In 2011, Lockheed Martin revolutionized the cyber defense business by publishing a seminal white paper, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. The document sparked a new wave of thinking about digital adversaries, specifically nation-state advanced persistent threat (APT) groups. Its authors argued that by leveraging knowledge of how these adversaries operate, cyber defenders "can create an intelligence feedback loop, enabling defenders to establish a state of information superiority which decreases the adversary's likelihood of success with each subsequent intrusion attempt." This so-called kill chain model could "describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of intelligence gathering form the basis of intelligence-driven computer network defense."

More than a decade later, one of the paper's authors, Eric Hutchins, now a security engineer investigator at Meta, and his colleague Ben Nimmo, global lead for threat intelligence at Meta, presented a new kill chain model at this year's Cyberwarcon conference. It cuts across the silos typical of online operations to provide a common framework they call the "Online Operations Kill Chain."

A common threat taxonomy

Focused on the unique challenges that online operations pose, the Meta researchers devised a common threat taxonomy to help them better understand the threat landscape and spot gaps in the industry's collective defense. "The first job was obviously just to understand what was going on and what the bad actors were doing," Nimmo told Cyberwarcon attendees. "So, it was really about analyzing them, breaking them down, and then taking them down. What we saw increasingly was that the more we understood these threat actors, the more there were commonalities among them. There would be commonalities between different operations of the same type, but there would also be commonalities between very different operations. So, over the last 18 months, we have come up with a framework that really allows us to break down and tabulate, analyze those commonalities across all types, all the different types of operation that we deal with," Nimmo said.

Hutchins said that one of the biggest challenges in devising the new model was ensuring that it applied to the many different operations that cut across the silos of espionage and information operations. "The adversaries, of course, don't adhere to the terms of the rules," he said. "A great example of this kind of operation is the Ghostwriter campaign, an operation that uses both account takeovers and compromises. But once those accounts are compromised, you use them to conduct an influence operation." Ghostwriter was an influence campaign that targeted Lithuania, Latvia, and Poland and promoted narratives critical of the North Atlantic Treaty Organization's (NATO) presence in Eastern Europe.

The new kill chain model was designed to bridge the gap between damaging information operations and other types of malicious online behavior, Nimmo said. "We've designed it for any kind of operation where, if you like, there's a human at both ends of the chain. There's an actor who is trying to achieve an effect, and there is some kind of human being that they are targeting. We've designed it as widely as possible."

"It's based on the principle that fundamentally if you're running an online operation, it doesn't matter what you're planning to do with it, some commonalities are going to apply. You need to be able to get online. If you're going to be operating on social media, you probably need social media accounts," Nimmo said. "There are going to be commonalities that we can see, detect, share, describe, and deal with. And so that is the basis of this approach. It is looking for those commonalities and trying to make them into a single framework."

The kill chain model consists of ten phases

The Online Operations Kill Chain consists of ten phases:

1. Acquire assets: getting hold of whatever the adversaries need to operate, for example an IP address, email addresses, phone numbers, or crypto wallets. "We saw a wonderful Russian operation earlier this year where they appear to have bought a whole load of beanbag chairs for their operators to slump on," Nimmo said.

2. Disguise assets: making those assets look authentic, because an operation's assets are meant to be seen on the internet.

3. Gather information: a reconnaissance phase in which the operation learns about the environment it works in or the targets it seeks.

4. Coordinate and plan: how the assets direct and organize themselves.

5. Test defenses: trying something small first to see what happens. "If you're a sophisticated adversary, you're not just going to throw everything out there and see what happens," Nimmo said; instead, the adversary runs something like an A/B test first.

6. Evade detection: "not so much changing the paint scheme on the airplane or changing its tail number, but literally flying below the radar kind of aspect," Hutchins said, "such as using Unicode characters or making doppelganger websites."

7. Engage indiscriminately: akin to throwing stuff at the wall and seeing if it sticks, Nimmo said. "A lot of spam campaigns tend to do this. It is generally the less sophisticated end of the spectrum, but this is anything where you are throwing out content and just hoping that somebody will pick up on it."

8. Target engagement: the adversary focuses on a specific victim, much as individuals are targeted in the real world.

9. Compromise assets: the stage at which actual cyber intrusion occurs. "This is when it gets really serious," Nimmo said. "To take over assets that the target is using. Compromising assets is getting anything that an operation does to get the keys to somebody else's treasure chest."

10. Enable persistence: the phase in which "the operations first encounter us as defenders," Hutchins said.

This ten-step kill chain model is modular, Hutchins stressed. "Not all operations are going to use all phases in the same way. You're going to have a mix and match, and that's okay." The goal is to "identify the complete phases of the kill chain and understand opportunities to detect and disrupt as early as possible. Use it as a framer to measure your effectiveness of moving earlier in the kill chain. And then share as a community."

Meta kill chain should be a call to action

James Robinson, deputy CISO at Netskope and a big proponent of using kill chain models across the cybersecurity industry, gives the new Meta model high marks, at least on a cursory overview. "It sounds like a solid model," he tells CSO. "I would say I would almost make it a call to action for the industry."

The bottom line for Robinson is that organizational defenders should start adopting kill chain models such as Meta's. "I would say the main thing for any CSO is to continue to invest in threat modeling and kill chain. Start small and make it a practice within your organization. That's as simple as it starts, for you to start building this kind of mindset of being able to look at a kill chain, the TTPs that exist, and all those other pieces."
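To make the "start small" tabulation that Robinson recommends, and the cross-silo commonalities Nimmo and Hutchins describe, concrete, here is an added example. It is not code from Meta or from the Cyberwarcon talk: it encodes the ten phases in kill chain order, records observed tactics for two constructed operations (one spammy influence operation and one account-takeover operation of the Ghostwriter shape), reports which phases each used (the model is modular), reports the earliest phase at which a defender detection fired (the "moving earlier in the kill chain" measure), and lists the phase/tactic pairs that both operations share despite being different kinds. The operation names, tactics and detection flags are invented for illustration.

```python
"""Tabulating observed activity against the ten phases of the Online
Operations Kill Chain.

Added example, not code from Meta or from the Cyberwarcon talk. The phase
names follow the article; the sample operations, their tactics and their
detection flags are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# The ten phases in kill chain order: a lower index is earlier in the chain.
PHASES = (
    "Acquire assets",
    "Disguise assets",
    "Gather information",
    "Coordinate and plan",
    "Test defenses",
    "Evade detection",
    "Engage indiscriminately",
    "Target engagement",
    "Compromise assets",
    "Enable persistence",
)
PHASE_INDEX = {name: i for i, name in enumerate(PHASES)}


@dataclass
class Observation:
    phase: str      # must be one of PHASES
    tactic: str     # short label for the behaviour seen in that phase
    detected: bool  # True if our own detection fired on it, False if learned after the fact

    def __post_init__(self) -> None:
        if self.phase not in PHASE_INDEX:
            raise ValueError(f"unknown kill chain phase: {self.phase!r}")


@dataclass
class Operation:
    name: str
    kind: str   # "influence", "espionage", ...; the framework is meant to span both
    observations: list = field(default_factory=list)

    def phases_used(self) -> list:
        """Phases with at least one observation, in chain order (not every operation uses every phase)."""
        seen = {o.phase for o in self.observations}
        return [p for p in PHASES if p in seen]

    def earliest_detection(self) -> Optional[str]:
        """Earliest phase at which a defender detection fired, or None if the operation was never caught."""
        hits = [PHASE_INDEX[o.phase] for o in self.observations if o.detected]
        return PHASES[min(hits)] if hits else None

    def phases_before_detection(self) -> Optional[int]:
        """Number of phases the operation passed through unseen; driving this down is 'moving earlier'."""
        first = self.earliest_detection()
        return None if first is None else PHASE_INDEX[first]


def tabulate(ops) -> dict:
    """phase -> tactic -> sorted names of the operations that used that tactic in that phase."""
    table = {p: {} for p in PHASES}
    for op in ops:
        for o in op.observations:
            table[o.phase].setdefault(o.tactic, set()).add(op.name)
    return {p: {t: sorted(n) for t, n in tactics.items()} for p, tactics in table.items()}


def shared_tactics(ops) -> list:
    """(phase, tactic) pairs seen in more than one operation, whatever the operations' kinds.
    These are the commonalities one detection or disruption can address across silos."""
    return [(p, t) for p, tactics in tabulate(ops).items()
            for t, names in tactics.items() if len(names) > 1]


# Constructed sample data (hypothetical operations, not real cases).
INFLUENCE = Operation("persona-spam", "influence", [
    Observation("Acquire assets", "bulk account creation", False),
    Observation("Disguise assets", "AI-generated profile photos", False),
    Observation("Evade detection", "homoglyph domain", False),
    Observation("Engage indiscriminately", "mass posting of identical links", True),
    Observation("Enable persistence", "pre-registered backup accounts", False),
])
TAKEOVER = Operation("lookalike-phish", "espionage", [
    Observation("Acquire assets", "bulk account creation", False),
    Observation("Gather information", "profiling targets' public contacts", False),
    Observation("Evade detection", "homoglyph domain", True),
    Observation("Target engagement", "spearphishing direct messages", False),
    Observation("Compromise assets", "credential theft via fake login page", True),
    Observation("Enable persistence", "pre-registered backup accounts", False),
])

if __name__ == "__main__":
    for op in (INFLUENCE, TAKEOVER):
        print(op.name, op.kind, op.phases_used())
        print("  first detected at:", op.earliest_detection(),
              "after", op.phases_before_detection(), "unseen phases")
    print("shared across operations:", shared_tactics([INFLUENCE, TAKEOVER]))
```

Run as-is it prints each operation's phases and detection point and then the three shared phase/tactic pairs; the influence operation is only caught once it engages indiscriminately, while the homoglyph-domain detection catches the takeover operation one phase earlier, which is the kind of comparison the "measure your effectiveness of moving earlier" advice asks for.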