GAINING THE ADVANTAGE
Applying Cyber Kill Chain® Methodology to Network Defense
THE MODERN DAY ATTACKER
Cyberattacks aren’t new, but the stakes at every level are higher than ever. Adversaries are more sophisticated, well-resourced, trained, and adept at launching skillfully planned intrusion campaigns called Advanced Persistent Threats (APT). Our nation’s security and prosperity depend on critical infrastructure. Protecting these assets requires a clear understanding of our adversaries, their motivations and strategies.
Adversaries are intent on the compromise and extraction of data for economic, political and national security advancement. Even worse, adversaries have demonstrated their willingness to conduct destructive attacks. Their tools and techniques have the ability to defeat most common computer network defense mechanisms.
SOPHISTICATED WELL-RESOURCED MOTIVATED
THE LOCKHEED MARTIN CYBER KILL CHAIN®
The Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective.
Stopping adversaries at any stage breaks the chain of attack! Adversaries must completely progress through all phases for success; this puts the odds in our favor as we only need to block them at any given one for success. Every intrusion is a chance to understand more about our adversaries and use their persistence to our advantage.
The kill chain model has seven steps:
• Defender’s goal: understand the aggressor’s actions
• Understanding is Intelligence
• Intruder succeeds if, and only if, they can proceed through steps 1-6 and reach the final stage of the Cyber Kill Chain®.
1. RECONNAISSANCE: Identify the Targets
ADVERSARY
The adversaries are in the planning phase of their operation. They conduct research to understand which targets will enable them to meet their objectives.
• Harvest email addresses
• Identify employees on social media networks
• Collect press releases, contract awards, conference attendee lists
• Discover internet-facing servers
DEFENDER
Detecting reconnaissance as it happens can be very difficult, but when defenders discover recon – even well after the fact – it can reveal the intent of the adversaries.
• Collect website visitor logs for alerting and historical searching.
• Collaborate with web administrators to utilize their existing browser analytics.
• Build detections for browsing behaviors unique to reconnaissance.
• Prioritize defenses around particular technologies or people based on recon activity.
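As an added example (not part of the Lockheed Martin brochure) of the log-based detections listed above, the following Python script parses Apache combined-format access logs and flags clients whose browsing looks like reconnaissance: a scanner User-Agent, probes of sensitive paths, a high share of 404 responses, or many distinct paths fetched within a few seconds. The log lines, the scanner and probe-path lists, and the thresholds are all constructed or assumed for illustration.

```python
"""Flag reconnaissance-like browsing in web server access logs.

Added example, not Lockheed Martin's code.  The log lines are constructed;
the scanner strings, probe paths and thresholds are assumptions a defender
would tune to their own site's traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent fragments of common scanning tools (assumed, non-exhaustive).
SCANNER_UA = ("nmap", "nikto", "sqlmap", "masscan", "python-requests")
# Path prefixes an ordinary visitor rarely requests but a scanner probes (assumed).
PROBE_PATHS = ("/.git/", "/.env", "/admin", "/wp-login.php", "/phpmyadmin", "/backup")

MIN_REQUESTS = 5        # ignore clients with fewer hits than this
NOT_FOUND_RATIO = 0.5   # share of 404 responses that suggests path guessing
BURST_SECONDS = 10      # distinct paths fetched this fast come from a tool, not a person

# Constructed sample in Apache "combined" format: one ordinary visitor,
# one scanner with a telltale User-Agent, one quiet path-guesser.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
203.0.113.7 - - [10/Mar/2015:09:12:41 +0000] "GET /careers.html HTTP/1.1" 200 3301 "http://www.example.com/index.html" "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
198.51.100.23 - - [10/Mar/2015:09:13:10 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.23 - - [10/Mar/2015:09:13:11 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.23 - - [10/Mar/2015:09:13:11 +0000] "GET /.git/HEAD HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.23 - - [10/Mar/2015:09:13:12 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.23 - - [10/Mar/2015:09:13:13 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.23 - - [10/Mar/2015:09:13:14 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.0.2.44 - - [10/Mar/2015:09:20:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
192.0.2.44 - - [10/Mar/2015:09:20:01 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
192.0.2.44 - - [10/Mar/2015:09:20:01 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
192.0.2.44 - - [10/Mar/2015:09:20:02 +0000] "GET /dev/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
192.0.2.44 - - [10/Mar/2015:09:20:03 +0000] "GET /staging/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append(ev)
    return events


def detect_recon(events):
    """Return {client_ip: [reasons]} for clients whose browsing looks like recon."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        reasons = []
        if any(s in e["ua"].lower() for e in evs for s in SCANNER_UA):
            reasons.append("scanner_user_agent")
        probes = [e["path"] for e in evs if e["path"].startswith(PROBE_PATHS)]
        if probes:
            reasons.append("probed_sensitive_paths:%d" % len(probes))
        if len(evs) >= MIN_REQUESTS:
            ratio = sum(e["status"] == 404 for e in evs) / len(evs)
            if ratio >= NOT_FOUND_RATIO:
                reasons.append("high_404_ratio:%.2f" % ratio)
            times = [e["ts"] for e in evs]
            span = (max(times) - min(times)).total_seconds()
            distinct = len({e["path"] for e in evs})
            if distinct >= MIN_REQUESTS and span <= BURST_SECONDS:
                reasons.append("burst:%d_paths_in_%ds" % (distinct, span))
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in detect_recon(parse_log(SAMPLE_LOG)).items():
        print(ip, ", ".join(reasons))
```

Each reason is a weak signal on its own; the value comes from tuning the thresholds to your own site's traffic and keeping the flagged clients searchable, so that a later delivery or exploitation event can be correlated back to the recon that preceded it. Note that the probe-path match is a prefix match, so a real deployment would want exact paths or a regex.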
2. WEAPONIZATION: Prepare the Operation
ADVERSARY
The adversaries are in the preparation and staging phase of their operation. Malware generation is likely not done by hand – they use automated tools. A “weaponizer” couples malware and exploit into a deliverable payload.
• Obtain a weaponizer, either built in-house or acquired through public or private channels
• For file-based exploits, select a “decoy” document to present to the victim.
• Select backdoor implant and appropriate command and control infrastructure for the operation
• Designate a specific “mission id” and embed it in the malware
• Compile the backdoor and weaponize the payload
DEFENDER
This is an essential phase for defenders to understand. Though they cannot detect weaponization as it happens, they can infer it by analyzing malware artifacts. Detections against weaponizer artifacts are often the most durable and resilient defenses.
• Conduct full malware analysis – not just what payload it drops, but how it was made.
• Build detections for weaponizers – find new campaigns and new payloads only because they re-used a weaponizer toolkit.
• Analyze the timeline of when malware was created relative to when it was used. Old malware is “malware off the shelf” but new malware might mean active, tailored operations.
• Collect files and metadata for future analysis.
• Determine which weaponizer artifacts are common to which APT campaigns. Are they widely shared or closely held?
3. DELIVERY: Launch the Operation
ADVERSARY
The adversaries convey the malware to the target. They have launched their operation.
• Adversary controlled delivery:
  • Direct against web servers
• Adversary released delivery:
  • Malicious email
  • Malware on USB stick
  • Social media interactions
  • “Watering hole” compromised websites
DEFENDER
This is the first and most important opportunity for defenders to block the operation. A key measure of effectiveness is the fraction of intrusion attempts that are blocked at the delivery stage.
• Analyze delivery medium – understand upstream infrastructure.
• Understand targeted servers and people, their roles and responsibilities, and what information is available.
• Infer intent of adversary based on targeting.
• Leverage weaponizer artifacts to detect new malicious payloads at the point of Delivery.
• Analyze time of day of when the operation began.
• Collect email and web logs for forensic reconstruction. Even if an intrusion is detected late, defenders must be able to determine when and how delivery began.
4. EXPLOITATION: Gain Access to Victim
ADVERSARY
The adversaries must exploit a vulnerability to gain access. The phrase “zero day” refers to an exploit for a vulnerability that is not yet publicly known or patched; it is the exploit code used in just this step.
• Software, hardware, or human vulnerability
• Acquire or develop zero day exploit
• Adversary triggered exploits for server-based vulnerabilities
• Victim triggered exploits:
  • Opening attachment of malicious email
  • Clicking malicious link
DEFENDER
Here traditional hardening measures add resiliency, but custom capabilities are necessary to stop zero-day exploits at this stage.
• User awareness training and email testing for employees.
• Secure coding training for web developers.
• Regular vulnerability scanning and penetration testing.
• Endpoint hardening measures:
  • Restrict admin privileges
  • Use Microsoft EMET (since retired by Microsoft; its mitigations now ship as Exploit Protection in Windows 10 and later)
  • Custom endpoint rules to block shellcode execution
• Endpoint process auditing to forensically determine the origin of the exploit.
5. INSTALLATION: Establish Beachhead at the Victim
ADVERSARY
Typically, the adversaries install a persistent backdoor or implant in the victim environment to maintain access for an extended period of time.
• Install webshell on web server
• Install backdoor/implant on client victim
• Create point of persistence by adding services, AutoRun keys, etc.
• Some adversaries “time stomp” the file’s timestamps to make the malware appear to be part of the standard operating system install.
DEFENDER
Use endpoint instrumentation to detect and log installation activity. Analyze the installation phase during malware analysis to create new endpoint mitigations.
• HIPS to alert or block on common installation paths, e.g. RECYCLER.
• Understand if the malware requires administrator privileges or only user privileges.
• Endpoint process auditing to discover abnormal file creations.
• Extract certificates of any signed executables.
• Understand the compile time of the malware to determine if it is old or new.
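Added example, not Lockheed Martin's code, serving both the Weaponization bullet on analyzing when malware was created relative to when it was used and the Installation bullets on compile time and time stomping: the Python below reads the COFF TimeDateStamp from a PE header, classifies the build as fresh or off the shelf against the time the sample was first seen, and compares the header stamp with the file system modification time to spot time stomping. build_sample_pe() fabricates a minimal, non-runnable PE stub as a test fixture; the 30-day window and the 5-minute tolerance are assumed thresholds.

```python
"""Compile-time triage of a Windows executable: when was it built, and does
that agree with when it was first seen and with the file's own timestamps?

Added example, not Lockheed Martin's code.  build_sample_pe() fabricates a
minimal, non-runnable PE stub as a fixture; FRESH_DAYS and the time-stomp
tolerance are assumed thresholds.
"""
import struct
from datetime import datetime, timedelta, timezone

FRESH_DAYS = 30  # assumed: built within this long before first use = tailored, active operation


def build_sample_pe(compile_ts, machine=0x14C):
    """Fabricate MZ stub + 'PE\\0\\0' + COFF header carrying compile_ts (fixture only)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: file offset of the PE signature
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, compile_ts, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data):
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None if it is unset (0)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # TimeDateStamp sits 8 bytes past the signature, after Machine and NumberOfSections.
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc) if ts else None


def assess_age(compile_time, first_seen):
    """Old malware is 'off the shelf'; a build shortly before first use suggests a tailored operation."""
    if compile_time is None:
        return "unset"             # some linkers zero the field; reproducible builds store a hash
    age = first_seen - compile_time
    if age < timedelta(0):
        return "future_timestamp"  # 'built' after we saw it: forged header or clock problem
    if age <= timedelta(days=FRESH_DAYS):
        return "fresh"
    return "off_the_shelf"


def looks_timestomped(compile_time, fs_mtime, tolerance=timedelta(minutes=5)):
    """A file cannot legitimately have been modified on disk before it was compiled."""
    return compile_time is not None and fs_mtime + tolerance < compile_time


if __name__ == "__main__":
    built = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)
    sample = build_sample_pe(int(built.timestamp()))
    ct = pe_compile_time(sample)
    print("compiled:", ct)
    print("age class:", assess_age(ct, datetime(2015, 3, 10, tzinfo=timezone.utc)))
    # mtime backdated to look like an OS install from 2009: stomped
    print("timestomped:", looks_timestomped(ct, datetime(2009, 7, 14, tzinfo=timezone.utc)))
```

The header timestamp is attacker-controlled and not always meaningful: Delphi binaries carry a fixed 1992 stamp, some linkers zero the field, and reproducible builds (for example MSVC with /Brepro) store a hash in it. Treat it as one artifact to correlate with delivery time, file system times and sandbox first-seen dates, not as proof on its own.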
6. COMMAND & CONTROL (C2): Remotely Control the Implants
ADVERSARY
Malware opens a command channel to enable the adversary to remotely manipulate the victim.
• Open two-way communications channel to C2 infrastructure
• Most common C2 channels are over web, DNS, and email protocols
• C2 infrastructure may be adversary owned or another victim network itself
DEFENDER
The defender’s last best chance to block the operation is to block the C2 channel. If adversaries can’t issue commands, defenders can prevent impact.
• Discover C2 infrastructure through malware analysis.
• Harden network:
  • Consolidate the number of internet points of presence
  • Require proxies for all types of traffic (HTTP, DNS)
• Customize blocks of C2 protocols on web proxies.
• Proxy category blocks, including “none” or “uncategorized” domains.
• DNS sinkholing and name server poisoning.
• Conduct open source research to discover new adversary C2 infrastructure.
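Added example (not the brochure's) for the proxy controls above: a per-request category policy that blocks destinations the proxy classifies as “uncategorized” or that malware analysis has sinkholed, plus a periodicity check over proxy logs that surfaces implants beaconing to C2 at a near-constant interval. The beacon check generalizes the page's guidance on blocking C2 over web proxies; the proxy records, the sinkhole list and the thresholds are constructed or assumed.

```python
"""Two proxy-side C2 controls: a category policy that blocks "uncategorized"
destinations and sinkholed domains, and a periodicity check that finds
implants beaconing to a fixed destination on a fixed interval.

Added example, not Lockheed Martin's code.  The proxy records are
constructed; the sinkhole list and thresholds are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

MIN_HITS = 6      # need enough samples before calling a pattern periodic
MAX_CV = 0.15     # pstdev/mean of inter-request gaps; human browsing is far noisier
BLOCKED_CATEGORIES = {"uncategorized", "none"}
SINKHOLED = {"c2.example-bad.net"}  # assumed: names recovered from malware analysis

# Constructed proxy records: timestamp client destination-host proxy-category
PROXY_LOG = """\
2015-03-10T10:00:00 10.1.2.3 www.example.com news
2015-03-10T10:00:04 10.1.2.3 cdn.example.net content-delivery
2015-03-10T10:01:10 10.1.2.3 www.example.com news
2015-03-10T10:07:45 10.1.2.3 www.example.com news
2015-03-10T10:08:02 10.1.2.3 www.example.com news
2015-03-10T10:21:30 10.1.2.3 www.example.com news
2015-03-10T10:22:00 10.1.2.3 www.example.com news
2015-03-10T10:40:00 10.1.2.3 www.example.com news
2015-03-10T10:03:00 10.1.2.77 c2.example-bad.net malware
2015-03-10T10:00:00 10.1.2.50 update-check.example.org uncategorized
2015-03-10T10:05:01 10.1.2.50 update-check.example.org uncategorized
2015-03-10T10:09:59 10.1.2.50 update-check.example.org uncategorized
2015-03-10T10:15:02 10.1.2.50 update-check.example.org uncategorized
2015-03-10T10:20:00 10.1.2.50 update-check.example.org uncategorized
2015-03-10T10:24:58 10.1.2.50 update-check.example.org uncategorized
2015-03-10T10:30:01 10.1.2.50 update-check.example.org uncategorized
"""


def parse_proxy_log(text):
    events = []
    for line in text.splitlines():
        ts, client, host, category = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "host": host, "category": category})
    return events


def decide(event):
    """Per-request policy: block known C2 names and unknown categories, allow the rest."""
    if event["host"] in SINKHOLED:
        return "block:sinkholed"
    if event["category"] in BLOCKED_CATEGORIES:
        return "block:" + event["category"]
    return "allow"


def find_beacons(events, min_hits=MIN_HITS, max_cv=MAX_CV):
    """Return {(client, host): stats} for pairs whose request timing is near-constant."""
    pairs = defaultdict(list)
    for ev in events:
        pairs[(ev["client"], ev["host"])].append(ev["ts"])
    beacons = {}
    for key, times in pairs.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # coefficient of variation of the gaps
        if cv <= max_cv:
            beacons[key] = {"hits": len(times), "period_s": mean, "cv": cv}
    return beacons


if __name__ == "__main__":
    evs = parse_proxy_log(PROXY_LOG)
    print("blocked:", sum(decide(e).startswith("block") for e in evs), "of", len(evs))
    for (client, host), stats in find_beacons(evs).items():
        print("beacon %s -> %s every %.0fs (cv=%.3f)" % (client, host, stats["period_s"], stats["cv"]))
```

Implants add jitter to their sleep interval precisely to defeat this kind of check, so MAX_CV is a tuning knob rather than a constant, and a long-lived, low-volume client-to-host pair with a low coefficient of variation deserves an analyst's attention even when the proxy has the destination categorized. Note that in the sample the beaconing host was also “uncategorized”, so the category policy alone would have cut the channel before any timing analysis.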
7. ACTIONS ON OBJECTIVES: Achieve the Mission’s Goal
ADVERSARY
With hands-on keyboard access, intruders accomplish the mission’s goal. What happens next depends on who is on the keyboard.
• Collect user credentials
• Privilege escalation
• Internal reconnaissance
• Lateral movement through environment
• Collect and exfiltrate data
• Destroy systems
• Overwrite or corrupt data
• Surreptitiously modify data
DEFENDER
The longer an adversary has CKC7 (Cyber Kill Chain step 7) access, the greater the impact. Defenders must detect this stage as quickly as possible and use forensic evidence, including network packet captures, for damage assessment.
• Establish incident response playbook, including executive engagement and communications plan.
• Detect data exfiltration, lateral movement, unauthorized credential usage.
• Immediate analyst response to all CKC7 alerts.
• Forensic agents pre-deployed to endpoints for rapid triage.
• Network packet capture to recreate activity.
• Conduct damage assessment with subject matter experts.
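Added example (not Lockheed Martin's code) for the “detect lateral movement and unauthorized credential usage” bullet above, working from Windows logon events: one rule counts the distinct hosts an account reaches through network or RDP logons inside a ten-minute window, the other flags privileged accounts used from anything but the approved jump host. The records (condensed from event 4624 fields), the adm_ naming convention, the JUMP-01 host and the thresholds are constructed or assumed.

```python
"""Detect lateral movement and questionable credential use in Windows logon
events once an intruder has reached Actions on Objectives.

Added example, not Lockheed Martin's code.  The logon records are constructed
(fields condensed from event 4624: account, source host, target host, logon
type); the "adm_" prefix, approved jump host and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON_TYPES = {3, 10}        # 3 = network (SMB/RPC), 10 = RemoteInteractive (RDP)
FAN_OUT_HOSTS = 4                    # distinct targets inside one window that trips the rule
WINDOW = timedelta(minutes=10)
ADMIN_PREFIX = "adm_"                # assumed naming convention for privileged accounts
APPROVED_ADMIN_SOURCES = {"JUMP-01"} # assumed: the only host admins should work from

# Constructed records: timestamp account source-host target-host logon-type
LOGON_EVENTS = """\
2015-03-10T13:00:05 jsmith WS-0142 FS-01 3
2015-03-10T13:02:10 jsmith WS-0142 WS-0142 2
2015-03-10T13:10:00 svc_backup BK-01 FS-01 3
2015-03-10T13:10:30 svc_backup BK-01 FS-02 3
2015-03-10T13:30:00 adm_rjones JUMP-01 DC-01 10
2015-03-10T14:20:00 adm_rjones WS-0142 FS-01 3
2015-03-10T14:20:40 adm_rjones WS-0142 FS-02 3
2015-03-10T14:21:15 adm_rjones WS-0142 DC-01 3
2015-03-10T14:22:02 adm_rjones WS-0142 SQL-03 10
2015-03-10T14:23:30 adm_rjones WS-0142 WS-0207 3
"""


def parse_logons(text):
    events = []
    for line in text.splitlines():
        ts, account, src, dst, ltype = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "dst": dst, "type": int(ltype)})
    return events


def detect_lateral_movement(events, window=WINDOW, threshold=FAN_OUT_HOSTS):
    """{account: max distinct hosts} for accounts whose remote logons fan out too fast."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["type"] in NETWORK_LOGON_TYPES and ev["src"] != ev["dst"]:
            per_account[ev["account"]].append(ev)
    hits = {}
    for account, evs in per_account.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, anchor in enumerate(evs):
            # distinct targets reached within `window` of this logon (sliding window)
            in_window = {e["dst"] for e in evs[i:] if e["ts"] - anchor["ts"] <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            hits[account] = best
    return hits


def detect_admin_misuse(events):
    """(account, source host) pairs where a privileged account logged on from a non-approved host."""
    return sorted({(e["account"], e["src"]) for e in events
                   if e["account"].startswith(ADMIN_PREFIX)
                   and e["src"] not in APPROVED_ADMIN_SOURCES})


if __name__ == "__main__":
    evs = parse_logons(LOGON_EVENTS)
    for account, n in detect_lateral_movement(evs).items():
        print("fan-out: %s reached %d hosts within %s" % (account, n, WINDOW))
    for account, src in detect_admin_misuse(evs):
        print("admin credential used off the jump host: %s from %s" % (account, src))
```

In the sample the same workstation that a normal user sat at in the morning is the source of an admin account's burst of logons in the afternoon, which is the typical shape of stolen credentials being used for lateral movement. Both rules are cheap enough to run continuously on a SIEM, and both depend on an inventory the defender has to maintain: which accounts are privileged and which hosts they are allowed to work from.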
ANALYSIS: Identifying Patterns
Analysis of multiple intrusion kill chains over time draws attention to similarities and overlapping indicators. Defenders learn to recognize and define intrusion campaigns and understand the intruder’s mission objectives.
Identify patterns: what are they looking for, why are they targeting me?
This will help identify how to best protect yourself from the next attack. You can’t get ahead of the threat unless you understand the campaign.
RECONSTRUCTION: Prevent Future Attacks
Cyber Kill Chain® analysis guides understanding of what information is, and may be, available for defensive courses of action. Stay focused on your threat landscape with vigilance.
RESILIENCE: Defend against Advanced Persistent Threats
The antidote to APT is a resilient defense. Measure the effectiveness of your countermeasures against the threats. Be agile to adapt your defenses faster than the threats.
TIPS FOR INTELLIGENT RECONSTRUCTION:
• Defenders must always analyze backward to understand earlier steps in the kill chain. The threats will come back again. Learn how they got in and block it for the future.
• Blocked intrusions are equally important to analyze in depth to understand how the intrusion would have progressed.
• Measure the effectiveness of your defenses had it progressed. Deploy mitigations to build resilience for tomorrow.
JUST ONE MITIGATION BREAKS THE CHAIN
• The defender has the advantage with the Cyber Kill Chain® solution. All seven steps must be successful for a cyber attack to occur.
• The defender has seven opportunities to break the chain.
CONCLUSION
• Defenders CAN have the advantage:
  • Better communicate and mitigate risks
  • Build true resilience
  • Meaningfully measure results
• Getting Started: Remember there is no such thing as secure, only defendable.
• Start by thinking differently when you make changes to your processes, investments, metrics, communications with your team and leadership, staffing models, and architectures.
• Know your threats… it’s not just about network defense anymore. It’s about defending much more, like your platforms and mobile users.
THREE WAYS TO USE HISTORY TO YOUR ADVANTAGE:
• Look for patterns to strengthen your defense
• Improve your organizational structure and response
• Know your potential threat surfaces, even the old ones
RESOURCES
cyber.security@lmco.com 855-LMCYBER 855-562-9237
LOCKHEED MARTIN, LOCKHEED and the STAR design trademarks used throughout are registered trademarks in the U.S. Patent and Trademark Office owned by Lockheed Martin Corporation.
© 2015 Lockheed Martin Corporation. All Rights Reserved. | #CMK201503001