Meta’s Cyber Kill Chain

What Is Meta's Cyber Kill Chain?

The Cyber Kill Chain®, devised by Lockheed Martin, is a framework to protect organizations from a cyberattack. But with Web 3.0 looming, leaders at Meta introduced a new Cyber Kill Chain.

As technology continues to evolve, so do threat actors. Today’s cyberattacks are far more sophisticated than the attacks that led to the establishment of the first Cyber Kill Chain in 2014, calling for new ways to identify cyberattacks in progress. 

Security leaders have criticized the Cyber Kill Chain for lacking cloud and distributed security abilities. It focuses mainly on perimeter security, which is quickly becoming a secondary concern for organizations switching to cloud-based implementations, introducing new IoT devices, and utilizing connected workers across the globe. It also doesn’t account for the various attack vectors and types that have become more prominent among SD-WAN implementations. Cybersecurity is becoming a crucial issue in light of these changes, but the old Cyber Kill Chain doesn’t address endpoint security for devices and users that don’t reside on-prem. 

One of the creators of the original Cyber Kill Chain recently introduced a new approach to cybersecurity at this year’s Cyberwarcon event. Cyberwarcon is a conference focusing on cyberattacks, threat actors, and their influence on society. It’s a meeting of the minds on how to better identify and explore threats to spread awareness about cyberattack activities and enable organizations to reduce their attack surface and eliminate threats. 

Online Operations Kill Chain

Eric Hutchins, who is now a security engineer and investigator for Meta, along with his colleague Ben Nimmo, the global lead for threat intelligence at the organization, presented a new Kill Chain model at the conference to address the evolving needs of organizations in the face of more sophisticated and intelligent threat actors.

Today’s remote workers and cloud-based organizations have different needs than on-prem implementations. They need advice on things like how to know if your phone is hacked by a malicious threat actor, how to protect your credentials from onlooking threats, and how to tell if a website is legitimate. 

The new Cyber Kill Chain model needed to apply to many different operations. Threat actors are turning to in-browser attacks to launch account takeovers, like the Ghostwriter campaign that targeted Eastern European countries to threaten their position against incoming military operations. While this is a high-level, large-scale attack that many organizations will never face, it represents a shift in the goals, vectors, and techniques that hackers use to infiltrate and cause chaos for online organizations. 

The Online Operations Kill Chain was designed to bridge the gaps left by the original Cyber Kill Chain with an approach that can be applied widely across numerous attack types. 

10 Steps of the Online Operations Kill Chain

Meta’s new Online Operations Kill Chain follows a similar approach to that of the original Cyber Kill Chain, with updated steps aligned with today’s threats. This approach still uses a step-by-step taxonomy to understand and identify advanced threats but considers new attack vectors and techniques that threat actors use when they launch a cyberattack.

1. Acquire Assets

The first stage of a cyberattack involves getting the credentials and access necessary to launch an attack. This could mean obtaining an IP address, crypto wallet, email address, phone number, and any other information criminals might need to perform their operation and make it seem legit. 

2. Disguise Assets

At this point, adversaries attempt to make their assets seem authentic. Whatever operation they plan to perform is meant to be seen on the internet. These assets, whether an app, web page, business, or account, must appear as authentic as possible to attract and trick their victims. 

3. Gather Information

During this phase, attackers perform recon to learn about the environment the operation is working within and gather information about the targets they wish to assault. This is where bad actors will phish for credentials and learn about vulnerabilities they can exploit. 

4. Coordinate and Plan

After duping their victims, trapping them with an asset, and obtaining information about the organization’s systems, attackers coordinate and create a plan to launch their operation. This stage can last days, weeks, or months as the assets continue to create a seamless attack. 

5. Test Defenses

At this phase, threat actors will use smaller-scale, less obvious techniques to test a network’s vulnerabilities, defenses, and security response to various events. Sophisticated adversaries take their time and conduct a few tests to pinpoint the best opportunities to carry out their operations. 

6. Evade Detection

Today’s attackers don’t mask their presence. Instead, they hide in plain sight to fly below the radar without triggering security systems. For example, the attackers could use Unicode characters to make doppelganger websites. This makes it easier for them to continue masquerading as legitimate assets without making a scene and alerting cyber teams. 
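A defender-side check for the Unicode look-alike ("doppelganger") domains mentioned above, added here as an example rather than code from the article or from Meta. It flags hostname labels that mix scripts (Latin letters next to Cyrillic ones) or that consist entirely of characters confusable with an ASCII name; the confusables table is a small constructed subset of the Unicode TR39 list, and the sample hostnames are constructed.

```python
import unicodedata

# Constructed subset of look-alike characters (Cyrillic -> Latin). The full
# list lives in Unicode TR39's confusables.txt; this is only enough for a demo.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
}


def skeleton(label):
    """Simplified UTS #39 skeleton: replace confusables with their Latin twin."""
    label = unicodedata.normalize("NFC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def script_of(ch):
    """Coarse script bucket taken from the first word of the Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def check_hostname(hostname):
    """Return (label, reason, ascii_lookalike) findings; [] means nothing flagged."""
    findings = []
    for label in hostname.lower().split("."):
        if label.isascii():
            continue  # pure ASCII labels cannot be homoglyph spoofs
        scripts = {script_of(c) for c in label if c.isalpha()}
        sk = skeleton(label)
        if len(scripts) > 1:
            findings.append((label, "mixed-script", sk))
        elif sk.isascii() and sk != label:
            findings.append((label, "whole-script confusable", sk))
    return findings


if __name__ == "__main__":
    # Constructed samples: a legitimate IDN and two homoglyph imitations.
    for host in ("example.com", "m\u00fcnchen.de",
                 "ex\u0430mple.com", "\u0430\u0440\u0440\u04cf\u0435.com"):
        print(host, "->", check_hostname(host) or "ok")
```

A legitimate single-script IDN such as münchen.de is not flagged, while a label that lowers to plain ASCII only after confusable mapping is reported together with the brand name it imitates.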

7. Engage Indiscriminately

Many less sophisticated attack campaigns use a technique that involves throwing different operations at their targets and seeing what works and what is thwarted. More advanced attackers may use more precise attempts to engage specific victims. 

8. Target Engagements

This is the phase where the adversary focuses their efforts on a victim. They have engaged them, tricked them, gathered info on them, discovered their insecurities, and now they are ready to launch their attack. 

9. Compromise Assets

The cyber intrusion is launched, and the target is officially under attack. At this stage, compromising assets means obtaining whatever the operation needs to get the keys to its treasure chest, so to speak, whether that’s admin credentials, access to financial accounts, or the ability to shut a business down. 

10. Enable Persistence

Now, operations encounter the defenders. The specific way they encounter them will depend on the type of cybersecurity tools and methods their target uses. It’s called persistence because attackers rarely pack up and go home at the first sign of resistance. They typically have enough knowledge of a system to aim for a plan B. 

The creators of the Online Operations Kill Chain state that this version of the Cyber Kill Chain is modular, and the order of steps may vary from threat to threat. While many operations are likely to appear very similar with the rise of ransomware gangs and hacker groups, more sophisticated attacks could appear with slight differences to throw their targets off track. 

The Online Operations Kill Chain is meant to identify phases commonly used in the new era of distributed networks and software-defined perimeters. It is a framework to measure an organization’s effectiveness in making defense moves earlier in the Kill Chain and stopping threats before anything becomes compromised. 

Meta’s Cyber Kill Chain vs. Lockheed Martin's Cyber Kill Chain

The original Cyber Kill Chain met the needs of on-premises implementations but didn’t account for attack vectors related to online activities and distributed endpoints. The new Online Operations Kill Chain gives organizations a broad framework to help identify attackers and protect their assets by creating security protocols that address common points along the new Cyber Kill Chain. Organizations with software-defined perimeters, or that interact with third parties and vendors with distributed networks, need to adopt a broad Kill Chain model such as the Online Operations Kill Chain.

BlackBerry’s suite of Cylance cybersecurity solutions was 100 percent successful in preventing both the Wizard Spider and Sandworm attack emulations very early in MITRE ATT&CK's® 2022 evaluation—before any damage occurred. 

BlackBerry’s CylancePROTECT® and CylanceOPTICS® solutions provided comprehensive detections on individual attack techniques with high confidence, helping to reduce wasted resources spent chasing false positives.