Breaking The Kill Chain: A Defensive Approach

00:00

first developed by Lockheed Martin the

00:02

cybersecurity kill chain is a model for

00:03

describing the steps an attacker must

00:05

complete to carry out a successful

00:06

attack the model is made up of seven

00:09

sequential steps including

00:10

reconnaissance weaponization delivery

00:14

exploitation installation command and

00:17

control and finally actions on

00:19

objectives to disrupt the attack one or

00:22

more of these steps must be broken for

00:23

the entire chain to fail and in order

00:25

for us to do that we need to understand

00:26

their playbook using the NIST

00:28

cybersecurity framework as a reference

00:29

well look at tools at every phase that

00:31

will lead to a multi-layered security

00:32

plan for our organization I'm Andy with

00:35

the Cecil perspective and this video is

00:36

called breaking the kill chain a

00:38

defensive approach reconnaissance the

00:42

first step of any cybersecurity attack

00:44

is to gather information about the

00:45

victim also known as reconnaissance the

00:48

two different stages of reconnaissance

00:49

are passive and active during the

00:51

passive reconnaissance stage an attacker

00:53

will use indirect methods to gather

00:54

information from publicly available

00:55

sources like who is Aaron registrations

00:58

google show dan job listings and company

01:01

websites once an attacker has collected

01:03

as much public information as possible

01:04

then move on to active reconnaissance

01:06

this involves some level of interaction

01:08

with your organization during this phase

01:10

the attacker will actively probe your

01:12

networker system looking for open ports

01:13

and services this includes technical

01:15

tools like an map for port scanning and

01:17

banner grabbing and vulnerability

01:19

scanners now vulnerability scanners are

01:21

very loud and obvious so attackers will

01:22

usually limit their scope or slow scan

01:24

over a period of time to avoid being

01:26

caught defending against passive

01:28

reconnaissance means limiting the level

01:30

of detail we expose publicly that means

01:32

limiting the information we put on job

01:33

postings training personnel and

01:35

acceptable use of social media sites and

01:37

removing specific error messages from

01:39

public servers our first protective

01:41

measure is ensure that unused ports and

01:43

services are disabled this limits the

01:45

number of entry points an attacker can

01:46

use to get into your system honey pots

01:49

are a great tool that can be used as a

01:50

decoy against the would-be attacker not

01:52

only do they divert attention away from

01:54

real systems but it also reveals what

01:56

they're after and who they are a

01:57

firewall with IPS capabilities on the

01:59

perimeter will provide filtering and

02:01

segmentation while also monitoring for

02:03

port scans and banner grabs most

02:05

next-generation firewalls can block

02:06

connections from tor networks and known

02:08

proxy IP addresses which are commonly

02:10

used during this phage to obfuscate the

02:12

real IP from Anna

02:13

hacker the entire goal the

02:15

reconnaissance phase is to find a

02:16

weakness that can be exploited

02:18

once the attacker has found that

02:19

weakness they can move on to the next

02:21

step

02:21

weaponization once an attacker has found

02:25

a weakness their next step is to find or

02:27

create an attack that will exploit that

02:28

vulnerability the weapon of choice will

02:30

depend on the information they collected

02:32

from you during the reconnaissance step

02:33

some commonly used weapons during this

02:35

phase are tools like Metasploit or

02:36

exploit DB these are repositories for

02:39

known exploits the Beal framework which

02:41

is commonly used to generate evasion

02:42

code from malware social engineering

02:44

toolkit if they decided they will

02:46

deliver the malware through a social

02:47

engineering campaign and of course many

02:49

others since this stage is all about

02:51

what the attacker uses as a weapon we

02:53

need to have some of the basics covered

02:54

and that includes things like patch

02:56

management patch management continues to

02:58

be one of the best defensive measures

03:00

against the weaponization stage because

03:01

you can't exploit a vulnerability if

03:03

there's no vulnerability to exploit the

03:05

vast majority of today's breaches are

03:06

still due to unpatched

03:08

servers office macros JavaScript browser

03:11

plugins are all common avenues for an

03:13

attacker to exploit so disabling these

