Archive.fm

CyberWire Daily

The current state of MITRE ATT&CK.

Rick Howard, N2K Cyber's CSO, Chief Analyst, and Senior Fellow, discusses the current state of MITRE ATT&CK with CyberWire Hash Table guests Frank Duff, Tidal Cyber's Chief Innovation Officer; Amy Robertson, MITRE Threat Intelligence Engineer and ATT&CK Engagement Lead; and Rick Doten, Centene's VP of Information Security.


Duration:
18m
Broadcast on:
15 Jul 2024
Audio Format:
mp3



References:

Amy L. Robertson, 2024. ATT&CK 2024 Roadmap [Essay]. Medium.

Blake E. Strom, Andy Applebaum, Doug P. Miller, Kathryn C. Nickels, Adam G. Pennington, Cody B. Thomas, 2018. MITRE ATT&CK: Design and Philosophy [Historical Paper]. MITRE.

Eric Hutchins, Michael Cloppert, Rohan Amin, 2010. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [Historical Paper]. Lockheed Martin Corporation.

Nick Selby, 2014. One Year Later: The APT1 Report [Essay]. Dark Reading.

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.

Rick Howard, 2020. Intrusion kill chains: a first principle of cybersecurity [Podcast]. The CyberWire.

Rick Howard, 2022. Kill chain trifecta: Lockheed Martin, ATT&CK, and Diamond [Podcast]. The CyberWire.

Rick Howard, 2020. cyber threat intelligence (CTI) (noun) [Podcast]. Word Notes: The CyberWire.

Kevin Mandia, 2014. State of the Hack: One Year after the APT1 Report [RSA Conference Presentation]. YouTube.

Sahil Bloom, 2023. The Blind Men & the Elephant [Website]. The Curiosity Chronicle.

Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, 2011. The Diamond Model of Intrusion Analysis [Historical Paper]. Center for Cyber Threat Intelligence and Threat Research.

Staff, n.d. Home Page [Website]. Tidal Cyber.


You're listening to the CyberWire Network, powered by N2K.

Hey, everybody, Rick here. The MITRE ATT&CK wiki is the only open source collection dedicated to cataloging known nation-state and some crime hacker tactics, techniques, and procedures (TTPs) across the intrusion kill chain. I've been a fan of it for over a decade now. My old intelligence director, Ryan Olson, introduced me to it when we founded the Palo Alto Networks public-facing intelligence team, Unit 42. It took a while for Ryan to get it through my thick head the immense potential value of the MITRE intelligence collection to anybody pursuing the intrusion kill chain prevention strategy. But once I got it, it was like inserting the last piece into a very large puzzle. It was a eureka moment for me. I realized that there really is nothing else like it in the world.

The intrusion kill chain prevention strategy realizes that hacker groups like the Shadow Brokers, Fancy Bear, the Lazarus Group, etc., must successfully execute a chain of offensive actions against their victims in order to accomplish their goal. Not one thing, a set of things. Sometimes the infosec profession refers to that set of things as offensive attack campaigns. The strategy makes a couple of assumptions. First, the hacker group reuses these campaigns against multiple victims. They don't build it, use it once, throw it away, and then build another one. That would be wasteful. Which brings us to the second assumption: designing, building, and deploying attack campaigns is expensive in terms of the people, process, technology triad. Actor groups are reluctant to abandon a good one. Which is good news for the good guys.

Analysts studying attack campaigns can loosely categorize subsets of the campaign into stages of malicious activity like delivery, installation, exploitation, command and control, lateral movement, etc. With that categorization, analysts can then design and deploy prevention and detection controls for one or more of the TTPs in that attack stage. When the Fancy Bear hackers run into one of our blocks, they don't throw the entire campaign out (see assumption one), they pivot. They try to find a way around that one block. Even if they are successful, though (you know, they develop some new thing in the exploitation stage, let's say, something that the good guys have never seen before, some new code that we don't have a prevention control for yet), it doesn't guarantee Fancy Bear success, because the good guys have deployed other prevention controls in other stages in the attack sequence. Those controls will defeat the adversary. The more controls you put in place at each stage, the lower the probability of a material cyber event to your organization from the hacker campaign.

If the key defensive strategy for your infosec program is the intrusion kill chain prevention strategy (see my first principles book for a deeper explanation), you have to be using the MITRE ATT&CK framework wiki or something very similar that you either built yourself or you paid for. Over the years, I became one of its biggest unofficial evangelists as I was out and about speaking at conferences and talking to security professionals of all stripes. When I met with the MITRE people about it, I kept quietly suggesting that they should give me a commission for my support. I'm still waiting to hear back. MITRE, if you're listening, send checks to the Rick Howard Bermuda Islands retirement fund. But that doesn't mean that I haven't been frustrated with it too. Although it has had a large impact on the infosec professional community already, and the MITRE people behind it have made huge improvements to it in a very short amount of time, the idea of it has so much more unrealized potential. So here we are in 2024, over 10 years since MITRE released version one. I thought it was time to put a stake in the ground and assess what the current state of the MITRE ATT&CK framework is today. So hold on to your butts, this is going to be fun.

My name is Rick Howard, and I'm broadcasting from N2K Cyber's Secret Sanctum Sanctorum Studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.

It all began with the Lockheed Martin paper published in 2010. It caused a shift in the collective cyber professionals' thinking, away from defending against generic offensive tools like viruses, malware, and exploit code with no relation to what the adversary was trying to accomplish, towards specifically defeating the adversary's overall goal. Before the paper, most of us were using a defense in depth strategy designed to block the hacker's generic offensive malicious software. By generic, I mean that we didn't associate the weapon with any adversary plan. We were just looking to detect and prevent bad things on the network. To counter the deployment, network defenders would stack one or more blocking tools between the boundary of our digital environments and our crown jewels, like firewalls, intrusion prevention systems, and antivirus software. The idea was that if the first tool failed to prevent the deployment of the offensive weapon, then the second prevention tool in the stack would catch it. If that one failed, then the third one would be successful. That's what defense in depth means: multiple ways to prevent bad things from happening. The number of defensive tools you had in the security stack depended on your internal budget.

The kill chain paper's great insight was that all cyber adversaries, regardless of their motivation, have to complete a set of tasks in order to accomplish their goal, and their goal, whatever it is, doesn't really matter in terms of devising a defensive strategy. Whether it's crime, espionage, hacktivism, low-level cyber conflict, or just mischief making for the fun of it, every hacking crew has to follow this general model. Instead of cybersecurity professionals trying, and mostly failing, to block all of the generic hacking weapons in existence with the defense in depth strategy, we would instead design prevention controls for known adversary campaigns and install them at every stage of the attack chain. The brilliance of this model is that the hacker team has to be 100% successful in avoiding all of those prevention controls in order to accomplish their goal. They can't make one mistake. The defenders, on the other hand, only have to be successful once somewhere along the attack chain. If we are, we can break the attack sequence. We can kill the attack. That's why the paper's title says that it's "informed by analysis of adversary campaigns and intrusion kill chains." By doing a post-mortem on victim zero and other subsequent victims, cyber intelligence analysts can construct the attack sequence in the aftermath and potentially identify multiple locations along the chain where we can kill the attack. That doesn't help victim zero, but it helps every other potential victim that Fancy Bear has its sights on. That's a magnificent and radical insight. It seems obvious to us now that we're 10 years past the initial paper publication, but back then, it was revolutionary.

Just a year later, in 2011, the Department of Defense published their paper on the Diamond Model. It provides a structure for how cyber intelligence teams can analyze attack sequences and provides a standard language for intelligence analysts to discuss the same campaigns. In the early days of the idea, we were all doing our own thing. It was exceedingly difficult to communicate what I knew about the Lazarus Group campaign with somebody else because we were all speaking different languages. The result was that the Diamond Model became a supporting guidebook for organizations pursuing the kill chain strategy. And then, in 2013, MITRE released the first version of the ATT&CK framework. The team recognized the overall value of the kill chain strategy direction, but they wanted to convey the actions that individual adversaries make: how one action relates to another, how sequences of actions relate to tactical adversary objectives, and how the actions correlate with data sources, defenses, configurations, and other countermeasures used for the security of a platform and domain. Over time, I started calling these three research efforts the Intrusion Kill Chain trifecta.

When we first started doing this podcast back in 2020, the Intrusion Kill Chain Prevention Strategy was one of the first topics we covered. In 2022, we covered it again, and of course, when we published the first principles book back in 2023, I dedicated Chapter 4 to the idea. In the book and the podcast, I made the case about why these three research efforts should be considered collectively and not separately. They are three significant elements coming together. One is a strategy document, the Lockheed Martin paper. One is an operational construct for defensive action, the MITRE framework. And one is a methodology for cyber threat intelligence teams, the Diamond Model. You don't choose one model over the other; all of these models work in conjunction with each other. To be clear though, there wasn't a lot of collaboration between the research groups. The Lockheed Martin people weren't saying, "Hey, we're doing the strategic piece, DOD, you work on the intelligence piece, and MITRE, you build an intelligence wiki." No. Different parts of the infosec profession were all thinking along the same lines, working independently, and coming to different conclusions. The situation was similar to the old Buddhist parable where six blind men examined the same elephant. Each man was convinced that what he experienced was the correct interpretation, when really it was only a piece of the whole.

Frank Duff is the chief innovation officer at a startup called Tidal Cyber. Their mission is to make it practical and affordable for all enterprises to adopt MITRE ATT&CK, and full disclosure here, I advise Tidal Cyber, so take whatever I say here with a grain of salt. Before Tidal Cyber though, Frank spent 20 years working for MITRE, and the last 10 years supporting the ATT&CK project. Here's Frank.

It was serendipitous, I guess, as a way of looking at it, coincidental, that a lot of these things happened, like any good standard. You had everybody doing their own standard at the time, right? They're all kind of pushing the same philosophy.

The smart people thinking the same kind of things, and how would they make that happen to them?

I think so. Exactly, exactly. I think that there was this common need, right, and the community is a close-knit community. I think a lot of people recognized this common need to create taxonomy, but I think there is always the challenge in moving from one to the other. Your application of the Diamond Model is looking at a very specific "how thready is the threat" kind of concept, right, and yes, you're trying to describe it, but it's trying to solve a slightly different problem. Or the kill chain was a great way of making it so that people could realize the steps that an adversary would have to take, but then with ATT&CK, it's like, all right, well, those steps don't always happen linearly. I don't think that it's a "you pick one" kind of thing, which I know that you're a strong believer in, right? It's, I think, those things continue to excel at what they were developed to do. And they're all great pieces of making it so that you communicate, making it so that you can prioritize and the like.

Amy Robertson has been working at MITRE for the past six years as a cyber threat intelligence engineer, and the last four years as the ATT&CK engagement lead. She concurs with Frank. She says, "You take the output of the ATT&CK wiki as inputs to the Diamond Model, and the outputs of the Diamond Model support the kill chain strategy."

I would view them more as complementary. So I do think that they have different purposes, essentially. So, you know, ATT&CK documents have more detailed adversary behavior as well. For example, the Diamond Model is more helpful if you're trying to get a better understanding of how to cluster intrusions, potentially how to use it for attribution. But you know, ATT&CK-mapped techniques are going to be a useful source of input into the Diamond Model as you're using it to analyze adversary capability. So I think those are complementary. I do not think that you have to use them separately. You can use them together. I think that that makes a really good pairing. And then similarly, the kill chain, it's set, ATT&CK sits at a little bit lower of a definition, because again, we're describing adversary behaviors. We're describing how they're doing things. And so instead of that kind of more linear model, where ATT&CK is unordered, we're trying to reflect how an adversary is moving realistically across a network.

The question then is, where do most of us get the threat intelligence that will inform us about known attack sequences? Well, you can develop it yourself by using the Diamond Model and reading thousands of security vendor intelligence blogs about this adversary campaign or that one, like the latest ESET report on the Chinese hacker group Mustang Panda running attack campaigns against the shipping industry in Europe.

And that's our show. Well, part of it. There's actually a whole lot more, and it's all pretty great. If you want the full show, head on over to thecyberwire.com/pro and sign up for an account.

Here at N2K, we have a wonderful team of talented people doing insanely great things to make me and the show sound good, and I think it's only appropriate you know who they are.

I'm Liz Stokes. I'm N2K CyberWire's associate producer. I'm Trey Hester, audio editor and sound engineer. I'm Elliot Peltzman, executive director of Sound and Vision. I'm Jennifer Eiben, executive producer. I'm Brandon Karpf, executive editor. I'm Simone Petrella, the president of N2K. I'm Peter Kilpe, the CEO and publisher at N2K. And I'm Rick Howard. Thanks for your support, everybody. And thanks for listening.
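The kill chain prevention logic Rick walks through in the episode (analysts map a reconstructed campaign onto stages, defenders put controls at as many stages as they can, the adversary pivots around any single block, and the defender only has to win once somewhere along the chain) as an added worked example. This code is not from the episode, MITRE, N2K, or Tidal Cyber. The technique IDs and names are real ATT&CK entries; the campaign sequence and the control inventory are constructed for illustration and do not describe a documented Fancy Bear campaign.

```python
"""
Kill chain coverage check: is a known adversary campaign broken by our
controls, and does it stay broken if the adversary pivots around one block?

A campaign is the ordered list of ATT&CK techniques an analyst reconstructed
from victim post-mortems, each tagged with its tactic (the kill chain stage).
Controls are an inventory keyed by technique ID.
"""

# Constructed sample campaign: (technique ID, technique name, tactic shortname).
# IDs, names and tactic shortnames are real ATT&CK values; the sequence is made up.
CAMPAIGN = [
    ("T1566.001", "Phishing: Spearphishing Attachment", "initial-access"),
    ("T1204.002", "User Execution: Malicious File", "execution"),
    ("T1547.001", "Registry Run Keys / Startup Folder", "persistence"),
    ("T1071.001", "Application Layer Protocol: Web Protocols", "command-and-control"),
    ("T1021.002", "Remote Services: SMB/Windows Admin Shares", "lateral-movement"),
    ("T1041", "Exfiltration Over C2 Channel", "exfiltration"),
]

# Constructed control inventory: technique ID -> names of controls that prevent
# or detect it. A missing or empty entry means nothing stops that technique.
CONTROLS = {
    "T1566.001": ["mail gateway attachment sandbox"],
    "T1071.001": ["egress proxy with domain allow-list"],
    "T1021.002": ["host firewall drops inbound 445 on workstations"],
}


def stage_coverage(campaign, controls):
    """Return {tactic: [control names]} in campaign order, one entry per stage."""
    coverage = {}
    for tid, _name, tactic in campaign:
        coverage.setdefault(tactic, []).extend(controls.get(tid, []))
    return coverage


def uncovered_stages(campaign, controls):
    """Stages the adversary currently walks through unopposed."""
    return [stage for stage, ctrls in stage_coverage(campaign, controls).items() if not ctrls]


def chain_is_broken(campaign, controls):
    """The defender only has to win once: any blocked technique breaks the chain."""
    return any(controls.get(tid) for tid, _name, _tactic in campaign)


def pivot_survivors(campaign, controls):
    """Simulate the adversary pivoting around each block in turn.

    For every blocked technique, assume the adversary swaps in something new at
    that stage that our control does not catch, and report whether the remaining
    controls still stop the campaign. Returns {technique ID: still_broken}.
    """
    survivors = {}
    for tid, _name, _tactic in campaign:
        if not controls.get(tid):
            continue
        remaining = {k: v for k, v in controls.items() if k != tid}
        survivors[tid] = chain_is_broken(campaign, remaining)
    return survivors


def report(campaign, controls):
    """Plain-text summary of the checks above for one campaign."""
    lines = [f"chain broken: {chain_is_broken(campaign, controls)}"]
    for stage, ctrls in stage_coverage(campaign, controls).items():
        lines.append(f"  {stage:<20} {', '.join(ctrls) if ctrls else '(no control)'}")
    for tid, still_broken in pivot_survivors(campaign, controls).items():
        verdict = "still broken" if still_broken else "CAMPAIGN SUCCEEDS"
        lines.append(f"  pivot around {tid}: {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CAMPAIGN, CONTROLS))
    # Same campaign with only the mail gateway left: one pivot and it is through.
    print(report(CAMPAIGN, {"T1566.001": CONTROLS["T1566.001"]}))
```

The pivot simulation is the part worth running against your own inventory: a chain that is "broken" by exactly one control is one new technique away from succeeding, which is the situation the episode says defense in depth at every stage is meant to avoid.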