Breaking The Cyber Kill Chain. Disrupting attacks in the post-perimeter security era with Adaptive Defense

Transcription

1 Breaking The Cyber Kill Chain Disrupting attacks in the post-perimeter security era with Adaptive Defense

2 Breaking The Cyber Kill Chain Disrupting attacks in the post-perimeter security era with Adaptive Defense Modern computer attacks have evolved much more rapidly than protective solutions, leaving information security organizations with multiple blind spots when looking for the next cyber strike. For over a decade enterprises have deployed defense-in-depth technologies to provide a layered approach to security, with the desired intent of mitigating the ever-evolving threats from the perimeter to the desktop. These static defenses initially provided a solid set of countermeasures, but as organizations adopt fluid and elastic technologies such as virtualization and bring-your-owndevice (BYOD) mobility, the static defense-in-depth approach begins to look more like the infamous French Maginot Line than an effective fortification. Cyber criminals have capitalized on this, refining their methods of attack and bypassing these defenses. This causes the average IT department to lose critical visibility into new iterations of malware that target previously unknown zero-day vulnerabilities. The signature-based technology prevalent in the vast majority of enterprise defense-in-depth architectures completely lacks the means to defend against these zero-day, multi-stage, and polymorphic attacks. Same security ineffectiveness is introduced by anomaly detection tools or perimeter sandboxing devices (easily bypassed by armored malware). Many of these new attacks are more complex, involving vertical and horizontal movement across multiple elements of the datacenter. Unfortunately, traditional perimeter and static defenses are unable to detect or effectively defend against the spread of these attacks at the core of the network. In fact, most of the advanced persistent threats (APT) that are responsible for massive data breaches follow this pattern of vertical and horizontal movement to conquer enterprise networks and eventually steal data through a technique commonly referred to as data exfiltration. In fact, even if the malicious tools that criminals use are constantly changing, the underlying methods employed by advanced attackers are so predictable that the security research community has given this multi-stage chain of events its own name: the kill chain. The emerging defense philosophy is that if security departments can institute the right defense- Page 1 of 5

3 in-depth technology and the right processes to stop attacks during an earlier stage of the kill chain, they can stop the consequences that come during later stages, such as mass infection and data compromise. The problem is that until now, technological blind spots have prevented organizations from detecting, analyzing, and disrupting the early and middle stages of the cyber-attack kill chain. Fortunately, a new generation of advanced malware detection and containment technology has now made it possible to eliminate these blind spots by breaking the kill chain barrier. Here's how kill chain analysis works and why these new platforms can have an unprecedented impact on fighting the early stage of these threats. Understanding Kill Chain Analysis The concept of a cyber-security kill chain, first introduced to the information security world from security incident responders at Lockheed Martin, illustrates the usual structure of an APT attack in a model that can help the defenders better fight the bad actors. As the security community has taken the idea and run with it, it has refined that kill chain model, which can be simplified into six stages of attack: Stage One: External scan or footprinting of the target network or target systems Stage Two: Initial exploit of vulnerability based on information gained in Stage One via social engineering, drive-by download attack, watering hole attack, or any other weapon in the attacker's arsenal Stage Three: Secondary exploit of infected systems, typically using more advanced zeroday vulnerabilities to compromise internal accounts Stage Four: Solidifying internal control within the network through admin accounts compromised during Stage Three, essentially gaining insider access to certain internal systems Stage Five: Lateral movement throughout the network, compromising more machines, taking over more accounts, and searching for sensitive or targeted data Stage Six: Acquisition and exfiltration of sensitive or targeted data "Kill chain analysis illustrates that the adversary must progress successfully through each stage of the chain before it can achieve its desired objective; just one mitigation disrupts the chain and the adversary." 1 -- Intelligence- Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains; Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin; Lockheed Martin Corporation The progression through this kill chain is often a lengthy process sometimes taking a year or longer. The idea for defense is to not only block attacks as early in the kill chain as possible but also institute controls that would allow the organization to track an attack if any part of it slips through early-stage defense and progresses into later stages. 1 Page 2 of 5

