• No results found

Defending against Advanced Threats: Addressing the Cyber Kill Chain

N/A
N/A
Protected

Academic year: 2021

Share "Defending against Advanced Threats: Addressing the Cyber Kill Chain"

Copied!
11
0
0

Loading.... (view fulltext now)

Full text

(1)

Featuring research from Gartner

Defending against Advanced Threats:

Addressing the Cyber Kill Chain

“We have known for a considerable period of time that the perimeter-centric security approach is not a panacea for all ills, but organizations should not move away from these controls because they provide a solid foundation. However, in order to allocate and prioritize resources, they should be extended with methods based on an understanding of the CKC. “ - Gartner Addressing the Cyber Kill Chain, Craig Lawson, 15 August 2014

The latest data breach reports on the daily news remind us of the rapidly changing state of enterprise security. No longer can the focus remain solely on a strong perimeter and end point protection; a new model and approach is required inclusive of the above but extending to deeper analysis and data protection as well. “The current pre-vention, prepre-vention, prevention approach to dealing with the threat landscape has failed to address advanced and targeted attacks with enough efficacy.”1 More is required

including updated thinking, a new course to address the challenge and next generation protection solutions. A traditional “castle moat and keep” defense mindset per-sists today as enterprises invest heavily in perimeter and endpoint protection solutions. While previously successful in protecting companies, these investments are no longer showing the same return. Attackers have innovated and exploited channels through these traditional defenses.

4

From the Gartner Files: Addressing the Cyber Kill Chain 11

About Proofpoint, Inc.

In this report:

Changing the conversation and focus to the mechanics of an advanced or targeted attack is key to disrupting mali-cious actions.

(2)

In 2011, researchers at Lockheed Martin devel-oped the Kill Chain modeled on evidence from network attacks.2 The Kill Chain is widely known,

understood and quoted in security circles. How-ever, it is not generally applied to companies’ security infrastructure investments. Gartner re-search recommends organizations: “Understand the flow of the kill chain to better understand your adversaries and therefore adjust your defensive tactics to improve your security posture.”3 Align

your defenses with reality. Augment existing defenses with best of breed solutions which deploy innovative techniques to detect, block and disrupt the attack before it occurs, shorten the response time and ultimately protect enterprise assets and data.

Proofpoint Aligned to the Cyber Kill

Chain Model

A suite of products which maps to the reality of the kill chain is optimum. A large collection is listed in Table 1 of the attached Gartner report. Our focus is a subset. Proofpoint’s solution set maps to the Cyber Kill Chain model as detailed in the diagram below.

About Proofpoint’s Superior Advanced

Threat Protection

Block, Detect, Respond, and Harden are the key pillars of the Proofpoint solution set. Proofpoint’s portfolio of industry-leading security solutions for blocking email-borne attacks, detecting new

advanced threats, automating incident response, and reducing the impact of potential breaches ad-dress the reality of today’s advanced attacks and aligns security infrastructure with the Kill Chain. Email which continues to be a critical business service is the top route for attackers. The Proof-point security suite detects and manages ad-vanced email-borne threats, provides security for sensitive data, and accelerates the identification and containment of new threats.

Stopping more advanced threats: Delivered

through the cloud-based Proofpoint Enterprise Protection Suite, organizations of all sizes have access to industry-leading inbound and outbound email security. This suite accurately classifies and blocks threats, while leveraging phishing detection, anti-spam and antivirus technologies.

Detecting advanced threats faster with

actionable intelligence: Proofpoint Targeted

Attack Protection detects phishing and web compromise attacks and provides organizations with actionable intelligence to quickly respond. Backed by continuous big data analysis of bil-lions of data points, Proofpoint provides detailed information around campaign type, targeted us-ers and potentially infected systems. Armed with this information, organizations can identify and manage new threats before they lead to data breaches and destructive compromises.

1Addressing the Cyber Kill Chain (Gartner), p. 1

2http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html 3Ibid. 1 Block Known Threats Enterprise Protection Detect Unknown Threats Targeted Attack Protection Respond to Incidents Threat Response Harden Against Loss Regulatory Compliance Encryption Content Control

(3)

Automating incident response, accelera-ting threat remediation: Proofpoint Threat

Re-sponse provides users with an open, extensible platform that automates incident response and the incident management lifecycle. Reduc-ing security alert response time from hours to seconds, Proofpoint Threat Response delivers consistent information to users and streamlines collaboration and workflow. Alerts are auto-matically integrated across multiple security so-lutions such as those from Proofpoint, FireEye, Palo Alto Networks and Splunk. This solution enables users to investigate, verify, prioritize and contain today’s advanced threats.

