In 2011, Rohan Amin and two of his colleagues at Lockheed Martin released a paper on the intrusion kill chain. Today, he is the Chief Information Officer for JP Morgan Chase, but this accomplishment pales in comparison with the impact of the intrusion kill chain. The kill chain, now often called the “cyber kill chain”, propagated into every cyber professional’s toolkit and morphed into the famous, widely used MITRE ATT&CK Matrix. The idea is intuitive, but clever. An attacker needs to chain together a series of actions in order to successfully execute an attack on your network. If you can disrupt any one of these actions quickly enough, the attacker will fail.
Security operations centers all over the world are clinging to the MITRE ATT&CK Matrix as a means to detect and disrupt their adversaries. SOC engineers go through each of the fourteen steps in the kill chain and create signatures for each attack technique. They push these signatures to their various network and endpoint sensors and follow up on the activity when a signature is matched. It works great!… until it doesn’t.
All detection signatures are imperfect. Those writing the signatures work hard to make sure that they accurately capture malicious activity. The authors are not the problem — the technique is. Any signature has a certain sensitivity and a certain specificity, and the two trade off against each other. A security engineer can write the signature with higher sensitivity, lowering false negatives, but this will also increase false positives. Engineers must expand their toolkit in order to improve both sensitivity and specificity at once.
Engineers must use data hydration to solve this issue. As campaigns progress, a security operations system should collect information related to a campaign into a data object. The import of data into these objects is called data hydration. The engineer must determine how to best generate these objects — one might start with network flows. If the engineer commands any influence over system development, a correlation key can persist through the whole lifecycle of an interaction. For example, the web server can generate a key when communicating with the client browser; then the web server can add that key to the database request which populates fields in the delivered web page. This way, if the attacker is pivoting to the database through the web server, security operators will see these connected actions in a single object.
The use of data objects also enables correlation across multiple sensors. In the above example, network, host, and service sensors will all log the connection from the user to the webserver and also from the webserver to the database. The security operations system should import these disparate log entries into a single object which characterizes the interaction. The correlation of logs across multiple domains comprises the detection piece of extended detection and response (XDR).
Although no scheme will perfectly compile campaigns into a data object, data hydration will create visibility across multiple steps of the cyber kill chain. The security operations system may then adjust risk scores based on detection of a campaign. This architecture focuses your analysts on addressing true threats rather than closing out false positives.
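The three preceding paragraphs describe one pipeline: a key minted by the web server and carried into the database request, logs from several sensors folded into one object per interaction, and a risk score that rises as more kill-chain stages appear in that object. The following is an added example written for this page, not code from the original post or any product. The key=value log format, the `cid` field name, the per-sensor signatures, the stage names, the risk table and every log line are constructed assumptions; the flow sensor deliberately lacks the key, so flows are joined by source IP within a time window, which is how a practitioner usually has to stitch in sensors that never saw the application-level key.

```python
"""Added example (not from the original post): hydrate one data object per
web interaction from three constructed sensor logs, then score each object
by how many kill-chain stages it spans. Field names, the `cid` key, the
signatures, the risk table and all log lines are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed logs. The web server mints `cid` and forwards it in the
# database request; the flow sensor records only IPs and byte counts.
WEB_LOG = [
    "ts=100 src=10.0.0.5 cid=k1 path=/login status=200",
    "ts=101 src=10.0.0.5 cid=k1 path=/search?q=%27+OR+1%3D1 status=200",
    "ts=140 src=10.0.0.7 cid=k3 path=/search?q=o%27brien status=200",
    "ts=200 src=10.0.0.8 cid=k2 path=/index status=200",
]
DB_LOG = [
    'ts=101 cid=k1 stmt="SELECT * FROM users WHERE name=\'\' OR 1=1" rows=5000',
    'ts=140 cid=k3 stmt="SELECT * FROM users WHERE name=\'o\'\'brien\'" rows=1',
    'ts=200 cid=k2 stmt="SELECT banner FROM site" rows=1',
]
FLOW_LOG = [
    "ts=103 src=10.0.0.5 dst=203.0.113.9 bytes_out=48000000",
    "ts=150 src=10.0.0.7 dst=203.0.113.9 bytes_out=1200",
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Turn a key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


@dataclass
class Campaign:
    """The hydrated data object for one client interaction."""
    cid: str
    src: str = ""
    ts_min: int = 10**9
    ts_max: int = 0
    events: list = field(default_factory=list)  # (sensor, parsed record)
    stages: set = field(default_factory=set)    # kill-chain stages observed

    def add(self, sensor: str, rec: dict, stage) -> None:
        ts = int(rec["ts"])
        self.ts_min, self.ts_max = min(self.ts_min, ts), max(self.ts_max, ts)
        self.events.append((sensor, rec))
        if stage:
            self.stages.add(stage)


def stage_of(sensor: str, rec: dict):
    """Per-sensor signatures. Each is tuned sensitive, hence noisy on its own."""
    if sensor == "web" and "%27" in rec.get("path", ""):
        return "initial-access"   # a quote character in a query string
    if sensor == "db" and int(rec.get("rows", 0)) > 1000:
        return "collection"       # unusually large result set
    if sensor == "flow" and int(rec.get("bytes_out", 0)) > 10_000_000:
        return "exfiltration"     # large outbound transfer
    return None


FLOW_WINDOW = 60  # seconds a flow may trail the last keyed event and still join


def hydrate(web_log, db_log, flow_log) -> dict:
    """Fold all three logs into Campaign objects keyed by the web server's cid."""
    camps = {}
    # Web and database records carry the key directly.
    for sensor, lines in (("web", web_log), ("db", db_log)):
        for rec in map(parse, lines):
            c = camps.setdefault(rec["cid"], Campaign(rec["cid"]))
            c.src = rec.get("src", c.src)
            c.add(sensor, rec, stage_of(sensor, rec))
    # Flow records carry no key: join on source IP inside the interaction's window.
    for rec in map(parse, flow_log):
        ts = int(rec["ts"])
        for c in camps.values():
            if c.src == rec["src"] and c.ts_min <= ts <= c.ts_max + FLOW_WINDOW:
                c.add("flow", rec, stage_of("flow", rec))
    return camps


RISK_BY_STAGES = {0: 0, 1: 20, 2: 60}  # three or more stages score 90


def risk(c: Campaign) -> int:
    """A lone signature hit stays low; chained stages escalate the score."""
    return RISK_BY_STAGES.get(len(c.stages), 90)


def triage(web_log=WEB_LOG, db_log=DB_LOG, flow_log=FLOW_LOG) -> list:
    """Return (cid, sorted stages, risk) tuples, highest risk first."""
    camps = hydrate(web_log, db_log, flow_log)
    rows = [(c.cid, sorted(c.stages), risk(c)) for c in camps.values()]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for cid, stages, score in triage():
        print(f"{cid}: risk={score:3d} stages={stages}")
```

Run stand-alone, the block ranks `k1` (quote in the request, oversized result set, large outbound transfer) at 90, while `k3`, whose only hit is the legitimate apostrophe in `o'brien`, stays at 20 and `k2` at 0. The web signature alone would have flagged `k3` and `k1` identically; the object-level score is what separates them, which is the specificity gain the text attributes to hydration. In a real deployment the window join for keyless sensors is the weak point, so a practitioner would also record which events joined by key and which by heuristic, and weight the score accordingly.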