EXPANDED CYBER KILL CHAIN MODEL TO INCREASE ATTACK RESILIENCY
SEAN T MALONE
@SEANTMALONE
WWW.SEANTMALONE.COM
WWW.FUSIONX.COM
PRESENTER BACKGROUND
AGENDA
LEGACY CYBER KILL CHAIN MODEL
• Reconnaissance: Harvesting email addresses, conference information, etc.
• Weaponization: Coupling exploit with backdoor into deliverable payload
• Delivery: Delivering weaponized bundle to the victim via email, web, USB, etc.
• Exploitation: Exploiting a vulnerability to execute code on victim’s system
LEGACY CYBER KILL CHAIN MODEL
“Perimeter Breach Kill Chain”
• Actions on Objectives: With “Hands on Keyboard” access, intruders accomplish their original goal
GAME OVER?
Example Target Manipulation Objectives:
• Financial Theft
‒ Modify queued wire transfers to redirect payments
• Reputation Impact and Loss of Market Share through DoS
‒ Disable all company workstations
• Disable Infrastructure in Preparation for Kinetic Attack
‒ Quickly cycle smart electric meters to overload grid
• Provide Propaganda Support for Coup Attempt
‒ Hijack television broadcast
• Cause Terror in Regional Population
‒ Change concentration of chemicals added to water supply
THE EXPANDED CYBER KILL CHAIN MODEL
THE EXPANDED CYBER KILL CHAIN MODEL
LEGACY CYBER KILL CHAIN
External Reconnaissance → Weaponization → Delivery → External Exploitation → Installation → Command & Control → Actions on Objectives
ALTERNATIVE: TREE MODEL
[Figure: tree of attack paths from Origin to Objective, branching through intermediate nodes marked X]
UNDERSTANDING THE STAGES OF A SOPHISTICATED ATTACK
INTERNAL RECONNAISSANCE
INTERNAL EXPLOITATION
ENTERPRISE PRIVILEGE ESCALATION
LATERAL MOVEMENT
TARGET RECONNAISSANCE
TARGET EXPLOITATION
Gain access to target systems via trust relationships or new vulnerabilities (time: 1 Hour)
WEAPONIZATION
INSTALLATION
EXECUTION
Activate malware to subvert target system operation, with material consequences (time: 1 Second)
BUILDING A RESILIENT ENTERPRISE
THE RESILIENT MINDSET
EVERY CONTROL WILL FAIL
If the adversary has access to:
• The internal corporate network
• Any username and password
• All documentation & specifications
What would you do differently?
THE CYBER DEFENSE THRESHOLD
[Chart: x-axis “Value to Adversary of Defended Asset ($)”; y-axis “Level of Prevention Controls / Detection & Response Controls”; a line labelled “Threshold of Defender Success” separating a “Safe Zone (Negative Adversary ROI)” region]
SEAN T MALONE
@SEANTMALONE
(SLIDES AVAILABLE AT) WWW.SEANTMALONE.COM