Cyber Kill Chain and Determined Human

Adversaries
Table of Contents
Introduction

Principles of Intelligence-Driven Computer Network Defense

The Observer, Minimalist, and Planner: Modern Adversaries

2
Modeling the Base Types of Actions in a Computer Network Intrusion: Cyber
Kill Chain
2
Attributes of an Intrusion
5

Leveraging the Cyber Kill Chain

Building Threat Sequences
Visualizing Threats
Classifying Threats
Mounting a Defense
Security Controls and Limits

Primary Libraries: Examples of Known Attack Patterns

Building and Improving Libraries: Analysis and Reconstruction
Metrics of Resiliency
Intrusion Reconstruction
Campaign Analysis and TTP

5
6
7
8
8

9
9

9
10
10

Advanced Classification of DHA

11

Lexicon and a Pathway to Collaboration

12

Conclusion

13

Figures and Tables

14

Appendix A: Terms and Definitions

14

Appendix B: Attributes

15

Appendix C

17

References

17

Common Attributes
Extended Attributes

15
16

Introduction
Modern network intrusions are more likely to target individuals and rely
on social engineering or deception over brute force. Defense against
such attacks should focus on the adversary, not the tools. By

understanding that sophisticated adversariesthose who could be

considered good at their craftwould not use the same tool or exploit
during a series of attacks, attention can be directed toward the
adversary's behavior and motive, seeking answers to questions like
"What is the adversary doing?" or "What are they after?" With that
knowledge in mind, one can begin to develop a robust defense that is
proactive and gains strength from an adversary's persistence.
This paper highlights the principles of a network intrusion, describes
the Cyber Kill Chain, and shows ways we can leverage the Cyber Kill
Chain to classify intrusions and mount an appropriate defense.

Principles of Intelligence-Driven Computer Network

Defense
The Observer, Minimalist, and Planner: Modern Adversaries
Determined Human Adversaries (DHA), also known as Advanced
Persistent Threats (ATP)1, are deliberate and focused. They are
noteworthy for engaging in extended campaigns using advanced tools
to bypass most conventional network defense mechanisms. Their goal:
sensitive economic, proprietary, or national security information.
Security analysts recognize that conventional tools used to mitigate
risk from viruses or worms are ineffective against intrusions by DHA.
Therefore, countering DHA requires approaching defense from a
different angle. By generating knowledge about DHA, we can create an
intelligence feedback loop whereby information superiority decreases
DHA likelihood of success with each subsequent intrusion attempt.

Modeling the Base Types of Actions in a Computer Network

Intrusion: Cyber Kill Chain
Before we can begin to ask "What is the adversary doing?" or "What
are they after?" we must first identify a range of possible actions that
DHA can take.
At the most basic level, a sophisticated network intrusion mirrors a
military operation. Therefore, we can use models that have proven
useful in military applications and leverage them in computer network
defense (CND). McRaven's Relative Superiority (Figure 1) was
implemented by the military to graphically model the probability of
mission completion from the perspective of an attacker, while also
1 See Appendix A for a list of terms and definitions.

taking into account mission-critical objectives. A key aspect of the

model is the Relative Superiority Line (RS Line) where the probability
offor mission success increases exponentially if certain principles hold
true or specific mission objectives met. For instance, whether the initial
mission objectives were simplified and quickly executed or if
knowledge of the target was utilized in planning the attack.
Relative Superiority lends itself to a progression-style modeling of
operations such as the military "Kill Chain." The classic Kill Chain
consists of four stages of an attack and the dependencies between
them: (1) Target identification, (2) Force dispatch to target, (3) Decision
and order to attack, and (4) Destruction of the target. Though the Kill
Chain was created primarily as a tool to plan better attacks, it has
alternative uses as well. Using the Kill Chain from a defense
perspective, one can anticipate an adversaries' action in relation to the
model and mount an appropriate defense. For CND, we take this
approach a step further to create a Cyber Kill Chain.
While a Cyber Kill Chain can be described multiple ways, the version
described in this paper borrows from Espenschied et al., which breaks
down each phase of an attack as follows: (1) Reconnaissance, (2)
Commencement, (3) Entry, (4) Foothold, (5) Lateral Movement, (6)
Acquire Control, (7) Acquire Target, (8) Implement/Execute, (9) Conceal
& Maintain, and (10) Withdraw. Each of these describes the "base types
of action" a DHA may take during most computer network intrusions.
During Reconnaissance, DHA engages in research, identification, and
selection of targets and to gain insight into the types of technology
implemented for security. They search for vulnerabilities and gainful
opportunities and will often search through publicly available
information found on websites or other publications, making detection
at this phase very unlikely. Security analysts rely on thorough study of
past intrusions to find evidence of DHA activity during this phase. For
us, Reconnaissance is most useful as an attribute to distinguish
between adversaries of varying threats and this paper will describe
how in later sections.
Although Reconnaissance is an ongoing affair, there is a point when
DHA move from observation and knowledge gathering to deploying
tools or actions. This change is called Commencement (Weaponization
in some context). Detection at this phase includes the discovery of
intrusive scanning, active probing for vulnerabilities, phishing
campaigns, or the conversation of benign data or documents retrieved
during Reconnaissance into deliverable payloads for weapons such as
a remote access Trojan.

