Meta Proposes Revamped Approach to Online Kill Chain Frameworks

Published: 23/11/2024   Category: security




A more holistic model beyond MITRE et al. is needed to help defenders better identify and understand commonalities in different online threat campaigns, the Facebook parent company says.



Two researchers at Facebook parent Meta have proposed a new framework for dealing with online threats that uses a shared model for identifying, describing, comparing, and disrupting the individual phases of an attack chain.
The basis of their new Online Operations Kill Chain is the idea that online attacks, however different in kind and motivation, tend to share many of the same steps. To launch any online campaign, for instance, an attacker needs at least an IP address, probably an email address or mobile phone number for account verification, and some means of obscuring those assets. Later in the chain, the threat actor needs capabilities for gathering information, testing the target's defenses, executing the actual attack, evading detection, and persisting.
Using a shared taxonomy and vocabulary to isolate and describe each of these phases can help defenders better understand an unfolding attack so they can look for opportunities to more quickly disrupt it, the Meta researchers said.
It will also enable them to compare multiple operations across a far wider range of threats than has been possible so far, to identify common patterns and weaknesses in the operations, the two Meta researchers, Ben Nimmo and Eric Hutchins, wrote in a new white paper on their kill chain. It will allow different investigative teams across industry, civil society, and government to share and compare their insights into operations and threat actors according to a common taxonomy, they noted.
Nimmo is Meta's global threat intelligence lead. He has helped expose foreign election interference in the United States, the UK, and France. Hutchins, a security engineer investigator on Meta's influence operations team, co-authored Lockheed Martin's influential Cyber Kill Chain framework for detecting and protecting against cyber intrusions.
The two researchers describe Meta's Online Operations Kill Chain as vital to uniting efforts in the fight against all forms of online threats, ranging from disinformation and interference campaigns to scams, fraud, and child safety. Currently, the security teams and researchers addressing these different threat operations approach them as separate problems, even though the operations share common elements, Nimmo tells Dark Reading.
"We talk with so many different investigative teams around cyber espionage and fraud and online scams, and time and time again we hear 'your bad guys are doing the same thing as our bad guys,'" Nimmo says. Investigative teams often miss the meaningful commonalities between different threat operations because defenders work in silos, he says.
Nimmo and Hutchins differentiate their kill chain from the many other kill chain frameworks already available on the basis that it is more broadly focused on online threats as a whole and provides a common taxonomy and vocabulary across all of them.
For example, Lockheed Martin's intrusion kill chain, the MITRE ATT&CK framework, Optiv's cyber fraud kill chain, and a proposed kill chain for account takeovers from Digital Shadows are each tailored to a specific class of online threat. None of them addresses the full spectrum of online threats that Meta's kill chain does, Nimmo and Hutchins argued.
Similarly, none of them addresses the problems caused by the lack of a common taxonomy and vocabulary across threat types. Within the space of online political interference, for example, it is common for defenders to use the terms disinformation, information operations, misinformation incidents, malinformation, and influence operations interchangeably, even though each term can have a distinct meaning.
Nimmo describes the new Online Operations Kill Chain as a common map and a dictionary of sorts that security teams can use to understand the sequence of a threat campaign logically, so they can look for ways to disrupt it. "The goal is really to enable as much structured and transparent information sharing as possible, to help inform better defenses," Nimmo says.
Hutchins says Meta's framework expands the scope of the existing kill chains while remaining focused on what the adversary is doing, the same principle behind the other frameworks. He sees the model as allowing security experts across the industry to share more easily the information they have gathered from their own vantage points. "It provides an opportunity to put these different pieces together in a way we haven't been able to before," Hutchins says.
Meta's Online Operations Kill Chain breaks an online threat campaign down into 10 phases, three more than Lockheed Martin's seven-phase kill chain. The 10 phases are:
1. Asset acquisition: The threat actor acquires the assets required to launch an operation. Assets range from IP and email addresses to social media accounts, malware tools, Web domains, and even physical buildings and office space.
2. Disguising assets: The threat actor works to make malicious assets look authentic, for instance by using fake or AI-generated profile pictures and impersonating real people and organizations.
3. Gathering information: This can include using commercially available surveillance tools for target reconnaissance, scraping public information, and harvesting data from social media accounts.
4. Coordinating and planning: Examples include threat actors coordinating harassment of people and entities via online bots, and publishing lists of targets and hashtags.
5. Testing platform defenses: The goal at this stage is to probe defenders' ability to detect and disrupt a malicious operation, for example by sending spear-phishing emails to target individuals or testing new malware against detection engines.
6. Evading detection: Measures at this stage can include routing traffic through VPNs, editing images to defeat matching, and geofencing website audiences.
7. Indiscriminate engagement: The threat actor makes no effort to reach a particular audience. In effect it is a "post and pray" strategy, the Meta researchers write: dropping content onto the internet and leaving it to users to find.
8. Targeted engagement: The threat actor directs the malicious activity at specific individuals and organizations.
9. Asset compromise: The threat actor takes over, or attempts to take over, accounts or information, for instance by using phishing and other social engineering to acquire credentials or by installing malware on a victim system.
10. Enabling longevity: The threat actor takes measures to persist through takedown attempts. Examples include replacing disabled accounts with new ones, deleting logs, and registering new malicious Web domains.
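The framework's value, as the article describes it, is that two teams looking at very different operations can record what they see against the same 10 phases and then compare notes. The following Python is an added illustration of that idea and is not Meta's code or part of the white paper: it encodes the 10 phases as an enum, normalizes technique labels into a shared vocabulary so that "VPN routing" and "vpn-routing" collapse into one dictionary entry, and compares two entirely constructed operations (an influence operation and an investment scam) to find the phases where they overlap and the earliest phase at which one disruption would touch both. All technique labels and both operations are invented for the example.

```python
"""Added example: a toy model of the 10-phase Online Operations Kill Chain.

Not Meta's code. Phase names follow the article; the two operations below
and every technique label are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import IntEnum


class Phase(IntEnum):
    """The 10 phases, in the order the article lists them."""
    ASSET_ACQUISITION = 1
    DISGUISING_ASSETS = 2
    GATHERING_INFORMATION = 3
    COORDINATING_AND_PLANNING = 4
    TESTING_PLATFORM_DEFENSES = 5
    EVADING_DETECTION = 6
    INDISCRIMINATE_ENGAGEMENT = 7
    TARGETED_ENGAGEMENT = 8
    ASSET_COMPROMISE = 9
    ENABLING_LONGEVITY = 10


def normalize_technique(label: str) -> str:
    """Collapse spelling variants ("VPN routing", "vpn-routing") into one
    dictionary entry so that two teams' notes can be compared."""
    return re.sub(r"[^a-z0-9]+", "_", label.strip().lower()).strip("_")


@dataclass(frozen=True)
class Observation:
    phase: Phase
    technique: str  # normalized label, see normalize_technique()
    detail: str = ""  # analyst free text, not used in comparison


def observe(phase: Phase, label: str, detail: str = "") -> Observation:
    return Observation(phase, normalize_technique(label), detail)


# Constructed data: an influence operation and an investment scam, recorded
# by two teams working in separate silos with their own spelling habits.
INFLUENCE_OP = [
    observe(Phase.ASSET_ACQUISITION, "bulk email accounts"),
    observe(Phase.ASSET_ACQUISITION, "social media accounts"),
    observe(Phase.DISGUISING_ASSETS, "AI-generated profile photos"),
    observe(Phase.DISGUISING_ASSETS, "impersonate news outlet"),
    observe(Phase.COORDINATING_AND_PLANNING, "shared hashtag list"),
    observe(Phase.EVADING_DETECTION, "VPN routing"),
    observe(Phase.INDISCRIMINATE_ENGAGEMENT, "post and pray"),
    observe(Phase.ENABLING_LONGEVITY, "replace disabled accounts"),
]

SCAM_OP = [
    observe(Phase.ASSET_ACQUISITION, "bulk-email-accounts"),
    observe(Phase.ASSET_ACQUISITION, "prepaid mobile numbers"),
    observe(Phase.DISGUISING_ASSETS, "ai_generated_profile_photos"),
    observe(Phase.GATHERING_INFORMATION, "scrape public profiles"),
    observe(Phase.EVADING_DETECTION, "vpn routing"),
    observe(Phase.TARGETED_ENGAGEMENT, "direct messages to victims"),
    observe(Phase.ASSET_COMPROMISE, "phishing for credentials"),
    observe(Phase.ENABLING_LONGEVITY, "Replace disabled accounts"),
]


def techniques_by_phase(op: list[Observation]) -> dict[Phase, set[str]]:
    out: dict[Phase, set[str]] = {}
    for o in op:
        out.setdefault(o.phase, set()).add(o.technique)
    return out


def shared_techniques(a: list[Observation], b: list[Observation]) -> dict[Phase, set[str]]:
    """Per phase, the techniques both operations were seen using."""
    ta, tb = techniques_by_phase(a), techniques_by_phase(b)
    return {p: ta[p] & tb[p] for p in sorted(ta.keys() & tb.keys()) if ta[p] & tb[p]}


def earliest_shared_phase(a: list[Observation], b: list[Observation]) -> Phase | None:
    """First phase where the operations overlap: one disruption there (for
    example, cutting off a source of bulk accounts) would affect both."""
    shared = shared_techniques(a, b)
    return min(shared) if shared else None


def unobserved_phases(op: list[Observation]) -> list[Phase]:
    """Phases with no observation yet: a visibility gap for the investigator,
    not evidence that the actor skipped the phase."""
    seen = {o.phase for o in op}
    return [p for p in Phase if p not in seen]


def report(a: list[Observation], b: list[Observation]) -> str:
    return "\n".join(
        f"{p.value:2d} {p.name}: {', '.join(sorted(techs))}"
        for p, techs in shared_techniques(a, b).items()
    )


if __name__ == "__main__":
    print(report(INFLUENCE_OP, SCAM_OP))
    print("earliest shared phase:", earliest_shared_phase(INFLUENCE_OP, SCAM_OP).name)
```

Run stand-alone, the report shows the two constructed operations overlapping in asset acquisition, asset disguise, detection evasion, and longevity, which is the kind of cross-silo commonality the researchers say teams currently miss. The `unobserved_phases` helper is there as a caveat: an empty phase in one team's record means that team has not seen it, not that the phase did not occur.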
The framework does not prescribe any specific defensive measure, nor does it claim to help defenders understand the objectives of a campaign, Nimmo says. "The kill chain is not a silver bullet. It is not a magic wand," he says. "It is a way to structure our thinking on how to share information."
