4 Intrusion Kill Chain Prevention
Kill chain analysis illustrates that the adversary must progress successfully through each stage of the chain before it can achieve its desired objective; just one mitigation disrupts the chain and the adversary.
—Hutchins, Cloppert, and Amin, Lockheed Martin Kill Chain Paper, 2010
The Diamond model integrates … and complements Kill Chain analysis by broadening the perspective which provides needed granularity and the expression of complex relationships amongst intrusion activity.
—Caltagirone, Pendergast, and Betz, Diamond Model Paper, 2011
When tracking the threat, “Groups are defined as named intrusion sets, threat groups, actor groups, or campaigns that typically represent targeted, persistent threat activity.”
—Strom, Applebaum, Miller, Pennington, and Thomas, ATT&CK: Design and Philosophy, March 2020
Overview
In this chapter, I reveal precisely why intrusion kill chain prevention is a first principle strategy. Since its inception in 2010, it completely changed how infosec practitioners thought about defending their organizations in cyberspace. Instead of trying to block technical tools that hackers used, the strategy elevated the network defender's purpose to defeat the adversary behind the tools. The idea was disruptive. Three research efforts contributed to the thesis. The first published was the original Lockheed Martin Kill Chain Paper that described the strategy. The second was the DOD's Diamond model that operationalized Cyber ...