Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D.
Lockheed Martin Corporation

Abstract

Conventional network defense tools such as intrusion detection systems and anti-virus focus on the vulnerability component of risk, and traditional incident response methodology presupposes a successful intrusion. An evolution in the goals and sophistication of computer network intrusions has rendered these approaches insufficient for certain actors. A new class of threats, appropriately dubbed the "Advanced Persistent Threat" (APT), represents well-resourced and trained adversaries that conduct multi-year intrusion campaigns targeting highly sensitive economic, proprietary, or national security information. These adversaries accomplish their goals using advanced tools and techniques designed to defeat most conventional computer network defense mechanisms. Network defense techniques which leverage knowledge about these adversaries can create an intelligence feedback loop, enabling defenders to establish a state of information superiority which decreases the adversary's likelihood of success with each subsequent intrusion attempt. Using a kill chain model to describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of intelligence gathering form the basis of intelligence-driven computer network defense (CND). Institutionalization of this approach reduces the likelihood of adversary success, informs network defense investment and resource prioritization, and yields relevant metrics of performance and effectiveness. The evolution of advanced persistent threats necessitates an intelligence-based model because in this model the defenders mitigate not just vulnerability, but the threat component of risk, too.

Keywords: incident response, intrusion detection, intelligence, threat, APT, computer network defense

1 Introduction
As long as global computer networks have existed, so have malicious users intent on exploiting vulnerabilities. Early evolutions of threats to computer networks involved self-propagating code. Advancements over time in anti-virus technology significantly reduced this automated risk. More recently, a new class of threats, intent on the compromise of data for economic or military advancement, emerged as the largest element of risk facing some industries. This class of threat has been given the moniker "Advanced Persistent Threat," or APT. To date, most organizations have relied on the technologies and processes implemented to mitigate risks associated with automated viruses and worms, which do not sufficiently address manually operated APT intrusions. Conventional incident response methods fail to mitigate the risk posed by APTs because they make two flawed assumptions: response should happen after the point of compromise, and the compromise was the result of a fixable flaw (Mitropoulos et al., 2006; National Institute of Standards and Technology, 2008).
APTs have recently been observed and characterized by both industry and the U.S. government. In June and July 2005, the U.K. National Infrastructure Security Co-ordination Centre (UK-NISCC) and the U.S. Computer Emergency Response Team (US-CERT) issued technical alert bulletins describing targeted, socially-engineered emails dropping trojans to exfiltrate sensitive information. These intrusions took place over a significant period of time, evaded conventional firewall and anti-virus capabilities, and enabled adversaries to harvest sensitive information (UK-NISCC, 2005; US-CERT, 2005). Epstein and Elgin (2008) of Business Week described numerous intrusions into NASA and other government networks where APT actors were undetected and successful in removing sensitive high-performance rocket design information. In February 2010, iSec Partners noted that current approaches such as anti-virus and patching are not sufficient, end users are directly targeted, and threat actors are after sensitive intellectual property (Stamos, 2010). Before the U.S. House Armed Services Committee Subcommittee on Terrorism, Unconventional Threats and Capabilities, James Andrew Lewis of the Center for Strategic and International Studies testified that intrusions occurred at various government agencies in 2007, including the Department of Defense, State Department and Commerce Department, with the intention of information collection (Lewis, 2008). With specificity about the nature of computer network operations reportedly emanating from China, the 2008 and 2009 reports to Congress of the U.S.-China Economic and Security Review Commission summarized reporting of targeted intrusions against U.S. military, government and contractor systems. Again, adversaries were motivated by a desire to collect sensitive information (U.S.-China Economic and Security Review Commission, 2008, 2009). Finally, in a report prepared for the U.S.-China Economic and Security Review Commission, Krekel (2009) profiles an advanced intrusion with extensive detail
demonstrating the patience and calculated nature of APT.

Advances in infrastructure management tools have enabled best practices of enterprise-wide patching and hardening, reducing the most easily accessible vulnerabilities in networked services. Yet APT actors continually demonstrate the capability to compromise systems by using advanced tools, customized malware, and "zero-day" exploits that anti-virus and patching cannot detect or mitigate. Responses to APT intrusions require an evolution in analysis, process, and technology; it is possible to anticipate and mitigate future intrusions based on knowledge of the threat. This paper describes an intelligence-driven, threat-focused approach to study intrusions from the adversaries' perspective. Each discrete phase of the intrusion is mapped to courses of action for detection, mitigation and response. The phrase "kill chain" describes the structure of the intrusion, and the corresponding model guides analysis to inform actionable security intelligence. Through this model, defenders can develop resilient mitigations against intruders and intelligently prioritize investments in new technology or processes. Kill chain analysis illustrates that the adversary must progress successfully through each stage of the chain before it can achieve its desired objective; just one mitigation disrupts the chain and the adversary. Through intelligence-driven response, the defender can achieve an advantage over the aggressor for APT caliber adversaries.

This paper is organized as follows: section two documents related work on phase based models of defense and countermeasure strategy. Section three introduces an intelligence-driven computer network defense (CND) model that incorporates threat-specific intrusion analysis and defensive mitigations. Section four presents an application of this new model to a real case study, and section five summarizes the paper and presents some thoughts on future study.

2 Related Work
While the modeling of APTs and corresponding response using kill chains is unique, other phase based models for defensive and countermeasure strategies exist. A United States Department of Defense Joint Staff publication describes a kill chain with stages find, fix, track, target, engage, and assess (U.S. Department of Defense, 2007). The United States Air Force (USAF) has used this framework to identify gaps in Intelligence, Surveillance and Reconnaissance (ISR) capability and to prioritize the development of needed capabilities (2000). Threat chains have also been used to model Improvised Explosive Device (IED) attacks (National Research Council, 2007). The IED delivery chain models everything from adversary funding to attack execution. Intelligence and defensive efforts focused on each stage of the IED threat chain are presented as the ideal way to counter these attacks. This approach also provides a model for identification of basic research needs by mapping existing capability to the chain. Phase based models have also been used for antiterrorism planning. The United States Army describes the terrorist operational planning cycle as a seven step process that serves as a baseline to assess the intent and capability of terrorist organizations (United States Army Training and Doctrine Command, 2007). Hayes (2008) applies this model to the antiterrorism planning process for military installations and identifies principles to help commanders determine the best ways to protect themselves.

Outside of the military context, phase based models have also been used in the information security field. Sakuraba et al. (2008) describe the Attack-Based Sequential Analysis of Countermeasures (ABSAC) framework that aligns types of countermeasures along the time phases of an attack. The ABSAC approach includes more reactive post-compromise countermeasures than early detection capability to uncover persistent adversary campaigns. In an application of phase based models to insider threats, a tiered detection and countermeasure strategy based on the progress of malicious insiders has been described (2009). Willison and Siponen (2009) also address insider threat by adapting a phase based model called Situational Crime Prevention (SCP). SCP models crime from the offender's perspective and then maps controls to various phases of the crime. Finally, the security company Mandiant proposes an "exploitation life cycle". The Mandiant model, however, does not map courses of defensive action and is based on post-compromise actions (Mandiant, 2010). Moving detections and mitigations to earlier phases of the
intrusion kill chain is essential for CND against APT actors.

3 Intelligence-driven Computer Network Defense

Intelligence-driven computer network defense is a risk management strategy that addresses the threat component of risk, incorporating analysis of adversaries, their capabilities, objectives, doctrine and limitations. This is necessarily a continuous process, leveraging indicators to discover new activity with yet more indicators to leverage. It requires a new understanding of the intrusions themselves, not as singular events, but rather as phased progressions. This paper presents a new intrusion kill chain model to analyze intrusions and drive defensive courses of action.

The effect of intelligence-driven CND is a more resilient security posture. APT actors, by their nature, attempt intrusion after intrusion, adjusting their operations based on the success or failure of each attempt. In a kill chain model, just one mitigation breaks the chain and thwarts the adversary; therefore any repetition by the adversary is a liability that defenders must recognize and leverage. If defenders implement countermeasures faster than adversaries evolve, it raises the costs an adversary must expend to achieve their objectives. This model shows, contrary to conventional wisdom, that such aggressors have no inherent advantage over defenders.

3.1 Indicators and the Indicator Life Cycle
The fundamental element of intelligence in this model is the indicator. For the purposes of this paper, an indicator is any piece of information that objectively describes an intrusion. Indicators can be subdivided into three types:

• Atomic – Atomic indicators are those which cannot be broken down into smaller parts and retain their meaning in the context of an intrusion. Typical examples here are IP addresses, email addresses, and vulnerability identifiers.
• Computed – Computed indicators are those which are derived from data involved in an incident. Common computed indicators include hash values and regular expressions.
• Behavioral – Behavioral indicators are collections of computed and atomic indicators, often subject to qualification by quantity and possibly combinatorial logic. An example would be a statement such as "the intruder would initially use a backdoor which generated network traffic matching [regular expression] at the rate of [some frequency] to [some IP address], and then replace it with one matching the MD5 hash [value] once access was established."

Using the concepts in this paper, analysts will reveal indicators through analysis or collaboration, mature these indicators by leveraging them in their tools, and then utilize them when matching activity is discovered. This activity, when investigated, will often lead to additional indicators that will be subject to the same set of actions and states. This cycle of actions, and the corresponding indicator states, form the indicator life cycle illustrated in Figure 1. It applies to all indicators indiscriminately, regardless of their accuracy or applicability. Tracking the derivation of a given indicator from its predecessors can be time-consuming and problematic if sufficient tracking isn't in place, thus it is imperative that indicators subject to these processes are valid and applicable to the problem set in question. If attention is not paid to this point, analysts may find themselves applying these techniques to threat actors for which they were not designed, or to benign activity altogether.

Figure 1: Indicator life cycle states and transitions (states: Revealed, Mature, Utilized; transitions: Discover, Leverage, Report)

3.2 Intrusion Kill Chain

A kill chain is a systematic process to target and engage an adversary to create desired effects. U.S.
military targeting doctrine defines the steps of this process as find, fix, track, target, engage, assess (F2T2EA): find adversary targets suitable for engagement; fix their location; track and observe; target with a suitable weapon or asset to create desired effects; engage the adversary; assess effects (U.S. Department of Defense, 2007). This is an integrated, end-to-end process described as a "chain" because any one deficiency will interrupt the entire process.

Expanding on this concept, this paper presents a new kill chain model, one specifically for intrusions. The essence of an intrusion is that the aggressor must develop a payload to breach a trusted boundary, establish a presence inside a trusted environment, and from that presence, take actions towards their objectives, be they moving laterally inside the environment or violating the confidentiality, integrity, or availability of a system in the environment. The intrusion kill chain is defined as reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. With respect to computer network attack (CNA) or computer network espionage (CNE), the definitions for these kill chain phases are as follows:

1. Reconnaissance – Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.
2. Weaponization – Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly, client application data files such as Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the weaponized deliverable.
3. Delivery – Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments, websites, and USB removable media.
4. Exploitation – After the weapon is delivered to the victim host, exploitation triggers the intruders' code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.
5. Installation – Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
6. Command and Control (C2) – Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware especially requires manual interaction rather than conducting activity automatically. Once the C2 channel is established, intruders have "hands on the keyboard" access inside the target environment.
7. Actions on Objectives – Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration, which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network.

3.3 Courses of Action

The intrusion kill chain becomes a model
for actionable intelligence when defenders align enterprise defensive capabilities to the specific processes an adversary undertakes to target that enterprise. Defenders can measure the performance as well as the effectiveness of these actions, and plan investment roadmaps to rectify any capability gaps. Fundamentally, this approach is the essence of intelligence-driven CND: basing security decisions and measurements on a keen understanding of the adversary.

Table 1 depicts a course of action matrix using the actions of detect, deny, disrupt, degrade, deceive, and destroy from DoD information operations (IO) doctrine (U.S. Department of Defense). The matrix depicts in the exploitation phase, for example, that host intrusion detection systems (HIDS) can passively detect exploits, patching denies exploitation altogether, and data execution prevention (DEP) can disrupt the exploit once it initiates. Illustrating the spectrum of capabilities defenders can employ, the matrix includes traditional systems like network intrusion detection systems (NIDS) and firewall access control lists (ACL), system hardening best practices like audit logging, but also vigilant users themselves who can detect suspicious activity.

Table 1: Courses of Action Matrix

Phase | Detect | Deny | Disrupt | Degrade | Deceive | Destroy
Reconnaissance | Web analytics | Firewall ACL | | | |
Weaponization | NIDS | NIPS | | | |
Delivery | Vigilant user | Proxy filter | In-line AV | Queuing | |
Exploitation | HIDS | Patch | DEP | | |
Installation | HIDS | "chroot" jail | AV | | |
C2 | NIDS | Firewall ACL | NIPS | Tarpit | DNS redirect |
Actions on Objectives | Audit log | | | Quality of Service | Honeypot |

Here, completeness equates to resiliency, which is the defender's primary goal when faced with persistent adversaries that continually adapt their operations over time. The most notable adaptations are exploits, particularly previously undisclosed "zero-day" exploits. Security vendors call these "zero-day attacks," and tout "zero day protection". This myopic focus fails to appreciate that the exploit is but one change in a broader process. If intruders deploy a zero-day exploit but reuse observable tools or infrastructure in other phases, that major improvement is fruitless if the defenders have mitigations for the repeated indicators. This repetition demonstrates that a defensive strategy of complete indicator utilization achieves resiliency and forces the adversary to make more difficult and comprehensive adjustments to achieve their objectives. In this way, the defender increases the adversary's cost of executing successful intrusions.
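As an added example that is not part of the paper, the course-of-action matrix and the "one mitigation breaks the chain" rule can be written down as a small scoring model: each known indicator is tied to a kill chain phase and a matrix column, an intrusion attempt is scored by which of its indicators the defender already holds, and indicator values repeated across attempts are counted, since that repetition is what makes a new exploit in one phase fruitless. All indicator values, capability names and attempts are constructed for illustration.

```python
"""Added example, not from the paper: score intrusion attempts against a
course-of-action matrix built from known indicators (section 3.3).
Every indicator value, capability name and attempt below is constructed."""
from collections import Counter
from dataclasses import dataclass

# Kill chain phases in order (section 3.2).
PHASES = ("reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "c2", "actions_on_objectives")
# Matrix columns (Table 1): "detect" is passive, the others break the chain.
MITIGATING_ACTIONS = {"deny", "disrupt", "degrade", "deceive", "destroy"}


@dataclass(frozen=True)
class Indicator:
    kind: str        # "atomic", "computed" or "behavioral" (section 3.1)
    value: str       # e.g. an email address, a hash, a regular expression
    phase: str       # kill chain phase the indicator was observed in
    action: str      # course-of-action column the defender wired it into
    capability: str  # defensive system that uses it, e.g. "proxy filter"


def coverage(defenses, attempt):
    """Figure 2 cell for each phase of one attempt: "mitigation" (black
    diamond), "detection" (white diamond) or None (empty cell).
    `attempt` maps phase -> set of indicator values the intrusion used; a
    defense only counts if the adversary reused the value it keys on."""
    cells = dict.fromkeys(PHASES)
    for d in defenses:
        if d.value not in attempt.get(d.phase, ()):
            continue  # adversary changed this part of the operation
        if d.action in MITIGATING_ACTIONS:
            cells[d.phase] = "mitigation"
        elif cells[d.phase] is None:
            cells[d.phase] = "detection"
    return cells


def chain_broken(cells):
    """One mitigation anywhere in the chain thwarts the intrusion."""
    return any(c == "mitigation" for c in cells.values())


def gaps(cells):
    """Phases with no relevant capability: the remediation priority list."""
    return [p for p in PHASES if cells[p] is None]


def reused_indicators(attempts):
    """Values seen in more than one attempt, with their counts. Each such
    repetition is a liability the adversary hands to the defender."""
    seen = Counter(v for a in attempts for vals in a.values() for v in vals)
    return {v: n for v, n in seen.items() if n > 1}


# Constructed sample: what defenders learned from a first (December) attempt.
DEFENSES = [
    Indicator("computed", "md5:aaaa1111", "weaponization", "detect", "NIDS"),
    Indicator("atomic", "sender@example.invalid", "delivery", "deny",
              "proxy filter"),
    Indicator("atomic", "vuln:PLACEHOLDER-0001", "exploitation", "detect",
              "HIDS"),
]
DECEMBER = {"weaponization": {"md5:aaaa1111"},
            "delivery": {"sender@example.invalid"},
            "exploitation": {"vuln:PLACEHOLDER-0001"}}
# Constructed second (March) attempt: same exploit, new weaponization and
# delivery infrastructure, so only the exploitation indicator still matches.
MARCH = {"weaponization": {"md5:bbbb2222"},
         "delivery": {"other@example.invalid"},
         "exploitation": {"vuln:PLACEHOLDER-0001"},
         "installation": {"md5:cccc3333"},
         "c2": {"198.51.100.7"}}

if __name__ == "__main__":
    for name, attempt in (("December", DECEMBER), ("March", MARCH)):
        cells = coverage(DEFENSES, attempt)
        print(name, "chain broken:", chain_broken(cells), "gaps:", gaps(cells))
    print("reused:", reused_indicators([DECEMBER, MARCH]))
```

Run as a script, the March attempt shows the chain unbroken with only a passive exploitation detection left, while the reused exploit indicator is exactly the item the defender would next wire into a denying or disrupting control.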
Defenders can generate metrics of resiliency by measuring the performance and effectiveness of defensive actions against the intruders. Consider an example series of intrusion attempts from a single APT campaign that occur over a seven month timeframe, shown in Figure 2. For each phase of the kill chain, a white diamond indicates relevant, but passive, detections were in place at the time of that month's intrusion attempt, a black diamond indicates relevant mitigations were in place, and an empty cell indicates no relevant capabilities were available. After each intrusion, analysts leverage newly revealed indicators to update their defenses, as shown by the gray arrows.

Figure 2: Illustration of the relative effectiveness of defenses against subsequent intrusion attempts

The illustration shows, foremost, that at least one mitigation was in place for all three intrusion attempts, thus mitigations were successful. However, it also clearly shows significant differences in each month. In December, defenders detect the weaponization and block the delivery but uncover a brand new, unmitigated, zero-day exploit in the process. In March, the adversary re-uses the same exploit but evolves the weaponization technique and delivery infrastructure, circumventing detection and rendering those defensive systems ineffective. By June, the defenders had updated their capabilities sufficiently to have detections and mitigations layered from weaponization onward. By analyzing metrics in the context of the kill chain, defenders had the proper perspective of the relative effect of their defenses against the intrusion attempts and where there were gaps to prioritize remediation.

3.4 Intrusion Reconstruction
Kill chain analysis is a guide for analysts to understand what information is, and may be, available for defensive courses of action. It is a model to analyze the intrusions in a new way. Most detected intrusions will provide a limited set of attributes about a single phase of an intrusion. Analysts must still discover many other attributes for each phase to enumerate the maximum set of options for courses of action. Further, based on detection in a given phase, analysts can assume that prior phases of the intrusion have already executed successfully. Only through complete analysis of prior phases, as shown in Figure 3, can actions be taken at those phases to mitigate future intrusions. If one cannot reproduce the delivery phase of an intrusion, one cannot hope to act on the delivery phase of subsequent intrusions from the same adversary. The conventional incident response process initiates after the exploit phase, illustrating the self-fulfilling prophecy that defenders are inherently disadvantaged and inevitably too late. The ability to fully reconstruct all intrusion phases prioritizes tools, technologies, and processes to fill this gap. Defenders must be able to move their detection and analysis up the kill chain and, more importantly, to implement courses of action across the kill chain. In order for an intrusion to be economical, adversaries must re-use tools and infrastructure. By completely understanding an intrusion, and leveraging intelligence on these tools and infrastructure, defenders force an adversary to change every phase of their intrusion in order to successfully achieve their goals in subsequent intrusions. In this way, network defenders use the persistence of adversaries' intrusions against them to achieve a level of resilience.

Figure 3: Late phase detection (phases Reconnaissance through Actions on Objectives; detection occurs at a late phase and analysis works backward through the earlier phases)

Equally as important as thorough analysis of successful compromises is synthesis of unsuccessful intrusions. As defenders collect data on adversaries, they will push detection from the later phases of the kill chain into earlier ones. Detection and prevention at pre-compromise phases also necessitates a response. Defenders must collect as much information on the mitigated intrusion as possible, so that they may synthesize what might have happened should future intrusions circumvent the currently effective protections and detections (see Figure 4). For example, if a targeted malicious email is blocked due to re-use of a known indicator, synthesis of the remaining kill chain might reveal a new exploit or backdoor contained therein. Without this knowledge, future intrusions, delivered by different means, may go undetected. If defenders implement countermeasures faster than their known adversaries evolve, they maintain a tactical advantage.
Figure 4: Earlier phase detection (phases Reconnaissance through Actions on Objectives; detection at delivery, analysis of the preceding phases and synthesis of the remaining phases)

3.5 Campaign Analysis

At a strategic level, analyzing multiple intrusion kill chains over time will identify commonalities and overlapping indicators. Figure 5 illustrates how highly-dimensional correlation between two intrusions through multiple kill chain phases can be identified. Through this process, defenders will recognize and define intrusion campaigns, linking together perhaps years of activity from a particular persistent threat. The most consistent indicators, the campaign's key indicators, provide centers of gravity for defenders to prioritize development and use of courses of action.

Figure