DHA are considered to have gained Entry into a network once they
have bypassed primary security barriers. This often coincides with the
delivery of some weaponized payload (e-mail attachments, websites,
and USB drives) and basic access to one or more non-critical internal
environments.
Once DHA have gained access to low privilege/local credential system
(often via exploitation of system vulnerability or application
sometimes even the user themselvesto execute malicious code) and
are able to stay resident in the environment, they are considered to
have gained a Foothold. Detection of Foothold events includes alerts of
localized compromises of a system, compromise of employee
credentials, uploading of tools, installation of remote access tools, and
efforts to escalate privileged access.
The ability to move beyond the Foothold suggests Lateral Movement
capability of the DHA, which puts the immediate network and adjacent
logical environments at risk. However, opportunities to detect the DHA
at this phase also increases. For instance, detecting movement in
network flow data. While Lateral Movement may be a significant step
toward a DHAs goal, in McRaven's Relative Superiority model it does
not yet correspond with reaching the RS Line. It is, in some respects, a
"make or break" phase.
DHA Acquires Control in an environment when they gain privileged
access to assets and resources in an area and in most cases signals
that the adversary has achieved Relative Superiority and their attack is
more likely to succeed than to fail. Detection is still possible, but taking
action against DHA with privileged access and control over an entire
environment becomes difficult. Acquire Control is an escalated version
of Entry (basic access to non-privileged systems). For some types of
intrusions, Acquire Control often coincides with increased Lateral
Movement.
DHA is said to have Acquired a Target when they can assess a target
asset, neutralize point defenses, and consolidate control over an asset,
resources, or capabilities. Acquire Target is an escalated version of
Foothold (control of a non-privileged environment). Deactivation of key
administrative controls, filtering and compression of data files for
extraction, or PKI system compromise are several means for detecting
that a DHA has control of a target.
At the Implement/Execute phase, we see the execution of attack code
or the implementation of a process on an acquired target. DHA will
move to extract or destroy data, consolidate and integrate control, and
may sometimes communicate demands.

After gaining sufficient control of an environment and the contained

systems, some DHA may choose to alter security logs and implement
decoysall in the effort to Conceal their presence and Maintain their
activities. Corrupt or missing logs, loss of access, or strange system
behavior are some indirect means of detection. In more severe cases,
detection comes from errors in business processes or unplanned
changes to finance balances.
A DHA who has completed the objectives and has removed himself
from a system or network (not removed involuntarily) is said to have
Withdrawn. This may be classified by the removal of previously
detected tools or verified logs showing the conclusion of attacks. In
some cases, external parties may provide evidence, perhaps even the
intruders themselves stepping up to claim credit for and cessation of
an attack. In severe cases, the destruction of all the data on affected
systems heralds the Withdrawal of a DHA.
It is important to note, that while the phases in the Cyber Kill Chain are
listed in progression, they do not necessarily have to occur in this order
or must each phase be completed before moving onto the next.
Variances in intrusions, the means used in detecting each intrusion,
and other attributes are crucial in identifying the DHA and learning
what it is they are after.
For example, adversaries who spend extended periods of time
engaging in Lateral Movement with little progress suggest a lack of
capability, poor reconnaissance, or bad choice in targeting. On the
other hand, DHA who spend the majority of a campaign in
Reconnaissance only to escalate all the way up the Cyber Kill Chain in
a fraction of the time suggest detailed planning toward specific
objectives.