03:15

alone will greatly reduce your exposure

03:17

as well some technical controls we can

03:19

apply at the stage or things like

03:21

antivirus on the endpoint and perimeter

03:22

to protect against known malware an IPS

03:25

has specifically tuned to look for

03:26

exploit attempts and not just port

03:28

scanning and banner grabbing like in the

03:30

reconnaissance stage an email security

03:31

that includes antivirus and anti-spyware

03:36

features that we can enable during this

03:39

phase the attacker is selecting which

03:40

tool to use but they haven't actually

03:42

delivered yet how they deliver the

03:44

attack is as critical as what they

03:46

choose for a weapon and that brings us

03:48

to the third stage delivery by this

03:50

point the attacker has selected the

03:52

weapon based on their earlier

03:53

reconnaissance now the delivery stage is

03:55

where they try one or multiple avenues

03:56

to deliver the weapon the delivery of

03:59

the attack buries by the kind of attack

04:00

but some common examples can include

04:02

things like web sites malicious or clean

04:04

an attacker can infect a legitimate web

04:06

site they know your users frequent

04:08

social media user input this means the

04:11

attacker has some level of interaction

04:12

with a public server like a web site or

04:14

a database email if the attacker has

04:17

found a partner your company uses during

04:19

the reconnaissance phase they can embed

04:20

malware into an order form that your

04:22

employees are more likely to open if

04:24

they fish the email to make it look like

04:26

a

04:26

coming from a partner USB common attacks

04:29

are believed infected USBs in public

04:31

areas and around employees cars hoping

04:33

the temptation for them to put it into

04:34

their laptop is too much

04:35

the single best security measure against

04:37

the delivery of the attack is user

04:39

awareness this includes security

04:40

training and phishing campaigns that

04:42

teaches personnel the basics of good

04:43

security practices while all the

04:45

protective measures we discuss in the

04:47

weaponization stage still apply there's

04:49

a few extra measures you can take to

04:50

limit the delivery channels an attacker

04:52

can use email security but specifically

04:55

dkm and SPF DCAM an SPF our email

04:58

authentication methods to detect spoofed

04:59

emails SPF make sure that emails are

05:02

coming from an authorized IP of the

05:03

domain while DCAM uses digital

05:05

signatures to verify authenticity both

05:07

techniques help ensure the emails are

05:09

coming from legitimate authorized

05:10

channels web filtering can prevent a

05:12

user from accessing questionable or

05:14

known bad websites disabling USPS and

05:17

not giving users admin rights also

05:18

prevents a big portion on delivery

05:20

mechanisms and malware's typically use

05:22

DNS filtering while websites block web

05:25

requests destined to malicious sites

05:27

using a DNS security solution can block

05:29

any DNS lookup attempt to prevent

05:31

communications over any protocol I

05:32

always use this in combination with web

05:35

filtering remember SSL account for the

05:37

majority of web and email traffic you

05:39

see today so if you're not doing SSL

05:40

inspection in all of your delivery

05:42

channels you may be completely blind to

05:44

what's passing through that encrypted

05:45

tunnel exploitation during the

05:49

exploitation stage the attacker has

05:51

effectively delivered the weapon of

05:53

choice to the victim and the attack has

05:54

been executed this means we have failed

05:56

to keep the weapon out of our

05:57

environment and the only thing left for

05:59

the attacker to do is pull the trigger

06:00

the actual exploit could come in the

06:02

form of a buffer overflow a sequel

06:04

injection malware that was undetected by

06:07

our antivirus solution a client-side

06:09

exploit that was executed on an old

06:10

version of JavaScript and of course many

06:12

others protective measures are limited

06:15

once an attacker has been able to

06:16

execute the exploit but some do exist

06:18

DEP or data execution prevention is a

06:21

software and hardware feature which

06:23

attempts to prevent execution of code in

06:24

memory where it doesn't belong anti

06:26

exploit is a feature on some antivirus

06:28

solutions and monitor known applications

06:30

for unusual calls to memory both of

06:32

these techniques acts as a last line of

06:34

defense against common exploit attempts

06:35

the reality is when an attacker gets to

06:37

