July 2015


In Part 1 we looked at cyber attack models and discussed some of the pros and cons of different variants. This time we’ll walk through a fictitious attack as it traverses the middle phases that most attack models have in common: Delivery, Exploitation, Installation, and Command & Control (C2 or CnC). Along the way, we’ll look at ways your network architecture can help make life more difficult for attackers, what types of monitoring controls you might wish to consider for these phases, and finally examine some indicators that you may not have considered. Before we begin, let’s discuss two subjects: indicators and how network architecture can aid in cyber defense.


Cyber Attack Models: What are they?

Attack models describe the structure of an attack in phases. They provide a means to conceptualize the different aspects of an attack. However, it is important to understand that not all attacks must complete all phases to be successful. In fact, many attacks iterate recursively through the phases of an attack model. Kill Chain is a military term used to describe the structure (or phases) of an attack. In a military context, the process is described as find, fix, track, target, engage, assess (F2T2EA): find adversary targets suitable for engagement; fix their location; track and observe; target with a suitable weapon or asset to create desired effects; engage the adversary; assess effects. Scientists at Lockheed Martin used this concept to develop the Cyber Kill Chain. It was described in a paper presented in 2011 at the 6th Annual International Conference on Information Warfare and Security (Intelligence-Driven Computer Network Defense…). Some people love it — others, not so much. Regardless, it has become an almost standard framework which others have altered or extended in different ways. Let’s do a high-level fly-over, examine some of the criticisms, and then take a look at a couple of variants!