Attributes of an Intrusion
The ability to associate events allows us to expand upon the Cyber Kill
Chain model and produce a clearer picture of each attack. Building
these pictures depends on attributes, which are the least common
denominator in describing base types of actions and allow us to
connect, group, and correlate activities that may otherwise appear
unrelated. Attributes can be time of first detection, the duration of the
event, identifiers, source of alerts or detection, targeting, indicator of
compromise, and the base type of action themselves.
Attributes, also known in the security community as indicators or
markers, range in type: Common (soft markers) and Extended (hard

markers) Attributes2. Hard markers cannot be broken down into smaller

parts, these include IP addresses, e-mail addresses, and vulnerability
identifiers. Soft markers are expressions of human behavior. These are
pieces of information inferred from how a DHA transitions between
actions, often reflected from evidence of repetition, parallelism,
persistence, and number. Soft markers are of particular importance in
differentiating serious threats among a cluster of background noise.
Together, soft and hard markers allow us to piece together attack
patterns and use evidence to match or differentiate between groups of
DHA.

Leveraging the Cyber Kill Chain

Building Threat Sequences

In dealing with modern attacks, we must be able to detect and respond

to changes in behavior of authorized users. The goal therefore is to
create a tagging system that characterizes patterns for analysis with
past and present actions. With enough data, we can use sequences of
activity to identify and come to recognize intrusions and campaigns
from specific DHA. Once a DHA is known, present actions can be linked
to prior sequences to elucidate the answer to "What are they after?" In
other words, find ways to quickly classify a military "maneuver" in
order to develop a defense for that kind of attack.
The true strength of the Cyber Kill Chain is its role in helping us identify
those attack patterns. By collecting a history of intrusions and
matching actions along with other common and extended attributes,
we can begin to correlate and match attacks to a specific maneuver
and perhaps to specific DHA.

Visualizing Threats

By combining common attributes such as time and detection alerts as

well as the Cyber Kill Chain, we can create a visual tool to categorize
attacks.
An attack pattern made using the Cyber Kill Chain model offers a
simple, yet effective way of visualizing and recognizing a type of attack
(Figure 2). With the phases of the Cyber Kill Chain listed on the y-axis
(along with other key attributes) and time on the x-axis, one can
compare different intrusions based on the amount of time spent during
each phase of the kill chain. For example, a history of attack patterns
shows that the behavior of typical thieves or vandals demonstrate
2 See Appendix B for a more detailed list of Common and Extended
Attributes.

longer time spent moving laterally within the network in search of a

way to cash out. On the other hand, nation-state actors or industrial
spies dedicate a longer period of time toward reconnaissance and prep
work before moving directly toward the high-value information.
Of course, data is rarely ever presented as clearly as shown in Figure 2.
Instead, one is more likely to collect and record many frivolous alerts
from regular users simply trying out something new, or alerts from a
spike in activity from vandals who pose a problem but may distract a
defender from a far more malicious threat. To make matters even more
complicated, DHA may have teams of people working jointly toward a
unified goal. To assist in interpreting this data, one should recognize
that the cessation of specific activities is just as informative as when
they begin.
Consider Figure 3. Here we see three separate actors ending
Reconnaissance around the same time. This pattern continues up the
Cyber Kill Chain to resemble the attack pattern shown in Figure 2. This
pattern of activity that would have otherwise gone unnoticed was
isolated by taking note of the stops in parallel. Whereas a novice may
have drawn attention to the cluster of activity in the lower-right portion
of the figure (very typical of a network experiencing denial-of-service
attacks from Anonymous, for instance), the experienced network
defender would have leveraged large-scale automation to help
correlate these sequence fragments and sought out recognizable
attack curves from known patterns.
By introducing aspects of the 5-stage Capability Maturity Model (CMM)
to our existing attack patterns, we can also include the means to
quickly visualize the condition of the environment targeted by DHA
(see Figure 4). The CMM is a sort of gauge to classify the maturity of
the processes or systems in place and how well they can perform
desired outcomes. These range from Optimized to Chaotic. In business
terms, a company that is about to launch new software internally for its
employees and has provided no training could be said to launch in a
state of chaos. The software is unlikely to perform to standard if its
users are not capable of using it.
In the context CND, adding CMM allows us to gauge the state of the
targeted environment and how well network defenses will perform. The
maturity levels for network defenses are: Predictive, Preventive,
Mitigating, Tactical, and Chaotic. The ideal state is Predictive, where
the processes are fully matured and the focus here is on finding
avenues for improvements. DHA who are limited to the Cyber Kill Chain
stages Reconnaissance and Commence are still acting in a network
environment that is performing as predicted and as designed.

