Meta’s new kill chain model tackles online threats

In April 2014, Lockheed Martin revolutionized the cyber defense business by publishing a seminal white paper Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. This document sparked a new wave of thinking about digital adversaries, specifically, nation-state advanced persistent threat groups (APTs).

The authors of the paper argued that by leveraging the knowledge of how these adversaries operate, cyber defenders “can create an intelligence feedback loop, enabling defenders to establish a state of information superiority which decreases the adversary’s likelihood of success with each subsequent intrusion attempt.” This so-called kill chain model could “describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of intelligence gathering form the basis of intelligence-driven computer network defense.”

Eight years later, one of the authors of the paper, Eric Hutchins, now a security engineer investigator at Meta, and his colleague, Ben Nimmo, global lead for threat intelligence at Meta, presented a new kill chain model at this year’s Cyberwarcon conference that cuts across the silos typical of online operations to provide a common framework they call the “Online Operations Kill Chain.”

A common threat taxonomy

Focused on the unique challenges that online operations face, the Meta researchers devised a common threat taxonomy that can help them better understand the threat landscape and spot vulnerabilities in the industry’s collective defense. “The first job was obviously just to understand what was going on and what the bad actors were doing,” Nimmo told Cyberwarcon attendees.

“So, it was really about analyzing them, breaking them down, and then taking them down. What we saw increasingly was that the more we understood these threat actors, the more there were commonalities among them. There would be commonalities between different operations of the same type, but there would also be commonalities between very different operations. So, over the last 18 months, we have come up with a framework that really allows us to break down and tabulate, analyze those commonalities across all types, all the different types of operation that we deal with,” Nimmo said.

Hutchins said that one of the biggest challenges in coming up with the new kill chain model was ensuring that it applied to many different operations that cut across the silos of espionage and information operations. “The adversaries, of course, don’t adhere to the terms of the rules,” he said.

“A great example of this kind of operation is the Ghostwriter campaign, an operation that uses both account takeovers and compromises. But once those accounts are compromised, you use them to conduct an influence operation.” Ghostwriter was an influence campaign that targeted Lithuania, Latvia, and Poland and promoted narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe.

The new kill chain model was designed to bridge the gap between damaging information operations and other types of online malicious behavior, Nimmo said. “We’ve designed it for any kind of operation where, if you like, there’s a human at both ends of the chain. There’s an actor who is trying to achieve an effect, and there is some kind of human being that they are targeting. We’ve designed it as widely as possible.”

“It’s based on the principle that fundamentally if you’re running an online operation, it doesn’t matter what you’re planning to do with it, some commonalities are going to apply. You need to be able to get online. If you’re going to be operating on social media, you probably need social media accounts,” Nimmo said. “There are going to be commonalities that we can see, detect, share, describe, and deal with. And so that is the basis of this approach. It is looking for those commonalities and trying to make them into a single framework.”

The kill chain model consists of ten phases

The Online Operations Kill Chain consists of ten phases:

1. Acquire assets, which could, for example, be getting hold of an IP address, email addresses, phone numbers, crypto wallets, or whatever the adversaries need to operate. “We saw a wonderful Russian operation earlier this year where they appear to have bought a whole load of beanbag chairs for their operators to slump on,” Nimmo said.
2. Disguise assets, which is how adversaries make their assets look authentic because the operations are meant to be seen on the internet.
3. Gather information in a reconnaissance phase to understand the environment the operation is working in or the targets it seeks.
4. Coordinate and plan, which is how the assets direct and organize themselves.
5. Test defenses to see what happens. “If you’re a sophisticated adversary, you’re not just going throw everything out there and see what happens,” Nimmo said, without conducting something like an A/B test first.
6. Evade detection, which is “not so much changing the paint scheme on the airplane or changing its tail number, but literally flying below the radar kind of aspect,” Hutchins said, “such as using Unicode characters of making doppelganger websites.”
7. Engage indiscriminately, which Nimmo said is akin to just throwing stuff at the wall and seeing if it sticks. “A lot of spam campaigns tend to do this. It is generally the less sophisticated end of the spectrum, but this is anything where you are throwing out content and just hoping that somebody will pick up on it.”
8. Target engagements, which is similar to how individuals are targeted in the real world when an adversary focuses on a victim.
9. Compromise assets, which is the stage that actual cyber intrusion occurs. “This is when it gets really serious,” Nimmo said. “To take over assets that the target is using. Compromising assets is getting anything that an operation does to get the keys to somebody else’s treasure chest.”
10. Enable persistence, which is when “the operations first encounter us as defenders,” Hutchins said.

This ten-step kill chain model is modular, Hutchins stressed. “Not all operations are going to use all phases in the same way. You’re going to have a mix and match, and that’s okay.” The goal is to “identify the complete phases of the kill chain and understand opportunities to detect and disrupt as early as possible. Use it as a framer to measure your effectiveness of moving earlier in the kill chain. And then share as a community.”

Meta kill chain should be a call for action

James Robinson, deputy CISO at Netskope and a big proponent of using kill chain models across the cybersecurity industry, gives the new Meta kill chain model high marks, at least based on a cursory overview. “It sounds like a solid model,” he tells CSO.  “I would say I would almost make it a call to action for the industry.”

The bottom line for Robinson is that organizational defenders should start adopting kill chain models such as the Meta model. “I would say the main thing for any CSO is to continue to invest in threat modeling and kill chain. Start small and make it a practice within your organization. That’s as simple as it starts, for you to start building this kind of mindset of being able to look at a kill chain, the TTPs that exist, and all those other pieces.