(PROOF) Project Cyber Kill Chain
Adversaries
Table of Contents
Introduction
Conclusion
Appendix B: Attributes
Common Attributes
Extended Attributes
Appendix C
References
Introduction
Modern network intrusions are more likely to target individuals and rely
on social engineering or deception than on brute force. Defense against
such attacks should focus on the adversary, not the tools. By
DHA are considered to have gained Entry into a network once they
have bypassed its primary security barriers. This often coincides with the
delivery of a weaponized payload (an e-mail attachment, a website, a
USB drive) and basic access to one or more non-critical internal
environments.
Once DHA have gained access to a low-privilege or locally credentialed
system (often by exploiting a system or application vulnerability, and
sometimes by persuading the user to execute malicious code) and
are able to stay resident in the environment, they are considered to
have gained a Foothold. Detection of Foothold events includes alerts on
localized compromise of a system, compromise of employee
credentials, uploading of tools, installation of remote access tools, and
attempts to escalate privileges.
The ability to move beyond the Foothold indicates Lateral Movement
capability on the part of the DHA, which puts the immediate network and
adjacent logical environments at risk. However, opportunities to detect the
DHA at this phase also increase; for instance, movement can be seen in
network flow data. While Lateral Movement may be a significant step
toward a DHA's goal, in McRaven's Relative Superiority model it does
not yet correspond to reaching the RS Line. It is, in some respects, a
"make or break" phase.
DHA Acquire Control in an environment when they gain privileged
access to its assets and resources. In most cases this signals
that the adversary has achieved Relative Superiority and that the attack is
more likely to succeed than to fail. Detection is still possible, but taking
action against DHA that hold privileged access and control over an entire
environment becomes difficult. Acquire Control is an escalated version
of Entry (basic access to non-privileged systems). For some types of
intrusion, Acquire Control often coincides with increased Lateral
Movement.
DHA are said to have Acquired a Target when they can assess a target
asset, neutralize its point defenses, and consolidate control over the asset,
its resources, or its capabilities. Acquire Target is an escalated version of
Foothold (control of a non-privileged environment). Deactivation of key
administrative controls, filtering and compression of data files for
extraction, or compromise of a PKI system are several signs by which a
defender can detect that a DHA has control of a target.
At the Implement/Execute phase, we see the execution of attack code
or the implementation of a process on an acquired target. DHA will
move to extract or destroy data, consolidate and integrate control, and
may sometimes communicate demands.
Attributes of an Intrusion
The ability to associate events allows us to expand upon the Cyber Kill
Chain model and produce a clearer picture of each attack. Building
these pictures depends on attributes, the least common
denominator for describing base types of action; they allow us to
connect, group, and correlate activities that may otherwise appear
unrelated. Attributes include the time of first detection, the duration of the
event, identifiers, the source of the alert or detection, targeting, indicators
of compromise, and the base type of action itself.
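The following is an added example (not code from the paper or its authors) of the correlation step just described: alerts from different sensors are grouped whenever they share an attribute value (host, account, file hash, C2 domain), and each group is then laid out along the paper's phases, ordered by time of first detection. The alert records, attribute names, and phase list are constructed for illustration.

```python
"""Correlate alerts into one intrusion picture by shared attributes.

Added example, not from the paper. The alerts below are constructed:
each carries the attribute types the paper lists (time of first
detection, source of the alert, base type of action as a kill chain
phase, identifiers and indicators of compromise).
"""
from collections import defaultdict
from datetime import datetime

# Phase order used in the paper, from Entry to Implement/Execute.
PHASES = ["Entry", "Foothold", "Lateral Movement", "Acquire Control",
          "Acquire Target", "Implement/Execute"]

# Attribute keys naming the same kind of thing are correlated together:
# the destination host of one alert is the source host of the next.
ALIAS = {"dst_host": "host"}

# Constructed sample alerts (assumed field names, not real data).
ALERTS = [
    {"id": "A1", "source": "mail-gw", "phase": "Entry",
     "first_seen": "2012-03-01T09:02:00",
     "attrs": {"host": "ws-17", "account": "jdoe", "sha256": "aa11"}},
    {"id": "A2", "source": "netflow", "phase": "Lateral Movement",
     "first_seen": "2012-03-02T14:11:00",
     "attrs": {"host": "ws-17", "dst_host": "fs-02", "account": "jdoe"}},
    {"id": "A3", "source": "proxy", "phase": "Acquire Control",
     "first_seen": "2012-03-03T02:30:00",
     "attrs": {"host": "fs-02", "c2": "cdn-update.example"}},
    # Unrelated alert: shares no attribute value with the others.
    {"id": "A4", "source": "ids", "phase": "Entry",
     "first_seen": "2012-03-01T11:00:00",
     "attrs": {"host": "ws-40", "sha256": "ff99"}},
]


def _keys(alert):
    """(kind, value) pairs an alert can be correlated on."""
    return {(ALIAS.get(k, k), v) for k, v in alert["attrs"].items()}


def cluster(alerts):
    """Union-find over alerts: any two alerts that share an attribute
    value land in the same group. Each group is sorted by first_seen."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owner = {}  # (kind, value) -> id of the first alert carrying it
    for a in alerts:
        for key in _keys(a):
            if key in owner:
                ra, rb = find(owner[key]), find(a["id"])
                if ra != rb:
                    parent[rb] = ra
            else:
                owner[key] = a["id"]

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    return [sorted(g, key=lambda a: a["first_seen"]) for g in groups.values()]


def summarize(group):
    """Lay one correlated group out along the kill chain."""
    seen_phases = {a["phase"] for a in group}
    deepest = max(seen_phases, key=PHASES.index)
    start = datetime.fromisoformat(group[0]["first_seen"])
    end = datetime.fromisoformat(group[-1]["first_seen"])
    return {
        "alerts": [a["id"] for a in group],
        "sources": sorted({a["source"] for a in group}),
        "first_detected_phase": group[0]["phase"],
        "deepest_phase": deepest,
        # Phases up to the deepest one that produced no alert at all:
        # barriers the DHA passed without being seen.
        "silent_phases": [p for p in PHASES[:PHASES.index(deepest) + 1]
                          if p not in seen_phases],
        "duration_minutes": int((end - start).total_seconds() // 60),
        "indicators": sorted(set().union(*(_keys(a) for a in group))),
    }


def build_picture(alerts):
    """One summary per correlated intrusion."""
    return [summarize(g) for g in cluster(alerts)]


if __name__ == "__main__":
    for picture in build_picture(ALERTS):
        print(picture)
```

The `silent_phases` field is the practical output: for the constructed data the intrusion was seen at Entry, Lateral Movement and Acquire Control but never at Foothold, which points at the barrier that was passed unobserved.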
Attributes, also known in the security community as indicators or
markers, range in type: Common (soft markers) and Extended (hard
Visualizing Threats
However, as DHA move past network defenses and gain further control
of the targeted environment, the processes in place will begin to fail. A
barometer for the RS line in CND could be movement past Lateral
Movement. Similarly, network defenses and processes that continue to
function and manage to contain DHA to Lateral Movement are
performing at a CMM-like Mitigating level. On the other hand, a DHA that
has moved up the Kill Chain to acquire its target and execute its attack
code, to the point where it is able to remain concealed, indicates a total
loss of control by the administrators of the targeted
environment, reducing operating maturity to Chaotic.
In general, the further up the Cyber Kill Chain DHA are able to move,
the less predictable our environment (and the processes in place) will
become.
Classifying Threats
In Threat Genomics, the authors state: "Two actors attempting the
same attack, even with similar tools, goals, and timeframe, may still
differ in their approach due to cultural and organizational differences
between the two." Recognizing this concept encourages us to focus on
the types of traits and behavior, and therefore the kinds
of attacks, which serious adversaries display.
For example, in one situation we may encounter a DHA that prefers
extended reconnaissance followed by rapid intrusion and concealment
phases in order to avoid detection. Another DHA
may dedicate more time to the intrusion, either perceiving it as minimal
risk or perhaps even desiring detection and attribution. What causes
these differences in observable behavior? The authors of Threat
Genomics suggest: "These variations in observable expression may
have a cultural basis, an organizational basis, or a combination of the
two."
Turning back to McRaven: there are six observable principles present
in all significant and successful special operations: simplicity, security,
repetition, surprise, speed, and purpose. These six principles are traits
that most successful military attacks possess (those that reached
Relative Superiority quickly and succeeded). Similarly, during a
successful cyber intrusion, patterns of actions and transitions between
types of action will be observed. When mounting a defense against a
DHA, we want to identify the types of actions that separate them from less
sophisticated cyber intruders, which allows for more robust
defenses.
Mounting a Defense
Once we have acquired knowledge of the adversary, appropriate
courses of action can be applied by aligning defenses to each
phase of the intrusion. The U.S. Department of Defense (DOD)
information operations doctrine serves as a solid foundation for
building a matrix of possible courses of action. The doctrine lists a set
of six possible actions: detect, deny, disrupt, degrade, deceive, and
destroy.
The purpose of a Courses of Action Matrix (Table 1) is twofold: First, it
can be used as a barometer to quickly assess what sort of defenses are
in place in the network prior to intrusion; second, it can serve as a
guide during post-intrusion analysis to gauge where additional
resources should be directed to counter a similar attack in the future.
A more complete table represents network defense resiliency, our
primary goal when faced with DHA. However, even with the best
defenses, zero-day exploits and attacks are, by definition, impossible
to stop in advance. A robust defense structure that includes DHA analysis,
the Cyber Kill Chain, and threat sequences recognizes a
zero-day exploit as just one breakthrough in the overall attack
process. DHA are likely to reuse known tools or infrastructure in other
phases, allowing established defenses to render the major
improvement in the attack arsenal useless.
By implementing defenses across the full set of actions (Detect, Deny,
etc.) and down each phase of the kill chain, we can achieve a
defensive strategy that leverages redundancy to force DHA to make
more comprehensive alterations to reach their objectives. The end result
is an effective deterrent that increases the DHA's cost per intrusion.
Intrusion Reconstruction
"Kill chain analysis is a guide for analysts to understand what
information is available for defensive courses of action."
Most detected intrusions reveal only a limited set of attributes about a
single phase (e.g., detecting the intrusion at Command and
Control, or C2, referred to in this paper as the Acquire Control and
Acquire Target phases; see Figure 5). Since the goal
in CND is to populate the courses of action matrix with the maximum
number of options, our aim is to gain as much knowledge as possible
about an intrusion during each phase of the kill chain.
Let's break down a scenario in which an intrusion was detected during
Acquire Control/Acquire Target. Because the DHA wasn't detected
until that phase, we can assume that movement past the barriers between
prior phases was successful. Therefore, analyzing all available data
may give insight into where the defenses failed. By reproducing
how the intrusion was able to bypass the delivery phase, for instance,
we can set up appropriate courses of action to mitigate future attacks.
The goal should always be to move our detection and analysis down
the kill chain (toward Reconnaissance; see Figure 6) and implement
courses of action that force the adversary away from Relative
Superiority (e.g., if the attacker is able to acquire control by means of a
zero-day attack, their chances of successfully completing their mission
rise sharply).
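The Courses of Action matrix from the Mounting a Defense section and the reconstruction goal just described (moving detection down the kill chain toward Reconnaissance) can be worked as a small data structure. The following is an added example, not code from the paper: phases are rows, the six DOD actions are columns, and the controls placed in the cells are constructed placeholders. The phase list adds Reconnaissance to the paper's six named phases because the text refers to it; that ordering is an assumption.

```python
"""Courses of Action matrix: paper's phases x DOD IO actions.

Added example, not from the paper. The controls in sample_matrix() are
constructed placeholders, and the phase list (with Reconnaissance
prepended) is an assumption.
"""

PHASES = ["Reconnaissance", "Entry", "Foothold", "Lateral Movement",
          "Acquire Control", "Acquire Target", "Implement/Execute"]
ACTIONS = ["detect", "deny", "disrupt", "degrade", "deceive", "destroy"]


def empty_matrix():
    """One empty list of controls per (phase, action) cell."""
    return {p: {a: [] for a in ACTIONS} for p in PHASES}


def add_control(matrix, phase, action, control):
    if phase not in matrix or action not in ACTIONS:
        raise ValueError(f"unknown cell {phase!r}/{action!r}")
    matrix[phase][action].append(control)


def coverage(matrix):
    """Number of actions with at least one control, per phase
    (the pre-intrusion barometer)."""
    return {p: sum(1 for a in ACTIONS if matrix[p][a]) for p in PHASES}


def gaps(matrix):
    """Every empty (phase, action) cell."""
    return [(p, a) for p in PHASES for a in ACTIONS if not matrix[p][a]]


def pre_detection_gaps(matrix, detected_phase):
    """Empty cells in all phases before the one where an intrusion was
    first seen: the post-intrusion guide to where detection should be
    pushed down the kill chain."""
    cutoff = PHASES.index(detected_phase)
    return [(p, a) for (p, a) in gaps(matrix) if PHASES.index(p) < cutoff]


def render(matrix):
    """Plain-text table, one row per phase, 'x' where a control exists."""
    width = max(len(p) for p in PHASES)
    lines = [" " * width + "  " + "  ".join(a[:7].ljust(7) for a in ACTIONS)]
    for p in PHASES:
        cells = ["x".ljust(7) if matrix[p][a] else "-".ljust(7) for a in ACTIONS]
        lines.append(p.ljust(width) + "  " + "  ".join(cells))
    return "\n".join(lines)


def sample_matrix():
    """Constructed set of controls; not a recommendation."""
    m = empty_matrix()
    for phase, action, control in [
        ("Reconnaissance", "detect", "web server log review"),
        ("Entry", "detect", "mail gateway attachment scanning"),
        ("Entry", "deny", "attachment type blocking"),
        ("Foothold", "detect", "host-based IDS"),
        ("Foothold", "deny", "application allow-listing"),
        ("Lateral Movement", "detect", "netflow anomaly review"),
        ("Acquire Control", "detect", "proxy alert on known C2 domains"),
        ("Acquire Control", "deny", "proxy block of known C2 domains"),
        ("Acquire Target", "degrade", "data transfer rate limiting"),
        ("Implement/Execute", "disrupt", "outbound egress filtering"),
    ]:
        add_control(m, phase, action, control)
    return m


if __name__ == "__main__":
    m = sample_matrix()
    print(render(m))
    print("coverage:", coverage(m))
    # Scenario from the text: intrusion first seen at Acquire Control.
    for cell in pre_detection_gaps(m, "Acquire Control"):
        print("fill:", cell)
```

Running the scenario from the text (first detection at Acquire Control) lists every empty cell in Reconnaissance, Entry, Foothold and Lateral Movement, which is the set of places where an added control would have caught the intrusion earlier.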
instance), such a dataset has not yet been published for organizational
dimensions. However, we can still use this early research as a basis for
seeking answers to simple questions such as: are adversaries free actors?
Are they corporate or military?
By using these additional metrics in DHA classification, we can begin to
construct a rich history of data, much like our attack pattern libraries,
and fully leverage additional organizational and cultural dimensions
research as it is published.
Conclusion
Determined Human Adversaries (DHA) and Advanced Persistent
Threats (APT) leverage an array of tools and strategies and represent
the modern threat to organizations, governments, and businesses.
Creating a defense against such intrusions relies on combining past
knowledge (military doctrines) to build a framework that applies to
computer networks.
Below is a summary of key lessons.
First, build upon existing knowledge. Creating a whole new model to
describe network intrusions is certainly more romantic, but no one has
been rewarded for reinventing the wheel. By building upon military
frameworks, the researchers featured here were able to construct new
applications atop a strong and tested foundation.
Second, qualitative metrics are a good start. Quantitative metrics are
desirable, but a still immature history of events limits our ability to
mimic the quantitative certainty employed by the military (e.g., "air
superiority in day-time attacks lends an additional X% chance of
mission success"). Instead, we should recognize that qualitative
metrics give us sufficient knowledge to begin implementing "smarter"
defenses. Qualitative/category-based labels, consistent criteria, and
attack patterns are strong steps toward defining threats.
Finally, careful analysis can occur prior to attacks. We do not need to
wait for intrusions to begin creating a library of attack patterns and
DHA profiles. Looking through prior attacks in the literature that
correlate with the risks an organization may expose in its network is
the first step. We then create a Courses of Action matrix for defenses
that are already in place and run through prior intrusions in war game
style scenarios to search for weaknesses and find areas where added
resources would be beneficial.
Appendix B: Attributes
Appendix B contains a list of Common and Extended Attributes from
reference 3.
Common Attributes
Extended Attributes
References
1. Espenschied, Jonathan A., "A Discussion of Threat Behavior:
Attackers & Patterns." White paper, Microsoft Trustworthy
Computing, 2012.
2. Hutchins, Eric M. et al., "Intelligence-Driven Computer Network
Defense Informed by Analysis of Adversary Campaigns and
Intrusion Kill Chains." White paper, Lockheed Martin Corporation.
3. Espenschied, Jonathan A. and Gunn, Angela, "Threat Genomics."
White paper, Microsoft Trustworthy Computing, 2012.
4. Cloppert, Michael, "Intelligence-Driven Response for Combating
the Advanced Persistent Threat." Slide deck, Lockheed Martin
CIRT, 2010.
5. Amin, Rohan M., "Detecting Targeted Malicious Email Through
Supervised Classification of Persistent Threat and Recipient
Oriented Features." Ph.D. diss., George Washington University,
2011.