE
ORIENT
DECIDE
ACT
OBSERVE
ORIENT
DECIDE
ACT
OBSERVE
ORIENT
DECIDE
ACT
O
O
D
A
O
O
D
A
- 8. • What do Attackers do, When?
• Where are the opportunities to see, stop,
etc.?
• What things should I put in place,
Where, to help me the most effectively?
Samples of Attack Models
- 9. Sample 1: based on LM Kill Chain
A notional use of the Lockheed Kill Chain: mapping Controls to the Kill Chain; then mapping specific tool choices to the Kill Chain
Recon & Prep Delivery Exploitation C2 internal Recon Lateral Movement Persistence Stage & Action
IDS/IPS
Firewall Firewall
Proxy Proxy
AV
Mail Gateway
Patching Patching
CONTROLS DEP
Standard Config Standard Config
EMET
Sinkhole
AD
Wrong Path
DLP
OCC
Exchange
Akamai
Logs
PRODUCTS FireEye
Netwitness Netwitness
Splunk
MIR MIR
Vontu
- 10. Sample 2: based on Mandiant APT1 and JP 3-13
A notional use of the Mandiant APT1 model; mapping Controls to the Adversary model; then mapping specific tool choices
SOURCE: http://www.appliednsm.com/making-mandiant-apt1-report-actionable/
from JP 3-13 Recon Delivery Exploitation Installation C2
Actions or
Objectives
DETECT NIDS NIDS NIDS HIDS HIDS
Router Logs HIDS HIDS Application Logs NIDS
Web Logs Vigilant User AV AV AV
AV
DENY Firewall ACL Mail Filter HIPS App Whitelisting Egress Filter Egress Filter
Web Filter AV Block Execution Firewall ACL Firewall ACL
from Joint Pub JP 3-13, 2006 Hardened Systems Sinkhole NW Segmentation
DISRUPT Active Defenses Web Filter HIPS AV DEP NW Segmentation
Mail Filter AV HIPS Sinkhole DEP
Hardened Systems HIPS
DEGRADE Honeypot Sinkhole Restrict User AccountsCombo of Deny/DisruptSinkhole NW Segmentation
Redirect Loops Combo of Deny/Disrupt
Active Defenses
DECEIVE Honeypot Honeypot Honeypot Honeypot Honeypot Honeypot
Redirect Loops ` Sinkhole
Active Defenses
(DESTROY) N/A N/A N/A N/A N/A N/A
- 11. Sample 3: MITRE ATT&CK Model (no controls)
ATT&CK Matrix
The MITRE ATT&CK Matrix™ is a overview of the tactics and techniques described in the ATT&CK model.
It visually aligns individual techniques under the tactics in which they can be applied.
Some techniques span across more than one tactic because they can be used for different purposes.
SOURCE: https://attack.mitre.org/wiki/Main_Page
TACTICS ->
TECHNIQUES
|
V
- 12. Sample 4: NIST CSF, LM Kill Chain, CSCs
SOURCE: Center for Internet Security; mapping the Critical Security Controls (V5.1) to/from the NIST Cybersecurity Framework (V1.0) against an Attack Profile
CSC
Recon &
Prep Delivery Exploitation C2
internal
Recon
Lateral
Movement Persistence
Stage &
Action
Functions Categories Control # 20 Critical Security Controls (V5.1)
Asset Management (AM) 1,2 X X X
CSC 1: Inventory of Authorized and Unauthorized
Devices
Business Environment (BE)
CSC 2: Inventory of Authorized and Unauthorized
Software
Governance (GV) CSC 3: Secure Configuration of End user devices
Risk Assessment (RA) 4 X X X X X X X
CSC 4: Continuous Vulnerability Assessment and
Remediation
Risk Management Strategy (RM) CSC 5: Malware Defense
Access Control (AC) 7, 12, 15, 16 X X X CSC 6: Application Software Security
Awareness and Training (AT) 9 X X CSC 7: Wireless Access Control
Data Security (DS) 17 X X X X CSC 8: Data Recovery Capability
Information Protection Processes and
Procedures (IP) 3, 6, 10, 11, 19 X X X X X
CSC 9: Security Skills Assessment and Appropriate
Training
Maintenance (MA) CSC 10: Secure Configuration of Network Devices
Protective Technology (PT) 5 X X X X X X X X
CSC 11: Limitation and Control of Network Ports,
Protocols, and Service
Anomalies and Events (AE) 14, 18 X X X
CSC 12: Controlled Use of Administrative
Privileges
Security Continuous Monitoring (CM) 4, 5, 16 X X X X X X X X CSC 13: Boundary Defense
Detection Processes (DP) 13 X X X
CSC 14: Maintenance, Monitoring, and Analysis of
Audit Logs
Response Planning (RP) 18 X X X CSC 15: Controlled Access Based on Need to Know
Communications (CO) CSC 16: Account Monitoring and Control
Analysis (AN) 14 X X CSC 17: Data Protection
Mitigation (MI) 4 X X X X CSC 18: Incident Response and Management
Improvements (IM) 20 X X X CSC 19: Secure Network Engineering
Recovery Planning (RP) 8 X X X X CSC 20: Penetration Tests and Red Team Exercises
Improvements (IM) 20 X X X X X X X X
Communications (CO)
Recover
Identify
NIST Cybersecurity Framework (V1.0)
Protect
Detect
Respond
- 15. Contact
• Website: www.cisecurity.org
• Email: contact@cisecurity.org
• Twitter: @CISecurity
• Facebook: Center for Internet Security
• LinkedIn: The Center for Internet Security ; Critical Security Controls
• Addresses:
Mid-Atlantic Headquarters
1700 N. Moore Street, Suite 2100
Arlington, VA 22209
Northeast Headquarters
31 Tech Valley Drive, Suite 2
East Greenbush, NY 12061