Two researchers at Facebook parent Meta have proposed a new framework for dealing with online threats that uses a shared model for identifying, describing, comparing, and disrupting the individual phases of an attack chain.
The basis of their new "Online Operations Kill Chain" is the idea that all online attacks, however different and whatever their motivations, often share many of the same common steps. To launch any online campaign, for instance, an attacker would require at least an IP address, likely an email address or mobile phone number for verification, and capabilities for obscuring their assets. Later in the attack chain, the threat actor would need capabilities for gathering information, testing target defenses, executing the actual attack, evading detection, and remaining persistent.
Shared Taxonomy and Vocabulary
Using a shared taxonomy and vocabulary to isolate and describe each of these phases can help defenders better understand an unfolding attack so they can look for opportunities to more quickly disrupt it, the Meta researchers said.
"It will also enable them to compare multiple operations across a far wider range of threats than has been possible so far, to identify common patterns and weaknesses in the operation," the two Meta researchers, Ben Nimmo and Eric Hutchins, wrote in a new white paper on their kill chain. "It will allow different investigative teams across industry, civil society, and government to share and compare their insights into operations and threat actors according to a common taxonomy," they noted.
Nimmo is Meta's global threat intelligence lead. He has helped expose foreign election interference in the United States, UK, and France. Hutchins, a security engineer investigator on Meta's influence operations team, was the co-author of Lockheed Martin's influential Cyber Kill Chain framework for detecting and protecting against cyber intrusions.
The two researchers describe Meta's Online Operations Kill Chain as vital to uniting efforts in the fight against all forms of online threats, ranging from disinformation and interference campaigns to scams, fraud, and child safety. Currently the security teams and researchers addressing these different threat operations approach them as separate problems even though they all have common elements, Nimmo tells Dark Reading.
Breaking Down the Silos
"We talk with so many different investigative teams around cyber espionage and fraud and online scams, and time and time again we hear 'your bad guys are doing the same thing as our bad guys,'" Nimmo says. Investigative teams can often miss the meaningful commonalities that might be present between different threat operations because defenders work in silos, he says.
Nimmo and Hutchins differentiate their new kill chain from the slew of other kill chain frameworks that are currently available, on the basis that it's more broadly focused on online threats and provides a common taxonomy and vocabulary across all of them.
For example, Lockheed Martin's intrusion kill chain, the MITRE ATT&CK framework, Optiv's cyber fraud kill chain, and a proposed kill chain for account takeovers from Digital Shadows are all tailored for specific online threats. They do not address the full spectrum of online threats that Meta's kill chain does, Nimmo and Hutchins argued.
Similarly, none of them address the problems caused by a lack of a common taxonomy and vocabulary across different threat types. For example, within the space of online political interference, it's common for defenders to use the terms "disinformation," "information operations," "misinformation incidents," "malinformation," and "influence operations" interchangeably, though each term could have a distinct meaning.
A Map & a Dictionary
Nimmo describes the new Online Operations Kill Chain as providing a common map and a dictionary of sorts that security teams can use to logically understand the sequence of a threat campaign, so they can look for ways to disrupt it. "The goal is really to enable as much structured and transparent information sharing as possible," to help inform better defenses, Nimmo says.
Hutchins says Meta's framework expands the scope of the existing kill chains while still focusing on what the adversary is doing, the same principle behind the other frameworks. He sees the model as allowing security experts across the industry to more easily share information they have gathered from their specific vantage points. "It provides an opportunity to put these different pieces together in a way we haven't been able to before," Hutchins says.
Meta's Online Operations Kill Chain breaks down an online threat campaign into 10 different phases, three more than Lockheed Martin's kill chain. The 10 phases are:
1. Asset acquisition: This is when the threat actor acquires assets required for launching an operation. Assets could range from an IP and email addresses to social media accounts, malware tools, Web domains, and even physical buildings and office space.
2. Disguising assets: This phase includes efforts by the threat actor to make their malicious assets look authentic by, for instance, using fake and AI-generated profile pictures and impersonating real people and organizations.
3. Gathering information: This can include using commercially available surveillance tools to conduct target reconnaissance, scraping public information, and harvesting data from social media accounts.
4. Coordinating and planning: Examples include efforts by threat actors to coordinate efforts to harass people and entities via online bots and publishing lists of targets and hashtags.
5. Testing platform defenses: The goal at this stage is to test the ability of defenders to detect and disrupt a malicious operation, for example by sending spear-phishing emails to target individuals or testing new malware against detection engines.
6. Evading detection: Measures at this stage can include using VPNs for routing traffic, editing images, and geofencing website audiences.
7. Indiscriminate engagement: This is when a threat actor might engage in activities that make no effort to reach a target audience. "In effect, it is a 'post and pray' strategy, dropping their content onto the internet and leaving it to users to find it," according to the Meta researchers.
8. Targeted engagement: The stage in an online operation where the threat actor directs the malicious activity at specific individuals and organizations.
9. Asset compromise: In this phase, the threat actor takes over or attempts to take over accounts or information by, for instance, using phishing and other social engineering methods to acquire credentials or installing malware on a victim system.
10. Enabling longevity: The phase in which a threat actor takes measures to persist through takedown attempts. Examples include replacing disabled accounts with new ones, deleting logs, and creating new malicious Web domains.
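To show how the shared taxonomy above lets two separate investigative teams compare their cases, here is an added example (not from Meta's white paper or any Meta tooling) that records the observations of two constructed operations, a scam case and an influence case, against the 10 phases and reports the phases and tactics they have in common. The phase names follow the list above; the operation data and tactic labels are invented for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Phase(IntEnum):
    """The 10 phases of the Online Operations Kill Chain, in order."""
    ASSET_ACQUISITION = 1
    DISGUISING_ASSETS = 2
    GATHERING_INFORMATION = 3
    COORDINATING_AND_PLANNING = 4
    TESTING_PLATFORM_DEFENSES = 5
    EVADING_DETECTION = 6
    INDISCRIMINATE_ENGAGEMENT = 7
    TARGETED_ENGAGEMENT = 8
    ASSET_COMPROMISE = 9
    ENABLING_LONGEVITY = 10


@dataclass(frozen=True, order=True)
class Observation:
    phase: Phase
    tactic: str  # normalised label for what the team actually saw


@dataclass
class Operation:
    name: str
    observations: list


def phases_covered(op: Operation) -> list:
    """Phases for which this team has at least one observation."""
    return sorted({o.phase for o in op.observations})


def shared_phases(a: Operation, b: Operation) -> list:
    """Phases both operations were seen in: candidate points for a shared disruption."""
    return sorted(set(phases_covered(a)) & set(phases_covered(b)))


def shared_tactics(a: Operation, b: Operation) -> list:
    """Identical (phase, tactic) pairs: the 'your bad guys are doing the same thing as ours' check."""
    return sorted(set(a.observations) & set(b.observations))


# Constructed sample cases from two hypothetical investigative teams.
SCAM = Operation("scam-team-case", [
    Observation(Phase.ASSET_ACQUISITION, "bulk-email-accounts"),
    Observation(Phase.DISGUISING_ASSETS, "stolen-profile-photo"),
    Observation(Phase.EVADING_DETECTION, "vpn-routing"),
    Observation(Phase.TARGETED_ENGAGEMENT, "spear-phishing-dm"),
    Observation(Phase.ASSET_COMPROMISE, "credential-phishing"),
    Observation(Phase.ENABLING_LONGEVITY, "replace-disabled-accounts"),
])
INFLUENCE = Operation("influence-ops-case", [
    Observation(Phase.ASSET_ACQUISITION, "bulk-social-accounts"),
    Observation(Phase.DISGUISING_ASSETS, "ai-generated-profile-picture"),
    Observation(Phase.COORDINATING_AND_PLANNING, "published-hashtag-list"),
    Observation(Phase.EVADING_DETECTION, "vpn-routing"),
    Observation(Phase.INDISCRIMINATE_ENGAGEMENT, "post-and-pray"),
    Observation(Phase.ENABLING_LONGEVITY, "replace-disabled-accounts"),
])
```

Running shared_tactics(SCAM, INFLUENCE) on the sample data returns the VPN routing and account replacement tactics, the kind of overlap that separate teams tend to miss when they work in silos.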
The framework does not prescribe any specific defensive measure, nor does it purport to help defenders understand the objectives of a campaign, Nimmo says. "The kill chain is not a silver bullet. It is not a magic wand," he says. "It is a way to structure our thinking on how to share information."