Giora Engel on The Cyber Kill Chain:
If you must use the Chain model, zero in on No. 7. Focus on detecting ongoing attacks — attackers that have already breached your perimeter — before the damage is done. Instead of analyzing old malware, deploy a breach detection system that automatically detects and analyzes the changes in user and computer behavior that indicate a breach. These subtle changes are usually low-key and slow, and affect only a small number of computers, but the right analysis and context can flag them as malicious.
Source: Deconstructing The Cyber Kill Chain
Authentication, authorization, and accounting (AAA) is a term used to describe how an enterprise controls access to technology resources and data. In addition, some organizations expand on this to also provide guidelines that help determine how and what policies are enforced and when audits are completed on this access. These combined processes are considered critical requirements for effective network management and security.
Conventional network defense tools such as intrusion detection systems and anti-virus focus on the vulnerability component of risk, and traditional incident response methodology presupposes a successful intrusion. An evolution in the goals and sophistication of computer network intrusions has rendered these approaches insufficient for certain actors. A new class of threats, appropriately dubbed the “Advanced Persistent Threat” (APT), represents well-resourced and trained adversaries that conduct multi-year intrusion campaigns targeting highly sensitive economic, proprietary, or national security information. These adversaries accomplish their goals using advanced tools and techniques designed to defeat most conventional computer network defense mechanisms. Network defense techniques which leverage knowledge about these adversaries can create an intelligence feedback loop, enabling defenders to establish a state of information superiority which decreases the adversary’s likelihood of success with each subsequent intrusion attempt. Using a kill chain model to describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of intelligence gathering form the basis of intelligence-driven computer network defense (CND). Institutionalization of this approach reduces the likelihood of adversary success, informs network defense investment and resource prioritization, and yields relevant metrics of performance and effectiveness. The evolution of advanced persistent threats necessitates an intelligence-based model because in this model the defenders mitigate not just vulnerability, but the threat component of risk, too.
Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
WinHex, FTK, EnCase and SMART
1. Device is imaged using a tool. The image created is a clone with an exact bit-for-bit copy of the source device.
2. Device is searched to collect items of interest and to recover data as needed.
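The two steps above, as an added example that is not from the page or from any of the tools it names: a POSIX shell script that images a device with dd, verifies the copy by comparing SHA-256 hashes of source and image, and then searches the image for a string of interest. The sample "device" file, the marker text and its offset are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the page or the tools it names): image a device
# with dd, verify the copy by hash, then search the image for artifacts.
# In a real case SRC would be a device (e.g. /dev/sdb) attached through a
# write blocker; here a constructed sample file stands in so this runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SRC="$WORK/sample_device.bin"   # constructed stand-in for the source device
IMG="$WORK/evidence.dd"         # the bit-for-bit image we will examine

# Build the constructed "device": 64 KiB of zeros with a marker string at
# byte offset 4096, standing in for a file name of interest.
make_sample_device() {
    dd if=/dev/zero of="$SRC" bs=1024 count=64 2>/dev/null
    printf 'CONSTRUCTED-MARKER-secret.docx' |
        dd of="$SRC" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Step 1: image the device. conv=noerror,sync reads past bad sectors and pads
# them with zeros so byte offsets in the image still match the source.
image_device() {
    dd if="$SRC" of="$IMG" bs=4096 conv=noerror,sync 2>/dev/null
}

# An image is only a clone if its hash equals the source's; compare both.
verify_image() {
    src_hash=$(sha256sum "$SRC" | cut -d' ' -f1)
    img_hash=$(sha256sum "$IMG" | cut -d' ' -f1)
    [ "$src_hash" = "$img_hash" ]
}

# Step 2: search the image, never the original, for items of interest.
# -a treats the binary image as text; -o prints only the matching strings.
search_image() {
    grep -a -o 'CONSTRUCTED-MARKER-[A-Za-z0-9._-]*' "$IMG"
}

# Byte offset of the first hit, so the artifact can be located in the image.
match_offset() {
    grep -a -b -o 'CONSTRUCTED-MARKER' "$IMG" | head -n 1 | cut -d: -f1
}

make_sample_device
image_device
verify_image && echo "image hash matches source"
search_image
```

Keep the recorded source and image hashes with the evidence; a later re-hash of the image that still matches shows the copy was not altered during examination.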