7/6/2018 10:30 AM
Ryan Stolte
Commentary

Reactive or Proactive? Making the Case for New Kill Chains

Classic kill chain models that aim to find and stop external attacks don't account for threats from insiders. Here's what a modern kill chain should include.

The kill chain model is not new to most security professionals. Created in 2011 by Lockheed Martin, the model highlights the seven stages bad actors typically go through to steal sensitive information. In case you need a refresher, the steps include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective. The goal for security analysts and investigators is to disrupt the chain early, before sensitive data slips out the door. Although the model works for certain kinds of attacks, in many others, it doesn't.

Using more sophisticated techniques than ever before, attackers are coming from both the inside and outside, whether they're employees seeking to do harm, compromised users, or external bad actors. The classic kill chain model was designed to help organizations combat external threats by bad actors. Some organizations try to squeeze other types of threats, such as those posed by insiders, into the classic model, which doesn't work because the behavior of insider threats is not the same as those of outsiders.

Reactive versus Proactive
Kill chain models are reactive by nature: the goal is to stop a potential attack in progress before damage is done. The traditional kill chain aligns with that goal, but other threats, such as malicious insiders, also fit reactive cyber-risk models. A second type of cyber-risk model that can be extremely effective against threats is a proactive model. It flips the recipe on its head and seeks to reduce the attack surface before an attack occurs. Let's first look at examples of reactive cyber-risk models, which commonly fit into one of two categories:

Flight Risks: Employees looking to leave the company elevate the risk of data loss. They tend to be less sophisticated and exhibit less cautious behavior on their way out. The kill chain–style reactive risk model begins with looking for early indicators — for example, an employee who frequently visits job search websites, something he or she typically would not do. However, even if employees are visiting those kinds of websites, that doesn't necessarily mean they are a threat. They become a potential threat when they move to the next stage, for example by uploading unusually large encrypted files to cloud storage at odd working hours.

A combination of those two stages — an employee has repeatedly visited job search websites and has uploaded an unusually large file at odd working hours — is a good indication that the person is a flight risk and must be closely monitored. The next stage entails the employee aggressively trying to pull sensitive data off the network. He may attempt to email sensitive data to an outside address, get blocked, and continue to try other methods until he succeeds.

The goal of this kill chain–style risk model is to identify people who are flight risks and approach them before the exfiltration occurs or, if they do exfiltrate data, to identify the activity and stop them before they cause real damage to the company.

Persistent Insiders: Unlike flight risks, these threats are more sophisticated insiders who have no intention of leaving the organization. They repeatedly look for whatever sensitive data they can get their hands on to hurt the organization and/or sell for profit. Organizations won't see these employees looking at job search websites. Instead, they will visit websites where they can circumvent web proxies. These are websites that allow them to hide, and then jump to the Dark Web, for example, to move data and bypass controls.

The next stage of the chain is when they persistently try logging into systems to which they typically do not have access. They quietly "jiggle doors" looking for sensitive data that is outside the scope of their own role, their peers' roles, and their team's overall role.

The combination of these two stages — visiting suspicious websites and jiggling doors — is a good indication that a person may be a persistent threat. The next stage is when the person acts. For example, on a regular basis, s/he may encrypt small amounts of sensitive data and exfiltrate it outside the network. By breaking the data down into small amounts, the person aims to evade detection, and by encrypting it, makes detection even more difficult because the company cannot see what's inside.

Obviously, the goal is to stop the person before he or she gets to the final stage of exfiltration. The chain shows the progression of events so that organizations can stop the threat before damage is done.
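The two insider chains above can be expressed as ordered stage predicates evaluated per user, so that an analyst sees how far along each chain a person is rather than a pile of unrelated alerts. The following is an added example, not code from the article or from Bay Dynamics; the event fields, thresholds (visit counts, upload sizes, the 07:00-20:00 working window) and the sample users are all constructed assumptions.

```python
from datetime import datetime
# Constructed sample events (not from the article), one record per observed action; the
# "in_scope" flag on login failures is assumed to be enriched upstream from the user's role.
EVENTS = [
    {"user": "alice", "ts": "2018-07-02T09:10", "type": "web", "category": "job_search"},
    {"user": "alice", "ts": "2018-07-03T12:40", "type": "web", "category": "job_search"},
    {"user": "alice", "ts": "2018-07-04T23:15", "type": "upload", "bytes": 900_000_000, "encrypted": True},
    {"user": "alice", "ts": "2018-07-05T22:50", "type": "email_out", "blocked": True},
    {"user": "alice", "ts": "2018-07-05T23:05", "type": "usb_copy", "bytes": 700_000_000},
    {"user": "bob", "ts": "2018-07-02T10:00", "type": "web", "category": "proxy_bypass"},
    {"user": "bob", "ts": "2018-07-02T10:30", "type": "login_fail", "system": "hr-db", "in_scope": False},
    {"user": "bob", "ts": "2018-07-03T11:00", "type": "login_fail", "system": "finance-share", "in_scope": False},
    {"user": "bob", "ts": "2018-07-04T18:00", "type": "upload", "bytes": 2_000_000, "encrypted": True},
    {"user": "bob", "ts": "2018-07-05T18:00", "type": "upload", "bytes": 1_500_000, "encrypted": True},
    {"user": "carol", "ts": "2018-07-02T14:00", "type": "web", "category": "job_search"},
    {"user": "carol", "ts": "2018-07-03T14:00", "type": "web", "category": "job_search"},
]
def odd_hours(ts):  # outside an assumed 07:00-20:00 working window
    h = datetime.fromisoformat(ts).hour
    return h < 7 or h >= 20
def count(ev, **match):  # number of events matching every key/value in match
    return sum(all(e.get(k) == v for k, v in match.items()) for e in ev)
# Flight-risk chain: job-search visits -> large encrypted upload at odd hours ->
# blocked email exfil followed by another channel. All thresholds are assumptions.
FLIGHT_RISK = [
    lambda ev: count(ev, type="web", category="job_search") >= 2,
    lambda ev: any(e["type"] == "upload" and e["encrypted"] and e["bytes"] >= 500_000_000
                   and odd_hours(e["ts"]) for e in ev),
    lambda ev: any(e["type"] == "email_out" and e["blocked"] and any(
        f["type"] in ("usb_copy", "upload") and f["ts"] > e["ts"] for f in ev) for e in ev),
]
# Persistent-insider chain: proxy-bypass sites -> "door jiggling" at out-of-scope
# systems -> repeated small encrypted uploads (drip exfiltration).
PERSISTENT = [
    lambda ev: count(ev, type="web", category="proxy_bypass") >= 1,
    lambda ev: len({e["system"] for e in ev if e["type"] == "login_fail" and not e["in_scope"]}) >= 2,
    lambda ev: sum(e["type"] == "upload" and e["encrypted"] and e["bytes"] < 10_000_000 for e in ev) >= 2,
]

def stage_reached(chain, ev):
    """Consecutive stages satisfied from the first; 0 means the user is not on the chain."""
    for i, stage in enumerate(chain):
        if not stage(ev):
            return i
    return len(chain)
def evaluate(events=EVENTS):
    """Per user: (flight-risk stage, persistent-insider stage). Stage 1 alone is a watch signal."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    return {u: (stage_reached(FLIGHT_RISK, ev), stage_reached(PERSISTENT, ev)) for u, ev in by_user.items()}
```

On the constructed data, alice reaches the last flight-risk stage, bob the last persistent-insider stage, and carol only the first flight-risk stage, which is the "job sites alone are not a threat" case the article describes.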

Insider threat models are an example of a reactive chain of events. Many organizations have tried to squeeze these into the original kill chain model only to find they need to skip stages, and often feel like they're trying to put a square peg in a round hole. Leveraging the principle that emerged and was made popular by the kill chain is very important, but being flexible enough to adapt to today's threat landscape is critical to success.

To take the leap to proactive cyber-risk management, consider a predictive model for combatting ransomware. Instead of looking for indicators of a threat in progress, the chain begins with identifying which machines, applications, and systems are susceptible to ransomware, and then determining which ones contain sensitive data. From there, organizations can easily understand which assets need better patching or tighter controls, and finally see which of these machines are actively being attacked and how effective their response has been. Together, this provides predictive, proactive visibility to reduce the attack surface and get ahead of the attackers.
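The proactive ransomware chain just described is a funnel over the asset inventory rather than over user behavior. The following is an added example, not code from the article or from any vendor; the asset fields (missing patch count, exposure, data sensitivity, attack and block counts) and the susceptibility criteria are constructed assumptions standing in for what an inventory, a classification scan and a detection feed would supply.

```python
# Constructed asset records (not from the article). The fields are assumptions about what
# an inventory, a data-classification scan and a detection feed would supply per host.
ASSETS = [
    {"host": "fs-01",   "missing_patches": 3, "exposed": True,  "sensitive": True,  "attacks": 4, "blocked": 4},
    {"host": "fs-02",   "missing_patches": 0, "exposed": False, "sensitive": True,  "attacks": 0, "blocked": 0},
    {"host": "kiosk-7", "missing_patches": 5, "exposed": True,  "sensitive": False, "attacks": 9, "blocked": 9},
    {"host": "hr-db",   "missing_patches": 1, "exposed": False, "sensitive": True,  "attacks": 2, "blocked": 1},
    {"host": "lab-3",   "missing_patches": 2, "exposed": True,  "sensitive": True,  "attacks": 0, "blocked": 0},
]

def susceptible(a):  # unpatched, or reachable from outside its segment (assumed criteria)
    return a["missing_patches"] > 0 or a["exposed"]

def funnel(assets=ASSETS):
    """Proactive chain: susceptible -> holds sensitive data -> actively attacked -> response gap."""
    stage1 = [a for a in assets if susceptible(a)]
    stage2 = [a for a in stage1 if a["sensitive"]]
    stage3 = [a for a in stage2 if a["attacks"] > 0]
    stage4 = [a for a in stage3 if a["blocked"] < a["attacks"]]  # at least one attack got through
    return [[a["host"] for a in s] for s in (stage1, stage2, stage3, stage4)]

def work_order(assets=ASSETS):
    """Hosts to patch or wrap in tighter controls first: deepest funnel stage, then most missing patches."""
    stages = funnel(assets)
    patches = {a["host"]: a["missing_patches"] for a in assets}
    depth = {h: max(i for i, s in enumerate(stages) if h in s) for h in stages[0]}
    return sorted(depth, key=lambda h: (-depth[h], -patches[h]))
```

The kiosk with the most missing patches lands last because it holds no sensitive data, while the database that is both sensitive and has let an attack through comes first; the funnel counts at each stage are the "how effective has the response been" view the article asks for.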

Whereas reactive kill chain models aim to find threats and stop them before it's too late, proactive models aim to reduce attack opportunities before attackers strike. If companies adopt this broader set of models, in addition to applying the classic one, they will spend fewer human resources and less time hunting threats and stay ahead of attackers before they cause harm.


Ryan Stolte is co-founder and CTO at Bay Dynamics, a cyber risk analytics company that enables enterprises and government agencies to prioritize and mitigate their most critical threats. Ryan has spent more than 20 years of his career solving big data problems with ...
Comments

No SOPA, 7/6/2018 | 1:21:43 PM
Lockheed Martin at BlackHat and on GitHub
Back in 2013 DR did another article on kill chain and how Lockheed Martin approached that process. In fact, Lockheed did a presentation at Black Hat and the conclusion of that paper back in 2012 was that their "current batch of Intrusion Detection products are clearly insufficient against today's targeted modern threats." Their presentation laid out "a series of models for how to rethink the problem from the ground up. Stepping back from our need to only instrument highly actionable events is the first and most important realization that we have outlined. The event pipeline provides a framework to understand how low confidence events can and should be assimilated into an effective intrusion detection program."

Jump to 2018 and that declaration of intent to develop a better kill chain process has Lockheed leading the industry with their Cyber Kill Chain, notably "proactive" and to some extent "predictive" in character. As cool as this all sounds, I'm afraid that the industry still needs to bring this model and idea of cyber defense down to a more digestible level. At Black Hat Lockheed sounded like the next step in cyber defense was ready to be revealed, but for the everyday security analyst, Cyber Kill Chain may come off like yet another expensive bloatware Enterprise product. Luckily, Lockheed Martin has shared some of its tech on GitHub with several threat analysis and prevention tools that it has open-sourced. Better understanding of kill chains and the attack phases may come from the FOSS community in the short term, with easily accessible and free implementations to play with.

In addition to the LM GitHub code, I recommend Security Onion (SO), a GNU/Linux OS for security professionals, to play with code related to the newer kill chain models.
