How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/authentication/167901072/security/attacks-breaches/240148399/how-lockheed-martin-s-kill-chain-stopped-securid-attack.html

By Kelly Jackson Higgins
Dark Reading
Feb 12, 2013

A few months after RSA had rocked the security world with news that it had been 
breached and its SecurID database exposed in a sophisticated attack, defense 
contractor Lockheed Martin discovered an intruder in its network using 
legitimate credentials.

"We almost missed it," says Steve Adegbite, director of cybersecurity for 
Lockheed Martin, of the intrusion sometime around May or early June 2011. "We 
thought at first it was a new person in the department ... but then it became 
really interesting."

The poser was using valid credentials of one of Lockheed's business partners, 
including the user's SecurID token. Adegbite says it soon became obvious that 
this user wasn't performing his or her normal operations. "They tripped a lot 
of alarms," he says. "They were trying to pull data in stages," and the 
attacker was going after data unrelated to the user's work he or she was 
impersonating, he says.

So Lockheed launched its homegrown Cyber Kill Chain framework, a process that 
basically tracks an intruder's movements and throws barriers in the way of each 
attempt to siphon data out of the network. Adegbite detailed this 
multimillion-dollar framework for stopping advanced persistent threat (APT) 
attackers last week at the Kaspersky Security Analyst Summit in San Juan, 
Puerto Rico. The Kill Chain aims to stop the attackers who get inside from 
taking anything with them on the way out.

[...]


______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org