Sponsor/Announcer
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research, and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.
Rick Howard
The word is intrusion kill chain. Spelled: intrusion, as in a breach of a network or system; kill, as in to terminate or put an end to; and chain, as in a sequence. Definition: a cybersecurity first principle strategy focused on disrupting known adversary activity at one of several phases of an attack sequence. Example sentence: the organization stopped the attack at the installation phase of the intrusion kill chain. Origin and context: 2010 was a big year in cybersecurity. The world learned about the U.S.-Israeli cyber campaign Olympic Games, commonly referred to as Stuxnet, designed to slow down or cripple the Iranians' nuclear bomb production capability. Google sent out shockwaves when it announced that it had been hacked by the Chinese government. John Kindervag, while working for Forrester, published his seminal paper "No More Chewy Centers," introducing the Zero Trust model of information security. And Lockheed Martin published their groundbreaking paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," written by Eric Hutchins, Michael Cloppert, and Rohan Amin. I can't emphasize enough the size of the seismic shift in cyber defense thinking in the general public after the Lockheed Martin paper came out. Before the paper, we were all consumed with the idea that we were trying to prevent bad technical things from happening to and inside our networks using a model that we call Defense in Depth. We were preoccupied with stopping malware and zero-day exploits and bad URL links without any consideration of how cyber adversaries actually conducted their business from beginning to end. The common notion was that the adversary only had to be lucky one time to have success, like using a zero-day exploit, while the defender had to be precisely correct, protected against all the possible zero-day exploits all the time. The Lockheed Martin paper made the case that this just wasn't true.
The authors demonstrated that adversaries had to string a series of actions together in order to be successful. All the defender had to do was break the sequence somewhere along that chain, the kill chain, which completely reversed the common notion. According to the authors, "network defense techniques which leverage knowledge about these adversaries can create an intelligence feedback loop, enabling defenders to establish a state of information superiority which decreases the adversary's likelihood of success with each subsequent intrusion attempt." The bad news is that although the Lockheed Martin kill chain model is brilliant as a conceptual model, it's severely lacking in one major aspect: operations. There isn't a lot of detail in the original white paper about how to operationalize the concept. Things like how to collect adversary playbook intelligence, analyze the data, make prudent decisions about how to prevent playbook actions, and actually deploy the mitigation plan are left to the reader as an exercise. But that's a nitpick. The paper wasn't designed for that purpose. The authors disrupted the industry by upending commonly understood best practices and proposed a strategy that was better suited to preventing material impact to our organizations. The operations void would be filled by other big thinkers from MITRE, with their ATT&CK framework, and the Department of Defense, with their Diamond Model. Nerd reference: at the Integrated Cyber Conference in 2018, hosted by the Johns Hopkins Applied Physics Laboratory, yours truly gave the keynote speech about the future of network defense. In this section, I discussed the kill chain elements from the Lockheed Martin intrusion kill chain paper.
The Lockheed Martin folks realized that as adversaries, the black hats of the world, attack their victims' networks, regardless of the tool set they used and regardless of the motivations that drove them to do it, they all basically got to do the same five things to break into a network and be successful. They have to recon the victim's network looking for weaknesses. They craft a weapon that will leverage those weaknesses and deliver it to some endpoint somewhere: a laptop, a server, a printer, anything, it doesn't really matter. Once they get there, they trick the user into running that weapon against them, which allows them to compromise that endpoint. I call that establishing a beachhead. Now the adversary is not successful yet, but now they are inside your network. From there they usually create a command and control channel back out to the Internet to download more tools that will help them finish their mission. And from there, the intrusion kill chain paper says, actions on the objective. And there's lots of things that can happen here, but generally it's move laterally in the victim's network looking for the data they've come to steal or to destroy. And once they find it, they exfiltrate it out.
Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.
Sponsor/Announcer
At Thales, they know cyber security can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data, and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most: applications, data, and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com. Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, DC. Discover the startups building the future of cyber. Learn more at ciddatatribe.com.
Host: N2K Networks
Date: October 7, 2025
Theme: Deception, Influence, and Social Engineering in Cybercrime
Episode Focus: The concept of the "Intrusion Kill Chain" — its origins, impact, and practical application in modern cybersecurity defense.
This episode of "Word Notes" centers on the "Intrusion Kill Chain," a foundational model in cybersecurity strategy. Rick Howard provides a rich context for its origin, the breakthrough in cyber defense thinking it produced, its operational gaps, and its relevance in defending against complex adversaries. The discussion demystifies the kill chain, explaining how organizations can disrupt attackers' sequential steps to prevent major breaches.
[01:47–03:53] Origin and context. 2010: pivotal year for cybersecurity (Stuxnet, the Google breach disclosure, Kindervag's Zero Trust paper, and the Lockheed Martin kill chain paper). Impact:
Quote [03:10]:
“The common notion was that the adversary only had to be lucky one time to have success... The Lockheed Martin paper made the case that this just wasn’t true... All the defender had to do was break the sequence somewhere along that chain, the kill chain, which completely reversed the common notion.”
—Rick Howard
[05:32–06:40] Five essential steps attackers must execute (regardless of tools or motives): (1) reconnaissance of the victim's network for weaknesses; (2) crafting a weapon that leverages those weaknesses and delivering it to an endpoint; (3) getting the weapon executed to compromise that endpoint and establish a beachhead; (4) opening a command and control channel back out to the Internet to download more tools; (5) actions on the objective, typically lateral movement to find the target data and exfiltrate or destroy it.
Quote [05:57]:
"Once they get there, they trick the user into running that weapon against them, which allows them to compromise that endpoint. I call that establishing a beachhead. Now the adversary is not successful yet, but now they are inside your network."
—Rick Howard
The model empowers defenders: break the attack at any stage, and the entire operation fails.
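The "break one link" claim has an operational corollary the episode's five-step walk-through implies but does not spell out: a phase is only broken when every technique the adversary's playbook uses at that phase is blocked; a partial block just routes the adversary to the unblocked technique. The following Python is an added illustration, not code from the episode or from the Lockheed Martin paper. It uses the episode's five phases as labels, and the campaign playbook, technique names, and control set are constructed sample data.

```python
"""Kill-chain break analysis: the adversary needs every phase, the defender needs one.

Added example (not from the episode). Phase names follow the episode's five-step
compression of the Lockheed Martin model; technique and control labels are constructed.
"""
from dataclasses import dataclass

# Kill-chain order matters: the first broken phase is where the campaign stops.
PHASES = [
    "recon",
    "weaponize_deliver",
    "exploit_beachhead",
    "command_control",
    "actions_on_objective",
]


@dataclass(frozen=True)
class PlaybookStep:
    """One thing the adversary has to do at one phase (technique labels are constructed)."""
    phase: str
    technique: str


@dataclass(frozen=True)
class Control:
    """A deployed mitigation and the set of techniques it prevents at one phase."""
    name: str
    phase: str
    blocks: frozenset


def _techniques_by_phase(playbook):
    out = {}
    for step in playbook:
        if step.phase not in PHASES:
            raise ValueError(f"unknown phase: {step.phase}")
        out.setdefault(step.phase, set()).add(step.technique)
    return out


def _blocked_by_phase(controls):
    out = {}
    for c in controls:
        out.setdefault(c.phase, set()).update(c.blocks)
    return out


def chain_breaks(playbook, controls):
    """Phases, in kill-chain order, where every technique the adversary uses is blocked.

    One entry is enough to stop the campaign: the adversary cannot reach any later
    phase without changing the playbook. Phases the playbook does not use are skipped.
    """
    needed = _techniques_by_phase(playbook)
    blocked = _blocked_by_phase(controls)
    return [p for p in PHASES if p in needed and needed[p] <= blocked.get(p, set())]


def first_break(playbook, controls):
    """The earliest phase at which the campaign is stopped, or None if it completes."""
    breaks = chain_breaks(playbook, controls)
    return breaks[0] if breaks else None


def uncovered(playbook, controls):
    """Per phase, the adversary's techniques that no control blocks.

    A phase with some techniques blocked and others not is NOT a break; the
    adversary simply uses the unblocked technique. These are the gaps to close.
    """
    needed = _techniques_by_phase(playbook)
    blocked = _blocked_by_phase(controls)
    return {p: sorted(needed[p] - blocked.get(p, set())) for p in PHASES if p in needed}


# Constructed sample playbook for one campaign, following the episode's five phases.
CAMPAIGN = [
    PlaybookStep("recon", "passive_osint"),
    PlaybookStep("weaponize_deliver", "spearphish_attachment"),
    PlaybookStep("weaponize_deliver", "spearphish_link"),
    PlaybookStep("exploit_beachhead", "office_macro_execution"),
    PlaybookStep("command_control", "https_beacon"),
    PlaybookStep("actions_on_objective", "smb_lateral_movement"),
    PlaybookStep("actions_on_objective", "https_exfiltration"),
]

# Constructed control set: delivery is only partially covered, the beachhead is fully covered,
# and the C2 control blocks a technique this campaign does not use.
CONTROLS = [
    Control("attachment_sandbox", "weaponize_deliver", frozenset({"spearphish_attachment"})),
    Control("macro_block_policy", "exploit_beachhead", frozenset({"office_macro_execution"})),
    Control("egress_allowlist", "command_control", frozenset({"dns_tunnel"})),
]

# Variant campaign: the adversary swaps the beachhead technique. Same controls, no break.
VARIANT = [s for s in CAMPAIGN if s.phase != "exploit_beachhead"] + [
    PlaybookStep("exploit_beachhead", "lnk_sideload"),
]

if __name__ == "__main__":
    print("breaks:", chain_breaks(CAMPAIGN, CONTROLS))        # ['exploit_beachhead']
    print("gaps:", uncovered(CAMPAIGN, CONTROLS))
    print("variant breaks:", chain_breaks(VARIANT, CONTROLS))  # []
    print("variant gaps:", uncovered(VARIANT, CONTROLS))
```

Run as a script it reports that the sample campaign is stopped at the beachhead phase even though delivery is only half covered, and that the variant, which changes a single technique, is not stopped at all. That second result is the point of the episode's "intelligence feedback loop": the defender's coverage is only as good as its knowledge of the adversary's current playbook, so the gap list has to be recomputed whenever that intelligence changes.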
On the Kill Chain as a Game Changer:
"The authors disrupted the industry by upending commonly understood best practices and proposed a strategy that was better suited to preventing material impact to our organizations."
—Rick Howard [04:54]
On the Attacker's Required Steps:
“Regardless of the tool set or the motivations... they all basically got to do the same five things to break into a network and be successful.”
—Rick Howard [05:36]
On Defender Advantage:
"All the defender had to do was break the sequence somewhere along that chain, the kill chain, which completely reversed the common notion."
—Rick Howard [03:27]
Rick Howard and the "Word Notes" team distill a complex, foundational idea into practical terms for listeners, underlining how the Intrusion Kill Chain shifted the odds in favor of cyber defenders, provided they are equipped to break even a single link in the sequence. The episode is essential listening for defenders seeking to understand how strategic insight can translate into actionable defense.