Download Using an expanded cyber kill chain model to increase

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
Document related concepts

Mobile security wikipedia , lookup

Unix security wikipedia , lookup

Computer security wikipedia , lookup

Cyberwarfare wikipedia , lookup

Cyberattack wikipedia , lookup

Transcript 
USING AN
EXPANDED
CYBER KILL CHAIN MODEL
TO INCREASE ATTACK
RESILIENCY
SEAN T MALONE
@SEANTMALONE
WWW.SEANTMALONE.COM
WWW.FUSIONX.COM
PRESENTER BACKGROUND
• 10+ Years in Offensive Information
Security
• 4 Years of Adversary Simulation
with FusionX
• Executing Realistic Attack
Simulations – and Responding
When it’s NOT a Drill
2
AGENDA
• Legacy Cyber Kill Chain Model
• The Expanded Cyber Kill Chain Model
- The Internal Kill Chain
- The Target Manipulation Kill Chain
• Understanding the Stages of a Sophisticated Attack
• Using the Expanded Model to Build a Resilient Enterprise
3
LEGACY CYBER KILL CHAIN MODEL
Reconnaissance
• Harvesting email addresses, conference
information, etc.
Weaponization
• Coupling exploit with backdoor into
deliverable payload
Delivery
• Delivering weaponized bundle to the victim
via email, web, USB, etc.
Exploitation
• Exploiting a vulnerability to execute code
on victim’s system
Installation
• Installing malware on the asset
Command & Control (C2)
• Command channel for remote
manipulation of victim
Actions on Objectives
• With “Hands on Keyboard” access,
intruders accomplish their original goal
From http://cyber.lockheedmartin.com/solutions/cyber-kill-chain
4
LEGACY CYBER KILL CHAIN MODEL
“The Cyber Kill Chain model, as sexy as it
is, reinforces old-school, perimeterfocused, malware-prevention thinking.”
- Giora Engel, Deconstructing The Cyber Kill Chain,
Dark Reading 2014
“Excellent for [external] attacks,
but doesn’t exactly work for
insider threats.”
“In today’s environment, every
cyber attacker is a potential
insider.”
- Patrick Reidy, Combating the Insider Threat at
the FBI, Black Hat USA 2013
- Matt Devost, Every Cyber Attacker is an Insider,
OODA Loop 2015
5
“Perimeter Breach Kill Chain”
LEGACY CYBER KILL CHAIN MODEL
Reconnaissance
• Harvesting email addresses, conference
information, etc.
Weaponization
• Coupling exploit with backdoor into
deliverable payload
Delivery
• Delivering weaponized bundle to the victim
via email, web, USB, etc.
Exploitation
• Exploiting a vulnerability to execute code
on victim’s system
Installation
• Installing malware on the asset
Command & Control (C2)
• Command channel for remote
manipulation of victim
Actions on Objectives
• With “Hands on Keyboard” access,
intruders accomplish their original goal
GAME
OVER ?
6
Example Target Manipulation Objectives:
• Financial Theft
‒ Modify queued wire transfers to redirect payments
• Reputation Impact and Loss of Market Share through DoS
‒ Disable all company workstations
• Disable Infrastructure in Preparation for Kinetic Attack
‒ Quickly cycle smart electric meters to overload grid
• Provide Propaganda Support for Coup Attempt
‒ Hijack television broadcast
• Cause Terror in Regional Population
‒ Change concentration of chemicals added to water supply
THE EXPANDED CYBER KILL CHAIN MODEL
LEGACY CYBER
KILL CHAIN
INTERNAL KILL
CHAIN
TARGET
MANIPULATION
KILL CHAIN
Breach the Enterprise
Network Perimeter
