Codepath

Threat Monitoring

Threat monitoring is the day-to-day process of continuously monitoring systems for evidence of attack. It is important both for repelling active attacks and for learning about the threats. Any attack reveals important information about the tactics and the methodology, which can help anticipate and mitigate future attacks.

There are two popular systems for monitoring threats: Kill Chain and Diamond Model.


Kill Chain

Kill Chain, or officially "Cyber Kill Chain®", was developed in 2009 by Lockheed-Martin as a tool for their own threat monitoring needs. As a major defense contractor with access to classified information, Lockheed-Martin is a frequent target of Advanced Persistent Threats (APTs). The scale of their operations is enormous: they have over three million IP addresses, over 100,000 employees, and 570 locations spread across 60 countries. They needed a way to identify and defend against threats, so they developed Kill Chain.

Kill Chain is a framework for identifying and preventing intrusions. It identifies the seven essential steps which any intruder must complete to achieve their objective. If the intrusion can be stopped at any step, it will "break the kill chain" and prevent the intruder from completing their objective.

Kill Chain Steps

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives

These seven steps are often illustrated as a set of arrows, each one leading into the next.

  • Step 1: Reconnaissance

The attacker gathers information on the target. The attacker uses footprinting techniques and publicly available information on the Internet.

  • Step 2: Weaponization

The attacker plans the attack. They procure or develop the code and tools for their exploit. At the low end, these are basic malware scripts. At the high end, these are new zero-day exploits coded by teams of developers.

  • Step 3: Delivery

The attacker sends a malicious payload. There are many methods of delivery, but spear phishing and drive-by downloads are the most popular. Delivery is the first opportunity to block an operation.

  • Step 4: Exploitation

The attacker attempts to use the exploit. These are often zero-day exploits with no time to prepare a defense. Fundamental security principles such as least privilege and defense in depth are often the best defense.

  • Step 5: Installation

The attacker either installs malware or establishes a foothold for completing the objective. They may establish a backdoor to allow persistent access. Use server instrumentation to detect and log installation activity.

  • Step 6: Command & Control

The attacker creates a command and control channel to allow remote access to the compromised server. This is the best opportunity to halt successful intrusions.

  • Step 7: Actions on Objectives

The attacker performs the steps to achieve their goals—data exfiltration, sabotage, intrusion of another target. The longer an adversary has access, the greater the impact. The goal at this stage is quick detection and response to limit damage.

Kill Chain Strengths and Criticisms

Kill Chain does a good job of identifying current defensive capabilities and gaps which need improvement. It also provides useful terminology for communicating about an attack. This is useful for internal discussions and incident response post-mortem reviews as well as for explanations to non-technical people, such as corporate directors and shareholders. (A Kill Chain analysis on the Target breach was prepared and presented to the U.S. Congress.) Kill Chain also makes it clear that the risk and the cost to contain and remediate an attack increase at each step in the process. It is much safer and cheaper to repel an attack at step 1 than at step 7.

However, Kill Chain has its critics. Many feel that it is too focused on malware-based intrusion and gives too little attention to threats from insiders, stolen credentials, and social engineering. It overlooks any remote access which does not use malware. The second criticism of Kill Chain is that many of the early steps (CKC steps 1-4) are out of view or beyond the defender's control, while at the same time there is not enough detail in CKC step 7. Step 7, "Actions on Objectives", can be made up of hundreds of smaller steps and secondary objectives which may play out over weeks. By omitting them, Kill Chain overlooks many additional opportunities to "break the kill chain". Many organizations which use the Kill Chain methodology modify it to expand and enhance step 7.


Diamond Model

The Diamond Model was created in a 2013 white paper by the Centre for Cyber Threat Intelligence and Threat Research. Instead of monitoring and stopping a single intrusion, the Diamond Model focuses on understanding the attacker, their motivations, their tools, and their infrastructure. The better a threat is understood, the better a defender can craft a response to that threat.

Every threat has four key components:

  • Adversary
  • Victim
  • Infrastructure
  • Capability

The Diamond Model connects these four attributes together as a diamond graphic.

Diamond Model applied to "Star Wars"

A fun way to see the Diamond Model in action is using the movie, "Star Wars". This was written up well by Threat Connect in "Luke in the Sky with Diamonds". The movie's central plot revolves around a data breach (the plans for the Death Star stored in R2-D2) which reveals a vulnerability.

The four attributes of the Diamond Model are:

  • Adversary: Luke Skywalker
  • Victim: Death Star
  • Infrastructure: Rebel base, X-Wing fighter, R2-D2
  • Capabilities: Torpedoes, Force, Shooting Womp Rats

Near the end of the movie, there is a discussion of the attack and vulnerability between members of the Empire.

General Bast: We've analyzed their attack, sir, and there is a danger. Should I have your ship standing by?

Grand Moff Tarkin: Evacuate? In our moment of triumph? I think you overestimate their chances.

If the Empire had used the Diamond Model and realized that Luke Skywalker was their adversary, with the infrastructure and capabilities to shoot a torpedo into a small exhaust port, they might have assessed the risk and addressed their vulnerability differently.


Kill Chain or Diamond Model?

The two methodologies for threat monitoring are compatible. Most organizations use both together.

Kill Chain is useful for discussing and preventing a single intrusion. The Diamond Model is useful for analyzing a larger threat. Every attack stopped by Kill Chain provides valuable information which helps improve the Diamond Model. The Diamond Model makes strategies to halt the Kill Chain more effective.
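
One way to see the two models working together, as an added example that is not part of the original page: each observed event carries the four Diamond Model attributes plus the Kill Chain step it belongs to. The event data, intrusion ids, host names and the function names kill_chain_summary and link_intrusions are all constructed for illustration.

```python
from collections import defaultdict, namedtuple

# The seven Kill Chain steps, in the order listed on this page.
STEPS = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
         "Installation", "Command and Control", "Actions on Objectives"]

# One observed event: Kill Chain step + the four Diamond Model attributes (hypothetical schema).
Event = namedtuple("Event", "intrusion step adversary victim infrastructure capability blocked",
                   defaults=[False])

# Constructed sample data: documentation-range IPs and made-up names.
EVENTS = [
    Event("INC-1", "Delivery", "unknown", "hr-mail", "203.0.113.10", "macro-doc-A", blocked=True),
    Event("INC-2", "Delivery", "unknown", "fin-mail", "198.51.100.7", "macro-doc-A"),
    Event("INC-2", "Exploitation", "unknown", "fin-ws-04", "198.51.100.7", "macro-doc-A"),
    Event("INC-2", "Command and Control", "unknown", "fin-ws-04", "192.0.2.55", "beacon-B", blocked=True),
    Event("INC-3", "Reconnaissance", "unknown", "www", "192.0.2.55", "scanner-C"),
    Event("INC-4", "Delivery", "unknown", "it-mail", "203.0.113.99", "pdf-D", blocked=True),
]

def kill_chain_summary(events):
    """Per intrusion: (deepest step reached, step where the chain was broken or None)."""
    out = {}
    for e in events:
        deepest, broken = out.get(e.intrusion, (None, None))
        if deepest is None or STEPS.index(e.step) > STEPS.index(deepest):
            deepest = e.step
        if e.blocked:
            broken = e.step
        out[e.intrusion] = (deepest, broken)
    return out

def link_intrusions(events):
    """Diamond-style pivot: group intrusions sharing an infrastructure or capability value."""
    parent = {e.intrusion: e.intrusion for e in events}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    seen = {}  # (attribute, value) -> first intrusion observed with it
    for e in events:
        for key in (("infrastructure", e.infrastructure), ("capability", e.capability)):
            first = seen.setdefault(key, e.intrusion)
            parent[find(e.intrusion)] = find(first)  # merge the two groups (no-op if same)
    groups = defaultdict(set)
    for i in parent:
        groups[find(i)].add(i)
    return sorted(sorted(g) for g in groups.values())
```

On the sample data, the blocked phishing attempt INC-1 shares a capability with INC-2, and INC-2's command and control address reappears in the INC-3 scan, so three separately handled intrusions collapse into one threat to analyze, while INC-4 stays on its own.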
