Cyber security can be a lot like a game of chess; one side wins, one side loses, and you have to outsmart your opponent to defeat them. Eric Hutchins, a Fellow at Lockheed Martin, has spent more than a decade working on computer network defense strategies that do just that.
Hutchins and his colleagues developed the Cyber Kill Chain (CKC), a model that helps companies outsmart attackers by anticipating and blocking their next moves. I had the opportunity to ask him a few questions about his career, the development of the Cyber Kill Chain, and the strategies Lockheed Martin is currently working on to build even stronger defenses against cyber attacks.
Q: How did you get into cyber security as a career? What areas do you focus on?
EH: Two things I loved growing up were computer programming (especially getting my calculator to automate my math homework) and military history – these two things inspired me to major in computer science, but take multiple history electives. I had no idea that that combination could become a career, though. The campus recruiting event in my senior year just happened to be a week or two after 9/11. I told the recruiters, including Lockheed Martin, that I was interested in cyber security. I got a lot of interviews scheduled that day. Cyber security, and in particular computer network defense, involves so much more than just understanding the 1s and 0s. Someone, some person, or some group is targeting your company for a reason, and we have to understand the geography, the politics, the technology, the people, etc. to build the right defenses to stop the threats.
Q: Can you explain what each phase of the Cyber Kill Chain are?
EH: Defenders can’t win if a compromise has occurred before their process starts. When we created the Cyber Kill Chain (CKC) beginning in 2008, we wanted to show all the steps that an intruder would have to take to not only compromise a system but also to achieve their ultimate objective. Each step was a chance for us to detect and stop the intrusion; just one breaks the chain.
The seven CKC steps are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. We haven’t made any changes to CKC because its high level stages still apply today. For example, step seven, “Actions on Objectives,” is open ended by design because different threats have different objectives. Those objectives also change over time. For example, we’ve seen cyber attacks that were merely theoretical a few years ago evolve into the higher prevalence of destructive attacks that we are seeing today.
Q: At what phase can defenders be most effective in stopping the adversary?
EH: One of the best CKC phases to understand is Weaponization. This stage describes how a threat builds and generates its malware. In other words, it’s the malware supply chain. The trick is that while defenders can’t see the malware being created, they can still see the latent fingerprints of the weaponization process when the malware targets their environment. This is just like having the shell casing to a bullet. You may not have the gun, but you can still correlate multiple shell casings to the same weapon. Net defenders can also correlate multiple pieces of malware to the same weaponizer. One of the best ways to block malware is to block the fingerprints of the weaponizer that made it.
Q: How is the Cyber Kill Chain different from other methodologies or process maps used to analyze intrusions?
EH: “All models are wrong, but some are useful” is one of my new favorite quotes. The bottom line measurement of any intrusion methodology is the degree to which it helps understand threats and build better defenses. The biggest contribution CKC has made is showing how useful it is to model the process of the intruder – that’s the intelligence part of Intelligence Driven Defense. What I think still sets CKC apart from other models is that it is heavily focused on the stages before compromise occurs rather than the stages post-compromise. That’s intentional – we want to be very clear about our chances to stop the threats before they a compromise happens.
Q: Most organizations have too few resources to implement and maintain the plethora of existing commercial security technologies. With that in mind, are there best practices and/or strategies that help your team prioritize its efforts?
EH: First and foremost, cyber security is a people problem: the threats are clever people and it takes clever people to stop them. We like to say that we want tools that will support the analysts, not analysts who support the tools. Highly flexible, adaptable systems are always the best investments. We use Cyber Kill Chain as a better measure of “defense in depth.” We want to understand which capabilities we have across the enterprise that can detect or block each step of the kill chain. We can prioritize our investments by focusing on where we have gaps. Each month, we provide a scorecard to our leadership that shows each significant intrusion attempt and how well all of these investments performed against that real, no kidding threat. This is how we measure the return on investment – by showing we had the right capabilities in the right place.
Q: How can analysts leverage open source software to strengthen their cyber defenses?
EH: Some of the best innovation in cyber security is happening in open source today. It’s one of the great ideals behind cyber defense to help others, and what better way than to share the tools and frameworks with the community. Open source tools are typically very extensible and flexible which lets us tailor them to our environment and to the specific threats that we face. The biggest downside is that many of the best tools are not designed to scale to a large enterprise. They are tools for analysts to use in one-off situations.
We are really excited to give back to the open source community by releasing our Laika BOSS object scanning system this year. This is a framework that we built internally and run across our enterprise to detect and block malicious emails and web downloads. It allows us to take those one-off libraries and scale them everywhere. Laika BOSS is recursive and chains modules together to automate specific workflows and analyze malware. It’s also a platform that lowers the bar for innovation. Because the modules chain together, analysts with limited coding experience can write small Laika BOSS modules that adds powerful new capabilities.
Q: What type of improvements can organizations expect once they shift to an intelligence driven defense mindset?
EH: Ultimately, better risk management and risk mitigation. We all have finite resources, so we must be able to prioritize our time and investments on the problems that matter most. This is where the intelligence mindset comes in – understanding and prioritizing threats, mapping threat tactics to defensive capabilities, measuring resilience against persistent threats. As the process evolves, it’s an opportunity to forge greater trust and confidence with your executive leaders. For example, we can’t claim success of stopping pick pockets if there are still serial arsonists out there. That erodes confidence.
It’s no wonder Eric Hutchins and his colleagues at Lockheed Martin have changed the way we think about defense against cyber attacks — he has a strong grasp of the security challenges faced by organization and the experience to outsmart attackers. Head here to see how Lockheed Martin can defend your data against the threat of cyber-attacks.
Mikhael Felker is a technology writer and entrepreneur with expertise in security, privacy, regulations, compliance, mobile, and cloud.