However, as they move past network defenses and gain further control
of the targeted environment the processes in place will begin to fail. A
barometer for the RS line in CND could be moving past Lateral
Movement. Similarly, network defenses and processes that continue to
function and manage to contain DHA to Lateral Movement are
performing at a CMM-like Mitigating level. On the other hand, DHA that
has moved up the Kill Chain to acquire its target and execute its attack
code to the point where it is able to remain concealed suggests a total
loss of control from network administrators of the targeted
environmentreducing operating maturity to Chaotic.
In general, the further up the Cyber Kill Chain DHA are able to move,
the less predictive our environment (and the processes in place) will
become.

Classifying Threats
In Threat Genomics, the authors state: "Two actors attempting the
same attack, even with similar tools, goals, and timeframe, may still
differ in their approach due to cultural and organizational differences
between the two." Recognizing this concept encourages us to focus on
and recognize the types of traits and behaviorand therefore the kinds
of attackswhich serious adversaries display.
For example, in one situation we may encounter a DHA that prefers an
extended reconnaissance followed by rapid intrusion and concealment
phases in order to avoid detection. On the other hand, another DHA
may dedicate more time to the intrusion, either perceiving it a minimal
risk or perhaps even desiring detection and attribution. What causes
these differences in observable behavior? The authors in Threat
Genomics suggest: "These variations in observable expression may
have a cultural basis, an organizational basis, or a combination of the
two."
Turning back to McRaven. There six observable principles found
present in all significant and successful operations: simplicity, security,
repetition, surprise, speed, and purpose. These six principles are traits
that most successful military attacks possess (those that reached
Relative Superiority quickly and succeeded). Similarly, during a
successful cyber intrusion, patterns of actions and transitions between
types of action will be observed. When mounting a defense against a
DHA, we want to identify types of actions that separate them from less
sophisticated cyber intruders, which would allow for more robust
defenses.

Mounting a Defense
Once we have acquired knowledge of the adversary, appropriate
courses of actions can be leveraged by aligning defenses to each
phase of the intrusion. The U.S. Department of Defense (DOD)
information operations doctrine serves as a solid foundation when
building a matrix for possible courses of action. The doctrine lists a set
of six possible actions: detect, deny, disrupt, degrade, deceive, and
destroy.
The purpose of a Courses of Action Matrix (Table 1) is twofold: First, it
can be used as a barometer to quickly assess what sort of defenses are
in place in the network prior to intrusion; second, it can serve as a
guide during post-intrusion analysis to gauge where additional
resources should be directed to counter a similar attack in the future.
A more complete table represents network defense resiliency, and our
primary goal when faced with DHA. However even with the best
defenses, zero-day exploits and attacks areby definitionimpossible
to stop. Creating a robust defense structure that includes DHA analysis,
the Cyber Kill Chain, and threat sequences, shows that we recognize
zero-day exploits as just one breakthrough in the overall attack
process. DHA are likely to reuse known tools or infrastructure in other
phases, allowing established defenses to render the major
improvement in the attack arsenal useless.
By implementing defenses across the board of actions (Detect, Deny,
etc.) and down each phase of the kill chain, we can achieve a
defensive strategy that leverages redundancy to force DHA to pursue
more comprehensive alterations toward their objectives. The end result
is an effective deterrent that increases the DHA cost per intrusion.

Security Controls and Limits

"A more detailed scenario evaluation might take into account
discrete actions, common sequences of actions, parallel actions,
parallel cessation of actions, persistence beyond successful acquisition
of a target, or relative speed. These details can give data about the
nature or strength of adversarys attack action relative to the detective
and preventive controls that protect the target asset or environment.
Technical or operational limitations may make detection of one specific
event type impractical or infeasible, so it is particularly interesting that
this approach allows us to look at an event over time or events that
usually occur in a predictable sequence over time, and use that
information to do things such as combine detection tools or
conditionally lower a particular alert threshold.

