SlideShare a Scribd company logo

Understanding Cyber Kill Chain and OODA loop

David Sweigert
David Sweigert

The document discusses using an attacker's tactics and techniques to design effective cybersecurity defenses. It provides examples of mapping security controls and tools to different stages of common attack models like the Lockheed Martin Kill Chain. This allows an organization to see where in the attack cycle they have visibility and can disrupt threats. The document advocates taking a strategic, intelligence-driven approach to cyber defense by understanding adversaries' full operations in order to implement controls earlier in the attack cycle.

Related slideshows

Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
1 of 15
Tony Sager The Center for Internet Security The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense
Risk = { } Classic Risk Equation  Vulnerability, Threat, Consequence countermeasures
“The ” standards SDL supply-chain security security bulletins user awareness training browser isolationtwo-factor authentication encryption incident response security controls threat intelligence whitelisting need-to-know SIEM virtualization sandbox compliance maturity model anti-malware penetration testing audit logs baseline configuration risk management framework continuous monitoring DLP threat feed certification assessment best practice governance
An OODA Loop - Patching OBSERVE Track security bulletins, advisories ORIENT Assess applicability, operational issues, risk DECIDE Prioritize remediation strategy ACT Rollout, Monitor, Manage “breakage”
OBSERVE Track security bulletins, advisories ORIENT Assess applicability, operational issues, risk DECIDE Prioritize remediation strategy ACT Rollout, Monitor, Manage “breakage” “Dueling’ OODAs” OBSERVE Bulletins ORIENT Vulnerability DECIDE Weaponized ACT Deploy
Threat Intelligence • There are many loops – Tactical AND Strategic – Often connected • “farther in space, earlier in time” • The Bad Guy’s loop is also an opportunity OBSERVE ORIENT DECIDE ACT OBSERVE ORIENT DECIDE ACT OBSERVE ORIENT DECIDE ACT O O D A O O D A
Attack & Defend Delivery Exploit InstallationC2 Action & Objectives Detect Deny DisruptDegrade Deceive Reconnaissance & Build What is critical? How is it protected? Who has access?
• What do Attackers do, When? • Where are the opportunities to see, stop, etc.? • What things should I put in place, Where, to help me the most effectively? Samples of Attack Models
Sample 1: based on LM Kill Chain A notional use of the Lockheed Kill Chain: mapping Controls to the Kill Chain; then mapping specific tool choices to the Kill Chain Recon & Prep Delivery Exploitation C2 internal Recon Lateral Movement Persistence Stage & Action IDS/IPS Firewall Firewall Proxy Proxy AV Mail Gateway Patching Patching CONTROLS DEP Standard Config Standard Config EMET Sinkhole AD Wrong Path DLP OCC Exchange Akamai Logs PRODUCTS FireEye Netwitness Netwitness Splunk MIR MIR Vontu
