USING AN EXPANDED CYBER KILL CHAIN MODEL TO INCREASE ATTACK RESILIENCY SEAN T MALONE

Similar documents
Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

Post-Access Cyber Defense

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

Penetration Testing Report Client: Business Solutions June 15 th 2015

Advanced Threat Protection with Dell SecureWorks Security Services

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Breaking the Cyber Attack Lifecycle

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Protecting Your Organisation from Targeted Cyber Intrusion

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

RSA Security Anatomy of an Attack Lessons learned

Enterprise Cybersecurity: Building an Effective Defense

September 20, 2013 Senior IT Examiner Gene Lilienthal

Defending Against Data Beaches: Internal Controls for Cybersecurity

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

TAKING SECURITY TESTING TO THE NEXT LEVEL 5 MAY 2014 STAN HEGT

Enterprise Cybersecurity: Building an Effective Defense

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Locked Shields Kaur Kasak 24 Sept 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

Network Security Landscape

Seven Strategies to Defend ICSs

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Covert Operations: Kill Chain Actions using Security Analytics

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Penetration Test Report

After the Attack. The Transformation of EMC Security Operations

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

Defending Against Cyber Attacks with SessionLevel Network Security

BlackRidge Technology Transport Access Control: Overview

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Concierge SIEM Reporting Overview

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

Internal Penetration Test

Top 20 Critical Security Controls

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Understanding the Security Vendor Landscape Using the Cyber Defense Matrix

Vulnerability Assessment and Penetration Testing

Presented by: Mike Morris and Jim Rumph

Pass-the-Hash. Solution Brief

Protecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes!

Penetration Testing Services. Demonstrate Real-World Risk

Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Ty Miller. Director, Threat Intelligence Pty Ltd

Where every interaction matters.

WHY ATTACKER TOOLSETS DO WHAT THEY DO

Advanced Persistent Threats

5 Steps to Advanced Threat Protection

Cybersecurity and internal audit. August 15, 2014

Stay ahead of insiderthreats with predictive,intelligent security

Metasploit The Elixir of Network Security

SIEM is only as good as the data it consumes

IBM Security Strategy

Bad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up

Why Device Fingerprinting Provides Better Network Security than IP Blocking. How to transform the economics of hacking in your favor

Helping Government Agencies Become Secure by Default

Practical Steps To Securing Process Control Networks

24/7 Visibility into Advanced Malware on Networks and Endpoints

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

CMPT 471 Networking II

Penetration Testing - a way for improving our cyber security

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps

External Scanning and Penetration Testing in PCI DSS 3.0. Gary Glover, Sr. Director of Security Assessments

Practical Threat Intelligence. with Bromium LAVA

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Security A to Z the most important terms

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

Software that provides secure access to technology, everywhere.

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

DoD Strategy for Defending Networks, Systems, and Data

Developing Secure Software in the Age of Advanced Persistent Threats

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation

Penetration Testing with Kali Linux

External Supplier Control Requirements

Strategies to Mitigate Targeted Cyber Intrusions Mitigation Details

8/27/2015. Brad Schuette IT Manager City of Punta Gorda (941) Don t Wait Another Day

Discovering Threats by Monitoring Behaviors on Endpoints

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Advanced Threats: The New World Order

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

Network/Cyber Security

Evolution Of Cyber Threats & Defense Approaches

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

DYNAMIC DNS: DATA EXFILTRATION

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Information Technology Branch Access Control Technical Standard

IT Security Risks & Trends

Hunting for Indicators of Compromise

Transcription:

USING AN EXPANDED CYBER KILL CHAIN MODEL TO INCREASE ATTACK RESILIENCY SEAN T MALONE @SEANTMALONE WWW.SEANTMALONE.COM WWW.FUSIONX.COM

PRESENTER BACKGROUND 10+ Years in Offensive Information Security 4 Years of Adversary Simulation with FusionX Executing Realistic Attack Simulations and Responding When it s NOT a Drill 2

AGENDA Legacy Cyber Kill Chain Model The Expanded Cyber Kill Chain Model - The Internal Kill Chain - The Manipulation Kill Chain Understanding the Stages of a Sophisticated Attack Using the Expanded Model to Build a Resilient Enterprise 3