Matching attack actions to available controls depends on having good

quantitative data (often suspect or hard to obtain), or solid criteria for
qualitative categorization and evaluation. The task, then, is to
generalize enough to handle entire classes of attacks, while
maintaining precision to effectively prevent, detect, and respond to
attacks."
"On the other side of the analytical valley is a milestone beyond which
practical security assessment questions can be asked about the
correlation of current risk and controls, security control improvement,
and forward-looking anticipation and estimation of risk."
"Even when all suitable and practical controls are in place, there are
limitations and caveats to the effectiveness of those controls.
Grindingly tight security tends to inhibit normal business processes,
which means a reasonable organization always has a window of
residual risk."

Primary Libraries: Examples of Known Attack Patterns

Ideally, we want to have access to a library of all known computer
network intrusions. Such a repository of knowledge would help us
complete a Courses of Action matrix several times over and deal with
threats by newly detected DHA despite zero-day exploit.
<Insert examples>

Building and Improving Libraries: Analysis and

Reconstruction
Metrics of Resiliency

As attack patterns have shown, visual representation of data can

expedite analysis and convey large amounts of information in very
little time. Having a means to quickly assess the success or failure of
existing network defenses for each intrusion type allows us to see
where we stand in relation to DHA. Metrics of resiliency (See Table 2) is
a means of measuring the performance and effectiveness of defensive
actions over time against DHA.
Table 2 (using a less detailed version of the Cyber Kill Chain) illustrates
the outcome of three separate intrusions: one in December, March,

and June. The white diamond represents passive detection of an

intrusion, the black diamonds show that relevant mitigations were in
place, and an empty cell means no capabilities available. Gray arrows
show areas where analysts used acquired new information from the
intrusion to update their defenses.
"For each phase of the kill chain, a white diamond indicates relevant,
but passive, detections were in place at the time of that months
intrusion attempt, a black diamond indicates relevant mitigations were
in place, and an empty cell indicates no relevant capabilities were
available. After each intrusion, analysts leverage newly revealed
indicators to update their defenses, as shown by the gray arrows."
"The illustration shows, foremost, that at least one mitigation was in
place for all three intrusion attempts, thus mitigations were successful.
However, it also clearly shows significant differences in each month. In
December, defenders detect the weaponization and block the delivery
but uncover a brand new, unmitigated, zero-day exploit in the process.
In March, the adversary reuses the same exploit, but evolves the
weaponization technique and delivery infrastructure, circumventing
detection and rendering those defensive systems ineffective. By June,
the defenders updated their capabilities sufficiently to have detections
and mitigations layered from weaponization to C2. By framing metrics
in the context of the kill chain, defenders had the proper perspective of
the relative effect of their defenses against the intrusion attempts and
where there were gaps to prioritize remediation."

Intrusion Reconstruction
"Kill chain analysis is a guide for analysts to understand what
information is available for defensive courses of action."
Most detected intrusions reveal only a limited set of attributes about a
single phase (e.g., detecting the intrusion at the Command and
Control, or C2otherwise referred to as the Acquiring Control and
Acquiring Target phases for in this paper; see Figure 5). Since the goal
in CND is to populate the courses of action matrix with the maximum
number of options, our aim is to gain as much knowledge as possible
regarding an intrusion during each phase of the kill chain.
Lets break down a scenario in which an intrusion was detected during
Acquiring Control/Acquiring Target. Because the DHA wasnt detected
until that phase, we can assume that movement past barriers between
prior phases was successful. Therefore, analyzing all available data
may help give insight as to where the defenses failed. By reproducing

how the intrusion was able to bypass the delivery phase, for instance,
we can setup appropriate courses of action to mitigate future attacks.
The goal should always be to move our detection and analysis down
the kill chain (toward Reconnaissance; see Figure 6) and implement
courses of actions to force the adversary away from Relative
Superiority (e.g., if the attacker is able to acquire control by means of a
zero-day attack, their chances of successfully completing their mission
rises exponentially).

