BreachExchange mailing list archives

Treat cyberspace like a battlefield


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 1 May 2014 19:46:33 -0600

http://www.techrepublic.com/article/treat-cyberspace-like-a-battlefield/#.

Treating cyberspace like a battlefield is gaining momentum among
information-security professionals. Proponents also suggest private
organizations adapt military-style strategies to defend their internet
presence. One such game plan involves analyzing what Lockheed Martin calls
the Cyber Kill Chain. The concept first surfaced in the seminal paper:
Intelligence-Driven Computer Network Defense Informed by Analysis of
Adversary Campaigns and Intrusion Kill Chains.

The paper, written by Eric M. Hutchins, Michael J. Cloppert, and Rohan M.
Amin of Lockheed Martin, develops a cyber-defense framework based on a
well-known military methodology known as kill chain analysis. Writing in
Foreign Affairs, Admiral Jonathan Greenert, chief of US Naval Operations,
and General Mark Welsh, chief of staff of the US Air Force, described the
term kill chain: "[T]o attack our forces, an adversary must complete a
sequence of actions, commonly referred to as a 'kill chain.' Because each
step must work, our forces can focus on the weakest links in the chain, not
each and every one."

That inverts a mantra anyone involved in IT security has heard: attackers
only need one weakness, whereas defenders must protect against every
eventuality. In kill chain terms, the adversary must succeed at every phase
of the chain, whereas the defender needs to break it at only one.

Why now?

The authors specifically state the kill chain analysis is important because
of an uptick in Advanced Persistent Threats (APT). Also, kill chain
analysis offsets the fact that organizations do not collaborate anywhere
near as much as the bad guys who are attacking them. Arthur Wong, HP senior
vice-president and general manager of HP Enterprise Security Services
(ESS), told ZDNet, "When anyone wants to launch an attack on a particular
company, they're going into chat rooms and asking, 'Hey does anybody own a
computer or a system inside this company?', and someone will put up their
hand, or they'll know someone else, and a deal is negotiated."

Cyber kill chain

The authors took the military's kill chain analysis approach and revamped
it for use by private organizations, mentioning in the paper's
introduction, "Using a kill chain model to describe phases of intrusions,
mapping adversary kill chain indicators to defender courses of action,
identifying patterns that link individual intrusions into broader
campaigns, and understanding the iterative nature of intelligence gathering
based on the intelligence-driven computer network defense."

The introduction referred to "kill chain indicators." The military's
version of the kill chain is the US Air Force's F2T2EA model: Find, Fix,
Track, Target, Engage, and Assess. The authors reworked those phases into
seven phases of a computer network intrusion, so that indicators observed
in any one phase can be mapped to the defensive courses of action
available there:

Reconnaissance: Research, identification, and selection of targets: for
example, crawling internet websites for email addresses, social
relationships, or information on specific technologies.

Weaponization: Coupling a remote-access trojan with an exploit into a
deliverable payload, typically by means of an automated tool (a
"weaponizer"). The exploit gets the payload past defenses; client
application data files such as PDF or Microsoft Office documents
increasingly serve as the weaponized deliverable.

Delivery: Transmission of the weapon to the target. Popular APT delivery
vehicles are email attachments, websites, and USB removable media.

Exploitation: After the weapon reaches the victim host, the exploit
triggers the intruder's code, most often by targeting an application or
operating-system vulnerability, though it may instead exploit the user
directly or abuse an operating-system feature that auto-executes code.

Installation: Installation of a remote-access trojan or backdoor on the
victim system gives the adversary persistence inside the environment.

Command and Control: Compromised hosts typically beacon outbound to a
controller server on the internet. APT malware in particular requires
manual interaction rather than acting automatically, so once the
command-and-control (C2) channel is established the intruder has
"hands on the keyboard" access inside the target.

Actions on Objectives: Only after progressing through the first six phases
can the intruder pursue the reason for the intrusion. Typically that is
data exfiltration, but it may instead be a violation of data integrity or
availability, or using the victim as a hop point to compromise additional
systems and move laterally inside the network.
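The practical payoff of the seven-phase model is the two analyses the paper builds on top of it: mapping the indicators observed in each phase to the defender's courses of action, and linking separate intrusions into one campaign through the indicators they share. The Python below is an added example, not code from the paper, the article, or Lockheed Martin. The two intrusion attempts, every indicator value in them, and the cells of the course-of-action table are constructed for illustration (the table is loosely modelled on the paper's detect/deny/disrupt/degrade/deceive/destroy matrix, but its contents here are assumptions, not a quotation of it).

```python
"""Kill-chain indicator mapping in the style of Hutchins, Cloppert and Amin.

Added example, not code from the paper or the article. Every indicator
value below is constructed for illustration and describes no real incident.
"""

# The seven phases, in the paper's order. Index in this list is the phase
# position, so "earlier" means a smaller index.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Course-of-action matrix: per phase, which defensive action maps to which
# control. Loosely modelled on the paper's table; the cell contents are an
# assumption made for this example.
COA = {
    "Reconnaissance":        {"detect": "web analytics", "deny": "firewall ACL"},
    "Weaponization":         {"detect": "NIDS", "deny": "NIPS"},
    "Delivery":              {"detect": "vigilant user", "deny": "proxy filter",
                              "disrupt": "in-line AV"},
    "Exploitation":          {"detect": "HIDS", "deny": "patch", "disrupt": "DEP"},
    "Installation":          {"detect": "HIDS", "deny": "chroot jail", "disrupt": "AV"},
    "Command and Control":   {"detect": "NIDS", "deny": "firewall ACL", "disrupt": "NIPS",
                              "degrade": "tarpit", "deceive": "DNS redirect"},
    "Actions on Objectives": {"detect": "audit log", "degrade": "quality of service",
                              "deceive": "honeypot"},
}

# Constructed sample: two intrusion attempts reconstructed after the fact,
# each an ordered list of (phase, indicator type, indicator value). The
# second attempt rotated its delivery indicators but reused its tooling.
INTRUSIONS = {
    "intrusion-1": [
        ("Reconnaissance", "url", "http://www.example.test/staff-directory"),
        ("Delivery", "sender", "payroll@mail-example.test"),
        ("Delivery", "attachment_name", "Payroll_Update.pdf"),
        ("Exploitation", "behavior", "pdf reader spawns child process"),
        ("Installation", "file_path", r"C:\Users\Public\svchost32.exe"),
        ("Command and Control", "domain", "update.example-cdn.test"),
    ],
    "intrusion-2": [
        ("Delivery", "sender", "benefits@mail-example.test"),
        ("Delivery", "attachment_name", "Benefits_Enrollment.pdf"),
        ("Exploitation", "behavior", "pdf reader spawns child process"),
        ("Installation", "file_path", r"C:\Users\Public\svchost32.exe"),
        ("Command and Control", "domain", "update.example-cdn.test"),
    ],
}


def known_indicators(intrusion):
    """Set of (type, value) pairs a defender extracts from one intrusion."""
    return {(kind, value) for _phase, kind, value in intrusion}


def shared_indicators(a, b):
    """Indicators two intrusions have in common, sorted by phase order."""
    common = set(a) & set(b)
    return sorted(common, key=lambda ind: (PHASES.index(ind[0]), ind[1], ind[2]))


def link_campaigns(intrusions):
    """Pairs of intrusions sharing at least one indicator, with what they share.

    This is the paper's campaign analysis: overlapping indicators are the
    evidence that separately observed intrusions belong to one adversary.
    """
    names = sorted(intrusions)
    links = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            common = shared_indicators(intrusions[a], intrusions[b])
            if common:
                links[(a, b)] = common
    return links


def earliest_blocked_phase(intrusion, known):
    """Earliest phase at which an already-known indicator appears, or None.

    A defender who turned a prior intrusion's indicators into controls stops
    the next attempt here; the earlier the phase, the less the adversary
    achieves before the chain breaks.
    """
    for phase in PHASES:
        for p, kind, value in intrusion:
            if p == phase and (kind, value) in known:
                return phase
    return None


def courses_of_action(intrusion, known):
    """Per phase where a known indicator was seen, the controls available there."""
    plan = {}
    for phase in PHASES:
        hits = [(k, v) for p, k, v in intrusion if p == phase and (k, v) in known]
        if hits:
            plan[phase] = {"indicators": hits, "actions": COA.get(phase, {})}
    return plan


if __name__ == "__main__":
    for (a, b), common in link_campaigns(INTRUSIONS).items():
        print(f"{a} and {b} share {len(common)} indicators: same campaign")
    known = known_indicators(INTRUSIONS["intrusion-1"])
    print("intrusion-2 breaks at:", earliest_blocked_phase(INTRUSIONS["intrusion-2"], known))
    for phase, detail in courses_of_action(INTRUSIONS["intrusion-2"], known).items():
        print(f"  {phase}: {detail['indicators']} -> {detail['actions']}")
```

Run as-is, the script links the two constructed attempts through three shared indicators and shows that the second attempt, which changed its sender and attachment, is still broken at Exploitation rather than reaching Command and Control. That is the paper's argument in miniature: indicators from later phases of one intrusion become controls for earlier phases of the next, and the defender measures progress by how early in the chain the adversary is stopped.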

An "after the fact" example

A telling example is A "Kill Chain" Analysis of the 2013 Target Data
Breach, a report prepared for the Senate Committee on Commerce, Science,
and Transportation that describes Target's breach phase by phase using
cyber kill chain analysis. Granted, it was after the fact, but if you want
to learn how this militarized technique works, reading the report will
help. One slide in the report points out the weak links in the chain and
suggests ways to improve Target's defenses so that the attack cannot be
repeated.

To militarize or not?

To learn if organizations are implementing cyber kill chain analysis, I had
a conversation with Rodrigo Bijou, consultant at the Data Guild in Palo
Alto. Bijou said, "I've been tasked by major U.S. banks to build features
into their security programs based on their concept of the cyber kill
chain. Specifically, the roadmap for the work I was doing was to be
delivered in stages based on the cyber kill chain: Reconnaissance,
Exploitation, Exfiltration, etc."

What Bijou said next was especially interesting and something worth looking
into. "I think this [cyber kill chain], like APT and other buzz words,
points to a trend where marketing is becoming more influential in driving
product decisions, and what services are delivered," he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

