Organizations need a broader vision of security to defend against today’s threats.
In an earlier blog post, I wrote about the balancing act CIOs face protecting the IT attack surface while advancing digital transformation.
I also wrote about defense strategies that organizations can use to protect their attack surface.
In this final blog post in the series, I cover how security teams can employ cyber kill chains to harden their network attack surface. The desired outcomes focus on identifying, reducing, or eliminating network soft spots by hardening attack surfaces through data or combined effects from multiple cyber capabilities.
This approach is intended to counter cyber kill chains used by adversaries. Recall that a kill chain is a sequence of inter-related activities necessary to achieve a desired outcome. Using the kill chain as a defensive planning tool involves looking at each cyber kill chain link to devise protection approaches that break the link. Network defenders need to be perfect every minute of every day, while malicious actors only need to find one attack vector to successfully prosecute one or more chain links within a cyber kill chain to compromise a network. Applying cyber kill chains defensively is an approach to identifying capability gaps or blind spots in your cybersecurity ecosystem.
The goal of this post is to apply cyber kill chain concepts to help CIOs and CISOs improve their cybersecurity posture and ultimately increase their cybersecurity readiness. Kill chains are useful in decomposing complex problems into smaller, more manageable problems. By focusing on each link within the cyber kill chain, network defenders can achieve synergistic outcomes that improve the effectiveness of security tools and the overall readiness and protection levels of their networks. Conversely, breaking a link in the kill chain blocks an attack. This analysis will focus on approaches to block each link in Lockheed Martin’s cyber-attack kill chain.
Defending against Reconnaissance
Reconnaissance is about gaining awareness of a target environment. In a physical sense, this involves identifying key terrain like hills that enable visibility or valleys that conceal movement. From the endpoint perspective, the network has key cyber terrain where adversaries can gain an advantage. Two categories of key cyber terrain would be services that advertise information about applications and application programming interfaces (API) that allow for remote access. Windows Management Instrumentation (WMI) is an example of key cyber terrain. Defending against reconnaissance from a cyber kill chain perspective would involve detecting new WMI subscriptions. Another example of key cyber terrain would be services like sendmail or SNMP mib information. Denying access to information from these applications has been a best practice for many years. Defending against reconnaissance involves identifying key cyber terrain, then employing detection, denial, or defensive techniques to hinder or halt adversary reconnaissance activity. The desired outcome is a combination of information denial and detection of reconnaissance activities.
Defending against Weaponization
The weaponization step within the cyber kill chain relies on input from the reconnaissance step and is constrained by the third cyber kill chain step (delivery). Weaponization can be the sequencing of actions to exploit a vulnerability, the development of software artifacts to corrupt a software supply chain, or the introduction of malicious software into the blue network. While the act or process of weaponization often takes place on red or gray networks, the activity is tailored to the targeted blue network. Defending against weaponization centers on attack surface management, specifically reducing and hardening the organization’s attack surface. In other words, this step in the cyber kill chain is about denying opportunity to adversaries. Removing the known known vulnerabilities from the game board will increase the cost to the adversary while reducing blue network risk. Almost 60% of successful data breaches take advantage of vulnerabilities in operating systems and applications that IT organizations knew about but didn’t patch in time. One of the best ways of defending against the weaponization step in the cyber kill chain is effective and efficient patching operations that enable a high state of cyber readiness through cyber hygiene.
Defending against Delivery
The recent Log4j vulnerability illustrates how remote code execution (RCE) can be delivered using a web interface to access a vulnerability. Nefarious actors have other tools they can employ to deliver malicious code or actions. Firewalls and network segmentation can help channel attackers, helping focus where network defenders employ tools to block and detect delivery actions for data in transit. Defending against the delivery of malicious code is an imperative that requires active involvement from end-users, computer security practitioners, and physical security professionals. From infected USB drives to malformed browser requests to inadvertently visiting a compromised website, defending against the delivery of malicious code is a team sport involving user education, threat-informed physical security practices, and management of risk and resilience.
