The Meta kill chain model is based on the principle that any online operation, whatever its ultimate goal, shares some common steps with every other. Meta researchers say their Online Operations Kill Chain framework offers a common taxonomy for understanding the threat landscape and detecting vulnerabilities in collective defenses.
In April 2014, Lockheed Martin revolutionized the cyber defense business by publishing a seminal white paper, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. The paper triggered a new wave of thinking about digital adversaries, specifically nation-state advanced persistent threat (APT) groups.
The paper’s authors argued that by leveraging knowledge of how these adversaries operate, cyber defenders “can create an intelligence feedback loop, allowing defenders to establish a state of information superiority that decreases the adversary’s likelihood of success in each subsequent invasion attempt.”
This so-called kill chain model could “describe phases of raids, map indicators of adversary kill chains to defenders’ courses of action, identify patterns that link individual raids to broader campaigns, and understand the iterative nature of information collection form the basis of intelligence oriented computer network defense.”
Eight years later, one of the paper’s authors, Eric Hutchins, now an investigative security engineer at Meta, and his colleague Ben Nimmo, Meta’s global threat intelligence lead, presented a new Meta kill chain model at this year’s Cyberwarcon conference. It cuts across the typical silos of online operations to provide a common framework they call the “online operations kill chain.”
A common taxonomy of threats
Focusing on the unique challenges facing online operations, Meta researchers created a common threat taxonomy that can help them better understand the threat landscape and detect vulnerabilities in the sector’s collective defense. “The first job was obviously just understanding what was going on and what the bad actors were doing,” Nimmo told Cyberwarcon attendees.
“So it was really about analyzing them, breaking them down, and then breaking them down. What we increasingly saw was that the more we understood these threat actors, the more there were commonalities between them. There would be commonalities between different operations of the same type, but there would also be commonalities between very different operations. So over the last 18 months, we’ve created a framework that really allows us to break down and tabulate, analyze these similarities across all types, all different types of operations that we deal with,” Nimmo said.
Hutchins said one of the biggest challenges in creating the Meta kill chain model was ensuring it applied to many different operations that cut across the silos of espionage and information operations. “The opponents, of course, do not comply with the terms of the rules,” he said.
“A great example of this type of operation is the Ghostwriter campaign, an operation that uses both account takeovers and grants. But once those accounts are compromised, you use them to conduct an influence operation.” Ghostwriter was an influence campaign that targeted Lithuania, Latvia, and Poland and promoted narratives critical of the North Atlantic Treaty Organization (NATO) presence in Eastern Europe.
The Meta kill chain model is designed to bridge the gap between harmful information operations and other types of malicious behavior online, Nimmo said. “We designed it for any type of operation where, if you will, there is a human being at both ends of the chain. There’s an actor who’s trying to get an effect and there’s some kind of human being that they’re targeting. We designed it as broadly as possible.”
“You need to be able to go online. If you’re going to operate on social media, you’ll probably need social media accounts,” Nimmo said. “There will be similarities that we can see, detect, share, describe, and deal with. And that is the basis of this approach. He’s looking for those commonalities and trying to turn them into a single structure.”
The Meta kill chain model consists of ten phases
- Acquiring assets: obtaining, for example, IP addresses, email addresses, phone numbers, crypto wallets, or whatever else the adversary needs to operate. “We saw a wonderful operation in Russia earlier this year where they seem to have bought a bunch of bean bags for their operators to sit in,” Nimmo said.
- Disguising assets: how adversaries make their assets appear authentic, since an operation’s assets have to be visible on the internet.
- Gathering information: a reconnaissance phase to understand the environment the operation is working in or the targets it is seeking.
- Coordinating and planning: how the assets are directed and organized.
- Testing defenses: probing to see what happens. A sophisticated adversary runs something like an A/B test first, Nimmo said: “If you’re a sophisticated adversary, you’re not just going to throw everything out there and see what happens.”
- Evading detection: “not so much changing the plane’s paint scheme or changing its tail number, but literally flying below the radar’s kind of appearance,” Hutchins said, “like using Unicode characters to create doppelganger websites.”
- Engaging indiscriminately: what Nimmo likened to throwing things at the wall and seeing what sticks. “Many spam campaigns tend to do this. It’s usually on the less sophisticated end of the spectrum, but it’s anything where you’re throwing content out there and just hoping someone picks it up.”
- Engaging targets: analogous to how individuals are targeted in the real world, when an adversary zeroes in on a specific victim.
- Compromising assets: the stage where the actual cyber intrusion occurs. “That’s when it gets really serious,” Nimmo said. “To take over the assets the target is using. Compromising assets is getting anything an operation does to get the keys to someone else’s treasure chest.”
- Enabling persistence: the point at which, in Hutchins’s words, “operations first meets us as defenders.”
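As an added illustration (not Meta’s code and not from the talk), here is a defender-side check for the “Unicode doppelganger” domains Hutchins cites under the evading-detection phase: it flags labels that mix scripts and collapses known look-alike characters to see whether a name is confusable with a protected domain. The confusables table and the protected-domain list are constructed for the example; a real deployment would load the Unicode confusables data and its own brand list.

```python
"""Detect Unicode doppelganger (homoglyph) domains against a protected list."""
import unicodedata

# Constructed subset of Unicode confusables: look-alike character -> ASCII letter.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin dotless i
    "\u0142": "l",  # Latin l with stroke
}


def scripts_in(label: str) -> set:
    """Return the scripts (first word of each character's Unicode name) used in a label."""
    found = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                found.add("LATIN")
            continue  # digits and hyphens are script-neutral
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(domain: str) -> str:
    """Map look-alike characters to ASCII so doppelgangers collapse onto the brand name."""
    norm = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in norm)


def check_domain(domain: str, protected: set) -> list:
    """Return the reasons a domain looks like a doppelganger of a protected name."""
    if domain.startswith("xn--") or ".xn--" in domain:
        domain = domain.encode("ascii").decode("idna")  # punycode -> Unicode
    reasons = []
    for label in domain.split("."):
        if len(scripts_in(label)) > 1:
            reasons.append(f"mixed scripts in label {label!r}")
    skel = skeleton(domain)
    if skel in protected and skel != domain.lower():
        reasons.append(f"confusable with protected domain {skel!r}")
    return reasons
```

An empty list means the name is neither mixed-script nor confusable with a protected domain; either finding is a reason to route the name for review rather than a verdict on its own.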
This new ten-phase Meta kill chain model is modular, Hutchins emphasized. “Not all operations will use all phases in the same way. You’re going to have a mix and match, and that’s okay.” The goal is to “identify the complete phases of the kill chain and understand opportunities to detect and disrupt them as early as possible. Use it as a framer to measure your effectiveness of moving early in the kill chain. And then share as a community.”
The Meta kill chain model should be a call to action
James Robinson, deputy CISO at Netskope and a big proponent of using kill chain models across the cybersecurity industry, gives the new Meta kill chain model high marks, at least on a cursory overview. “It looks like a solid model. I would say that would almost make this a call to action for the industry.”
The bottom line for Robinson is that organizational defenders must begin adopting kill chain models like Meta’s. “I would say the main thing for any CSO is to continue investing in threat modeling and the kill chain. Start small and make it a practice within your organization. It’s as simple as it gets, for you to start building that kind of mindset of being able to look at a kill chain, the TTPs that exist, and all the other pieces.”