
Implementing the Intrusion (Cyber) Kill Chain - A Plenary Overview



The Intrusion (Cyber) Kill Chain is a phrase popularized by infosec industry professionals and introduced in a Lockheed Martin Corporation paper titled "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains".

The intrusion kill chain model is derived from a military model describing the phases of an attack. The phases of the military model are: find, fix, track, target, engage, and assess. Analysis of these phases is used to pinpoint gaps in capability and to prioritize the development of needed systems. The first phase in this military model is to decide on a target (find). Second, once the target is decided, you set about locating it (fix). Next, you surveil it to gather intelligence (track). Once you have enough information, you decide the best way to achieve your objective (target) and then carry out that plan (engage). Finally, you analyze what went wrong and what went right (assess) so that adjustments can be made in future attacks.

Lockheed Martin analysts began by mapping the phases of cyber attacks. The mapping focused on a specific class of attack, the Advanced Persistent Threat (APT): the adversary gets into your network and stays, sometimes for years, sending information, usually encrypted, to collection sites without being detected. Because the intruder spent so much time in the network, analysts were able to gather data about what was happening. They could then sift through the data and group it into the phases of the military attack model. Analysts soon realized that while cyber attacks had predictable phases, those phases were slightly different from the military model. The intrusion (cyber) kill chain shown below describes the phases of a cyber attack.

The chain of events or activities is as follows:

[Figure: the seven links of the intrusion kill chain (Intrusion-chain.png)]

Link in the Chain / Description

1. Reconnaissance: research, identification and selection of targets, for example scraping websites for information on companies and their employees in order to select targets.

2. Weaponization: coupling an exploit with a remote access Trojan into a deliverable payload, most often a document, photo or similar file with the exploit embedded in it.

3. Delivery: transmission of the weapon (the document with the embedded exploit) to the targeted environment. According to Lockheed Martin's Computer Incident Response Team (LM-CIRT), the most prevalent delivery methods are email attachments, websites, and USB removable media.

4. Exploitation: after the weapon is delivered, the intruder's code is triggered to exploit an operating system or application vulnerability, to make use of an operating system's auto-execute feature, or to exploit the users themselves.

5. Installation: along with the exploit, the weapon installs a remote access Trojan and/or a backdoor that allows the intruder to maintain presence in the environment.

6. Command and Control: compromised systems establish a connection to an outside server under the intruder's control, giving the intruder 'hands on the keyboard' control of the target's compromised network, systems and applications.

7. Actions on Objective: after progressing through the previous six phases, the intruder takes action to achieve their objective. The most common objectives are data exfiltration, disruption of the network, and/or use of the target's network as a hop point for attacking other networks.

Lockheed Martin's analysts also discovered, while mapping the intruders' activities, that a break (kill) in any one link in the chain causes the intrusion to fail in its objective. This is one of the major benefits of the intrusion kill chain framework: security professionals have traditionally taken a reactive approach to incident response, acting only after a compromise, whereas the kill chain gives the defender a place to act at every phase, before the intruder reaches the objective. This means that intrusions can be dealt with proactively, not just reactively.

Lockheed Martin's case studies reveal that knowledge of previous intrusions and how they were accomplished allows analysts to recognize previously used tactics and exploits in current attacks. For example, mapping three intrusions revealed that all three were delivered via email, all three used very similar encryption, and all three used the same installation program and connected to the same outside collection site. All of the intrusions were stopped before they accomplished their objective.
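The comparison described above, indicators from several intrusions laid side by side per kill chain phase so the recurring ones stand out, can be written down as a small script. The following is an added example and is not code from the Lockheed Martin paper or from the original post. Every intrusion record, hash, sender address and domain in it is a constructed placeholder (the `.invalid` domains and `placeholder` strings are deliberately not real indicators); the phase names and the "earliest shared phase" idea come from the kill chain itself, while the function names and the overlap threshold are choices made for this example.

```python
"""Correlate kill-chain indicators across intrusions (added example).

All intrusion records below are constructed placeholders, not real IOCs.
"""
from collections import Counter

# Kill chain phases in order; the index gives "earlier" vs "later" in the chain.
PHASES = (
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objective",
)

# Constructed records: phase -> set of indicators observed in that phase.
INTRUSIONS = {
    "intrusion-1": {
        "delivery": {"email attachment", "sender:hr-portal@example.invalid"},
        "weaponization": {"rc4:key-stream-A", "exploit:cve-placeholder-1"},
        "installation": {"installer:sha256-placeholder-aaaa"},
        "command_and_control": {"c2:update-check.example.invalid"},
    },
    "intrusion-2": {
        "delivery": {"email attachment", "sender:benefits@example.invalid"},
        "weaponization": {"rc4:key-stream-A", "exploit:cve-placeholder-2"},
        "installation": {"installer:sha256-placeholder-aaaa"},
        "command_and_control": {"c2:update-check.example.invalid"},
    },
    "intrusion-3": {
        "delivery": {"email attachment", "sender:hr-portal@example.invalid"},
        "weaponization": {"rc4:key-stream-A", "exploit:cve-placeholder-3"},
        "installation": {"installer:sha256-placeholder-aaaa"},
        "command_and_control": {"c2:update-check.example.invalid"},
    },
}

# A constructed new intrusion seen only up to delivery so far.
NEW_INTRUSION = {
    "delivery": {"email attachment", "sender:hr-portal@example.invalid"},
    "weaponization": {"rc4:key-stream-A", "exploit:cve-placeholder-4"},
}


def shared_indicators(intrusions):
    """Return {phase: indicators present in every intrusion}; empty phases are dropped."""
    records = list(intrusions.values())
    shared = {}
    for phase in PHASES:
        common = set.intersection(*(rec.get(phase, set()) for rec in records)) if records else set()
        if common:
            shared[phase] = common
    return shared


def earliest_shared_phase(intrusions):
    """Earliest phase whose indicators recur in every intrusion.

    A single detection or block placed here would have broken every
    intrusion in the set, so it is where the defender gets the most leverage.
    """
    shared = shared_indicators(intrusions)
    for phase in PHASES:
        if phase in shared:
            return phase, shared[phase]
    return None, set()


def overlap(a, b):
    """(phase, indicator) pairs that two intrusion records have in common."""
    return {(p, i) for p in PHASES for i in a.get(p, set()) & b.get(p, set())}


def rank_known_intrusions(new, known):
    """Known intrusions ranked by how many indicators they share with a new one."""
    return Counter({name: len(overlap(new, rec)) for name, rec in known.items()}).most_common()


def predicted_later_indicators(new, known, min_overlap=2):
    """Indicators to hunt for in phases the new intrusion has not reached yet.

    They are taken from known intrusions that share at least `min_overlap`
    (phase, indicator) pairs with the new one; the threshold is a choice
    made for this example, not a value from the paper.
    """
    observed = [p for p in PHASES if new.get(p)]
    last_idx = max(PHASES.index(p) for p in observed) if observed else -1
    predicted = {}
    for rec in known.values():
        if len(overlap(new, rec)) < min_overlap:
            continue
        for phase in PHASES[last_idx + 1:]:
            if rec.get(phase):
                predicted.setdefault(phase, set()).update(rec[phase])
    return predicted


if __name__ == "__main__":
    print("earliest shared phase:", earliest_shared_phase(INTRUSIONS))
    print("ranking:", rank_known_intrusions(NEW_INTRUSION, INTRUSIONS))
    print("hunt for:", predicted_later_indicators(NEW_INTRUSION, INTRUSIONS))
```

On the constructed data the earliest shared phase is weaponization (the recurring encryption key stream), and the partial new intrusion matches two of the three known ones closely enough that the installer hash and the outside server from the earlier intrusions become the things to look for next. Weaponization artefacts are only observable after delivery, so in practice the "kill" for that phase is a detection signature applied at delivery or exploitation rather than a block on weaponization itself.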

How did they do this? How can my company utilize this approach?

Monitoring and mapping are the key.

The following list contains some of the components (in no particular order) needed to map intrusions and to set up the kill at the chosen link.

· Network Intrusion Detection (NIDS)

· Network Intrusion Prevention (NIPS)

· Host Intrusion Detection (HIDS)

· Firewall access control lists (ACL)

· Full packet inspection

· A mature IT asset management system

· A mature and comprehensive Configuration Management Database (CMDB)

· Device and system hardening

· Secure configuration baselines

· Website inspection

· Honeypots

· Anti-virus and anti-malware

· Verbose logging – network devices, servers, databases, and applications

· Log correlation

· Alerting

· Patching

· Email and FTP inspection and filtering

· Network tracing tools

· Information Security staff trained in tracking and mapping events end-to-end

· Coordination and partnering with IT, Application Owners, Database Administrators, Business Units and Management both in investigation and communicating the mapped intrusions.

In short, in order to implement intrusion kill chain activity a company needs a mature, inter-operating information security program. Additionally, it needs trained staff who can investigate, map and advise on 'kill' activities; keep a compendium of mapped intrusions; and analyze and compare old and new intruder activity, code use and delivery methods to thwart current and future intrusions.

The intrusion (cyber) kill chain is not an endeavor that can be successfully implemented in place of a comprehensive information security program; it is another tool to be used to protect the company's data assets.

The good news is that if your company doesn't have a mature information security program, there is a lot you can do while making plans to add the intrusion kill chain to your department's arsenal.

· Educate your employees to watch for suspicious emails, for instance emails that seem off, such as someone in accounting receiving an invitation to attend a marketing conference. Let them know that they shouldn't open attachments included in emails like this.

· Make sure you have anti-virus and anti-malware software installed and up to date.

· Start an inventory of your computing devices: laptops, desktops, tablets, smartphones, network devices and security devices.

· You have an advantage over intruders. You know your network and what is normal and usual; they don't. Notice user behavior that is unusual and look into it. For example, a login at 2am for someone who works 9 to 5, or an application process that normally runs overnight kicking off during the day.

· Keep your security patches up to date.

· Create and monitor baseline configurations.

· Write, publish and communicate information security policies and company standards.

· Turn on logging and start collecting and keeping logs. Start with network devices and firewalls and then add servers and databases. Set up alerts for things such as repeated attempts at access.

· Spend some time using search engines from outside your network to see how much information can be learned about your company from the Internet. You'd be surprised how much you can find, including sensitive documents.
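Two of the items above (alerting on repeated access attempts, and noticing a login at 2am from someone who works 9 to 5) are the kind of check you can run over the logs once you have started collecting them. The script below is an added example, not code from the original post or from any product: the log lines, user names, source addresses and working hours are all constructed, and the line layout is a simplified syslog-like format invented for this example, so the regular expression would need adjusting for a real authentication log. The five-failures-in-five-minutes threshold is likewise an assumption chosen here, not a recommended value.

```python
"""Baseline-driven alerts over authentication log lines (added example).

The log lines, users, addresses and working hours below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in the layout "<ISO timestamp> auth <result> user=<name> src=<ip>".
LOG_LINES = """\
2024-03-04T09:02:11 auth success user=alice src=10.0.0.5
2024-03-04T09:05:40 auth failure user=bob src=10.0.0.9
2024-03-04T09:05:42 auth failure user=bob src=10.0.0.9
2024-03-04T09:05:45 auth failure user=bob src=10.0.0.9
2024-03-04T09:05:47 auth failure user=bob src=10.0.0.9
2024-03-04T09:05:50 auth failure user=bob src=10.0.0.9
2024-03-04T09:06:03 auth success user=bob src=10.0.0.9
2024-03-05T02:14:09 auth success user=alice src=203.0.113.7
2024-03-05T10:30:00 auth failure user=carol src=10.0.0.12
2024-03-05T17:45:00 auth success user=carol src=10.0.0.12
""".splitlines()

# Constructed baseline: (start_hour, end_hour) of each user's normal working day.
WORKING_HOURS = {"alice": (9, 17), "bob": (9, 17), "carol": (8, 18)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Turn log lines into event dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def repeated_failures(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one user+source accumulates `threshold` failures inside a sliding `window`."""
    alerts = []
    recent = defaultdict(list)  # (user, src) -> timestamps of failures still in the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "failure":
            continue
        key = (ev["user"], ev["src"])
        bucket = recent[key] + [ev["ts"]]
        bucket = [t for t in bucket if ev["ts"] - t <= window]  # drop expired failures
        if len(bucket) >= threshold:
            alerts.append({"type": "repeated_failures", "user": ev["user"],
                           "src": ev["src"], "count": len(bucket), "ts": ev["ts"]})
            bucket = []  # reset so one burst produces one alert, not one per extra failure
        recent[key] = bucket
    return alerts


def off_hours_logins(events, hours=WORKING_HOURS):
    """Alert on successful logins outside the user's baseline working hours."""
    alerts = []
    for ev in events:
        if ev["result"] != "success" or ev["user"] not in hours:
            continue
        start, end = hours[ev["user"]]
        if not (start <= ev["ts"].hour < end):
            alerts.append({"type": "off_hours_login", "user": ev["user"],
                           "src": ev["src"], "ts": ev["ts"]})
    return alerts


def run(lines=LOG_LINES):
    """Parse the lines and return every alert from both checks."""
    events = parse(lines)
    return repeated_failures(events) + off_hours_logins(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed lines the first check fires once for bob (five failures in ten seconds, followed by a success, which is the pattern worth a phone call), and the second fires for alice's 02:14 login from an outside address. Carol's single failure and her 17:45 login stay quiet because they sit inside her baseline; that baseline is exactly the "what is normal and usual" knowledge the text says gives you the advantage, and it is why the inventory and logging steps come before the alerting step.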

All of these practices and activities give you more information about your computing environment and what is normal and usual. The more you know about your environment, the more likely it is that you will spot the intruder before any damage is done.