Reducing the impact of data breaches

caused by advanced threats: The

easy-to-deploy, user-friendly Proofpoint

Content Control solution delivers enhanced visibility and control over sensitive con-tent. Through contextual data intelligence, privacy and security teams can effectively identify and manage information with PCI, HIPAA and FINRA regulated content and other high value information. Violations can be quarantined, copied or deleted to reduce the attack surface and potential impact of a data breach.

Proofpoint’s security solutions align with the new security strategy required to address the cyber kill chain. For more information on Proofpoint secu-rity suite solutions, please visit www.proofpoint. com/us/solutions - and read Gartner’s research on Addressing the Cyber Kill Chain, available on the following pages.

(4)

Addressing the Cyber Kill Chain

From the Gartner Files:

The Cyber Kill Chain model describes how at-tackers use the cycle of compromise, persistence and exfiltration against an organization. Once the kill chain is understood, CISOs can make prag-matic decisions to improve their security posture.

Key Challenges

• The current prevention, prevention, preven-tion approach to dealing with the threat landscape has failed to address advanced and targeted attacks with enough efficacy. • IT security organizations have historical

investments in a protection model that is out of balance with today’s threat landscape. • IT security organizations have largely not

taken into account the kill chain life cycle ap-proach to thinking about adversaries; this is a reason why attackers are continuing to be so successful.

• While the kill chain is easy to comprehend, resourcing to address it in the face of com-petitive business realities and innovation from adversaries is a key challenge. • Common security architectures and

compli-ance regimes are not prioritizing methods to address the kill chain.

Recommendations

• Understand the flow of the kill chain to better understand your adversaries and therefore adjust your defensive tactics to improve your security posture.

• Move to an architecture and develop sup-porting processes that address the postb-reach and exfiltration stages of the kill chain. • Augment existing prevention methods with

methods to detect, deny, disrupt and recover from the activity of threat actors.

• Implement methods that detect and deny threats at each stage of the kill chain. This will significantly increase the defensibility of your environment, since attackers need to execute all phases of the kill chain to be considered successful.

Strategic Planning Assumption

By 2017, security strategies of lean forward orga-nizations will routinely include a mapping of their security architecture and/or their processes to the kill chain life cycle.

Introduction

Targeted attacks have escalated in scale and frequency, and the potential for financial and reputational damage resulting from a breach has increased as a consequence. The ease with which traditional security defenses were bypassed in some incidents has left many organizations feel-ing powerless to defend themselves against these types of threats. This issue has become a concern at the executive boardroom level.

The leading operational archetype in information security practiced by a majority of organizations has a focus on the perimeter, organized accord-ing to defense-in-depth principles. While this gives the appearance of concentrating resources on the most exposed assets and attack vectors, it provides a false sense of security and represents a misallocation of resources. This model means adversary needs to be successful only once out of an unlimited number of attempts. Defenders, conversely, must be right every time.

This has led to a perception that, because there has been a successful malware infection or SQL injection attack against your organization, the adversary has won. The kill chain highlights that this is clearly not the case, because the adversary is victorious only when all phases of the Cyber Kill Chain (CKC) have been executed successfully. Rather than thinking that someone wins when an organization is compromised, you need to move to a mindset of: “Did they achieve their goal of exfiltrating data?”

(5)

The CKC is a reference model representing the stages of an attack, mapped distinctively to activities that encompass current attack meth-odologies. It breaks an attack into seven distinct stages or phases, each allowing a breach to be prevented, discovered or successfully mitigated. The CKC reference model can show how your organization can detect, deny, disrupt and recover at each phase. By aligning enterprise defenses to the same success criteria as that of adversaries, you can right size the prevention centric approach that has dominated enterprise thinking and spending on IT security to date.

Analysis

The Phases of the Cyber Kill Chain

The CKC is historically a well-understood concept in military circles that is now being ap-plied to cyber security. Originally developed by Lockheed Martin1 in 2011 as an intelligence-driven network defense process, it describes the phases that an adversary will take when targeting your environment, exfiltrating data and maintaining persistence in an organization. It is also similar to a majority of penetration testing methodologies and is often described as an at-tack chain. The two are closely related and can often be used interchangeably.

