Online Operations Kill Chain in CTI

The Online Operations Kill Chain is meant to be a modern alternative to the Cyber Kill Chain to fit a wider range of cyber operations beyond cyber attacks, such as espionage, influence operations, scams, and fraud.

It’s intended for operations in which the source and target are human; though it can also be used for operations in which the source and/or target are machines.

The model was developed by Meta and introduced in a talk at CYBERWARCON 2022 in November 2022, and further described in a paper in March 2023.

One of the creators of the Online Operations Kill Chain, Eric Hutchins, was a co-creator of the Cyber Kill Chain.

Because the model is fairly new, it remains to be seen how widely it will be adopted in cyber threat intelligence and other areas of information security.

Online Operations Kill Chain

Online Operations Kill Chain Phases

The Online Operations Kill Chain includes 10 phases or links, which are the steps a cyber operation may progress through. Not all operations include all phases.

1. Acquiring Assets: acquire assets or capabilities (e.g., IP addresses, email addresses, social media accounts, malware, office space)
2. Disguising Assets: make fake accounts look authentic
3. Gathering Information: gather info, manually or automatically
4. Coordinating and Planning: coordinate and plan overtly or covertly, manually or automatically
5. Testing Platform Defenses: send or post a range of content with varying degrees of violation and see which are detected
6. Evading Detection: get around defenses
7. Indiscriminate Engagement: post and engage without targeting a particular audience
8. Targeted Engagement: post and engage, targeting a particular audience
9. Compromising Assets: take over accounts or info
10. Enabling Longevity: take steps to survive takedown or prolong operation after exposure

Online Operations Kill Chain in CTI

Cyber threat intelligence analysts can use the Online Operations Kill Chain to analyze a single operation to understand the TTPs, looking for weaknesses (ways to disrupt the operation).

The model can also be used to compare multiple operations, to identify common patterns and weaknesses.

Analysts can also use the model to share information about operations, because it provides a common taxonomy for threat actors and their operations.

Provide the information from this model to investigators and defenders so they can identify and detect operations earlier and more effectively, and improve defenses. Breaking a single link can disrupt part of an operation, and breaking many links can completely disrupt it.

Additional Resources

Phase-based Tactical Analysis of Online Operations [white paper]

As major elections loom, Meta unveils its internal Online Operations Kill Chain