Gain Access to
Target Systems
Manipulate Target Systems
to Achieve Objective
8
THE EXPANDED CYBER KILL CHAIN MODEL
LEGACY CYBER KILL CHAIN
External
Weaponization
Reconnaissance
Common to Most
Objectives
Objective-Specific
Delivery
External
Exploitation
Installation
Command &
Control
Actions on
Objectives
INTERNAL KILL CHAIN
Internal
Internal
Reconnaissance Exploitation
Ent. Privilege
Escalation
Lateral
Movement
Target
Manipulation
TARGET MANIPULATION KILL CHAIN
Target
Target
Reconnaissance Exploitation
Weaponization
Installation
Execution
9
10
ALTERNATIVE: SPIRAL MODEL
11
ALTERNATIVE: TREE MODEL
X
Origin
X
Objective
X
X
X
X
12
UNDERSTANDING THE STAGES OF A
SOPHISTICATED ATTACK
13
INTERNAL RECONNAISSANCE
INTERNAL KILL CHAIN
Internal
Reconnaissance
Internal
Exploitation
OBJECTIVE
TIME REQUIRED
Data mine available systems
and map the internal
network and vulnerabilities
1 to 2+ Weeks
OFFENSIVE TTPS
DEFENSIVE TTPS
Enterprise
Privilege
Escalation
Lateral
Movement
Target
Manipulation
•
•
DOMEX of local files,
network shares, browser
history, wiki/SharePoint
Light service probing
•
•
Prevent: Granular resource
authorization
Detect: Behavioral changes
from this IP & user account
14
INTERNAL EXPLOITATION
INTERNAL KILL CHAIN
Internal
Reconnaissance
Internal
Exploitation
Enterprise
Privilege
Escalation
Lateral
Movement
Target
Manipulation
•
•
•
OBJECTIVE
TIME REQUIRED
Exploit information and
vulnerabilities on internal
systems
2 Days
OFFENSIVE TTPS
DEFENSIVE TTPS
System vulnerabilities
Web application
vulnerabilities
LLMNR/NBNS Spoofing
•
•
Prevent: Patch & vuln.
management (including dev
& test systems)
Detect: Endpoint protection
15
ENTERPRISE PRIVILEGE ESCALATION
INTERNAL KILL CHAIN
Internal
Reconnaissance
Internal
Exploitation
Enterprise
Privilege
Escalation
Lateral
Movement
Target
Manipulation
•
•
•
•
OBJECTIVE
TIME REQUIRED
Leverage compromised
accounts and trust
relationships to gain a high
level of privilege
1 to 3 Days
OFFENSIVE TTPS
DEFENSIVE TTPS
Kernel / system vulns.
Pass-the-hash & Mimikatz
Unprotected SSH keys
Creds in configuration files
•
•
Prevent: Run as leastprivilege accounts; use good
security hygiene
Detect: Behavioral analytics
16
LATERAL MOVEMENT
INTERNAL KILL CHAIN
Internal
Reconnaissance
Internal
Exploitation
OBJECTIVE
TIME REQUIRED
Pivot through compromised
systems into restricted
network zones
4 Hours
OFFENSIVE TTPS
DEFENSIVE TTPS
Enterprise
Privilege
Escalation
Lateral
Movement
Target
Manipulation
•
•
Target virtualization, backup,
config management layers
Layer SSH proxy tunnels to go
deep
•
•
Prevent: Segmented security
zones at all layers
Detect: Behavioral analysis of
successful login events
17
TARGET MANIPULATION KILL CHAIN
TARGET RECONNAISSANCE
OBJECTIVE
TIME REQUIRED
Map & understand objectivespecific systems
1 Week to 3 Months
OFFENSIVE TTPS
DEFENSIVE TTPS
Target
Reconnaissance
Target
Exploitation
Weaponization
Installation
Execution
•
•
DOMEX of Vendor
documentation, internal
training, source code
Standard admin utilities
•
•
Prevent: Restricted access to
documentation &
specifications
Detect: Access patterns
18
TARGET MANIPULATION KILL CHAIN
TARGET EXPLOITATION
Target
Reconnaissance
Target
Exploitation
OBJECTIVE
TIME REQUIRED
Gain access to target systems
via trust relationships or new
