Breaking The Kill Chain: A Defensive Approach
Summary
TLDR: The video script delves into the concept of the 'cybersecurity kill chain,' a model developed by Lockheed Martin to outline the steps an attacker must complete to execute a successful cyber attack. The chain consists of seven stages, starting from reconnaissance to actions on objectives. The video emphasizes the importance of disrupting the chain at any point to prevent a breach. It offers a defensive approach using the NIST cybersecurity framework, discussing tools and strategies to create a multi-layered security plan. The script highlights the need for understanding the attacker's playbook, implementing measures like patch management, user awareness, and technical controls to mitigate risks at each stage. It also stresses the significance of post-infection tools, network segmentation, and the zero trust security model to limit damage and enhance detection capabilities. The video concludes by challenging viewers to evaluate their organization's security posture and dwell time, a critical metric for security directors.
Takeaways
- 🔍 **Reconnaissance**: The first step in a cyber attack is information gathering about the target, which can be done passively (e.g., from public sources) or actively (e.g., probing networks).
- 🛡️ **Defending Against Reconnaissance**: Limiting public exposure of information, disabling unused ports, and using honeypots and firewalls are key defenses against initial attack stages.
- 🔧 **Weaponization**: Attackers use collected information to select or create an exploit for a discovered vulnerability, often utilizing tools like Metasploit or Exploit DB.
- 🛠️ **Patch Management**: A fundamental defense against weaponization is regular patching, which eliminates vulnerabilities that could be exploited.
- ✉️ **Delivery**: The method of delivering the attack can vary widely, including through websites, social media, email, or physical devices like USBs, highlighting the importance of user awareness.
- 🚫 **Blocking Delivery**: Implementing email authentication methods like DKIM and SPF, web filtering, and disabling unnecessary services can limit an attacker's delivery options.
- 💥 **Exploitation**: Once a weapon is delivered, exploitation occurs, which may involve buffer overflows or other forms of attack that execute the attacker's payload.
- 🚨 **Detection and Prevention**: Data Execution Prevention (DEP), anti-exploit features, and sandboxing can help detect and prevent exploitation attempts.
- 📁 **Installation**: After exploitation, the attacker installs malware for persistent access, which can involve DLL hijacking, RATs, or PowerShell scripts.
- 🔗 **Command and Control**: The compromised system is then used to carry out the attacker's objectives, often under the direction of a command and control server.
- 🏛️ **Segmentation and Isolation**: Network segmentation and micro-segmentation can limit an attacker's ability to move laterally and can help contain the damage of a breach.
- 🔑 **Zero Trust Model**: Adopting a zero trust security model treats all users as untrusted until proven otherwise, which can significantly enhance detection and response to breaches.
Q & A
What is the Cybersecurity Kill Chain?
-The Cybersecurity Kill Chain is a model developed by Lockheed Martin that describes the seven sequential steps an attacker must complete to carry out a successful attack. These steps include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
What are the two stages of reconnaissance in the Cybersecurity Kill Chain?
-The two stages of reconnaissance are passive and active. Passive reconnaissance involves gathering information from publicly available sources without interacting with the target, while active reconnaissance includes probing the target's systems to find vulnerabilities.
How can an organization defend against passive reconnaissance?
-Defending against passive reconnaissance involves limiting the amount of detail exposed publicly. This can be achieved by controlling information on job postings, training materials, social media use, and by removing specific error messages from public servers.
What is a honey pot and how does it help in cybersecurity?
-A honey pot is a decoy tool used in cybersecurity that can mimic attractive targets for attackers. It serves to divert attention away from real systems and can help reveal the attackers' intentions and identities without compromising actual data or systems.
Why is patch management important in the weaponization stage of the Cybersecurity Kill Chain?
-Patch management is crucial in the weaponization stage because it involves keeping systems and applications up to date with the latest security patches. This prevents attackers from exploiting known vulnerabilities, as there would be no vulnerabilities left to exploit.
What are some technical controls that can be applied to protect against the delivery stage of an attack?
-Technical controls for the delivery stage include email security measures such as DKIM and SPF to detect spoofed emails, web filtering to prevent access to malicious sites, disabling auto-run features on USBs, and not granting users admin rights to limit the avenues of attack delivery.
What is the role of user awareness in defending against the delivery of an attack?
-User awareness is critical in defending against the delivery of an attack as it involves educating personnel on good security practices. This includes recognizing phishing attempts, understanding the risks of clicking on unknown links, and knowing how to handle emails and attachments safely.
How does the exploitation stage differ from the weaponization stage?
-The weaponization stage involves finding or creating an attack that exploits a vulnerability, while the exploitation stage is where the attack is actually executed. At this point, the attacker has delivered the weapon and is attempting to use it to gain unauthorized access or control over the target system.
What is the purpose of the installation phase in the Cybersecurity Kill Chain?
-The installation phase is where an attacker gains better access to the victim's system by injecting a payload that allows for future control. This could involve installing malware, making registry changes for persistence, or using other techniques to ensure they can maintain access even after the system is rebooted or patched.
What is the significance of network segmentation in limiting the damage of a breach?
-Network segmentation is significant in limiting the damage of a breach because it restricts the lateral movement of an attacker within the network. By isolating different parts of the network, the potential spread of an infection can be contained, making it easier to detect unusual activity and limiting the attacker's access.
How does the Zero Trust security model help in the command-and-control phase of the Cybersecurity Kill Chain?
-The Zero Trust security model assumes that any user or device within the network could be compromised and treats them as untrusted until proven otherwise. This approach helps in detecting infected machines and limiting the damage an attacker can do by eliminating the concept of an 'internal' network that is automatically trusted.
What is the dwell time in cybersecurity and why is it a critical metric?
-Dwell time refers to the length of time an attacker remains active within a network before being detected. It is a critical metric because it indicates how quickly an organization can identify and respond to a security breach. A longer dwell time suggests a slower response to threats, which can lead to more significant damage or data loss.
Outlines
🔍 Understanding the Cybersecurity Kill Chain
The video script introduces the Cybersecurity Kill Chain, a model developed by Lockheed Martin to detail the stages of a successful cyber attack. The model consists of seven sequential steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. To disrupt an attack, one must break one or more of these steps. The video uses the NIST Cybersecurity Framework as a reference to examine tools that can lead to a multi-layered security plan. The first step, reconnaissance, involves gathering information about the victim, which can be done passively (using public sources) or actively (probing networks). The video emphasizes the importance of limiting public exposure of information and disabling unused ports and services to defend against these initial stages.
🛡️ Defensive Measures Against the Kill Chain
The script continues by discussing defensive measures against the Cybersecurity Kill Chain. It covers the importance of patch management to prevent weaponization, as unpatched vulnerabilities are a common target for attackers. The video suggests using antivirus software, Intrusion Prevention Systems (IPS), and email security measures to protect against known malware and exploit attempts. It also addresses the delivery stage, emphasizing the role of user awareness in security training and phishing campaigns. Additional protective measures include email authentication methods like SPF and DKIM, web filtering, and disabling unnecessary services to limit the attack surface. The video also touches on the exploitation stage, where the attack is executed, and the installation stage, where the attacker gains better access to the system, suggesting the use of Data Execution Prevention (DEP) and anti-exploit features as last lines of defense.
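The SPF check mentioned above, as an added example that is not from the video: a simplified evaluator that decides whether a sending IP is authorized by a domain's SPF record. The TXT records, domain names and addresses are constructed, the `check_spf` function is hypothetical, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups (assumption:
# documentation-range addresses and made-up domains, not real deployments).
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8:25::/48 ~all",
    "nospf.example": "site-verification=constructed",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on mechanisms that trigger DNS queries


def check_spf(sender_ip, domain, txt=SAMPLE_TXT, _budget=None):
    """Return the SPF result for sender_ip sending mail on behalf of domain."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    terms = txt.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":  # matches every sender, so evaluation stops here
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if net.version != int(name[2]):
                return "permerror"  # e.g. an IPv6 prefix under ip4:
            matched = ip.version == net.version and ip in net
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many lookups, e.g. an include loop
            inner = check_spf(sender_ip, arg, txt, budget)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # only an inner "pass" counts as a match
        else:
            # a, mx, exists, ptr and redirect= need real DNS; refuse to guess
            raise NotImplementedError(f"unsupported SPF term: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    for sender in ("192.0.2.77", "198.51.100.25", "2001:db8:25::1", "203.0.113.9"):
        print(f"{sender:<16} -> {check_spf(sender, 'example.com')}")
```

A receiving gateway would combine this result with DKIM signature verification rather than rely on SPF alone, since SPF only covers the sending IP.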
🚨 Responding to the Kill Chain: Post-Infection and Incident Response
The video script concludes with the command-and-control and actions on objectives stages of the Cybersecurity Kill Chain. At this point, the system is compromised, and the attacker can execute their intended actions, which may vary based on their motivation. The video discusses strategies to limit the attacker's control and detect unusual activity, such as network segmentation and the use of next-generation firewalls with known command and control server databases. It also highlights the importance of Indicators of Compromise (IOCs) for post-breach detection. The script emphasizes the need for a solid incident response plan and the implementation of a Zero Trust security model to treat all users as untrusted until proven otherwise. The video ends by encouraging viewers to evaluate their organization's security posture at each phase of the kill chain and to consider the dwell time, which is the time an attacker remains undetected within a network.
Keywords
💡Cybersecurity Kill Chain
💡Reconnaissance
💡Weaponization
💡Delivery
💡Exploitation
💡Installation
💡Command and Control
💡Actions on Objectives
💡Patch Management
💡User Awareness
💡Zero Trust Security Model
💡Dwell Time
Highlights
The Cybersecurity Kill Chain is a model developed by Lockheed Martin to describe the steps an attacker must complete for a successful attack.
The model consists of seven sequential steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
To disrupt an attack, one or more steps of the kill chain must be broken.
Passive and active reconnaissance are two stages of gathering information about the victim.
Defending against passive reconnaissance involves limiting public exposure of information.
Active reconnaissance involves probing networks and systems for vulnerabilities.
Honey pots can be used as decoys against attackers, revealing their intentions.
Firewalls with IPS capabilities can help protect against active reconnaissance techniques.
Patch management is crucial for defending against the weaponization stage of attacks.
Antivirus and IPS tuned to detect exploit attempts are important during the weaponization stage.
User awareness and security training are vital against the delivery of attacks.
Technical controls like email authentication methods and web filtering can limit delivery channels.
Data Execution Prevention (DEP) and anti-exploit features serve as last lines of defense against exploits.
Sandboxing can detect and block malicious files post-infection.
Isolation techniques and post-infection monitoring tools can help limit the spread of an attack.
Segmentation and micro-segmentation can limit the damage of a breach and ease detection.
Indicators of Compromise (IoCs) are useful for post-breach detection and response.
The Zero Trust security model treats all users as untrusted until proven otherwise, enhancing network security.
The Cybersecurity Kill Chain serves as a blueprint for building a robust cybersecurity program.
Rating security posture at each phase of the kill chain helps organizations assess their readiness against attacks.
Dwell time, the duration an attacker remains undetected in a network, is a critical metric for security effectiveness.
Transcripts
First developed by Lockheed Martin, the cybersecurity kill chain is a model for describing the steps an attacker must complete to carry out a successful attack. The model is made up of seven sequential steps, including reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally actions on objectives. To disrupt the attack, one or more of these steps must be broken for the entire chain to fail, and in order for us to do that we need to understand their playbook. Using the NIST Cybersecurity Framework as a reference, we'll look at tools at every phase that will lead to a multi-layered security plan for our organization. I'm Andy with the CISO Perspective, and this video is called Breaking the Kill Chain: A Defensive Approach.
Reconnaissance. The first step of any cybersecurity attack is to gather information about the victim, also known as reconnaissance. The two different stages of reconnaissance are passive and active. During the passive reconnaissance stage, an attacker will use indirect methods to gather information from publicly available sources like WHOIS, ARIN registrations, Google, Shodan, job listings and company websites. Once an attacker has collected as much public information as possible, they'll then move on to active reconnaissance. This involves some level of interaction with your organization. During this phase the attacker will actively probe your network or system looking for open ports and services. This includes technical tools like Nmap for port scanning and banner grabbing, and vulnerability scanners. Now, vulnerability scanners are very loud and obvious, so attackers will usually limit their scope or slow scan over a period of time to avoid being caught.
Defending against passive reconnaissance means limiting the level of detail we expose publicly. That means limiting the information we put on job postings, training personnel on acceptable use of social media sites, and removing specific error messages from public servers. Our first protective measure is to ensure that unused ports and services are disabled. This limits the number of entry points an attacker can use to get into your system. Honeypots are a great tool that can be used as a decoy against the would-be attacker: not only do they divert attention away from real systems, but it also reveals what they're after and who they are. A firewall with IPS capabilities on the perimeter will provide filtering and segmentation while also monitoring for port scans and banner grabs. Most next-generation firewalls can block connections from Tor networks and known proxy IP addresses, which are commonly used during this phase to obfuscate the real IP from an attacker. The entire goal of the reconnaissance phase is to find a weakness that can be exploited. Once the attacker has found that weakness, they can move on to the next step.
Weaponization. Once an attacker has found a weakness, their next step is to find or create an attack that will exploit that vulnerability. The weapon of choice will depend on the information they collected from you during the reconnaissance step. Some commonly used weapons during this phase are tools like Metasploit or Exploit-DB, which are repositories for known exploits; the Veil framework, which is commonly used to generate evasion code for malware; the social engineering toolkit, if they decided they will deliver the malware through a social engineering campaign; and of course many others. Since this stage is all about what the attacker uses as a weapon, we need to have some of the basics covered, and that includes things like patch management. Patch management continues to be one of the best defensive measures against the weaponization stage, because you can't exploit a vulnerability if there's no vulnerability to exploit. The vast majority of today's breaches are still due to unpatched servers. Office macros, JavaScript and browser plugins are all common avenues for an attacker to exploit, so disabling these alone will greatly reduce your exposure as well. Some technical controls we can apply at this stage are things like antivirus on the endpoint and perimeter to protect against known malware, an IPS that's specifically tuned to look for exploit attempts and not just port scanning and banner grabbing like in the reconnaissance stage, and email security that includes antivirus and anti-spyware features that we can enable. During this phase the attacker is selecting which tool to use, but they haven't actually delivered yet. How they deliver the attack is as critical as what they choose for a weapon, and that brings us to the third stage.
Delivery. By this point the attacker has selected the weapon based on their earlier reconnaissance. Now, the delivery stage is where they try one or multiple avenues to deliver the weapon. The delivery of the attack varies by the kind of attack, but some common examples can include things like: websites, malicious or clean (an attacker can infect a legitimate website they know your users frequent); social media; user input, which means the attacker has some level of interaction with a public server like a website or a database; email, where if the attacker has found a partner your company uses during the reconnaissance phase, they can embed malware into an order form that your employees are more likely to open if they phish the email to make it look like it's coming from a partner; and USB, where common attacks are to leave infected USBs in public areas and around employees' cars, hoping the temptation for them to put it into their laptop is too much.
The single best security measure against the delivery of the attack is user awareness. This includes security training and phishing campaigns that teach personnel the basics of good security practices. While all the protective measures we discussed in the weaponization stage still apply, there's a few extra measures you can take to limit the delivery channels an attacker can use. Email security, but specifically DKIM and SPF: DKIM and SPF are email authentication methods to detect spoofed emails. SPF makes sure that emails are coming from an authorized IP of the domain, while DKIM uses digital signatures to verify authenticity. Both techniques help ensure the emails are coming from legitimate authorized channels. Web filtering can prevent a user from accessing questionable or known bad websites. Disabling USBs and not giving users admin rights also prevents a big portion of the delivery mechanisms that malware typically use. DNS filtering: while web filters block web requests destined to malicious sites, using a DNS security solution can block any DNS lookup attempt to prevent communications over any protocol. I always use this in combination with web filtering. Remember, SSL accounts for the majority of web and email traffic you see today, so if you're not doing SSL inspection in all of your delivery channels you may be completely blind to what's passing through that encrypted tunnel.
Exploitation. During the exploitation stage the attacker has effectively delivered the weapon of choice to the victim and the attack has been executed. This means we have failed to keep the weapon out of our environment, and the only thing left for the attacker to do is pull the trigger. The actual exploit could come in the form of a buffer overflow, a SQL injection, malware that was undetected by our antivirus solution, a client-side exploit that was executed on an old version of JavaScript, and of course many others. Protective measures are limited once an attacker has been able to execute the exploit, but some do exist. DEP, or Data Execution Prevention, is a software and hardware feature which attempts to prevent execution of code in memory where it doesn't belong. Anti-exploit is a feature on some antivirus solutions that monitors known applications for unusual calls to memory. Both of these techniques act as a last line of defense against common exploit attempts.
The reality is, when an attacker gets to this point you're relying on post-infection tools like a sandbox to detect exploits that have already been executed. A sandbox has some preventive capabilities depending on the scenario, but for most network environments you have what's called patient zero. Patient zero refers to the first time an unknown file is seen on the network. The first person to download the file would be infected, because the malware analysis can take several minutes to complete. However, once the sandbox determines that the file is malicious, it can then block that file and protect all your other users. It will alert you that patient zero is infected and you can move on towards your remediation and recovery steps. It's worth noting that an exploit takes advantage of some weakness in an application or operating system, but it's not the finish line for the attack. The goal of the exploit is to gain better access, and that leads us to our next step.
Installation. The exploitation and the installation phase go hand-in-hand. A successful exploit allows me to inject a payload that will give me a better level of access to accomplish my mission. From an attacker's perspective, gaining better access allows me to control the victim at any point in the future, even after a system has been patched or rebooted. Some common payloads and techniques during this stage involve DLL hijacking, injecting Meterpreter or a similar payload, installing a remote access tool, otherwise known as a RAT, registry changes to make a program automatically start up or persist, and executing PowerShell in fileless attacks. Once an attacker has gotten this far into the system, very limited protective tools exist. Linux-based systems can use a chroot jail as a way to isolate processes from the rest of the system, in this way limiting the amount of data the malicious file has access to. Windows-based systems can disable PowerShell altogether on systems that don't require it. Fortunately, we have really good post-infection tools we can use at this stage that monitor system files and registry for unusual activities. A good UBA or EDR solution should flag any new unauthorized program that has been installed, as well as detect any changes to registry and system processes. The unauthorized changes to system processes and registries should cause a log and alert to go off. And way before you get to this stage, your team should already have an SOP or plan for this type of event. This includes things like identifying if the device is mission-critical, removing the device from the network, changing all credentials for users that were logged in, and so on. Once a system is determined to be infected, you can then begin the process of restoring that system to a known state.
Command and control. At this stage the system has been completely compromised and in control of the attacker. If they completed the previous steps correctly, their access is persistent even if you reboot or patch the vulnerability. The infected device could immediately be used to carry out the mission, or it could sit back and wait for further instructions from its command and control server. Our defensive tactics are going to be around limiting what they can control and detecting unusual activity. Limiting the damage of a breach starts with segmentation. Segmentation will make it harder for the attacker to move laterally and easier to detect using audit logs. If you have the ability to do micro-segmentation through a zero trust security model, even better. This would essentially leave the infected user completely isolated on a port until they can verify the machine is clean and have been authenticated. As for technical controls, most next-generation firewalls have a database of known command and control servers. Enabling this feature will help block remote access from known bad actors.
There are also many free and paid DNS servers that offer botnet and command and control protection at the DNS level. Attackers will often use evasion techniques such as DGA or fast flux to generate a large number of domains that are used as rendezvous. Blocking access to recently observed domains will stop connections to these common hubs. While on the topic of next-generation firewalls, make sure you're using layer 7 application control to block commonly known remote access tools like Telnet, SSH, netcat, PowerShell, RDP and various other protocols that really have no business leaving your network. If you do have a business case for using these tools, try to lock it down to specific IP addresses. An attacker will almost always use encrypted connections to avoid being caught, so if you're not doing full SSL deep packet inspection you're completely blind to any communication attempts going through that tunnel. For detection, indicators of compromise, or IOCs, are excellent post detective tools as well. An IOC is an observed behavior by a user or server that is indicative of a breach. IOCs can be observed and collected on the endpoint or could be collected by a SIEM device with an IOC feed.
Actions on objectives. With the machine now infected and the attacker in full control, they can now execute the action to achieve their objective. The action is predicated by the motivation of the attacker, so understanding the type of attacker that could be targeting your organization is critical. Attackers could be motivated by financial reasons, political, nation-state, malicious insiders, or simply wanting to move laterally to go after a more important system on the network. If the goal is data exfiltration, we can look into tools that prevent data from moving off of the endpoint or server. On-endpoint tools like DLP or UBA solutions have complementary features to detect and prevent specific files from moving off the network. The problem is, if an attacker has already gained access to your system, doing something as simple as a screenshot on a protected document would not be detected by most of these tools. Lateral movement is a common step for an attacker to take once they've gained access into a system, at which point they begin their reconnaissance stage all over again to gain information about the internal network. This is why network segmentation between different clearance levels is so important to a network design. The zero trust security model is built around the idea that eventually we're all gonna fall victim to this stage of the kill chain. By removing the idea of trust on your inside network, you can treat all users as untrusted until proven otherwise. While we won't go into detail on the zero trust security model, this model is very effective at detecting infected machines and limiting the damage that can be done by the attacker. Once a compromised machine is identified, you can begin your incident response planning and eventually reimage the system before putting it back on your network.
The CISO perspective. The kill chain is more than just a model for how an attack is executed; it's also a blueprint for building a good cybersecurity program. By using multiple layers of security throughout each phase, we make it more and more challenging for the attack to be successful, and that by itself may be a victory because so many attacks are just opportunistic in nature. The challenge I always give my clients is to rate their security posture from 1 to 10 at each phase of the chain.
How would your organization deal with an attacker who got all the way through to the installation phase? Do you have the processes in place that could detect that? If so, how long would the attacker sit in that phase before it's remediated: minutes, hours, days? Dwell time is the length of time an attacker is active inside the network before being detected. For CISOs and security directors, this is a critical metric to follow. According to a report by the Ponemon Institute and IBM, the average dwell time is a hundred and ninety-one days. Now, I'll end the video on that scary statistic, and I hope you found all of this informative. Please comment, hit like, and subscribe to stay on top of all of our latest releases here at the CISO Perspective.
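The slow-scan evasion described in the reconnaissance section, as an added example that is not from the video: a sliding-window detector run over a constructed firewall log, showing that a one-minute window flags only the fast scanner while a 24-hour window also flags the slow one. The log format, addresses, window sizes and threshold are assumptions, and `find_scanners` is a hypothetical helper.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<n>"
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3306, 3389, 8080]


def build_sample_log():
    """Constructed log: a slow scanner, a fast scanner and a normal client."""
    start = datetime(2024, 5, 1, tzinfo=timezone.utc)
    fmt = "{} {} src={} dst=192.0.2.10 dport={}"
    lines = []
    for i, port in enumerate(PORTS):
        slow = start + timedelta(minutes=20 * i)      # one probe every 20 min
        fast = start + timedelta(hours=1, seconds=i)  # one probe per second
        lines.append(fmt.format(slow.isoformat(), "DENY", "203.0.113.50", port))
        lines.append(fmt.format(fast.isoformat(), "DENY", "203.0.113.99", port))
    for i in range(200):  # busy but legitimate client: many hits, one port
        ts = start + timedelta(minutes=2 * i)
        lines.append(fmt.format(ts.isoformat(), "ALLOW", "198.51.100.7", 443))
    return lines


def find_scanners(lines, window, threshold):
    """Map each source IP to its peak count of distinct (dst, port) targets
    inside any span of `window`, keeping sources that reach `threshold`."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, _action, src, dst, dport = m.groups()
        by_src[src].append((datetime.fromisoformat(ts), (dst, int(dport))))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # target -> hits currently inside the window
        left = 0
        peak = 0
        for ts, target in events:
            in_window[target] += 1
            # Drop events that have aged out of the window.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("1-minute window:", find_scanners(log, timedelta(minutes=1), 10))
    print("24-hour window: ", find_scanners(log, timedelta(hours=24), 10))
```

Counting distinct targets rather than raw connections is what keeps the busy legitimate client out of both results.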