This research will show that the adversary is only successful when all phases of the kill chain have been executed. So rather than thinking that if adversaries compromise an organization they win, organizations need to move away from this mindset to ask: “Did they achieve their goal of exfiltrating data?” Our version of defeat is often described and measured in terms that are differ-ent than the way adversaries define victory. The CKC has seven stages:

1 Reconnaissance — This is anything that

can be defined as identification, target selec-tion, organization details, industry-vertical-legislative requirements, information on technology choices, social network activity or mailing lists. The adversary is essentially

looking to answer the questions: “How many methods do we assume will work with the highest degree of success?” and of those, “Which are the easiest to execute in terms of our investment of resources?”

2 Weaponization or Packaging — This takes

many forms: Web application exploitation, off-the-shelf or custom malware, compound document vulnerabilities (PDF, Office) or wa-tering hole attacks. These are prepared with general, opportunistic or very specific intel-ligence on a target.

3 Delivery — Transmission of the payload is

either target-initiated (users browse to a mali-cious Web presence, leading to the dropping of malware, or they open a malicious PDF file) or attacker-initiated (SQL injection or network service exploitation).

4 Exploitation — After delivery to the user or

server, the malicious payload will gain a foothold in the environment by compromising it, usually by exploiting a known vulnerability for which a patch has often been available for months or years. While zero-day exploitation does occur, in a majority of cases, it is often not necessary. 5 Installation — This often takes the form of a

remote-access trojan (RAT). The application is usually stealthy in its operation, allowing persistence or “dwell time” to be achieved. The adversary can then control this without alerting the organization — a common outcome.

6 Command and Control — In this phase,

adversaries have control of assets within your organization through methods of control such as DNS, Internet Control Message Proto-col (ICMP), websites and social networks or other methods of command and control. This channel is how the adversary tells the controlled “asset” what to do next and what information to gather. The methods used to gather data under command include screen captures, keystroke monitoring, password

(6)

cracking, gathering of sensitive content and documents, and network monitoring for credentials. Often a staging host is identified to which all internal data is copied, and then compressed and/or encrypted and made ready for exfiltration.

7 Actions on Targets — This final phase

cov-ers how the advcov-ersary exfiltrates data and maintains dwell time in an organization and then takes measures to identify more targets, expand their footprint within an organization and — most critical of all — exfiltrate data.

Why Attackers Are So Successful

Adversaries will continue to achieve their objec-tive of successfully completing the CKC unless defenders implement an approach that takes into consideration how an attack is executed. This is difficult to achieve because most soft-ware has not been developed using a security development life cycle (SDL), applications have increased in complexity and people remain a weak link.

We have known for a considerable period of time that the perimeter-centric security approach is not a panacea for all ills, but organizations should not move away from these controls be-cause they provide a solid foundation. However, in order to allocate and prioritize resources, they should be extended with methods based on an understanding of the CKC. Whether adversaries

are motivated by geopolitical, activist or finan-cial motives, they seek to fulfill specific goals of obtaining an organization’s data. Although we tend to think of IT security in terms of network security, host security and identity security, an “adversary-centric” model is a better-suited and more effec-tive approach in today’s threat landscape.

How Organizations Should Address

the Cyber Kill Chain

Instead of continuing to invest primarily in defend-ing an organization’s perimeter, a more pragmatic approach focuses on detecting, denying, disrupt-ing and recoverdisrupt-ing as it allows for identification capabilities after a breach. This places the focus on protecting enterprise data, instead of looking at this as a collection of technology point solutions. A success rate of 100% for prevention against all steps of the attack chain is not attainable. This is also not necessary, as attackers must complete all phases to achieve their goals. Therefore planning for the prevention of privilege escalation, detect-ing postcompromise activity, stoppdetect-ing exfiltration of sensitive data and denying the attacker persis-tence are key.

At a high level, you must take the seven phases of the kill chain that are illustrated in Table 1 and then identify how you can detect, deny, disrupt and recover at each phase.

Figure 2. Diagram of the Cyber Kill Chain

(7)

Phase Detect Deny or Contain Disrupt,

Eradi-cate or Deceive Recover

Reconnaissance Web analytics, Internet scanning activity reports, vulnerability scan-ning, external penetration test-ing, SIEM, DAST/ SAST, threat intel-ligence, TIP

firewall ACL, sys-tem and service hardening, net-work obfuscation, logical segmenta-tion

honeypot SAST/DAST

Weaponization sentiment analy-sis, vulnerability announcements, VA NIPS, NGFW, patch manage-ment, configura-tion hardening, application reme-diation SEG, SWG,

Delivery user training, security analytics, network behav-ioral analysis, threat intelligence, NIPS, NGFW, WAF, DDoS, SSL inspection, TIP SWG, NGIPS, ATD, TIP

