Abstract

Different kill chain models have been defined and analyzed to provide a common sequence of actions followed in offensive cyber operations. These models allow analysts to identify such operations and to understand how they are executed. However, there is no equivalent model from a defensive point of view: that is, there is no common sequence of actions for the detection of threats and the accurate response to them. This gap causes not only problems such as unstructured approaches and conceptual errors but, most importantly, inefficiency in the detection of and response to threats, because defensive tactics are not well identified. For this reason, in this work we present a defensive kill chain approach in which the tactics of teams in charge of cyber defense activities are structured and arranged. We introduce the concept of the SOC Critical Path (SCP), a novel kill chain model to detect and neutralize threats. SCP is a technology-independent model that provides an arrangement of mandatory steps, in the form of tactics, to be executed by Computer Network Defense teams to detect hostile cyber operations. By adopting this model, these teams increase the performance and effectiveness of their capabilities through a common framework that formalizes the steps to follow for the detection and neutralization of threats. In this way, our work can be used not only to identify detection and response gaps, but also to implement a continuous improvement cycle over time.

Highlights

  • The benefits technology has brought are unquestionable, but so are the risks it introduces on a daily basis for individuals, organizations and countries

  • We introduce the concept of Security Operations Center (SOC) Critical Path (SCP), a novel kill chain model to detect and neutralize threats

  • The closest approach we have found is Matt Swann’s blue team cyber kill chain, which has not evolved in the last few years and, as we argue in Section VI, lacks mandatory tactics and focuses on incident handling, not on the whole cycle a SOC must follow to achieve its goals

Introduction

The benefits technology has brought are unquestionable, but so are the risks it introduces on a daily basis for individuals, organizations and countries. Hostile actors such as foreign states, terrorist groups and organized crime are well aware of these risks and take advantage of them, from cyber crime to cyber war.

Tactics specify what to do, at the highest level of description, to accomplish a certain mission, while techniques specify how tactics are implemented; procedures, outside the scope of this work, describe a particular implementation. These tactics and techniques enable effective threat detection and neutralization in a SOC. A threat is defined [6] as any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service; in that reference the authors identify four types of threat source:

