Cyber Situational Awareness and the Kill Chain
The concept of the cyber kill chain has done a lot to advance the general understanding of how attacks unfold and how to combat them. The steps – reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives – each have implications for how, as security professionals, we can strengthen our defenses. Initially these defenses concentrated on the network, and specifically the perimeter. But today, as attacks have increased in sophistication and frequency, it takes more to be a kill chain “killjoy.”
Recent ESG research (“Threat Intelligence as part of Cyber Situational Awareness”) indicates that in response to growing threats, many organizations are investing in threat intelligence programs in order to track “in-the-wild” hacker activities and malware threats. The report encourages CISOs to strive for cyber situational awareness for a better understanding of their entire digital footprint as well as the tactics, techniques, and procedures (TTPs) used by cyber-adversaries. In fact, cyber situational awareness can become a kill chain killjoy, serving as a valuable tool to gather intelligence about adversaries’ actions and our vulnerabilities and to thwart attacks.
Take, for example, the first step in the kill chain – reconnaissance. An adversary surveys the target and seeks out weaknesses, potential vectors, and other information to assist with an attack. Organizations traditionally address this step in a number of ways, including firewall or proxy logs, honeypots and network-based intrusion detection systems (NIDS). But, unfortunately, these only aim to detect threats that directly target the perimeter network and fail to address other important threats, such as data that has already found its way outside the organization through many different means, including:
• Stolen credentials available on sites, such as Pastebin
• Sensitive documents being openly shared on the web due to misconfigured, consumer-grade storage devices or public folders in cloud storage sites like Dropbox that might reveal sensitive internal information
• Proprietary source code and admin passwords that somehow find their way onto code-sharing sites, such as GitHub
• Social media platforms that can potentially provide a gold mine of information that threat actors could use to craft a spear phishing campaign
In conjunction with the increased attack surface, there is also the threat landscape to consider and the range of actors who are potentially discussing plans regarding attacks against an organization. Hacktivists often do this publicly, but criminals and nation states are much more covert. Being able to understand who is being attacked and why can be valuable for an organization, as it assists with appreciating the wider threat and taking a more strategic outlook toward its security. These are all insights which cyber situational awareness can provide.
Reconnaissance is followed by weaponization. Depending on the type of threat you are dealing with, this can be anything from an easily available and simple-to-use exploit, up to the crafting and deployment of a zero-day vulnerability. Honeypots, sandboxes and NIDS all help to this end but, again, they only attempt to deal with the threats as they directly hit the organization, sometimes too little, too late. Cyber situational awareness helps to discover the TTPs being used across the threat landscape, or discussed and traded online, in order to prepare for them and provide mitigations.
Once the attack is launched and inside the network – the delivery, exploitation, installation, command and control, and actions on objectives stages – there are many effective security controls that help. But these can and should be supplemented with information from outside the organization to assess their effectiveness. For example, in the case of a Data Loss Prevention (DLP) solution, proxy, or firewall, you need to be able to look outside of the organization to determine if the data these tools are trying to protect has been breached. This practice can provide indications that sensitive data is being sold on criminal forums or leaked on paste sites. Similarly, it can offer assessments of the credibility of the actors making claims of responsibility.
From an attacker’s perspective, this is where the kill chain ends, but not for defenders. The kill chain can, and should, flow into a cycle, where an organization can learn lessons from an attack and ensure that future attempts at reconnaissance cannot use the same information, thereby reducing the attack surface.
Cyber situational awareness can truly be a kill chain killjoy. By viewing the kill chain through that lens, organizations can have the confidence that they understand their attack surface, they know which TTPs could be used against them and, should data find its way online, they can quickly discover it and mitigate the risks.