Defending against Exploitation
Defending against exploitation centers on identifying malicious software, preventing malicious software from executing, and/or remediating vulnerabilities to limit the effect malicious software can have on the system. These concepts distill down to reputation services, application controls, and cyber hygiene. Cyber hygiene (patching, maintaining up-to-date software, and properly configuring software) is the best approach to prevent the known knowns within the attacker’s toolbox. CIOs and CISOs can govern cyber hygiene practices in their organization by monitoring the right metrics like mean-time-to-patch or patching cycle duration. Visibility and control of endpoints at scale with speed are foundational to timely, accurate, and truthful data characterizing cyber-hygiene. Leveraging reputation services and antivirus software complements effective cyber-hygiene. The ability to identify deviations from normal behaviors, at-risk events, and indicators of compromise. While the former (cyber-hygiene) is about maturity and optimizing performance, the latter (hash hunting & detecting IOCs) involves agility and adaptability.
Defending against Installation
Security teams need real-time visibility into software installations and configuration changes on all endpoints, in all locations. Defending against the installation step within the cyber kill chain centers on preventing remote code executions (RCE). Stopping all RCE attacks can be a lot like stopping all crime. The array of actions available to prevent or hinder the detection of RCE attacks spans the continuum of antivirus and malware detection tools that identify malicious software signatures and alert on anomalies that indicate risk of compromise. Applying the installation phase of kill chain attacks should focus on the unknown unknowns, which encompasses unknown malware (potentially polymorphic malware), unknown file attacks, or cyber blind spots (things we do not realize that we do not know). One area CIOs and CISOs can consider is the development of an approved software list that leverages native OS tools like Microsoft’s AppLocker. Additionally, reputation services can be used to aggressively identify malicious software. Combining technology with talent and techniques, CIOs and CISOs can leverage spiral development approaches to configure cybersecurity capabilities to detect, alert, or counter anomalies that indicate at-risk events or events that characterize compromise. Leveraging commercial or open-source intelligence sources to test, tailor, and tune alerts will generate an element of adaptability and agility within the organization’s efforts to defend against the installation stage of the cyber kill chain.
Defending against C2 Communications
Security teams have a variety of ways to detect and block command and control communications. Firewalls and network monitoring tools can detect suspicious network activity, such as communications with an unfamiliar DNS server or an unusual remote host. Security teams can block many of these communications proactively by deploying Zero Trust controls that block all unauthorized communications by default.
Defending against Actions on Objectives
Defending against actions on the objectives centers on limiting access and denying the opportunity for a malicious actor to achieve their desired outcomes. In simple terms, the goal here is to lock every door and make the malicious actor work hard for each incremental gain. There is an assumption that the more work an actor does, the greater the potential they will be detected. Alerting on anomalous activity can be a challenge if alerts are not threat-informed and intelligence-driven. Consider applying MITRE ATT&CK or CISA’s Shields Up as intelligence sources to guide security team meetings on developing relevant alerts. Endpoint security provides a final, critical defense against the kill chain.
To increase effectiveness, it’s a good idea to make sure all the security tools providing these defenses work together seamlessly. Tools that complement one another can be instrumental in countering one or more links in the cyber kill chain. Data is a key enabler to generating a decision advantage; a data-ready platform that complements other tools while enabling visibility and control at scale with speed will deliver insight, confidence, and trust.
The Tanium platform for defending against kill chain attacks
At Tanium, we offer a single endpoint security platform that delivers complete, accurate and real-time endpoint data regardless of scale and complexity. Our platform, available as a fast, flexible, and scalable cloud service, includes modules for:
- Asset discovery and inventory, helping IT teams find and track endpoints at all locations
- Risk and compliance management, including patch management
- Threat hunting, including tools for investigating and remediating threats before they disrupt operations
- Client management, including controls for managing and troubleshooting endpoints in real time
- Sensitive data monitoring, including auditing and automating access controls
Catch up on this entire series to learn more about protecting your organization’s IT attack surface here: