In the world of Cybersecurity, after a security breach has happened, there are a few key things that have to take place. First, you need to bring your business back up as quickly and seamlessly as possible. This can only happen with well-planned Incident Response and Disaster Recovery plans. Then, once there is some sense of normalcy, you will want to conduct a detailed forensics exam to see how it all happened.
But apart from this, you also want to find the Cyberattacker and/or their corresponding group that did this, and bring them to justice. In order to do the latter, you need to have all of your evidence in place first, and make sure that it is admissible in a court of law. Trying to find out exactly who the predator is, is also known as “Attribution”.
Throughout the years, a number of Fortune 500 companies have created models to get into the mindset of a Cyberattacker. The ultimate goal of all of this is to see what the motivating factor was in launching the attack, and to try to trace where in the world they could be, in terms of physical location.
One such company that tried to do this is Lockheed Martin, and what they came up with is known today as the “Cyber Kill Chain”. The key components of it are as follows:
1) Reconnaissance: This is where the Cyberattacker targets you as a victim and, from there, takes their own sweet time to find all of your weak spots and backdoors through which they could possibly enter. This can range from launching Phishing emails to scoping out third-party vendors to engaging in Social Engineering tactics, and even studying the social media profiles of your employees. The bottom line is that they want to find that very critical weak spot and move in. Heck, even after they move in, they still may not do any damage. For example, they can stick around on the inside for a very long time and move in a lateral fashion to see what more you have in your IT and Network infrastructure.
2) Weaponization & Deployment: After gaining entry, this is the moment in time when the Cyberattacker decides to deploy their malicious payload, which could range anywhere from a worm, virus, piece of malware, Trojan Horse, etc. The primary goal here is to exploit, as much as possible, a vulnerability that was discovered.
3) Exploitation: This is where the malicious payload actually detonates. There are numerous ways that this can happen, such as an employee clicking on a phony link, opening an infected attachment, or, quite simply, the payload could be set to detonate at a specific time and date. The latter are technically known as “Logic Bombs”.
4) Installation: Remember, a malicious payload does not always have to detonate. It could be deployed on a victim’s wireless device in order for the Cyberattacker to gain remote access to it. In this regard, the payload technically becomes a “Dropper”.
5) Command & Control: If a Dropper has been installed, the Cyberattacker will then use it to scope out the victim’s device and see what is worth targeting. Keep in mind that they can be inside your systems for a very long period of time, very often going unnoticed. But once they are discovered, they will leave immediately, and the damage will have been done. In this instance, the Cyberattacker will be involved in data exfiltration and selling your datasets on the Dark Web.
6) The Action Has Been Taken: Once again, this is the specific situation if a Dropper has been used. The very second that the data exfiltration has occurred is the moment that the “action has been taken”. Of course, only a detailed forensics exam can reveal all of this detail, assuming the needed evidence has been collected.
The Kill Chain Model can be seen below:
(SOURCE: https://www.darkreading.com/attacks-breaches/deconstructing-the-cyber-kill-chain)
My Thoughts On This:
While the Cyber Kill Chain may sound great in theory, the reality is that it is probably outdated. To be honest, many Penetration Testing teams are already taking on the mindset of the Cyberattacker, and are engaging in ethical hacking tests that already follow the path of the Kill Chain. This framework needs to be updated to take into account the Cyber Threat Landscape as it exists today.
The modern Cyberattacker is now very sophisticated and covert in nature, and will more than likely use a Dropper in order to get the maximum bang for their buck. Second, the Kill Chain model now needs to take into account supply chain attacks, and the use of third parties to leverage them. Once again, this is best exemplified by the SolarWinds hack, in which the perpetrators deployed a Dropper onto a third-party tool.
From there, they scoped out a sampling of the intended victims, and once they were satisfied enough, the malicious payload was deployed, infecting thousands of victims in the end. What can be done to keep up with all of this? Well, there is one way, and that is making use of a tool called Security Information and Event Management, or SIEM for short.
This will provide your IT Security team with alerts and warnings in real time, so that they can be proactive even before Step #2 of the Kill Chain Model starts to occur. These tools are great for filtering out false positives, but this takes human intervention. Many companies complain that they simply do not have the manpower to keep up with all of this. But once again, this all goes back to the hiring problems that we are seeing today.
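As an added example (not from the original post, and not any vendor's SIEM code), here is the kind of cross-stage correlation a SIEM can do: constructed log events are tagged with a Kill Chain phase, and a host raises an alert only when it shows activity in two or more phases within a time window, so the intrusion is flagged before the later stages. The event types, phase mapping, log format and thresholds are all assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping from event type to Kill Chain phase (constructed for this example).
PHASE_RULES = {
    "port_scan":       "Reconnaissance",
    "phishing_click":  "Exploitation",
    "new_service":     "Installation",
    "beacon_outbound": "Command & Control",
    "bulk_upload":     "Actions on Objectives",
}

# Constructed sample log lines in the format "<ISO timestamp> <host> <event_type>".
SAMPLE_LOG = """\
2024-01-05T09:00:01 ws-17 port_scan
2024-01-05T09:02:10 ws-17 phishing_click
2024-01-05T09:03:44 ws-17 beacon_outbound
2024-01-05T09:05:00 ws-42 port_scan
2024-01-05T13:00:00 ws-42 new_service
2024-01-05T13:01:00 ws-42 unknown_event
"""

def parse_events(log_text):
    """Parse log lines into (timestamp, host, phase); event types with no rule are skipped."""
    events = []
    for line in log_text.splitlines():
        ts, host, etype = line.split()
        if etype in PHASE_RULES:
            events.append((datetime.fromisoformat(ts), host, PHASE_RULES[etype]))
    return events

def correlate(events, window_seconds=3600, min_phases=2):
    """Return {host: sorted phases} for each host whose events cover at least min_phases
    distinct phases inside a window; a lone single-phase event never alerts (less noise)."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for ts, host, phase in events:
        by_host[host].append((ts, phase))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            phases = {p for ts, p in evs[i:] if ts - start <= window}
            if len(phases) >= min_phases:
                alerts[host] = sorted(phases)
                break
    return alerts

if __name__ == "__main__":
    for host, phases in correlate(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: activity spans phases {phases}")
```

With the defaults, only ws-17 alerts (three phases within minutes); ws-42's two events are hours apart and stay below the threshold unless the window is widened.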
So, the bottom line: has the Kill Chain Model reached the end of its useful years? More than likely, yes. IMHO, the Cyber industry has more than enough frameworks and models; it is now time to take action, as well as to automate.