EPP backup or EPP

cleanup

Exploitation EPP, NIPS, SIEM, WAF

EPP, NGIPS, ATD, WAF

NIPS, NGFW, EPP, ATD

data restoration from backups Installation EPP, endpoint

fo-rensics or ETDR, sandboxing, FIM EPP, MDM, IAM, endpoint con-tainerization/app wrapping EPP, HIPS, incident forensics tools incident response, ETDR Command and Control

NIPS, NBA, net-work forensics, SIEM, DNS secu-rity, TIP IP/DNS reputation blocking, DLP, ATA DNS redirect, threat intelligence on DNS, egress filtering, NIPS incident response, system restore

Action on Targets logging, SIEM, DLP, honeypot, TIP, DAP egress filtering, SWG, trust zones, DLP QoS, DNS, DLP, ATA incident response

Source: Gartner (August 2014)

(8)

The section below expands on the table above, giving specific examples and guidance that orga-nizations can investigate. Adding more technology is often not required, but CISOs should take full advantage of improving the effectiveness of exist-ing tools and processes already at their disposal.

Reconnaissance

This phase is often executed without knowledge of your organization. Approaches for this phase are: • Perform regular external scanning and

pene-tration testing to highlight what an adversary would find if and when your organization comes under scrutiny. This information can be used to remediate vulnerabilities, reduc-ing the attack surface area.

• Use search engines to uncover cached content that can be used for exploits or that discloses information that would make it easier to target the environment.

• Utilize sentiment analysis, a newer method for monitoring both public and underground Internet sites, to look for activity that is spe-cifically related to your organization.

• Ensure that perimeter controls and Internet-facing services are aggressively enforcing the principle of least privilege, including service hardening.

• Use analytics to detect indicators of unwant-ed activity against Internet-facing services like Web servicers, DNS servers, email and VPN gateways.

• Use honeypots where adversary activity can be monitored for exploitation tactics.

• Use software application security testing (SAST) and security development life cycle (SDL) to make sure that applications aren’t leaking sensitive details and are processing untrusted input correctly.

Weaponization

This phase is often performed with no specific knowledge of the organization being targeted. Organizations need to take proactive steps: • Keep abreast of newly disclosed

vulnerabili-ties and have up-to-date data about which vulnerabilities have weaponized exploits avail-able for them. With this information, prioritize patching them or implementing mitigating controls like virtual patching through intrusion prevention systems (IPSs).

• Investigate the use of threat intelligence pro-viders that can add value with threat forecast-ing and advanced notification of impendforecast-ing activity against your organization. An example would be notification of a phishing template becoming available for sale that is designed to look identical to your organization’s. • Investigate the use of threat intelligence

plat-forms (TIPs) to add in threat and adversary tracking.

Delivery

An array of traditional controls can assist greatly in denying access to your environment:

• Firewall or next-generation firewall to control traffic at the perimeter

• Next-generation intrusion prevention to pro-vide visibility and prevention of compromise attempts

(9)

• Email and Web gateway security to enforce multiple methods of content inspection for malicious and unwanted activity

• Distributed denial of service (DDoS) pre-vention to ensure the business can continue to transact under high volumes of traffic or other methods of application-specific DDoS activity

• Web application firewall (WAF) to prevent the exploitation of e-commerce infrastructure • Network behavioral analysis (NBA) and

security analytics, where network traffic pat-terns and content can be reviewed for indi-cators of compromise and suspicious activity • Payload inspection technology that uses

techniques like CPU emulation and sand-boxing to provide a behavioral-centric method of malware detection

• DNS security to give visibility and protection against the resolution of unwanted or mali-cious hosts

Exploitation

An array of network, host and server technolo-gies in conjunction with continuous monitoring can detect and deny access to the organization’s environment:

• Security information and event management (SIEM) to correlate the events and logs from multiple security, infrastructure and identity elements to provide better visibility of mali-cious behavior

• Prevention-focused security technologies like firewall, endpoint protection platform (EPP), network generation intrusion prevention sys-tem (NGIPS), email and Web security

• Advanced targeted attack (ATA) or advanced persistent threat (APT) technologies that can provide enhanced detecting against new threats or variants of existing threats

• Security analytics to review full session analy-sis detailing the exploitation and subsequent activity with a high level of details

• Threat intelligence usage in SIEM and network security technologies to provide additional detec-tion and prevendetec-tion opportunities

Installation

During this phase of the kill chain, host-specific methods are the primary method to detect the execution of malicious content:

• EPP can deliver multiple methods of malware prevention, browser security and application whitelisting.

