The Cyber Kill Chain model that has been getting so much attention was a failed model from the start. It is built entirely on a defensive model that identifies tactics after the adversary is already in your environment. That is too late. The Cyber Kill Chain model needs to be scrapped in favor of a more comprehensive one that covers the full spectrum of cyber warfare. If you disagree, read the news, visit datalossdb.org, and examine the latest data loss. This model, albeit one built on solid concepts, is a defeatist model that assumes we have already lost. How many times do you have to work and rework the model? http://twitter.com/Treadstone71LLC/status/534336801914511360
The model of reconnaissance, weaponization, delivery, exploitation, installation, C2 and actions on objectives is a mirror-imaged model we have assigned to the adversary, assuming every adversary follows the same model. It is a rule of thumb that leads to data loss, a heuristic assumed to be true. The model tries to put a box around behavior while failing to understand that behaviors changed precisely because such a model was published.
The model uses terminology that creates false understanding. Advanced Persistent Threat (APT) is a term that only serves to sell more product, product based upon the failed Cyber Kill Chain model. This is throwing good money after bad. Let’s call it what it is – cyber espionage and cyber sabotage. Getting the terminology right is the first step toward establishing the proper model.
Active defense is another term that hides the true intent and the definite need, but it does begin to wake people up to the issue: this is full cyber warfare and not a purely defensive action. When you play a sport like basketball you do not sit on your own end of the court waiting for the adversary to score, take the ball out, and wait for them to score again. No. You attack the basket and make the adversary play defense, costing the adversary fouls, fatigue and time.
Threat intelligence, in most cases in the marketplace today, is nothing more than data. It is neither actionable nor analyzed to an actionable state.
My point is this: if you continue to spend all your money on a market-proven failed model, then you will continue to lose intellectual property and sensitive information. The model must be comprehensive and include mitigative and retributive counterstrikes. The model must include exposure and exfiltration of the adversary. Simply sitting back in the boxing ring bobbing and weaving without throwing a punch ensures you will lose. It assumes only one adversary is in the ring in any given round. It assumes defeat.
Incident response is but one component of the whole program. The problem is that we are afraid to venture out of this established comfort zone. We work in incident response as a full-time gig and cannot see the forest for the trees. It is time to incorporate a complete model.