Some of Elemendar’s core clients for our flagship product READ. are cyber threat intelligence vendors looking to enrich their text-based reports with our software. CTI vendors may be some of our core customers however, the CTI market is a big place full of a multitude of service offerings and business models. Before entering any engagement, we first model our future customers and have developed a number of ways of doing this. 

One method that we would like to share with the wider community is the approach of mapping CTI vendors to the Lockheed Martin Cyber Kill Chain, a method that is outlined below. 

What is the Lockheed Martin Cyber Kill Chain?

Lockheed Martin Cyber Kill Chain was developed in the early 2000’s and published in the catchily titled Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. The Kill Chain is an abstraction of an adversaries operation that travels through seven phases, from “Reconnaissance” to success for the attacker with the final “Action on the Objective” phase. The full kill chain is shown below, and you should check out the original paper if you are unfamiliar with this model.

 

Figure 1: the 7 steps of the Lockheed Martin Kill Chain 

Despite an initially muted reception, the Kill Chain has become a cornerstone of modern CTI, arguably surpassing models such as MITRE Attack, Dimond Model (developed to link Kill Chains) and the NIST framework. 

The model and the wider paper is multifaceted, but one of the main objectives of the Kill Chain is for the defender to “break” the adversaries attack at various stages of the attack using the method.  

But the Kill Chain models the cyber threat, not vendors, so how do you apply it?

Take a moment and think about the relationship between a boot and a footprint. Both are intrinsically related but yet still distinct. This is analogous to the relationship between the cyber threat and cyber security vendors; the cyber threat being the ‘boot’ as it exists on its own, and the ‘footprint’ being the vendors as it exists because of the actions of the threat. Analogical nuances aside the two key points from this relationship are as follows: 

  • CTI vendors can be mapped to the distinct steps of the Cyber Kill Chain based upon the services they offer. 
  • Most CTI vendors “master” with a core competency that maps to one or two phases of the Kill Chain.
  • Very few vendors cover all phases of the Kill Chain with their services offering. 

As an example 

Shown below is a basic mapping of the types of CTI vendors that correspond to the various steps of the Cyber Kill Chain:

Figure 2: Kill Chain steps mapped to vendors

An important point to signal at this juncture is that the above mapping is neither good nor bad, it is just a way of contextualising CTI vendors against the phases of the threat. 

Utility of the approach 

The method outlined in this blog is not presented as an exact science and we reserve the right to be wrong about our classification of vendors. However, the above approach can be useful within a number of contexts which I have outlined below:

  • For the CISO looking to develop their CTI vendor strategy: for large organisations cyber security vendors are an integral part of a cyber strategy but it can be hard to integrate various tactical vendor capabilities into a wider strategy. By considering how each vendor aligns with the cyber threat, an astute CISO is more able to coherently align her defences against the adversary.
  • For those new to CTI: the CTI (let alone wider cyber security) vendor landscape can be overwhelming for those new to the discipline. By using the above approach a sense of coherency around the vendor landscape can be developed and it soon becomes obvious what step of the kill chain the vendor was focusing on with their initial product vision. 
  • For those looking to vend to CTI vendors: CTI vendors, selling and forming partnerships with other CTI vendors is increasingly common. Framing this potential relationship within the context of the Kill Chain can provide a coherency in the combined offering, with different steps being more logical to blend than other i.e. reconnaissance and weaponisation.