Tuesday, November 11, 2014

Other Links of the Cyber Kill Chain


My blog is in Turkish but as this post was commented on in a rather large English speaking group, I wanted to spare anyone who'd be interested the pain of having to read it using Google translate. This post followed a post introducing the "Cyber Kill Chain" concept. 

Lockheed Martin, the company manufacturing aircrafts such as F-16, F-117 and the F-35 introduced the term "Cyber Kill Chain".

Pic 1: F-35 manufactured by Lockheed Martin

Pic 2: Turkey is one of the countries involved in the F-35 project

The "Cyber Kill Chain" approach introduced by the Incident Response Team at Lockheed Martin can be considered as a list of "unfortunate events" that are required for an attack to be successful.

The steps of a successful attack can be briefly listed as follows:
  1. Information gathering: Gathering information on the target. This step also include "Open Source Intelligence" (gathering information freely and openly available about the target) so the attacker can have a better understanding of the target.  
  2. Weaponization: Preparing the necessary software, backdoor or exploit code for the attack.
  3. Delivery: Sending the weaponized code to the target.
  4. Exploit: Activate the backdoor or exploit code to gain initial access to target systems. 
  5. Installation: Installing persistent backdoors and other code needed to move within the target network.
  6. Taking command: Gaining remote access to target systems and/or network.
  7. The kill: Performing the real attack depending on the needs of the attacker (leaking or deleting data, eavesdropping, etc..) 

Breaking the above mentioned chain in one or several steps will stop the attack or seriously cripple its success. Focusing on breaking this "Cyber Kill Chain" should be considered as a viable and efficient defense technique. However, it should be noted that the step at which we can break the chain will impact the cost and complexity of the defenses required. For example, placing a firewall is easier compared to a complex log gathering and correlation solution that aims to uncover possible malicious movements within the network. 
It would be safe to assume that aiming to break the chain as early as possible will, not only be easier and cheaper, but also provide us with an additional layer of security. There isn't much that can be done about the reconnaissance step as it's relatively hard to control information indexed by third parties. 
Perimeter security measures such as IDS/IPS (Intrusion Detection System / Intrusion Prevention Systems) or firewalls will try to avoid the initial breach. Having different VLANs, controlling LAN traffic with a firewall and monitoring logs we can stop the attacker from moving within the network or installing more backdoors. 
This is where vulnerability management comes into play, as an additional layer of security between the open source intelligence gathering and the attack. 
Vulnerability scanning will give us an overview about how vulnerable our systems and network are to an attacker. One might easily argue that vulnerability scanning won't provide every single attack vector that can be exploited by a skilled attacker and be right. As a strong believer in the "golden mean" or its more understandable version "perfect is the enemy of good", I think we shouldn't dismiss vulnerability scanning as an effective proactive security measure just because "it's not a pentest" or "hackers don't use Nessus" or "they can APT the hell out of you anyway". 
Basically, an attacker can have 3 good attack vectors he can use to gain access to the target system and network. These are; systems that can be reached from the internet, systems that can reach the internet and internal systems with known vulnerabilities. 
Systems that can be reached from the Internet: Knowing what systems are reachable from the Internet is vital. Any attacker worth his/her salt will be able to locate every Internet facing IP in your network. When we hear the words "Internet facing" we tend to think about that web server in our DMZ or such. I wih life was that simple. There have been many times I've found servers and clients open to the internet about which the Admins knew nothing. Regularly controlling all internet facing systems within your IP range will able you to spot these before attackers do (proactive security at its finest). 
Systems that can reach the internet: Basically all your clients. We need to remember that browsers are not the only systems that can reach the internet. Things such as instant messaging solutions and stock market tracking applications should also be taken into account. 
Known vulnerabilities on internal systems: This is the MS08-067 or the unpatched windows we find during penetration tests. They provide a good foothold for any movement within the network. 
These 3 attack vectors provide good opportunities to break the kill chain. 

Pic 3: "Cyber Kill Chain" facing an effective vulnerability management process (representational)

Creating and implementing even a basic vulnerability management process will provide an extra layer of security. Imagine having an invisible layer between the step where the attacker gathers information on your company using Google and the step here he/she is trying to avoid being detected by the IPS. 
A vulnerability management system can even be implemented using an open source vulnerability scanner such as OpenVAS or using a more rounded commercial tool such as Tenable's Security Center. 

Pic 4: Screenshot from Tenable Security Center 

No comments:

Post a Comment

MITRE ATT&CK Gerçek Hayatta Ne İşimize Yarar?

  Rusya kaynaklı siber saldırılar webinarı sırasında üzerinde durduğum önemli bir çalışma vardı. MITRE ATT&CK matrisini ele alıp hangi...