How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack (darkreading.com)
75 points by sp332 on Feb 14, 2013 | hide | past | favorite | 20 comments



That article was one big euphemism, and I am no closer to knowing what a "Kill Chain" is or how it could stop an attack than I was 30 minutes ago.


There's a lot of information about Lockheed's implementation (search for Lockheed Kill Chain presentation), but here's a specific presentation they gave at black hat:

https://media.blackhat.com/bh-us-12/Briefings/Flynn/bh-us-12...

The high-level takeaway is that they developed a response methodology (modeled after a military killchain) that breaks up an attack into different phases, and they then have protection (and more importantly, detection) processes in place for each phase.

The idea is that a successful attack (ie: data is exfiltrated, which is predominantly the type of attack they are concerned with) doesn't just magically happen. Each phase of the kill chain has to be bypassed, so you have multiple places to detect (and hopefully prevent) it.

You also have the benefit of asymmetrical information, which is to say, that when you stop an attack inside the kill chain, you have all the information that got them to that point, whereas they don't necessarily know why the attack was unsuccessful. That allows you to build a knowledge base specific to the attacker so that future attacks can be stopped earlier on in the process.

Lockheed's kill chain implementation (and ours as well) is lacking the last phase of response that is present in the military one (mainly: they can launch a missile strike or send tanks, whereas we are obviously slightly more limited in our response).

Basically, this process came about as a reaction to the reality of the defense situation (which is that for all intents and purposes you can't actually stop them from getting into the network; you have to have a response plan to mitigate attack success that includes your systems getting compromised).
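The two points made above (detection at every phase, and the asymmetry that lets a stopped intrusion feed indicators back so the next campaign is caught earlier) as an added, self-contained example; this is illustrative code, not Lockheed's, and the phase names are the seven from their whitepaper while every indicator value and campaign is constructed:

```python
from collections import defaultdict

# The seven phases, in order, as named in the Lockheed Martin whitepaper.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

class KillChainDefense:
    """Per-phase indicator store. Each stopped intrusion feeds every indicator
    it exposed back into the store, so a repeat campaign trips earlier."""

    def __init__(self):
        self.known = defaultdict(set)  # phase -> set of indicator strings

    def learn(self, events):
        """events: list of (phase, indicator) observed in one intrusion."""
        for phase, indicator in events:
            self.known[phase].add(indicator)

    def detect(self, events):
        """Return the earliest (phase, indicator) matching a known indicator, else None."""
        for phase, indicator in sorted(events, key=lambda e: PHASES.index(e[0])):
            if indicator in self.known[phase]:
                return phase, indicator
        return None

    def phases_denied(self, detected_phase):
        """Phases the adversary never reached once stopped at detected_phase."""
        return PHASES[PHASES.index(detected_phase) + 1:]

# Constructed sample campaigns (all values invented for this example).
CAMPAIGN_1 = [
    ("delivery", "sender:payroll@mail.example.test"),
    ("exploitation", "attachment-sha256:PLACEHOLDER_HASH_1"),
    ("installation", "path:%APPDATA%\\updater.exe"),
    ("command_and_control", "domain:c2.example.test"),
]
# Same sender and install path reused; new attachment and new C2 domain.
CAMPAIGN_2 = [
    ("delivery", "sender:payroll@mail.example.test"),
    ("exploitation", "attachment-sha256:PLACEHOLDER_HASH_2"),
    ("installation", "path:%APPDATA%\\updater.exe"),
    ("command_and_control", "domain:cdn.example.test"),
]

def demo():
    d = KillChainDefense()
    d.learn([("command_and_control", "domain:c2.example.test")])  # pre-existing blocklist entry
    first = d.detect(CAMPAIGN_1)   # caught late, at C2, by the only indicator known so far
    d.learn(CAMPAIGN_1)            # bank every indicator the attacker exposed on the way in
    second = d.detect(CAMPAIGN_2)  # caught at delivery, before exploitation ever happens
    return first, second
```

The second campaign is stopped at delivery even though its exploit and C2 infrastructure are new, which is the "stopped earlier in the process" effect the comment describes.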


Yea it's obviously a fluff piece. At the same time, what kind of details would you expect? As with any anti-fraud it's going to contain a lot of heuristics and stuff that needs to stay secret in order to be effective. So they could probably provide details about how all access is audited, but the real neat parts of what makes it work wouldn't be disclosed anyways.

It's also not clear how Kill Chain helped at all. If they discovered the user, then they could have deactivated his credentials, right? Or are they alluding to that they use live user activity as a sorta honeypot to see if there are other compromised users?

This quote was pretty funny: "An attacker only has one time to be right to get that information out of the network" -- really? Cause I thought usually we think of it the other way around: the defenders have to only mess up once to lose.


The way they described it, they used user auditing to track what the user was doing on the network and where, and compared it against the user's role.

There's lots of commercial software that will help you do this. First you have network appliances throughout your network that monitor traffic. Then you create rules and policies on the device that tracks the user, its defined role, what it should have access to, and what it is attempting to access. Then you define actions (logging, dropping the packet, ignoring it, etc) based on the rules/policies.

You can do this using open source software, too, but it takes a bit more glue code usually. A long set of iptables rules (along with free tools like Snort) could tag traffic based on the user, layer 7 protocol, and network access, and alerts could be mailed to the admins when a user over-reaches in their access.


The name itself seems to be air-force jargon[1] for "locate, identify, destroy".

It also seems to be in somewhat common use in secops, there's a 4-part series from 2009[2] that looks much more interesting than the indefinite article posted.

Another article from Tripwire[3] defines it as: The phrase “kill chain” describes the structure of the intrusion, and the corresponding model guides analysis to inform actionable security intelligence.

There's actually a whitepaper (PDF, ~12 pages)[4] from Lockheed-Martin about their 'kill chain' APT defence, which would be another good read about it. From their paper,

"Conventional network defense tools such as intrusion detection systems and anti-virus focus on the vulnerability component of risk, and traditional incident response methodology presupposes a successful intrusion."

and instead, they want to study analytics on the assumption the attacker can or has got in already, and wants to do something with their access. They can detect suspicious actions and do something about them, rather than keep everything suspicious out.

[1] http://www.jargondatabase.com/Category/Military/Air-Force-Ja...

[2] http://computer-forensics.sans.org/blog/2009/07/22/security-...

[3] http://www.tripwire.com/state-of-security/it-security-data-p...

[4] http://www.lockheedmartin.com/content/dam/lockheed/data/corp...


Here's a blackhat paper on the kill chain idea:

https://media.blackhat.com/bh-us-12/Briefings/Flynn/bh-us-12...

Other commenters have pointed out good resources. I particularly enjoyed reading the Lockheed Martin whitepaper, which comes up as the first Google result for "lockheed martin kill chain", but I had to use the Google cached copy as the link is now 404ing. Edit: it's the same paper fname links below.


Totally agreed. A quick search turned up this White Paper written by a few LMCO employees (PDF):

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains -- https://www.vita.virginia.gov/uploadedFiles/VITA_Main_Public...


Sure you are. It stops attacks using intelligent measures!


I've been out of the security space for a while but what I would love to see (and perhaps it already exists) is a threat "counter" for every authenticated user on my network. Data could be fed from various sources (IDS and audit logs), and actions like simultaneous logins, port scans or attempts to access files and apps that the user doesn't have access to would increase their threat counter. You could add weight to events, e.g. someone from marketing trying to access a SQL server, router, or RDP to an accounting server, etc. Unauthenticated hits could be associated with an anonymous user. Once the entity has reached a certain threshold an analyst is alerted to investigate. You could even tie this to the support center - "Hello Mr. Rogers, I see you're having trouble logging on to the reporting site, would you like us to reset your password?"
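The per-user threat counter sketched in this comment, and the role-versus-access comparison described in the earlier comment about user auditing, as one added example that is not part of the thread; the log format, user directory, event weights and threshold are all constructed assumptions:

```python
import re
from collections import defaultdict

# Base weight per event type (constructed values, not from any real product).
EVENT_WEIGHTS = {"simultaneous_login": 3, "port_scan": 5, "access_denied": 2}
# Extra weight when a role touches something outside its remit (constructed).
OUT_OF_ROLE = {("marketing", "sql"): 6, ("marketing", "router"): 6, ("marketing", "rdp"): 4}
ALERT_THRESHOLD = 10
# Assumed directory lookup: user -> role.
ROLES = {"alice": "marketing", "bob": "dba"}

# Assumed audit-log line shape; "user=-" marks an unauthenticated hit.
LOG_RE = re.compile(r"user=(?P<user>\S+) event=(?P<event>\S+)(?: target=(?P<target>\S+))?")

def parse(line):
    """Return {'user', 'event', 'target'} for a well-formed line, else None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def score_events(lines):
    """Accumulate a weighted threat score per user; unauthenticated hits
    are pooled under 'anonymous'. Unknown event types contribute nothing."""
    scores = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        user = "anonymous" if rec["user"] == "-" else rec["user"]
        weight = EVENT_WEIGHTS.get(rec["event"], 0)
        role = ROLES.get(user)
        if rec["target"] and role:
            weight += OUT_OF_ROLE.get((role, rec["target"]), 0)
        scores[user] += weight
    return dict(scores)

def users_to_investigate(scores, threshold=ALERT_THRESHOLD):
    """Users whose counter has crossed the threshold, for an analyst to review."""
    return sorted(u for u, s in scores.items() if s >= threshold)

# Constructed sample log lines.
SAMPLE_LOG = [
    "2013-02-14T09:01 user=alice event=login_ok target=mail",
    "2013-02-14T09:02 user=alice event=simultaneous_login",
    "2013-02-14T09:05 user=alice event=access_denied target=sql",
    "2013-02-14T09:06 user=alice event=access_denied target=rdp",
    "2013-02-14T09:07 user=bob event=access_denied target=sql",
    "2013-02-14T09:08 user=- event=port_scan",
    "2013-02-14T09:09 user=- event=port_scan",
]
```

With these inputs alice's denied SQL and RDP attempts weigh far more than bob's denied SQL attempt because of the role mismatch, so alice and the anonymous pool cross the threshold while bob does not.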


I forget the term, but there is a similar value assigned to users for marketing purposes which is sourced from a variety of systems. The higher the value, the more likely the person would be interested in converting/making a purchase. Something similar surely exists for security purposes. With that said, the last thing you mentioned must be used with great caution, as it could easily be exploited.


'Lead Score'?


Yep, that's it.


It's too bad that RSA was hacked but what was inexcusable was how they responded. Basically they wouldn't tell anyone what happened unless you signed some NDA or something. Then they said they'd replace your current ones with new free ones. Yea the keys to the kingdom were stolen, let me get some more of that please!


It reminds me of a high tech version of "The Cuckoo's Egg" by Clifford Stoll. In his case, he shorted out wires to cause transmission errors and made up fake data for the cracker to download.


This article barely explains anything about the "Kill Chain", which to me sounds like part firewall, part network monitoring software and part credit card fraud detection algorithm. From what I know and took from the article, the "Kill Chain" is nothing more than a software, perhaps even hardware, layer that can detect suspicious activity and throw up restrictions without actually alerting the user that they're detected, but rather make them leave out of frustration once they work out they're not getting anything.

One part of the article, in which they reveal that the system can detect attackers using legitimate authentication details basically only when they are trying to access data that they're not entitled to, makes me wonder: if an attacker were to get the credentials of someone higher up with more access to a wider set of data than a regular employee, would they be able to detect that? Seems like the chink in the armour if you ask me.

Interesting, but I would have loved a bit more detail and explanation about this heavily over-glorified firewall and humanised monitoring network.


Using an IPS to identify users accessing information inconsistent with their role in the organization is better than doing nothing, I guess, but why did those credentials access network shares or databases the intended user wasn't supposed to access in the first place?

If their detection system is useful at all, then the principle of least privilege is definitely not being followed.


There was very little "How" in that article.


Instead of trying to fix the key system, or implement extra methods of authentication, they decided to distrust authenticated users if their accounts were acting suspiciously.


Who was the adversary that broke into their network?


Why is this article pulled to the left?