LEGACY CYBER KILL CHAIN MODEL Weaponization Delivery Installation Command & Control (C2) Actions on Objectives Harvesting email addresses, conference information, etc. Coupling exploit with backdoor into deliverable payload Delivering weaponized bundle to the victim via email, web, USB, etc. Exploiting a vulnerability to execute code on victim s system Installing malware on the asset Command channel for remote manipulation of victim With Hands on Keyboard access, intruders accomplish their original goal From http://cyber.lockheedmartin.com/solutions/cyber-kill-chain 4

LEGACY CYBER KILL CHAIN MODEL The Cyber Kill Chain model, as sexy as it is, reinforces old-school, perimeterfocused, malware-prevention thinking. - Giora Engel, Deconstructing The Cyber Kill Chain, Dark Reading 2014 Excellent for [external] attacks, but doesn t exactly work for insider threats. - Patrick Reidy, Combating the Insider Threat at the FBI, Black Hat USA 2013 In today s environment, every cyber attacker is a potential insider. - Matt Devost, Every Cyber Attacker is an Insider, OODA Loop 2015 5

LEGACY CYBER KILL CHAIN MODEL Perimeter Breach Kill Chain Weaponization Delivery Installation Command & Control (C2) Actions on Objectives Harvesting email addresses, conference information, etc. Coupling exploit with backdoor into deliverable payload Delivering weaponized bundle to the victim via email, web, USB, etc. Exploiting a vulnerability to execute code on victim s system Installing malware on the asset Command channel for remote manipulation of victim With Hands on Keyboard access, intruders accomplish their original goal GAME OVER? 6

Example Manipulation Objectives: Financial Theft Modify queued wire transfers to redirect payments Reputation Impact and Loss of Market Share through DoS Disable all company workstations Disable Infrastructure in Preparation for Kinetic Attack Quickly cycle smart electric meters to overload grid Provide Propaganda Support for Coup Attempt Hijack television broadcast Cause Terror in Regional Population Change concentration of chemicals added to water supply

THE EXPANDED CYBER KILL CHAIN MODEL LEGACY CYBER KILL CHAIN Breach the Enterprise Network Perimeter INTERNAL KILL CHAIN Gain Access to Systems TARGET MANIPULATION KILL CHAIN Manipulate Systems to Achieve Objective 8

THE EXPANDED CYBER KILL CHAIN MODEL LEGACY CYBER KILL CHAIN External Weaponization Delivery External Installation Command & Control Actions on Objectives Common to Most Objectives Internal Internal INTERNAL KILL CHAIN Ent. Privilege Escalation Lateral Movement Manipulation Objective-Specific TARGET MANIPULATION KILL CHAIN Weaponization Installation Execution 9

10

ALTERNATIVE: SPIRAL MODEL 11

ALTERNATIVE: TREE MODEL X X Origin X Objective X X X 12

UNDERSTANDING THE STAGES OF A SOPHISTICATED ATTACK 13

INTERNAL RECONNAISSANCE INTERNAL KILL CHAIN Internal Internal Enterprise Privilege Escalation Lateral Movement Manipulation OBJECTIVE Data mine available systems and map the internal network and vulnerabilities OFFENSIVE TTPS DOMEX of local files, network shares, browser history, wiki/sharepoint Light service probing TIME REQUIRED 1 to 2+ Weeks DEFENSIVE TTPS Prevent: Granular resource authorization Detect: Behavioral changes from this IP & user account 14

INTERNAL EXPLOITATION INTERNAL KILL CHAIN Internal Internal Enterprise Privilege Escalation Lateral Movement Manipulation OBJECTIVE Exploit information and vulnerabilities on internal systems OFFENSIVE TTPS System vulnerabilities Web application vulnerabilities LLMNR/NBNS Spoofing TIME REQUIRED 2 Days DEFENSIVE TTPS Prevent: Patch & vuln. management (including dev & test systems) Detect: Endpoint protection 15

