Cyber Kill Chain Model For Root Cause Analysis

Transcription

Table of Contents
- Review – Root Cause Analysis -1
- Review – Root Cause Analysis -2
- Kill Chain Concept
- Lockheed Martin Cyber Kill Chain -1
- Lockheed Martin Cyber Kill Chain -2
- Lockheed Martin Cyber Kill Chain -3
- Using the Kill Chain for Mitigating Incidents
- Kill Chain Model Considerations
- Notices

Review – Root Cause Analysis -1

Definitions
- A root cause is an initiating or highest level cause of a problem. (sources: Wikipedia: https://en.wikipedia.org/wiki/Root_cause; ASQ: ysis/overview/overview.html)
- Root cause analysis is the understanding of the "design" or "implementation" flaw that allowed the attack. (source: FIRST "Security Incident Response Team (SIRT) Services Framework," https://www.first.org/_assets/global/FIRST_SIRT_Services_Framework_Version1.0.pdf)

[Distribution Statement A] This material has been approved for public release and unlimited distribution.

**004 So first let's do a quick review of what root cause analysis is. Basically, root cause is the underlying or fundamental or initiating highest level cause of a particular problem or issue. In this case we're looking at cybersecurity incidents. So root cause analysis is understanding what the flaw or the problem or issue is that allowed that particular incident or attack to occur.

Review – Root Cause Analysis -2

Why do a root cause analysis?
- It can benefit other incident management processes, such as prevention, detection, and response.
When?
- Usually during the detailed analysis steps of the incident response process, but it can also occur with other analysis steps anywhere in the incident management lifecycle.
How?
- Using a list of causes or threat vectors and a methodical approach, and analyzing available information sources.

**005 Why do we want to do root cause analysis? Well, it's going to benefit other types of incident management processes, and particularly the response process, in providing a more targeted, focused response to that particular problem or issue. It can also help with the prevention and detection of incidents from reoccurring on that same system or occurring on other systems, if you understand what truly allowed the incident to occur. It generally occurs during the analysis phase of the incident response process, but it can also happen during the initial detection, triage, or other analysis phase that happens anywhere during the incident management lifecycle. And how it is performed: by having some kind of understanding, a list of causes or threat vectors, having an approach or a process for identifying those threat vectors, and having available information to analyze from various data sources that can be used in the root cause analysis.

Kill Chain Concept

- Kill chain is a term originally used to define a military concept of "target identification, force dispatch to target, decision and order to attack the target, and the destruction of the target" (source: r-Force-Jargon/Kill-Chain)
- In information security, "a kill chain is a systematic process to target and engage an adversary to create desired effects." (source: "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," -Intel-Driven-Defense.pdf)
- Identifying and understanding the phases (kill chain) of a cyber attack can enable better defense and response to an incident.

**006 So Lockheed Martin has taken a concept called kill chain, which was a term originally used in the military. It's a concept for identifying a particular target, dispatching a force to that particular target, deciding to attack the target, and then acting upon that target. So that's how "kill chain" is used in a military context. So Lockheed Martin took this same term and applied it to information security, and in an information security context, a kill chain is the systematic process to target and engage an adversary and create the desired effects. So in the case of a cybersecurity incident, we're trying to disrupt or deny the adversary or the attacker the ability to perform that particular incident, and by understanding the different phases of the kill chain that an attacker might use, we can then better identify where we can put in places to detect that activity, to mitigate, to prevent against it, and to put other defensive controls or mitigation actions in place.

Lockheed Martin Cyber Kill Chain -1

Lockheed Martin (LM) expanded the kill chain concept to present a cyber intrusion kill chain model with seven phases:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and control (C2)
7. Actions on objectives
(source: "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," Intel-Driven-Defense.pdf)

**007 So looking at Lockheed Martin's Kill Chain Model, Cyber Kill Chain Model, they took the concept and they identified seven different phases that an attacker will typically go through. Not for every incident, but for many incidents, these are the phases. The first step is reconnaissance, where they're trying to identify information. We'll describe these in a little bit more detail in the next slide and show some examples. A second phase might be weaponizing or creating some way to actually attack the system. Delivering that attack mechanism is the third phase; then exploiting perhaps a vulnerability that might exist, installing some additional software or some future access, taking control of the system, and then performing what actions they intend to on the system they've taken control of.

Lockheed Martin Cyber Kill Chain -2

The seven steps of the process provide visibility into an attack and an understanding of the adversary's objectives. (source: l-chain.html)

**008 So in this table we show examples of typical scenarios or types of incidents that might be a little bit more descriptive of the different phases or steps in an intruder's process. So under the reconnaissance phase, a typical example might be they're doing some probing or scanning or they identify some weakness; in this case, they find a gap in the security of a particular social network. So identifying that gap or that target is the first phase. Phase two, the weaponization: in this case they might build or acquire or download or find another way to exploit that weakness by perhaps using some malicious software, a malicious attachment, that they can then upload or send to users of that particular social network. In the third phase, delivery, the attacker actually delivers that particular malicious attack on the social media, or perhaps an email message or some other way, luring them to a website that might look like something the user (in this case, an employee of the organization) might be able to use. And then the next phase, exploitation: in this particular scenario, a user or an employee might open the particular malicious attachment and therefore cause a vulnerability to be exposed. The installation phase is where the malware does install itself on the client system that the user had access to. And then the sixth phase of the kill chain is what they call the command-and-control, the C2 phase, where the attacker actually takes control of that system through this particular malicious software that had been downloaded. Perhaps it's set up some backdoors, some unauthorized accounts, opened ports or services on particular systems, whatever way the malicious code is designed. And then the final phase, actions on the objectives: in this scenario the attacker can identify other systems, other critical information, other resources they might use on this controlled system they've been able to obtain access to, to perform follow-up actions. So this is just kind of a high-level overview of how the Lockheed Martin Kill Chain concept is applied in their root cause analysis model.

Lockheed Martin Cyber Kill Chain -3

Intrusion reconstruction
- Kill chain analysis can help analysts understand what information is (or may be) available for defensive courses of action.
  - Late phase detection
  - Earlier phase detection
(Source: "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," ntel-Driven-Defense.pdf)

**009 So how can we use this for root cause analysis? Well, understanding the different phases of the kill chain can then be used in identifying the courses of action that an incident responder may be able to use to try to put in defensive controls. In this slide we show two different examples, and typically, if an incident is not detected until later phases of the kill chain, then the things that you'll have to analyze to track back all the different possible ways that the incident may have occurred are going to enumerate more possibilities, and there are more controls that might need to be put in place to identify and mitigate and defend against this particular type of attack. However, ideally, Lockheed Martin proposes the goal is to try to move the identification and detection to earlier phases in the kill chain, and if you can stop them from installing or exploiting the vulnerabilities, then it's going to be easier and more effective to control and put defensive measures in place. And then also synthesizing the information from the successful defenses that you put in place and the unsuccessful attacks can then feed back into the other processes in prevention and detection of other incidents.

Using the Kill Chain for Mitigating Incidents

Table 1: Courses of Action Matrix
(source: "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," ntel-Driven-Defense.pdf)

**010 So here's another example of looking at mapping the seven phases of the Lockheed Martin Kill Chain to six categories that the United States Department of Defense identifies as part of their Information Operations Doctrine, and these information operations characteristics are detect, deny, disrupt, degrade, deceive, or destroy. So they've mapped these DoD information operations to the various phases of the kill chain, the intruder's kill chain, and show how you might be able to implement different controls or methods to prevent an incident from happening. So for example, in the previous scenario where we had exploitation, if you have host-based intrusion detection systems you might be able to quickly detect and perhaps prevent the attempted exploitation by this malicious code before it is installed. If you have particular security patches installed in place to prevent that vulnerability from being exploited, this can deny the exploitation action from occurring. And if it gets past these two layers of defense, you might be able to disrupt the execution of that exploitation by having things such as data execution prevention tools or methods in place on that particular system. So this just shows an example of various types of defense-in-depth methods, approaches, and techniques to identify and map, and knowing and understanding the different relationships between these can also help us focus on identifying, if we can, the underlying root causes and how we can map that to the response courses of action.
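The following is an added example, not part of the SEI course material or the Lockheed Martin paper, that puts the two preceding ideas together: intrusion reconstruction (slide -3) and the courses-of-action matrix (Table 1). It tags constructed log events with the kill chain phase they evidence, takes the phase in which the incident was actually noticed, and reports which earlier phases went undetected together with the matrix row for each, which is where a responder looks for the control to add. The phase names and the Exploitation row (HIDS / patch / DEP) come from the slides; the event log, the keyword rules, and the other matrix rows are assumptions made for illustration.

```python
"""Intrusion reconstruction against the Lockheed Martin Cyber Kill Chain.

Added example, not part of the SEI course material. The phase names and the
Exploitation row of the courses-of-action matrix (HIDS / patch / DEP) come
from the slides; the log events, the keyword rules and the remaining matrix
rows are constructed for illustration.
"""
from dataclasses import dataclass

PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and control", "Actions on objectives",
]

# Courses-of-action matrix: phase -> {DoD information operation: control}.
COURSES_OF_ACTION = {
    # Row quoted on the slides.
    "Exploitation": {"Detect": "HIDS", "Deny": "patch", "Disrupt": "DEP"},
    # Rows below are assumed, illustrative entries, not taken from the page.
    "Delivery": {"Detect": "vigilant user", "Deny": "proxy filter", "Disrupt": "in-line AV"},
    "Installation": {"Detect": "HIDS", "Deny": "restricted execution policy", "Disrupt": "AV"},
    "Command and control": {"Detect": "NIDS", "Deny": "firewall ACL", "Disrupt": "NIPS"},
    "Actions on objectives": {"Detect": "audit log", "Deceive": "honeypot"},
}


@dataclass(frozen=True)
class Event:
    time: str
    source: str
    message: str


# Constructed log events following the slide scenario: an employee opens a
# malicious attachment, malware installs, beacons out, then the attacker
# reaches other systems. None of these are real indicators.
EVENTS = [
    Event("09:02", "mail-gw", "inbound message with attachment quote.doc for jdoe"),
    Event("09:15", "edr", "winword.exe spawned powershell.exe on WS-17"),
    Event("09:15", "edr", "new service UpdSvc registered on WS-17"),
    Event("09:16", "proxy", "WS-17 HTTP POST to 198.51.100.23:443 every 60s"),
    Event("10:40", "auth", "jdoe authenticated to FS-02 from WS-17 and read 800 files"),
]

# Keyword rules mapping an event to the phase it evidences. Order matters:
# the first rule with any matching keyword wins.
RULES = [
    ("Delivery", ("inbound message", "attachment")),
    ("Exploitation", ("spawned",)),
    ("Installation", ("new service", "registered")),
    ("Command and control", ("every 60s", "beacon")),
    ("Actions on objectives", ("read 800 files", "exfil")),
]


def classify(event):
    """Return the kill chain phase an event evidences, or None."""
    for phase, keywords in RULES:
        if any(k in event.message for k in keywords):
            return phase
    return None


def reconstruct(events, detected_at):
    """Reconstruct the intrusion from the log.

    Returns (observed, missed, gaps): the first event seen per phase, the
    phases that happened before `detected_at` (the phase in which the
    incident was actually noticed) and so went undetected, and the matrix
    rows for those phases, which are the candidate controls for earlier
    detection next time.
    """
    if detected_at not in PHASES:
        raise ValueError(f"unknown phase: {detected_at}")
    observed = {}
    for e in sorted(events, key=lambda ev: ev.time):
        phase = classify(e)
        if phase and phase not in observed:
            observed[phase] = e
    cutoff = PHASES.index(detected_at)
    missed = [p for p in PHASES[:cutoff] if p in observed]
    gaps = {p: COURSES_OF_ACTION.get(p, {}) for p in missed}
    return observed, missed, gaps


def root_cause_phase(observed):
    """Earliest observed phase: where the chain entered the environment and
    where root cause analysis should start."""
    return min(observed, key=PHASES.index)


if __name__ == "__main__":
    late = reconstruct(EVENTS, "Actions on objectives")
    early = reconstruct(EVENTS, "Exploitation")
    print("entry point:", root_cause_phase(late[0]))
    print("late detection, phases missed:", late[1])
    print("early detection, phases missed:", early[1])
    for phase, controls in late[2].items():
        print(f"  {phase}: {controls}")
```

Running it with detection at "Actions on objectives" lists four earlier phases that left evidence but were not acted on, each with its matrix row; with detection at "Exploitation" only Delivery is left undetected, which is the slide's point that earlier detection shrinks the set of controls to reason about. Note that Reconnaissance and Weaponization never appear in the output: the constructed log has no events for them, matching the later slide's caveat that those phases rarely leave discoverable, actionable evidence.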

Kill Chain Model Considerations

- The LM Cyber Kill Chain model's threat vectors are malware- and [external] intrusion-focused.
  - How do you apply it to insider threats?
  - How do you apply it to attacks that did not exploit vulnerabilities or install malware (e.g., social engineering)?
- Typically little is discoverable about the attacker's activities in phases 1 and 2 (reconnaissance and weaponization) of the cyber kill chain, and such knowledge is not as "actionable" as the information identified in the later phases.

**011 Now, some of the things to keep in mind is that this kill chain model is focused primarily on intrusion- and malware-focused, external types of incidents and attacks, and so it might apply to those better than, say, for example, if you had an insider incident, where you don't have malware being used or you don't have an unauthorized intrusion. And what happens if you have an incident that does not use-- that is not exploiting vulnerabilities or installing malware, but is taking advantage of impersonation or deceiving the users? This model is not quite as applicable as other types of approaches. Another thing to keep in mind is that in the earlier phases, as far as the reconnaissance and weaponization that occurs, often there's not a lot of discoverable information in those types of phases that can be actionable, so you'll have to focus on the later phases of the kill chain for actionable courses of action in your response.

Notices

Copyright 2016 Carnegie Mellon University

[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu.

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

Carnegie Mellon, CERT and CERT Coordination Center are registered marks of Carnegie Mellon University.

DM-0003588