4 Blind Spot Barriers to Stop the Kill Chain The principle of blocking attacks sounds simple enough. But the difficulty in execution lies within today's information security toolset. As seen below, the ability of legacy tools to detect known attacks varies significantly. This is of particular concern for enterprises that face these threats - as well as the exponentially increasing zero-day and targeting attacks - on a daily basis. Here's how one expert, Allen Harper, executive vice president and chief hacker of Tangible Security, author of Gray Hat Hacking, and a seasoned security researcher, explains the problem: The idea of the kill chain is to break this chain as early as possible. But until now there's not been any good tools available to do that particularly if you put zero-days on the table. Most of today's tools are signature-based and with that, good luck finding techniques that have never been seen before. As a result, the vast majority of tools designed to stop attacks during the first half of the kill chain let the most dangerous threats slip by. Meanwhile, many additional layers of security that departments have stacked on top of this shaky foundation have not been effective due to a number of reasons. For example, data leak protection is designed primarily to detect attacks during the final stage too late in the kill chain to be much more than a last-ditch gamble. And many anomaly-based network protection tools require so much tuning, care, and feeding that in spite of advanced capabilities, organizations don't have the personnel or expertise to use them effectively. Many times these tools sleep right through problems, which results in false negatives and a subsequently dangerous false sense of security that allows attackers to keep progressing through the kill chain while security teams think their computer systems are protected. Page 3 of 5

5 Several years ago, honeypots offered many within the security community hope for more reliable method of detecting malicious behavior on the network. The idea of these fake systems is that any activity on them is necessarily malicious, or at least misconfigured. Unfortunately, until now honeypots have proven so manpower intensive they're manually implemented and maintained that they've fallen into disfavor. Even Harper, a champion of honeypot methods as a former participant in the Honeynet Project, says he's been resistant to using honeypots regularly over recent years. Clearly, if organizations are to use kill chain analysis and adjustments, something has to change technologically. Disrupting Malicious Movement Before the End of the Kill Chain TrapX hopes to be the agent of that change. A valuable tool in APT defense, the TrapX platform offers an affordable and automated way to track and block malicious behavior before attackers reach the end of the kill chain. TrapX has taken the honeypot idea to the next level. The company's virtualized automated honeypot platform not only emulates hundreds of nodes across the network it also senses hostile scans and spins up targeted honeypots where they're needed most. By embedding dozens or hundreds of sensors throughout the core of the network, TrapX protects a much larger surface area than traditional solutions and fundamentally denies malware the freedom to move. These honeypot sensors form the foundation of a malware trap that picks up anomalous behavior at stage one of the kill chain. But TrapX doesn't stop there; it goes several steps further to take out any attacks in later stages that may have slipped by the honeycomb of sensors. The system can be deployed on a single virtual server, eliminating the installation and maintenance of physical honeypots or agents on hundreds of physical and virtual servers. The problem with most security technologies these days is that they lack the capability to track attacks once they've gotten past the first few stages of the kill chain. But when TrapX's malware trap sensors pick up malicious activity, the platform uses sandboxing to perform root cause analysis, pairs that information with external threat intelligence feeds, and leverages an internal business intelligence engine to remediate the root cause throughout the entire network. Information is fed into an integrated deep packet inspection (DPI) engine to offer visibility into the kind of telltale outbound traffic seen from attacks that have progressed later into the kill chain. This approach can be seen in the diagram below: Page 4 of 5

6 The solution spans multiple phases of the event lifecycle: Detecting and blocking the kill chain in the early stages, including dynamic generation of virtual honeypots in realtime when scans are detected Leveraging a malware trap engine to automatically sandbox the attacker in a honeynet Conducting deep automated forensics of the payload, providing evidence for prosecution Integrating outside threat intelligence to derive attribution Pushing automatically generated signature policy to the DPI engines monitoring out-bound network traffic Detecting any host on the network that has been compromised with the malware This Adaptive Defense approach provides unprecedented capabilities for detecting, analyzing, blocking, and remediating threats in real time as they progress through their unique sequences. "TrapX has radically lowered the cost of deploying honeypot networks, while raising the cost for attackers who are now much more likely to have their exploits discovered and exposed. Their solution is very unique in the marketplace, and represents the kind of new countermeasures that will be critical for disrupting multiple kill chain stages of sophisticated APTs, Harper says. Page 5 of 5