Campaign Analysis and TTP

Long-term strategy plays a significant role in defense. The sort of
tunnel vision that occurs when analyzing that one attack that managed
to bypass the most barriers carries a significant risk. We may, for
example, ignore the bigger picturethe event that allowed that
particular intrusion to succeed in the first place. Analyzing multiple
intrusion kill chains over time will allow us to identify commonalities
and overlapping attributes that indicate a campaign.
Being able to link key attributes across multiple intrusions allows us to
determine the patterns and behaviors of the intruderstheir tactics,
techniques, and procedures (TTP)to detect how they operate rather
than focusing on what they do. By doing so, we can evaluate their
capabilities, doctrine, objectives, and perhaps some of their limitations.
This knowledge plays a significant role in anticipating how a specific
DHA will respond to new barriers. Remember, new tools or
technologies are rendered obsolete if DHA continue to rely on legacy
tools that we know of and that we can leverage to stop their
movement through the network.
Finally, campaign analysis is a means to peer into the mind of the DHA
and surmise their intent. It is possible to run circles trying to deduce
what an opponent is thinking; instead, our goal is to pinpoint the
technologies or individuals that interest the intruders in an attempt to
understand their mission objectives. To this end, DHA persistence is
our strongest weapon. By studying new intrusions we will be able to
either link attack patterns to existing campaigns or even identify a new
set of behaviors. It also necessitates careful study of those intrusions
to identify targeting patterns as well as examining any data they
managed to exfiltrate.
In the end, this analysis leads to a better understanding of our
vulnerabilities (those technologies or individuals that are being
targeted) and where to prioritize our security measures.

Advanced Classification of DHA

Introducing cultural and organizational dimensions to our analysis
takes DHA classification further into an area of ongoing research.
For cultural dimensions (much of the data was synthesized by former
IBM researcher Geert Hofestede), the idea is that "people consistently
behave in certain ways when making decisions or evaluating
situationsmeasurable in ways that show consistency within cultures
and dissimilarity between them." Therefore, cultural dimensions could
give us additional metrics by which to associate groups of DHA.
Cultural dimensions are essentially a new layer of questions to ask
other than our aforementioned what is an adversary doing? and
what are they after? New questions include Do parallel adversaries
take the same actions? Are they using the same playbook? (the Power
Distance Index) and Is there direct reaction to being blocked or
removed from a system? Are there markers for ownership or
entitlement? (the Aggression/Masculinity index).3
In responding to these questions, we classify each on a scale of one to
fivefrom distinctive absence to overwhelming presence (i.e., absence
or presence of Aggression). Of course, ratings are relative to historical
data, so accuracy will improve with time.
Examples:
Site defacement is often an impulsive act attackers perform to
assert their dominance over a networkuntil the defacement is
taken down. It conforms to the base type Implement/Execute and
indicates that the attacker has low Long-Term Orientation and a
tendency toward Indulgence over Restraint.
Some cultures are more aggressive (high-MAS) than others.
When detected and thrown off the network by an administrator,
some attackers may simply leave, while others may attempt to
retaliate.
Organizational dimensions could be called an evolved version of
cultural dimensions and the pinnacle of current research in DHA
classification. There are similar metrics, but the focus is on specificity
and being able to distinguish between cultures of multiple
organizations. These include means vs. goals, internally or externally
driven, easygoing vs. strict work discipline, local vs. professional, open
system vs. closed, and employee focus vs. work focus. While cultural
dimensions had a large dataset to support some of its broad
generalizations (data showing how Americans differ from Russians, for
3 See Appendix C for a complete list of all six Cultural Dimensions.

instance), such a dataset has not yet been published for organizational
dimensions. However, we can still use this early research as a basis for
seeking answers to simple questions like are adversaries free actors?
and are they corporate or military?
By using these additional metrics in DHA classification, we can begin to
construct a rich history of datamuch like our attack pattern libraries
to fully leverage additional organizational and cultural dimensions
research as its published.