• Mobile device management can control and deny unwanted applications to run on bring your own device (BYOD) devices. This can also deny user-installed applications from ac-cessing corporate-sensitive data via methods like per-application authentication VPN and containerization.

• Identity and strong authentication methods can reduce the chance of installation and ac-cess to data.

Once identified, recover from the situation by being able to:

• Perform incident response

• Recover compromised data from backups • Restore servers and end-user devices back to

(10)

• Potentially comply with law enforcement at-tempts to prosecute malicious actors • Report on details of the breach and other

compliance mandates (such as reports to financial regulators, on any further impact expected by the company)

Command and Control

With this phase of the CKC, look for methods that detect the adversary’s attempts to control assets that have been previously compromised. If there are infected devices with remote-access trojans or rootkits, use methods such as:

• IP and DNS reputation-filtering capabilities of network behavioral analysis (NBA) tools, network forensics tools, next-generation firewalls, intrusion prevention systems and security Web gateways

• DNS security, where internal DNS servers themselves have threat intelligence capabilities to deny name resolution of malicious hosts • SIEMs with watchlists, threat intelligence and

other policies configured to detect this type of out-of-character behavior

Action on Targets

During this phase, the adversary is trying to perform the most important part of its activity. This is to exfil-trate the data gathered in this and earlier phases of the kill chain. Methods to be addressed are: • After a compromise, all subsequent attack

activity is performed as internal or trusted users. A SIEM, data loss prevention (DLP) or database activity monitoring and protection (DAP) function performing continuous moni-toring can assist with identifying trusted user access to data that is not specific to their role, access to data in volumes previously unseen, access to data at times of day that is out of character, and access to data from locations previously unseen.

• Network behavioral analysis can highlight de-vices that are moving data around that is not part of its role (traffic to hosts that stand out), an exceedingly high volume of DNS traffic to an external DNS server that is not defined for external host name resolution, traffic protocols being actively used that are against policy. • Next-generation firewalls can identify a

trust-ed user attempting clearly malicious activity such as an FTP session to an unexpected destination.

(11)

ACL access control list ATD advanced threat defense

DAP database activity monitoring and

protection

DAST dynamic application security testing DBSM database security monitoring DLP data loss prevention

EPP endpoint protection, including host-

based features like firewall, anti-mal ware, whitelisting and disk encryption

ETDR endpoint threat detection and response FIM file integrity monitoring

HIPS host-based intrusion prevention system IAM identity and access management

MDM master data management NGFW next-generation firewall

NGIPS network generation intrusion preven-

tion system

NIPS network intrusion prevention system QoS quality of service

SEG secure email gateway

SIEM security information and event

management

SSL Secure Sockets Layer SWG secure Web gateway

TIP threat intelligence platform

VA vulnerability assessment

Acronym Key and Glossary Terms

Evidence

“Mitre’s Cybersecurity Threat-Based Defense” 1 “Lockheed Martin’s Cyber Kill Chain”

Source: Gartner Research, G00263765, Craig Lawson, 15 August 2014

About Proofpoint, Inc.

Proofpoint Inc. (NASDAQ:PFPT) is a leading next-generation security and compliance company that provides cloud-based solutions for comprehensive threat protection, incident response, secure commu-nications, social media security, compliance, archiving and governance. Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system. Proofpoint protects against phishing, malware and spam, while safeguarding privacy, encrypting sensitive infor-mation, and archiving and governing messages and critical enterprise information. More information is available at www.proofpoint.com.

Defending against Advanced Threats: Addressing the Cyber Kill Chain is published by Proofpoint Editorial content supplied by Proofpoint is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Proofpoint’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced indepen-dently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.

References

Related documents

We help customers solve their biggest and most complex cyber challenges, from providing computer network defense and addressing advanced persistent threats to cyber.. hardening

– The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to

Confirm and carry out the following procedure until software is upgraded. When the power supply is shut off during operation, the following re-setup is required. Please hand

We develop an endogenous growth model with R&D spillovers to study the long run consequences of o¤shoring with …rm heterogeneity and incomplete contracts.. In so doing, we

As per RQ1, we are interested in the physical location of the protest event. As mentioned, participants in the Student Strike 4 Climate may feel an increased need to ground the

By increasing the level of protection associated with the authentication process by requiring a second factor, Two-Factor authentication mitigates the risk of attackers

The monetary policy divergences of the main central banks and the fall in oil prices shaped the behaviour of the international financial markets.. BANCO DE ESPAÑA 3 ECONOMIC

Lycopodium provided preliminary and detailed design, cost estimating, procurement and construction management services for Orica Australia in the upgrade of their Hydrochloric