Breaking The Cyber Kill Chain. Disrupting attacks in the post-perimeter security era with Adaptive Defense


Modern computer attacks have evolved much more rapidly than protective solutions, leaving information security organizations with multiple blind spots when looking for the next cyber strike. For over a decade enterprises have deployed defense-in-depth technologies to provide a layered approach to security, with the intent of mitigating ever-evolving threats from the perimeter to the desktop. These static defenses initially provided a solid set of countermeasures, but as organizations adopt fluid and elastic technologies such as virtualization and bring-your-own-device (BYOD) mobility, the static defense-in-depth approach begins to look more like the infamous French Maginot Line than an effective fortification. Cyber criminals have capitalized on this, refining their methods of attack and bypassing these defenses, and the average IT department has lost critical visibility into new iterations of malware that exploit previously unknown (zero-day) vulnerabilities.

The signature-based technology prevalent in the vast majority of enterprise defense-in-depth architectures lacks the means to defend against these zero-day, multi-stage, and polymorphic attacks. Anomaly detection tools and perimeter sandboxing devices suffer from the same ineffectiveness: armored malware recognizes that it is running in a sandbox and stays dormant until it reaches a real host. Many of these new attacks are more complex, involving vertical movement (privilege escalation) and horizontal movement (spreading between hosts) across multiple elements of the datacenter. Unfortunately, traditional perimeter and static defenses are unable to detect or effectively defend against the spread of these attacks at the core of the network.
Most of the advanced persistent threats (APTs) responsible for massive data breaches follow this pattern of vertical and horizontal movement to conquer enterprise networks and eventually steal data through a technique commonly referred to as data exfiltration. Even though the malicious tools criminals use are constantly changing, the underlying methods employed by advanced attackers are so predictable that the security research community has given this multi-stage chain of events its own name: the kill chain. The emerging defense philosophy is that if security departments can institute the right defense-in-depth technology and the right processes to stop attacks during an earlier stage of the kill chain, they can prevent the consequences that come during later stages, such as mass infection and data compromise. The problem is that, until now, technological blind spots have prevented organizations from detecting, analyzing, and disrupting the early and middle stages of the cyber-attack kill chain. A new generation of advanced malware detection and containment technology now makes it possible to eliminate these blind spots and break the chain. Here is how kill chain analysis works and why these new platforms can have an unprecedented impact on fighting the early stages of these threats.

Understanding Kill Chain Analysis

The concept of a cyber-security kill chain, first introduced to the information security world by security incident responders at Lockheed Martin, describes the usual structure of an APT attack in a model that helps defenders fight the adversary more effectively.
The original Lockheed Martin model has seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. As the security community has taken the idea and run with it, it has refined the model, which can be simplified into six stages of attack:

Stage One: External scan or footprinting of the target network or target systems.
Stage Two: Initial exploit of a vulnerability, based on information gained in Stage One, via social engineering, a drive-by download, a watering hole attack, or any other weapon in the attacker's arsenal.
Stage Three: Secondary exploitation of infected systems, typically using more advanced zero-day vulnerabilities, to compromise internal accounts.
Stage Four: Solidifying internal control within the network through admin accounts compromised during Stage Three, essentially gaining insider access to certain internal systems.
Stage Five: Lateral movement throughout the network, compromising more machines, taking over more accounts, and searching for sensitive or targeted data.
Stage Six: Acquisition and exfiltration of sensitive or targeted data.

"Kill chain analysis illustrates that the adversary must progress successfully through each stage of the chain before it can achieve its desired objective; just one mitigation disrupts the chain and the adversary." [1]

-- Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains; Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin; Lockheed Martin Corporation

The progression through this kill chain is often a lengthy process, sometimes taking a year or longer. The idea for defense is not only to block attacks as early in the kill chain as possible but also to institute controls that let the organization track an attack if any part of it slips through early-stage defenses and progresses into later stages.

[1] http://papers.rohanamin.com/wp-content/uploads/papers.rohanamin.com/2011/08/iciw2011.pdf
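To make the six-stage model concrete, here is an added example (not code from the paper, from Lockheed Martin or from TrapX) that maps constructed detection events onto the six stages, links events into intrusions through the hosts they share, and reports for each intrusion how far down the chain it got, how long it took, and which stages were never observed. The event names, the event-to-stage mapping and the log lines are assumptions made for the illustration.

```python
"""Kill chain stage tracking over detection events.

Added example, not code from the paper or from TrapX. The six stage numbers are
the paper's; the event names, the event-to-stage mapping and the log lines are
constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime

STAGES = {
    1: "external scan / footprinting",
    2: "initial exploit",
    3: "secondary exploit, internal account compromise",
    4: "solidifying control through admin accounts",
    5: "lateral movement",
    6: "acquisition and exfiltration",
}

# Hypothetical detection event types mapped onto the paper's six stages.
EVENT_STAGE = {
    "portscan": 1,
    "phish_click": 2,
    "driveby_download": 2,
    "local_privesc": 3,
    "cred_dump": 3,
    "admin_logon_new_host": 4,
    "smb_lateral": 5,
    "psexec": 5,
    "bulk_file_read": 6,
    "large_outbound_transfer": 6,
}

# Constructed sample log: "<timestamp> <source host> <target host> <event type>".
# The first intrusion has no stage-five event on record: that gap is the kind
# of visibility blind spot the paper describes.
SAMPLE_LOG = """\
2016-03-01T08:12:00Z 203.0.113.7 ws-104 portscan
2016-03-03T09:40:11Z ws-104 ws-104 phish_click
2016-03-03T09:41:02Z ws-104 ws-104 local_privesc
2016-03-20T22:05:30Z ws-104 fs-01 admin_logon_new_host
2016-04-02T01:30:00Z fs-01 fs-01 bulk_file_read
2016-04-02T02:00:00Z fs-01 198.51.100.9 large_outbound_transfer
2016-04-05T11:00:00Z 203.0.113.9 ws-221 portscan
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, kind) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, kind = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, kind))
    return events


def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    parent.setdefault(a, a)
    parent.setdefault(b, b)
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[ra] = rb


def analyze(text):
    """Group events into intrusions (hosts linked by events) and report, for each,
    the stages observed, the furthest stage reached, the stages missing from the
    record (blind spots) and how long the chain took to unfold."""
    events = parse_log(text)
    parent = {}
    for _, src, dst, _ in events:
        _union(parent, src, dst)
    groups = defaultdict(list)
    for ev in events:
        groups[_find(parent, ev[1])].append(ev)

    intrusions = []
    for evs in groups.values():
        evs.sort()
        stages = sorted({EVENT_STAGE[e[3]] for e in evs})
        furthest = stages[-1]
        intrusions.append({
            "hosts": sorted({h for e in evs for h in (e[1], e[2])}),
            "stages": stages,
            "furthest": furthest,
            "unobserved": [s for s in range(1, furthest + 1) if s not in stages],
            "days": (evs[-1][0] - evs[0][0]).days,
            "first_seen": evs[0][0],
        })
    intrusions.sort(key=lambda i: i["first_seen"])
    return intrusions


if __name__ == "__main__":
    for n, intr in enumerate(analyze(SAMPLE_LOG), 1):
        print(f"intrusion {n}: hosts={intr['hosts']} furthest stage {intr['furthest']} "
              f"({STAGES[intr['furthest']]}), {intr['days']} days, "
              f"unobserved stages {intr['unobserved']}")
```

The "unobserved" list is the practical output: an intrusion that reached stage six without a single stage-five detection means lateral movement happened in a blind spot, which is exactly the instrumentation gap to close first.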

Blind Spot Barriers to Stopping the Kill Chain

The principle of blocking attacks sounds simple enough, but the difficulty in execution lies within today's information security toolset. As the figure below shows, the ability of legacy tools to detect even known attacks varies significantly. This is of particular concern for enterprises that face these threats, as well as a growing number of zero-day and targeted attacks, on a daily basis. Here is how one expert, Allen Harper, executive vice president and chief hacker of Tangible Security, author of Gray Hat Hacking, and a seasoned security researcher, explains the problem:

"The idea of the kill chain is to break this chain as early as possible. But until now there haven't been any good tools available to do that, particularly if you put zero-days on the table. Most of today's tools are signature-based and with that, good luck finding techniques that have never been seen before."

As a result, the vast majority of tools designed to stop attacks during the first half of the kill chain let the most dangerous threats slip by. Meanwhile, many of the additional layers of security that departments have stacked on top of this shaky foundation have not been effective, for a number of reasons. For example, data leak protection is designed primarily to detect attacks during the final stage, too late in the kill chain to be much more than a last-ditch gamble. And many anomaly-based network protection tools require so much tuning, care, and feeding that, in spite of their advanced capabilities, organizations lack the personnel or expertise to use them effectively. Many times these tools sleep right through problems, producing false negatives and a dangerous false sense of security that allows attackers to keep progressing through the kill chain while security teams think their systems are protected.

Several years ago, honeypots offered many within the security community hope for a more reliable method of detecting malicious behavior on the network. The idea behind these fake systems is that, because no legitimate user has any reason to touch them, any activity on them is necessarily malicious, or at least the sign of a misconfiguration. Unfortunately, honeypots have until now proven so labor intensive, because they must be manually implemented and maintained, that they have fallen into disfavor. Even Harper, a champion of honeypot methods as a former participant in the Honeynet Project, says he has been resistant to using honeypots regularly in recent years. Clearly, if organizations are to use kill chain analysis and act on it, something has to change technologically.

Disrupting Malicious Movement Before the End of the Kill Chain

TrapX hopes to be the agent of that change. A valuable tool in APT defense, the TrapX platform offers an affordable and automated way to track and block malicious behavior before attackers reach the end of the kill chain. TrapX has taken the honeypot idea to the next level. The company's virtualized, automated honeypot platform not only emulates hundreds of nodes across the network; it also senses hostile scans and spins up targeted honeypots where they are needed most. By embedding dozens or hundreds of sensors throughout the core of the network, TrapX covers a much larger surface area than traditional solutions and denies malware the freedom to move undetected. These honeypot sensors form the foundation of a malware trap that picks up anomalous behavior at stage one of the kill chain, the external scan. But TrapX doesn't stop there; it goes several steps further to take out attacks in later stages that may have slipped by the honeycomb of sensors. The system can be deployed on a single virtual server, eliminating the installation and maintenance of physical honeypots or agents on hundreds of physical and virtual servers.
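The property the approach relies on, that a decoy has no legitimate users so every touch is suspect, and the follow-on step of spinning up more decoys where a scan is seen, can be written down in a few dozen lines. The following is an added illustration, not TrapX's implementation: the decoy addresses, the inventory of in-use addresses, the allowlist, the thresholds and the touch log are all constructed for the example.

```python
"""Decoy touch sensing, scan detection and adaptive decoy placement.

Added example, not TrapX code. The decoy addresses, the in-use inventory, the
allowlist, the thresholds and the touch log are constructed for this
illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

DECOYS = {"10.0.1.50", "10.0.1.51", "10.0.2.50"}           # hypothetical decoys
IN_USE = {"10.0.1.1", "10.0.1.23", "10.0.2.77"} | DECOYS   # hypothetical inventory
ALLOWLIST = {"10.0.0.5"}       # e.g. the authorised vulnerability scanner
SCAN_THRESHOLD = 5             # distinct decoy:port pairs within WINDOW
WINDOW = timedelta(seconds=60)

# Constructed decoy touch log: "<timestamp> <source> <decoy> <port>".
SAMPLE_TOUCHES = """\
2016-03-01T08:12:00Z 10.0.1.23 10.0.1.50 22
2016-03-01T08:12:01Z 10.0.1.23 10.0.1.50 80
2016-03-01T08:12:01Z 10.0.1.23 10.0.1.50 445
2016-03-01T08:12:02Z 10.0.1.23 10.0.1.51 22
2016-03-01T08:12:02Z 10.0.1.23 10.0.1.51 445
2016-03-01T08:12:03Z 10.0.1.23 10.0.1.51 3389
2016-03-01T09:00:00Z 10.0.2.77 10.0.2.50 445
2016-03-01T10:00:00Z 10.0.0.5 10.0.1.50 22
2016-03-01T10:00:01Z 10.0.0.5 10.0.1.50 80
"""


def parse_touches(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, decoy, port = line.split()
        out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, decoy, int(port)))
    return out


def detect(text):
    """Every touch of a decoy by a non-allowlisted source is an alert on its own
    (decoys have no legitimate users).  A source that reaches SCAN_THRESHOLD
    distinct decoy:port pairs inside WINDOW is additionally flagged as scanning,
    once, with the decoys and ports it had probed at that moment."""
    recent = defaultdict(deque)
    flagged = set()
    alerts = []
    for ts, src, decoy, port in parse_touches(text):
        if src in ALLOWLIST:
            continue
        alerts.append(("decoy_touch", src, decoy, port))
        q = recent[src]
        q.append((ts, (decoy, port)))
        while ts - q[0][0] > WINDOW:      # drop touches older than the window
            q.popleft()
        distinct = {pair for _, pair in q}
        if len(distinct) >= SCAN_THRESHOLD and src not in flagged:
            flagged.add(src)
            alerts.append(("scan", src,
                           sorted({d for d, _ in distinct}),
                           sorted({p for _, p in distinct})))
    return alerts


def recommend_decoys(scan_alert, in_use=IN_USE, count=2):
    """For a scan alert, propose new decoys: free addresses in the /24 of each
    probed decoy, emulating exactly the ports the scanner was interested in."""
    _, scanner, decoys, ports = scan_alert
    subnets = sorted({ipaddress.ip_network(d + "/24", strict=False) for d in decoys})
    placements = []
    for net in subnets:
        free = [str(h) for h in net.hosts()
                if str(h) not in in_use and str(h) != scanner]
        placements.extend((ip, ports) for ip in free[:count])
    return placements


if __name__ == "__main__":
    for alert in detect(SAMPLE_TOUCHES):
        print(alert)
        if alert[0] == "scan":
            print("  spin up decoys:", recommend_decoys(alert))
```

The allowlist matters in practice: an authorised vulnerability scanner will touch every decoy on every sweep, and without excluding it the sensor trains the SOC to ignore the very alerts it exists to raise. Note also that the scan alert is raised the moment the threshold is crossed, with the ports seen so far, which is the real-time behaviour the paper describes for generating targeted decoys.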
The problem with most security technologies today is that they lack the capability to track attacks once they have gotten past the first few stages of the kill chain. When TrapX's malware trap sensors pick up malicious activity, the platform uses sandboxing to perform root cause analysis of the captured payload, pairs that information with external threat intelligence feeds, and uses an internal business intelligence engine to remediate the root cause throughout the entire network. The resulting indicators are fed into an integrated deep packet inspection (DPI) engine to give visibility into the telltale outbound traffic (command-and-control and exfiltration) produced by attacks that have progressed into the later stages of the kill chain. This approach can be seen in the diagram below:

The solution spans multiple phases of the event lifecycle:

- Detecting and blocking the kill chain in the early stages, including dynamic generation of virtual honeypots in real time when scans are detected
- Leveraging a malware trap engine to automatically sandbox the attacker in a honeynet
- Conducting deep automated forensics of the payload, providing evidence for prosecution
- Integrating outside threat intelligence to derive attribution
- Pushing automatically generated signature policy to the DPI engines monitoring outbound network traffic
- Detecting any host on the network that has been compromised with the malware

This Adaptive Defense approach provides unprecedented capabilities for detecting, analyzing, blocking, and remediating threats in real time as they progress through their unique sequences.

"TrapX has radically lowered the cost of deploying honeypot networks, while raising the cost for attackers, who are now much more likely to have their exploits discovered and exposed. Their solution is very unique in the marketplace, and represents the kind of new countermeasures that will be critical for disrupting multiple kill chain stages of sophisticated APTs," Harper says.
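The last two items of the lifecycle, turning what the sandbox learned into signatures for the outbound DPI engine and then sweeping the network for other hosts that have contacted the same infrastructure, can be sketched as follows. This is an added example, not TrapX code; the indicator values, the flow log, the rule text (Suricata-style syntax, not loaded into any sensor here) and the function names are assumptions for the illustration.

```python
"""From sandbox-derived indicators to outbound-traffic signatures and a sweep
for other compromised hosts.

Added example, not TrapX code. The indicator values, the Suricata-style rule
text and the flow log are constructed for this illustration; the rules follow
Suricata's syntax but have not been loaded into a sensor here.
"""
from datetime import datetime

# Hypothetical indicators extracted from sandboxing the captured payload.
IOCS = {
    "domains": ["update-cdn.example"],
    "ips": ["198.51.100.9"],
    "uris": ["/gate.php"],
}

# Constructed outbound flow log: "<timestamp> <host> <dst> <dport> <proto> <detail>"
# where detail is the DNS query name, the HTTP URI, or "-".
SAMPLE_FLOWS = """\
2016-04-02T01:10:00Z ws-104 10.0.0.53 53 dns update-cdn.example
2016-04-02T01:10:01Z ws-104 198.51.100.9 443 tls -
2016-04-02T02:00:00Z fs-01 198.51.100.9 443 tls -
2016-04-02T03:15:00Z ws-221 10.0.0.53 53 dns www.example.org
2016-04-03T07:00:00Z ws-310 203.0.113.40 80 http /gate.php
2016-04-03T07:30:00Z ws-104 198.51.100.9 443 tls -
"""


def iocs_to_rules(iocs, base_sid=1000000):
    """Render one Suricata-style alert rule per indicator for the DPI engine
    watching outbound traffic.  SIDs are assigned sequentially from base_sid.
    Indicator values are inserted verbatim (assumed free of ; " | characters)."""
    rules = []
    sid = base_sid
    for d in iocs["domains"]:
        sid += 1
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"C2 DNS lookup {d}"; '
                     f'dns.query; content:"{d}"; nocase; sid:{sid}; rev:1;)')
    for ip in iocs["ips"]:
        sid += 1
        rules.append(f'alert ip $HOME_NET any -> {ip} any (msg:"C2 contact {ip}"; '
                     f'sid:{sid}; rev:1;)')
    for uri in iocs["uris"]:
        sid += 1
        rules.append(f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"C2 URI {uri}"; '
                     f'http.uri; content:"{uri}"; sid:{sid}; rev:1;)')
    return rules


def matches(iocs, dst, proto, detail):
    """Return the indicator a flow record matches, or None.  DNS matching also
    covers subdomains, since malware often varies host labels under one parent."""
    if proto == "dns":
        for d in iocs["domains"]:
            if detail == d or detail.endswith("." + d):
                return "domain:" + d
    if dst in iocs["ips"]:
        return "ip:" + dst
    if proto == "http" and detail in iocs["uris"]:
        return "uri:" + detail
    return None


def sweep(flow_text, iocs):
    """Scan outbound flow records for indicator hits and return, per host, when
    it first contacted the attacker's infrastructure and which indicators hit."""
    hits = {}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, _dport, proto, detail = line.split()
        ind = matches(iocs, dst, proto, detail)
        if ind is None:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        entry = hits.setdefault(host, {"first_seen": when, "indicators": set()})
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["indicators"].add(ind)
    return hits


if __name__ == "__main__":
    for rule in iocs_to_rules(IOCS):
        print(rule)
    for host, info in sorted(sweep(SAMPLE_FLOWS, IOCS).items()):
        print(host, info["first_seen"].isoformat(), sorted(info["indicators"]))
```

The sweep is what turns one trapped sample into a network-wide answer: the host that tripped the decoy is rarely the only one talking to the attacker's infrastructure, and the first-contact timestamp per host is the starting point for scoping the intrusion. Before using this with real data, escape indicator values that contain characters the Suricata content keyword treats specially.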