this point you're relying on post and

06:39

tools like a sandbox to detect exploits

06:41

that have already been executed a

06:43

sandbox has some preventive capabilities

06:46

depending on the scenario but for most

06:47

Network environments you have what's

06:49

called patient zero patient zero refers

06:51

to the first time an unknown file is

06:53

seen on the network the first person to

06:54

download the file would be infected

06:56

because the malware analysis can take

06:57

several minutes to complete however once

07:00

sandbox determines that the file is

07:01

malicious it can then block that file

07:03

and protect all your other users it will

07:05

alert you that the patient zero is

07:06

infected and you can move on towards

07:08

your mediation and recovery steps it's

07:10

worth noting that an exploit takes

07:12

advantage of some weakness in an

07:13

application or operating system but it's

07:15

not the finish line for the attack the

07:17

goal of the exploit is to gain better

07:19

access and that leads us to our next

07:21

step installation the exploitation and

07:25

the installation phase go hand-in-hand

07:26

a successful exploit allows me to inject

07:28

a payload that will give me a better

07:29

level of access to accomplish my mission

07:31

from an attackers perspective gaining

07:34

better access allows me to control the

07:35

victim at any point in the future even

07:37

after a system has been patched or

07:39

rebooted some common payload and

07:41

techniques during the stage involve DLL

07:42

hijacking injecting meterpreter or

07:45

similar payload installing a remote

07:47

access tool otherwise known as rat

07:49

registry changes to make a program

07:51

automatically startup or persistent and

07:53

executing PowerShell in file this

07:55

attacks once an attacker has gotten this

07:57

far into the system very limited

07:59

protective tools exist Linux based

08:01

systems can use chroot jail as a way to

08:04

isolate processes from the rest of

08:05

system and in this way limiting the

08:07

amount of data the malicious file has

08:08

access to Windows based systems can

08:10

disable PowerShell altogether on systems

08:12

that don't require it fortunately we

08:14

have really good post-infection tools we

08:16

can use at this stage the monitor system

08:18

files a registry for unusual activities

08:20

a good UBA or EDR solution should flag

08:23

any new unauthorized program that has

08:25

been installed as well as detect any

08:27

changes to registry and system processes

08:29

the unauthorized changes to system

08:31

processes and registries should cause a

08:33

log and alert to go off and way before

08:35

you get to this stage your team should

08:37

already have an SOP or plan for this

08:38

type of event this includes things like

08:40

identifying if the device is

08:41

mission-critical removing the device

08:44

from the network changing all

08:45

credentials for users that were logged

08:46

in and so on once a system is determined

08:49

to be infected you can then begin the

08:51

process of restoring that system to a

08:52

known

08:53

State command-and-control at this stage

08:56

the system has been completely

08:58

compromised and in control of the

09:00

attacker if they completed the previous

09:01

steps correctly their access is

09:03

persistent even if you reboot or passive

09:05

vulnerability the infected device could

09:07

immediately be used to carry out the

09:09

mission or it could sit back and wait

09:10

for further instructions from its

09:12

command and control server or defended

09:14

tactics are going to be around limiting

09:15

what they can control and detecting

09:17

unusual activity limiting the damage of

09:20

a breach starts with segmentation

09:21

segmentation will make it harder for the

09:23

attacker to move laterally and easier to

09:25

detect using audit logs if you have the

09:27

ability to do micro segmentation through

09:29

a zero trust security model even better

09:31

this would essentially leave the

09:32

infected user completely isolated on a

09:34

port until they can verify the machine

09:36

is clean and have been authenticated as

09:38

for technical controls most

09:40

next-generation firewalls have a

09:41

database of known command and control

09:42

servers enabling this feature will help

09:44

lock remote access from known bad actors

09:46

there are also many free and paid DNS

09:48

servers that offer botnet and command

09:50

control protection at the DNS level

09:52

attackers will often use evasion

09:53

techniques such as DBA or fast flux to

09:56