ENTERPRISE PRIVILEGE ESCALATION INTERNAL KILL CHAIN Internal Internal Enterprise Privilege Escalation Lateral Movement Manipulation OBJECTIVE Leverage compromised accounts and trust relationships to gain a high level of privilege OFFENSIVE TTPS Kernel / system vulns. Pass-the-hash & Mimikatz Unprotected SSH keys Creds in configuration files TIME REQUIRED 1 to 3 Days DEFENSIVE TTPS Prevent: Run as leastprivilege accounts; use good security hygiene Detect: Behavioral analytics 16

LATERAL MOVEMENT INTERNAL KILL CHAIN Internal Internal Enterprise Privilege Escalation Lateral Movement Manipulation OBJECTIVE Pivot through compromised systems into restricted network zones OFFENSIVE TTPS virtualization, backup, config management layers Layer SSH proxy tunnels to go deep TIME REQUIRED 4 Hours DEFENSIVE TTPS Prevent: Segmented security zones at all layers Detect: Behavioral analysis of successful login events 17

TARGET RECONNAISSANCE TARGET MANIPULATION KILL CHAIN Weaponization Installation Execution OBJECTIVE Map & understand objectivespecific systems OFFENSIVE TTPS DOMEX of Vendor documentation, internal training, source code Standard admin utilities TIME REQUIRED 1 Week to 3 Months DEFENSIVE TTPS Prevent: Restricted access to documentation & specifications Detect: Access patterns 18

TARGET EXPLOITATION TARGET MANIPULATION KILL CHAIN Weaponization Installation Execution OBJECTIVE Gain access to target systems via trust relationships or new vulnerabilities OFFENSIVE TTPS Default credentials, EOL systems, vendor backdoors Trust relationships with central authentication system TIME REQUIRED 1 Hour DEFENSIVE TTPS Prevent: Change defaults & segregate authentication Detect: Endpoint protection and behavioral analytics 19

WEAPONIZATION TARGET MANIPULATION KILL CHAIN Weaponization Installation Execution OBJECTIVE Develop platform-specific malware to subvert target systems & business processes OFFENSIVE TTPS Duplicate target environment in a lab Extract, decompile, and reverse proprietary software TIME REQUIRED 1 Week to 3 Months DEFENSIVE TTPS Prevent: Harden/obfuscate applications to make reversing difficult Detect: N/A - working offline 20

INSTALLATION TARGET MANIPULATION KILL CHAIN Weaponization Installation Execution OBJECTIVE Deploy custom malware to target systems OFFENSIVE TTPS Patch or replace scripts, binaries, and configurations Tamper with detective controls TIME REQUIRED 1 Hour DEFENSIVE TTPS Prevent: Application signing Detect: File integrity monitoring, redundant processing systems 21

EXECUTION TARGET MANIPULATION KILL CHAIN Weaponization Installation Execution OBJECTIVE Activate malware to subvert target system operation, with material consequences OFFENSIVE TTPS Wait for optimal timing (market or geopolitical) May be all at once or slow damage over time TIME REQUIRED 1 Second DEFENSIVE TTPS Response controls have you war-gamed this? Breach insurance may help mitigate impact 22

BUILDING A RESILIENT ENTERPRISE 23

THE RESILIENT MINDSET EVERY CONTROL WILL FAIL If the adversary has access to: The internal corporate network Any username and password All documentation & specifications What would you do differently? 24

THE CYBER DEFENSE THRESHOLD Threshold of Defender Success Detection & Response Controls Prevention Controls (For a Given Adversary Sophistication) Time Required for Adversary to Achieve Objective Time Required to Detect and Eradicate Intrusion 25

CHANGING THE ECONOMICS Value to Adversary of Defended Asset ($) Safe Zone (Negative Adversary ROI) Level of Sophistication = Level of Adversary s Investment Adversary Investment ($) Danger Zone (Positive Adversary ROI) Strength of Defenses (Prevention + Detection) 26

FINAL THOUGHTS, QUESTIONS, AND DISCUSSION (SLIDES AVAILABLE AT) SEAN T MALONE @SEANTMALONE WWW.SEANTMALONE.COM 27

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information