Sample 2: based on Mandiant APT1 and JP 3-13 A notional use of the Mandiant APT1 model; mapping Controls to the Adversary model; then mapping specific tool choices SOURCE: http://www.appliednsm.com/making-mandiant-apt1-report-actionable/ from JP 3-13 Recon Delivery Exploitation Installation C2 Actions or Objectives DETECT NIDS NIDS NIDS HIDS HIDS Router Logs HIDS HIDS Application Logs NIDS Web Logs Vigilant User AV AV AV AV DENY Firewall ACL Mail Filter HIPS App Whitelisting Egress Filter Egress Filter Web Filter AV Block Execution Firewall ACL Firewall ACL from Joint Pub JP 3-13, 2006 Hardened Systems Sinkhole NW Segmentation DISRUPT Active Defenses Web Filter HIPS AV DEP NW Segmentation Mail Filter AV HIPS Sinkhole DEP Hardened Systems HIPS DEGRADE Honeypot Sinkhole Restrict User AccountsCombo of Deny/DisruptSinkhole NW Segmentation Redirect Loops Combo of Deny/Disrupt Active Defenses DECEIVE Honeypot Honeypot Honeypot Honeypot Honeypot Honeypot Redirect Loops ` Sinkhole Active Defenses (DESTROY) N/A N/A N/A N/A N/A N/A
Sample 3: MITRE ATT&CK Model (no controls) ATT&CK Matrix The MITRE ATT&CK Matrix™ is a overview of the tactics and techniques described in the ATT&CK model. It visually aligns individual techniques under the tactics in which they can be applied. Some techniques span across more than one tactic because they can be used for different purposes. SOURCE: https://attack.mitre.org/wiki/Main_Page TACTICS -> TECHNIQUES | V
Sample 4: NIST CSF, LM Kill Chain, CSCs SOURCE: Center for Internet Security; mapping the Critical Security Controls (V5.1) to/from the NIST Cybersecurity Framework (V1.0) against an Attack Profile CSC Recon & Prep Delivery Exploitation C2 internal Recon Lateral Movement Persistence Stage & Action Functions Categories Control # 20 Critical Security Controls (V5.1) Asset Management (AM) 1,2 X X X CSC 1: Inventory of Authorized and Unauthorized Devices Business Environment (BE) CSC 2: Inventory of Authorized and Unauthorized Software Governance (GV) CSC 3: Secure Configuration of End user devices Risk Assessment (RA) 4 X X X X X X X CSC 4: Continuous Vulnerability Assessment and Remediation Risk Management Strategy (RM) CSC 5: Malware Defense Access Control (AC) 7, 12, 15, 16 X X X CSC 6: Application Software Security Awareness and Training (AT) 9 X X CSC 7: Wireless Access Control Data Security (DS) 17 X X X X CSC 8: Data Recovery Capability Information Protection Processes and Procedures (IP) 3, 6, 10, 11, 19 X X X X X CSC 9: Security Skills Assessment and Appropriate Training Maintenance (MA) CSC 10: Secure Configuration of Network Devices Protective Technology (PT) 5 X X X X X X X X CSC 11: Limitation and Control of Network Ports, Protocols, and Service Anomalies and Events (AE) 14, 18 X X X CSC 12: Controlled Use of Administrative Privileges Security Continuous Monitoring (CM) 4, 5, 16 X X X X X X X X CSC 13: Boundary Defense Detection Processes (DP) 13 X X X CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs Response Planning (RP) 18 X X X CSC 15: Controlled Access Based on Need to Know Communications (CO) CSC 16: Account Monitoring and Control Analysis (AN) 14 X X CSC 17: Data Protection Mitigation (MI) 4 X X X X CSC 18: Incident Response and Management Improvements (IM) 20 X X X CSC 19: Secure Network Engineering Recovery Planning (RP) 8 X X X X CSC 20: Penetration Tests and Red Team Exercises Improvements (IM) 20 X X X X X X X X Communications (CO) Recover Identify NIST Cybersecurity Framework (V1.0) Protect Detect Respond
13 Cybersecurity “Plumbing”
Critical Security Controls
Contact • Website: www.cisecurity.org • Email: contact@cisecurity.org • Twitter: @CISecurity • Facebook: Center for Internet Security • LinkedIn: The Center for Internet Security ; Critical Security Controls • Addresses: Mid-Atlantic Headquarters 1700 N. Moore Street, Suite 2100 Arlington, VA 22209 Northeast Headquarters 31 Tech Valley Drive, Suite 2 East Greenbush, NY 12061