generate a large number of domains that

09:57

are used as rendevouz blocking access to

10:00

recently observed domains will stop

10:01

connections to these common hubs well on

10:04

the topic of next-generation firewalls

10:05

make sure you're using layer 7

10:07

application control to block commonly

10:08

known remote access tools like telnet

10:10

SSH netcat PowerShell RDP and various

10:14

other protocols you really have no

10:15

business leaving your network if you do

10:17

have business case for using these tools

10:19

try to lock it down to specific IP

10:21

addresses an attacker will almost always

10:23

use encrypted connections to avoid being

10:25

caught so if you're not doing full SSL

10:27

deep packet inspection you're completely

10:29

blind to any communication attempts

10:31

going through that tunnel for detection

10:33

indicators of compromised or I OCS are

10:36

excellent post detective tools as well

10:37

an IOC is an observed behavior by a user

10:40

server that are indicative of a breach

10:42

io sees can be observed and collected on

10:44

the endpoint or could be collected by a

10:46

syn device with an IO C feed actions on

10:50

objective with the machine now infected

10:52

and the attacker in full control they

10:54

can now execute the action to achieve

10:56

their objective the action is predicated

10:58

by the motivation of the attacker so

11:00

understanding the type of attacker that

11:01

could be targeting your organization is

11:03

critical attackers could be motivated by

11:05

financial reasons

11:06

little nation-state malicious insiders

11:09

are simply wanting to move laterally to

11:11

go after a more important system on the

11:13

network if the goal is data exfiltration

11:15

we can look into tools that prevent data

11:17

from moving off of the endpoint or

11:19

server on endpoint tools like DLP or UVA

11:22

solutions have complementary features to

11:24

detect and prevent specific files from

11:25

moving off the network the problem is if

11:27

an attacker has already gained access to

11:29

your system doing something as simple as

11:31

a screen shot on a protected document

11:32

would not be detected by most of these

11:34

tools lateral movement is a common step

11:36

for an attacker to take once it being

11:38

access into a system at which point they

11:40

begin their reconnaissance stage all

11:41

over again to gain information about the

11:43

internal network this is why network

11:45

segmentation between different clearance

11:46

levels is so important to a network

11:48

design the zero truss security model is

11:51

built around the idea that eventually

11:52

we're all gonna fall victim to this

11:53

stage of the kill chain by removing the

11:55

idea of trust on your inside network you

11:58

can treat all users as untrusted until

12:00

proven otherwise well we won't go into

12:02

detail the zero trust security model

12:03

this model is very effective at

12:05

detecting infected machines and limiting

12:07

the damage that can be done by the

12:08

attacker once a compromised machine is

12:10

identified you can begin your incident

12:12

response planning and eventually reimage

12:14

the system before putting it back on

12:15

your network the seaso perspective the

12:19

kill chain is more than just a model for

12:21

how an attack is executed it's also a

12:23

blueprint for building a good

12:24

cybersecurity program by using multiple

12:26

layers of security throughout each phase

12:28

we make it more more challenging for the

12:29

attack to be successful and that by

12:31

itself may be a victory because so many

12:33

attacks are just opportunistic in nature

12:35

the challenge I always give my clients

12:37

is to rate their security posture from 1

12:39

to 10 at each phase of the chain

12:40

how would your organization deal with an

12:42

attack who got all the way through to

12:44

the installation phase do you have the

12:46

processes in place I could detect that

12:47

if so how long would the attacker sit in

12:50

that phase before it's remediated

12:51

minutes hours days dwell time is the

12:54

length of time an attackers active

12:56

inside the network before being detected

12:58

for C cells and security directors this

13:00

is a critical metric to follow according

13:02

to a report by the Ponte Motta Institute

13:04

and IBM the average dwell time is a

13:06

hundred and ninety-one days now in the

13:08

video on that scary statistic and I hope

13:10

you found all of this informative please

13:12

comment hit like subscribe to stay on

13:14

top of all of our latest releases here

13:15

at the seaso perspective