Implementing an Intrusion (Cyber) Kill Chain
The Intrusion (Cyber) Kill Chain is a phrase popularized
by infosec industry professionals and introduced in a Lockheed Martin
Corporation paper titled; “ Intelligence
Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and
Intrusion Kill Chains”.
The intrusion kill chain model is derived from a military
model describing the phases of an attack. The phases of the military model are:
find, fix, track, target, engage, and assess. The analyses of these phases are
used to pinpoint gaps in capability and prioritize the development of needed
systems. The first phase in this military model is to decide on a target
(find). Second, once the target is decided you set about to locate it (fix). Next,
you would surveill to gather intelligence (track). Once you have enough
information, you decide the best way to realize your objective (target) and
then implement your strategy (engage). And finally, you analyze what went wrong
and what went right (assess) so that adjustments can be made in future attacks.
Lockheed Martin analysts began by mapping the phases of
cyber attacks. The mapping focused on specific types of attacks, Advanced
Persistent Threats (APTs) - The adversary/intruder gets into your network and
stays for years– sending information, usually encrypted – to collection sites
without being detected. Since the intruder spent so much time in the network,
analysts were able to gather data about what was happening. Analysts could then
sift through the data and begin grouping it into the military attack model
phases. Analysts soon realized that while there were predictable phases in
cyber attacks, the phases were slightly different from the military model. The intrusion (cyber) kill chain shown below,
describe the phases of a cyber attack.
The chain of events or activities are as follows:
Link in the Chain
|
Description
|
1.
Reconnaissance
|
Research, identification and selection of targets-
scraping websites for information on companies and their employees in order
to select targets.
|
2.
Weaponization
|
Most often, a Trojan with an exploit embedded in
documents, photos, etc.
|
3. Delivery
|
Transmission of the weapon (document with an embedded
exploit) to the targeted environment.
According to Lockheed Martin's Computer Incident Response Team
(LM-CIRT), the most prevalent delivery methods are email
attachments,websites, and USB removable media.
|
4. Exploitation
|
After the weapon is delivered, the intruder's code is
triggered to exploit an operating system or application vulnerability, to
make use of an operating system's auto execute feature or exploit the users
themselves.
|
5. Installation
|
Along with the exploit the weapon installs a remote
access Trojan and/or a backdoor that allows the intruder to maintain presence
in the environment
|
6. Command and
Control
|
Intruders establish a connection to an outside
collection server from compromised systems and gain 'hands on the keyboard'
control of the target's compromised network/systems/applications.
|
7. Actions on
Objective
|
After progressing through the previous 6 phases, the
intruder takes action to achieve their objective. The most common objectives are: data extraction, disruption of the network,
and/or use of the target's network as a hop point.
|
Lockheed Martin's analysts also discovered while
mapping the intruder's activities, that a break (kill) in any one link in the
chain would cause the intrusion to fail in its objective. This is one of the
major benefits of the intrusion kill chain framework as security professionals
have traditionally taken a defensive approach when it comes to incident
response. This means that intrusions can be dealt with offensively too.
Lockheed Martin's case studies reveal that knowledge
about previous intrusions and how they were accomplished allow analysts to
recognize those previously used tactics and exploits in current attacks. For example, mapping of three intrusions
revealed that all three were delivered via email, all three used very similar encryption,
all three used the same installation program and connected to the same outside
collection site. All of the intrusions were stopped before they accomplished
their objective.
How did they do this? How can my company utilize this
approach?
Monitoring and mapping is the key.
The following list contains some of the necessary
components (not in any particular order) needed to do intrusion mapping and
setting up the kill.
·
Network Intrusion Detection (NIDS)
·
Network Intrusion Prevention (NIPS)
·
Host Intrusion Detection (HIDS)
·
Firewall access control lists (ACL)
·
Full packet inspection
·
A mature IT asset management system
·
A mature and comprehensive Configuration
Management Database (CMDB)
·
Device and system hardening
·
Secure configurations baselines
·
Website inspection
·
Honeypots
·
Anti-virus and anti-malware
·
Verbose logging – network devices, servers,
databases, and applications
·
Log correlation
·
Alerting
·
Patching
·
Email and FTP inspection and filtering
·
Network tracing tools
·
Information Security staff trained in tracking
and mapping events end-to-end
·
Coordination and partnering with IT, Application
Owners, Database Administrators, Business Units and Management both in
investigation and communicating the mapped intrusions.
In short, in order to implement intrusion kill chain
activity a company needs to have a mature inter-operating and information security
program. Additionally, they need trained staff that can investigate, map and
advise 'kill' activities, keep a compendium of mapped intrusions, analyze and
compare old and new intruder activity, code use, and delivery methods to thwart
current and future intrusions.
The intrusion (cyber) kill chain is not an endeavor that
can be successfully implemented in place of a comprehensive Information
Security Program, it’s another tool to be used to protect the company's data
assets.
The good news is if your company doesn't have a mature
information security program there is a lot you can do while making plans to
introduce an intrusion kill chains in your department's arsenal.
·
Educate your employees to watch for suspicious
emails. For instance, emails that seem to be off – such as, someone in
accounting receiving an invitation to attend a marketing conference. Let them
know that they shouldn't open attachments included in email like this.
·
Make sure you have anti-virus and anti-malware software
installed and up to date.
·
Start an inventory of your computing devices,
laptops, desktops, tablets, smartphones, network devices and security devices.
·
You have an advantage over intruders. You know
your network and what is normal and usual, they don't. Notice user behavior that is not usual and
look into it. For example, a login at 2am
for someone who works 9 to 5. Or an application process that normally runs
overnight that is kicking off during the day.
·
Keep your security patches up to date.
·
Create and monitor baseline configurations.
·
Write, publish and communicate information
security policies and company standards.
·
Turn on logging and start collecting and keeping
logs. Start with network devices and firewalls and then add servers and
databases. Set up alerts for things such
as repeated attempts at access.
·
Spend some time using search engines from
outside your network to see how much information can be learned about your
company from the Internet. You'd be
surprised how much you can find including sensitive documents.
All of these practices and activities give you more
information about your computing environment and what is normal and usual. The
more you know about your environment, the more likely it is that you will spot
the intruder before any damage is done.
Disclaimer:- Before conclusion, on behalf of Team VOGH, I would like to personally thank Mr. Adrian Stolarski for sharing this remarkable article with our readers. I would also like to thank Ryan Fahey of Infosec Institute for his spontaneous effort.