More Related Content

Understanding Cyber Kill Chain and OODA loop

  • 1. Tony Sager The Center for Internet Security The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense
  • 2. Risk = { } Classic Risk Equation  Vulnerability, Threat, Consequence countermeasures
  • 3. “The ” standards SDL supply-chain security security bulletins user awareness training browser isolationtwo-factor authentication encryption incident response security controls threat intelligence whitelisting need-to-know SIEM virtualization sandbox compliance maturity model anti-malware penetration testing audit logs baseline configuration risk management framework continuous monitoring DLP threat feed certification assessment best practice governance
  • 4. An OODA Loop - Patching OBSERVE Track security bulletins, advisories ORIENT Assess applicability, operational issues, risk DECIDE Prioritize remediation strategy ACT Rollout, Monitor, Manage “breakage”
  • 5. OBSERVE Track security bulletins, advisories ORIENT Assess applicability, operational issues, risk DECIDE Prioritize remediation strategy ACT Rollout, Monitor, Manage “breakage” “Dueling’ OODAs” OBSERVE Bulletins ORIENT Vulnerability DECIDE Weaponized ACT Deploy
  • 6. Threat Intelligence • There are many loops – Tactical AND Strategic – Often connected • “farther in space, earlier in time” • The Bad Guy’s loop is also an opportunity OBSERVE ORIENT DECIDE ACT OBSERVE ORIENT DECIDE ACT OBSERVE ORIENT DECIDE ACT O O D A O O D A
  • 7. Attack & Defend Delivery Exploit InstallationC2 Action & Objectives Detect Deny DisruptDegrade Deceive Reconnaissance & Build What is critical? How is it protected? Who has access?
  • 8. • What do Attackers do, When? • Where are the opportunities to see, stop, etc.? • What things should I put in place, Where, to help me the most effectively? Samples of Attack Models
  • 9. Sample 1: based on LM Kill Chain A notional use of the Lockheed Kill Chain: mapping Controls to the Kill Chain; then mapping specific tool choices to the Kill Chain Recon & Prep Delivery Exploitation C2 internal Recon Lateral Movement Persistence Stage & Action IDS/IPS Firewall Firewall Proxy Proxy AV Mail Gateway Patching Patching CONTROLS DEP Standard Config Standard Config EMET Sinkhole AD Wrong Path DLP OCC Exchange Akamai Logs PRODUCTS FireEye Netwitness Netwitness Splunk MIR MIR Vontu
  • 10. Sample 2: based on Mandiant APT1 and JP 3-13 A notional use of the Mandiant APT1 model; mapping Controls to the Adversary model; then mapping specific tool choices SOURCE: http://www.appliednsm.com/making-mandiant-apt1-report-actionable/ from JP 3-13 Recon Delivery Exploitation Installation C2 Actions or Objectives DETECT NIDS NIDS NIDS HIDS HIDS Router Logs HIDS HIDS Application Logs NIDS Web Logs Vigilant User AV AV AV AV DENY Firewall ACL Mail Filter HIPS App Whitelisting Egress Filter Egress Filter Web Filter AV Block Execution Firewall ACL Firewall ACL from Joint Pub JP 3-13, 2006 Hardened Systems Sinkhole NW Segmentation DISRUPT Active Defenses Web Filter HIPS AV DEP NW Segmentation Mail Filter AV HIPS Sinkhole DEP Hardened Systems HIPS DEGRADE Honeypot Sinkhole Restrict User AccountsCombo of Deny/DisruptSinkhole NW Segmentation Redirect Loops Combo of Deny/Disrupt Active Defenses DECEIVE Honeypot Honeypot Honeypot Honeypot Honeypot Honeypot Redirect Loops ` Sinkhole Active Defenses (DESTROY) N/A N/A N/A N/A N/A N/A
  • 11. Sample 3: MITRE ATT&CK Model (no controls) ATT&CK Matrix The MITRE ATT&CK Matrix™ is a overview of the tactics and techniques described in the ATT&CK model. It visually aligns individual techniques under the tactics in which they can be applied. Some techniques span across more than one tactic because they can be used for different purposes. SOURCE: https://attack.mitre.org/wiki/Main_Page TACTICS -> TECHNIQUES | V
  • 12. Sample 4: NIST CSF, LM Kill Chain, CSCs SOURCE: Center for Internet Security; mapping the Critical Security Controls (V5.1) to/from the NIST Cybersecurity Framework (V1.0) against an Attack Profile CSC Recon & Prep Delivery Exploitation C2 internal Recon Lateral Movement Persistence Stage & Action Functions Categories Control # 20 Critical Security Controls (V5.1) Asset Management (AM) 1,2 X X X CSC 1: Inventory of Authorized and Unauthorized Devices Business Environment (BE) CSC 2: Inventory of Authorized and Unauthorized Software Governance (GV) CSC 3: Secure Configuration of End user devices Risk Assessment (RA) 4 X X X X X X X CSC 4: Continuous Vulnerability Assessment and Remediation Risk Management Strategy (RM) CSC 5: Malware Defense Access Control (AC) 7, 12, 15, 16 X X X CSC 6: Application Software Security Awareness and Training (AT) 9 X X CSC 7: Wireless Access Control Data Security (DS) 17 X X X X CSC 8: Data Recovery Capability Information Protection Processes and Procedures (IP) 3, 6, 10, 11, 19 X X X X X CSC 9: Security Skills Assessment and Appropriate Training Maintenance (MA) CSC 10: Secure Configuration of Network Devices Protective Technology (PT) 5 X X X X X X X X CSC 11: Limitation and Control of Network Ports, Protocols, and Service Anomalies and Events (AE) 14, 18 X X X CSC 12: Controlled Use of Administrative Privileges Security Continuous Monitoring (CM) 4, 5, 16 X X X X X X X X CSC 13: Boundary Defense Detection Processes (DP) 13 X X X CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs Response Planning (RP) 18 X X X CSC 15: Controlled Access Based on Need to Know Communications (CO) CSC 16: Account Monitoring and Control Analysis (AN) 14 X X CSC 17: Data Protection Mitigation (MI) 4 X X X X CSC 18: Incident Response and Management Improvements (IM) 20 X X X CSC 19: Secure Network Engineering Recovery Planning (RP) 8 X X X X CSC 20: Penetration Tests and Red Team Exercises Improvements (IM) 20 X X X X X X X X Communications (CO) Recover Identify NIST Cybersecurity Framework (V1.0) Protect Detect Respond
  • 15. Contact • Website: www.cisecurity.org • Email: contact@cisecurity.org • Twitter: @CISecurity • Facebook: Center for Internet Security • LinkedIn: The Center for Internet Security ; Critical Security Controls • Addresses: Mid-Atlantic Headquarters 1700 N. Moore Street, Suite 2100 Arlington, VA 22209 Northeast Headquarters 31 Tech Valley Drive, Suite 2 East Greenbush, NY 12061