Lexicon and a Pathway to Collaboration

An extensive library of combat engagements exists in the military
world as historical archives, in part due to the nature of military
maneuvers being relatively simple to express in common language.
Computer network intrusions can be difficult to express with words
and, as shown in this paper, there are many terms to describe the
same kinds of information. The purpose of this section is to provide a
brief overview of common terms and make suggestions toward a
common lexicon as well as providing directions in leveraging
collaborations to build larger libraries and databases.
Every organization with a computer network should aim to build, at the
very least, a simple analytical library of possible events based on the
specific kinds of controls present in the environment. A common path
to this analytical library is as follows: (1) find or build a collection of
relevant intrusions, (2) assess and evaluate what controls are present
in the environment to counter such possible intrusions, and (3)
evaluate the common attributes available in each type of alert, to
improve or enable the process of correlating activities.
For step 1, recognize that the initial library of intrusions should be
relevant to the organization. This can be based on assets at risk,
business type, size, financial attributes, supply chain, or any other
factors that constitute risk to the organization. A non-profit
organization may be concerned about the safeguard of donor
information and seek examples of intrusions leading to identity theft,
whereas a bank may choose to include well-documented network
intrusions into credit card processors. Even larger organizations like a
regional energy utility company would be concerned with both credit
card processing (payment systems) as well as nation-state attacks that
are relevant to operating critical infrastructure (hydropower, flood
control, nuclear power systems).
After evaluating the controls present in the above for step 2, one can
evaluate the available attributes for step 3. Appendix B features a list

of common and extended attributes that may be present at a particular

organization.
In many cases, collaboration will be hampered by the need to keep
libraries from reaching the hands of potential DHA (in such a case,
knowledge of what we know about them can work against us).
Assistance can be through the sharing of more benign data, such as
attack patterns of industry-wide attacks where the overall behavior and
tools used are the same across the board but where small differences
in attributes like time detected may be informative (how were they
able to detect the intrusion before us?). In the end, it is up to the
discretion of each organization on how much they are willing to share.
Remember though, stifling controls can be just as counterproductive as
an intrusion.

Conclusion
Determined Human Adversaries (DHA) and Advanced Persistent
Threats (APT) leverage an array of tools and strategies and represent
the modern threat to organizations, governments, and businesses.
Creating a defense against such intrusions relies on combining past
knowledge (military doctrines) to build a framework that applies to
computer networks.
Below is a summary of key lessons.
First, build upon existing knowledge. Creating a whole new model to
describe network intrusions is certainly more romantic, but no one has
been given a reward for recreating the wheel. By building upon military
frameworks, the researchers featured here were able to construct new
applications atop a strong and tested foundation.
Second, qualitative metrics are a good start. Quantitative metrics are
desirable, but a still immature history of events limits our ability to
mimic the quantitative certainty employed by the military (e.g., "air
superiority in day-time attacks lends an additional X% chance of
mission success"). Instead, we should recognize that qualitative
metrics give us sufficient knowledge to begin implementing "smarter"
defenses. Qualitative/category-based labels, consistent criteria, and
attack patterns are strong steps toward defining threats.
Finally, careful analysis can occur prior to attacks. We do not need to
wait for intrusions to begin creating a library of attack patterns and
DHA profiles. Looking through prior attacks in the literature that
correlate with the risks an organization may expose in its network is
the first step. We then create a Courses of Action matrix for defenses

that are already in place and run through prior intrusions in war game
style scenarios to search for weaknesses and find areas where added
resources would be beneficial.

Figures and Tables

Figure 1. McRaven's Relative Superiority from reference 3.
Figure 2. An attack curve visualization using the Cyber Kill Chain Model
from reference 3.
Figure 3. A source-mapped attack curve against a background of other
detected activity, from reference 3.
Figure 4. Attack pattern of the Dave & Buster's card theft, from
reference 1.
Figure 5. Intrusion reconstruction of a late-phase detected event, from
reference 2.
Figure 6. Intrusion reconstruction of an early phase detected event,
from reference 2.
Table 1. Courses of Action Matrix, from reference 2.
Table 2. Metrics of Resiliency, from reference 2.
Table 3. Sample of the Six Dimensions data originating from
Hofstedes research and reference 3.

Appendix A: Terms and Definitions

Determined Human Adversary (DHA) - capable adversary that engages
in extended campaigns using advanced tools to bypass most
conventional network defense mechanisms.
Advanced Persistent Threat (APT) - same as DHA.
Cyber Kill Chain - a collection of the base types of actions an adversary
may take during most computer network intrusions.
Attributes - are the least common denominator in describing base
types of actions and allow us to connect, group, and correlate activities
that may otherwise appear unrelated. While attributes may vary by

organization and environment, there are some that are applicable to

most settings.
Markers - are the same as attributes.
Indicators - are the same as attributes.
Threat Sequence - constructed by identifying patterns from connecting
attributes and the Cyber Kill Chain.
Courses of Actions - Referred to as Courses of Action by Hutchins et al.
(borrowed from the action matrix by the U.S. DoD), these are a set of
possible responses to counter an adversary during each phase of an
intrusion.
TTP - Tactics, techniques, and procedures

Appendix B: Attributes
Appendix B contains a list of Common and Extended Attributes from
reference 3.