vulnerabilities
1 Hour
OFFENSIVE TTPS
DEFENSIVE TTPS
Weaponization
Installation
Execution
•
•
Default credentials, EOL
systems, vendor backdoors
Trust relationships with
central authentication system
•
•
Prevent: Change defaults &
segregate authentication
Detect: Endpoint protection
and behavioral analytics
19
TARGET MANIPULATION KILL CHAIN
WEAPONIZATION
Target
Reconnaissance
Target
Exploitation
OBJECTIVE
TIME REQUIRED
Develop platform-specific
malware to subvert target
systems & business
processes
1 Week to 3 Months
OFFENSIVE TTPS
DEFENSIVE TTPS
Weaponization
Installation
Execution
•
•
Duplicate target environment
in a lab
Extract, decompile, and
reverse proprietary software
•
•
Prevent: Harden/obfuscate
applications to make
reversing difficult
Detect: N/A - working offline
20
TARGET MANIPULATION KILL CHAIN
INSTALLATION
Target
Reconnaissance
Target
Exploitation
OBJECTIVE
TIME REQUIRED
Deploy custom malware to
target systems
1 Hour
OFFENSIVE TTPS
DEFENSIVE TTPS
Weaponization
Installation
Execution
•
•
Patch or replace scripts,
binaries, and configurations
Tamper with detective
controls
•
•
Prevent: Application signing
Detect: File integrity
monitoring, redundant
processing systems
21
TARGET MANIPULATION KILL CHAIN
EXECUTION
Target
Reconnaissance
Target
Exploitation
OBJECTIVE
TIME REQUIRED
Activate malware to subvert
target system operation,
with material consequences
1 Second
OFFENSIVE TTPS
DEFENSIVE TTPS
Weaponization
Installation
Execution
•
•
Wait for optimal timing
(market or geopolitical)
May be all at once or slow
damage over time
•
•
Response controls – have you
war-gamed this?
Breach insurance may help
mitigate impact
22
BUILDING A RESILIENT ENTERPRISE
23
THE RESILIENT MINDSET
EVERY CONTROL
WILL FAIL
If the adversary has access to:
• The internal corporate network
• Any username and password
• All documentation & specifications
What would you do differently?
24
Prevention Controls
Threshold of Defender Success
Detection &
Response Controls
THE CYBER DEFENSE THRESHOLD
(For a Given Adversary Sophistication)
Time Required for Adversary to
Achieve Objective
Time Required to Detect
and Eradicate Intrusion
25
CHANGING THE ECONOMICS
Safe Zone
(Negative Adversary ROI)
Level of
Sophistication
=
Level of Adversary’s
Investment
Adversary Investment ($)
Value to Adversary of
Defended Asset ($)
Danger Zone
(Positive Adversary ROI)
Strength of Defenses (Prevention + Detection)
26
FINAL THOUGHTS,
QUESTIONS, AND DISCUSSION
SEAN T MALONE
@SEANTMALONE
(SLIDES AVAILABLE AT) WWW.SEANTMALONE.COM
27
Related documents
D efe ns iv
D efe ns iv
TODAY’S TECHNOLOGY CAN CHANGE IN THE BLINK OF AN EYE.
TODAY’S TECHNOLOGY CAN CHANGE IN THE BLINK OF AN EYE.
Courage
Courage
Siemplify, a fast-growing cyber security start
Siemplify, a fast-growing cyber security start
Artificial Intelligence Engineer
Artificial Intelligence Engineer
Maritime Cyber Vulnerabilities in the Energy Domain
Maritime Cyber Vulnerabilities in the Energy Domain
• Overview of Cyber Security & need of cyber security • Introduction
• Overview of Cyber Security & need of cyber security • Introduction
Blood Notes
Blood Notes
apdf nov 4 - 0910 sakada
apdf nov 4 - 0910 sakada
The Origin Organism - Florence`s Soesanto Portfolio
The Origin Organism - Florence`s Soesanto Portfolio