Interview Question: How Would You Move Through KillChain? How Would You Defend It?

egrizzly

So guys, how would you answer the interview question "Walk me through how you would move through the Delivery Exploitation, Installation, C2, and Actions On Objectives phases of the cyber kill chain as well as how to prevent yourself from using those techniques".

JDMurray

Well, first of all, it's pretty good of them to list the stages of the Lockheed Martin Kill Chain (r) for you. Typically, the first question is to ask you to list the stages so they can hear that you know them.

The Kill Chain (or Attack Chain for those people that don't want to use Lockheed's registered trademark in their process documentation) is used to describe the stages of a cyber attack. The idea is the sooner you can stop a cyber attack (i.e. in the earlier Kill Chain stages) the less impact (i.e., cost) the attack will incur. By understanding the attack stages, you can plan your network defenses to detect and mitigate any attack sooner rather than later. This folds into Lockheed's other register trademark: Intelligence-Driven Computer Network Defense (r). (See the two papers I've linked below.)

Seven Ways to Apply the Cyber Kill Chain®with a Threat Intelligence Platform (PDF)

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (PDF)

egrizzly

Thanks for the additional links JD.  Yeah, prior to the interview there are websites I hunted down that that mitigation steps for the LM Cyber Kill Chain however they were all preventative.  It would be nice to learn of the controls as the threat is detected though.  The link below shows the controls for the adversaries advance through the cyber kill chain (scroll down).  These CKK phase-specific controls found throughout the web are part of some sort of Lockheed Martins action-matrix.  Like I said though, they seem to be defense based and not something you would do during the incident.

Controls To Cyber Kill Chain