Common Attributes

Identifier (ID) and optional name for automatable reference to

the event or action.

Time detected, usually a marker of first detection set by an IOC

Duration start, Y/M/D/H if different from time detected.

Duration end, or the last known/confident detection.

Base type of action, usually estimated by analyst or

normalization rules.

Source of alert or detection, specific or in aggregate with ID that

allows traceback.

Targeting, including evidence of randomness or selection by

opportunity, area, sequence, or point.

Estimation of operation and technical sophistication

Indicator of Compromise (IOC) record, if available

IDs of all involved source/destinations, whether system, account,

or application

Vector, showing incoming, outgoing, stasis, or lateral movement;

avoiding intermediate guesses of victimhood or attribution

Extended Attributes

Time in relation to potentially related Base Actions

Evidence of human behavior, including parallel or sequential

actions, decisions, escalation, coordination, defacement or other
markers, and other behavioral attributes

IOC or other alert record

Alert source and type

IPv4/6 and any DNS records for involved entities

IP flow or trace data, or other captured data in the alert

Target asset sensitivity or entity access level; a suggested basic
nomenclature is:
o Low: Public or low business impact data for which integrity
outweighs confidentiality;
Higher range: Negotiable assets (money/financial
assets which may be insured)
o Medium: Confidential or medium business impact data
Higher range: Tools, code, credentials, or data which
allows elevation
o High: High business impact data, such as critical trade
secrets and classified data
Higher range: Assets affecting human life and safety,
or compartmentalized information

Organization type, usually by industry, size, or business

relationship; such as:
o General populace/individuals

o Education, research, and other independent nonprofits

o Technology and telecom organizations including software,
hardware, integrators, and operators
o Industries including service, retail, manufacturing, and
materials producers
o Infrastructure and transport including all utilities
o Finance including banks, CU, credit, transaction processors
and financial NGOs
o Government including all fed/state/local civilian agencies,
domestic intelligence, and law enforcement
o Military including geopolitical actors, international
intelligence and some NGOs

Appendix C: Cultural Dimensions

Geert Hofestede collected social data to put together six behavioral
indicators of culture. These indicators show that people behave in
consistent ways when making decisions or evaluating situations. These
indicators cannot identify a specific persons cultural background, but it
is useful to use as a way to compare people within a certain groups
with other groups.

Power Distance Index (PDI) Do parallel actors take the same

actions? Are they using a playbook?
Uncertainty Avoidance Index (UAI) Are attackers pragmatic? Do
they adapt or keeping trying failed attacks?
Individualism vs. Collectivism (IDV) Is there an aversion to
using not invented here tools? Tendency to follow group
activity?
Aggression (Masculinity) (MAS) Is there direct reaction to being
blocked or removed from a system? Are there markers for
ownership or entitlement? Hostility toward remediation?
Long-Term vs. Short-Term Orientation (LTO) Is there an
investment and intent to stay resident? Active maintenance or
observation (not just time in a botnet)?
Indulgence vs. Restraint (IVR) Is there defacement? Flair? A
distinctive style or tendency to leave cryptic clues?
Announcement of success, or petulance at failure?

References
1. Espenschied, Jonathan A., "A Discussion of Threat Behavior:
Attackers & Patterns." White paper, Microsoft Trustworthy
Computing, 2012.
2. Hutchins, Eric M. et al., "Intelligence-Driven Computer Network
Defense Informed by Analysis of Adversary Campaigns and
Intrusion Kill Chains." White paper, Lockheed Martin Corporation.
3. Espenschied, Jonathan A. and Gunn, Angela, "Threat Genomics."
White paper, Microsoft Trustworthy Computing, 2012.
4. Cloppert, Michael, "Intelligence-Driven Response for Combating
the Advanced Persistent Threat." Slide deck, Lockheed Martin
CIRT, 2010.
5. Amin, Rohan M., "Detecting Targeted Malicious Email Through
Supervised Classification of Persistent Threat and Recipient
Oriented Features." Ph.D. diss., George Washington University,
2011.