Abstract
Today, many Chief Information Security Officers (CISOs) and cybersecurity practitioners are looking
for an effective cybersecurity methodology that will help them achieve measurably better security for
their organization. One approach that has helped some organizations is to use classic intrusion analysis
frameworks to analyze cybersecurity risks and provide methodologies and technologies for responding
to attacks.
This paper provides background context on classic intrusion analysis frameworks, and shows how the
transition to the cloud undermines some of their key premises, naturally disrupting modern attacker
intrusion methods, i.e. “breaking intrusion kill chains”. This paper outlines how to use both the classic
intrusion analysis framework and the AWS Cloud to address external threats to your AWS environment’s
security.
Introduction
Cybersecurity threats continue to challenge organizations around the world. Many of the cybersecurity
strategies that organizations have employed over the past two decades have failed to stop network
compromises and data breaches. This has led many Chief Information Security Officers (CISOs) and
cybersecurity practitioners to look for more effective approaches to manage cybersecurity risk for their
organizations.
One such approach, pioneered by Lockheed Martin Corporation, is described in Intelligence-Driven
Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.
Intelligence-driven computer network defense is a necessity in light of advanced persistent threats. As
conventional, vulnerability-focused processes are insufficient, understanding the threat itself, its intent,
capability, doctrine, and patterns of operation is required to establish resilience. The intrusion kill chain
provides a structure to analyze intrusions, extract indicators, and drive defensive courses of action.
Furthermore, this model prioritizes investment for capability gaps, and serves as a framework to measure
the effectiveness of the defenders’ actions.
Since Lockheed Martin’s paper was published in 2011, many variations of this particular intrusion
analysis approach have been developed in the cybersecurity industry, and many organizations have
benefited from implementing this classic framework for intrusion analysis to guide mitigation and
response strategy for their on-premises infrastructure.
This whitepaper offers an assessment of the classic intrusion analysis framework from an AWS Cloud
perspective, pointing out where it applies, where it may not, and describing AWS mechanisms that support
and enhance a customer’s intrusion analysis approach.