WyzGuys Tech Talk

Using Military Style Kill Chains on Networks to Combat Advanced Persistent Threats

It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle. – Sun Tzu in The Art of War

Back on May 1st, Michael Kassner wrote an article in TechRepublic that I have read a couple of times now, because it is a fascinating analysis of a paper by Lockheed Martin on what they are calling “Cyber Kill Chains.”   The article explains how to use this methodology to combat Advanced Persistent Threats or APTs on the network.

An Advanced Persistent Threat is a focused, long term, multi-year set of exploits targeted against a single network or resource in an all out attempt to successfully breach the network and gain privileged access to the resources and information of the network.  These attacks are not random in nature, but highly selective.  Targets are chosen.  Your network might be one. 

One of the truisms of the cyber security world is that, given enough time and resources, any system or set of defenses can be breached eventually.  This is the persistent part of the advanced persistent threat.  Once a target is chosen, the attack continues until the network is breached.  This, as we have seen from breaches such as the Target breach, is the current state of affairs on the Internet.  What the article and paper explain, is how to utilize military style kill-chain analysis in order to create an alerting system to warn the network administrators of an attack or of a new variation in an APT attack on their network.

The kill-chain approach looks very similar to the type of analysis that is undertaken by cyber-security specialists while undertaking a high level security sweep know as a penetration test.  A pen-test attempts to do what an attacker would do to gain access, in order to flush out weaknesses and discover vulnerabilities in the network defenses and the systems behind them.

In military usage a kill-chain is defined below:

A kill chain is a systematic process to target and engage an adversary to create desired effects. U.S.
military targeting doctrine defines the steps of this process as find, fix, track, target, engage, assess (F2T2EA): Find adversary targets suitable for engagement; fix their location; track and observe; target with suitable weapon or asset to create desired effects; engage adversary; assess effects (U.S. Department of Defense, 2007). This is an integrated, end-to-end process described as a “chain" because any one deficiency will interrupt the entire process.

In a cyber-security context, the kill chain looks more like this:

• Reconnaissance: Research, identification, and selection of targets: for example, crawling internet websites for email addresses, social relationships, or information on specific technologies.
• Weaponization: Creating a workable exploit by combining a Trojan (get past defenses) with a malware payload constructed to accomplish the attacker’s goals.
• Delivery: Transmission of the weapon to the target. Popular APT delivery vehicles are email attachments, websites, and USB removable media.
• Exploitation: When the malware weapon is delivered, the payload activates exploiting a vulnerable program or system.
• Installation: Installation of a backdoor on the victimized system allows the adversary to maintain contact.
• Command and Control: APTs typically require manual intervention to explore the victim’s network. This is accomplished by the malware contacting a remote command and control server.
• Actions on Objectives: If everything goes according to plan, the attackers now pursue the reason for the intrusion, possibly compromising additional servers or exfiltrating data.

The TechRepublic article and Lockheed Martin white paper then go on to explain how defending against the advanced persistent threats being mounted against your network will involve an iterative process of capturing and analyzing attack data from Intrusion Detection Systems (IDS) and other border and internal security devices, and traffic patterns on the network, to detect new exploits and breaches before they become a larger problem.

It is another truism that the weakest link in any cyber-security plan is the human operator.  Part of the solution that is often overlooked in network defense is the importance of training computer users how to recognize and avoid early exploits.  Exploits against your user group will attempt to gain their trust and breach your network through the use of spoofed emails, phishing and spearfishing attempts, and threats coming from both trusted or spoofed web sites.  Cyber-security training is actually a great starting point for any organization that is interested in toughening up their network defenses.

These articles are both a bit of a deep read, and perhaps of interest only to people like me who are engaged in the cyber-security profession, but I recommend them to anyone who is interested in protecting their network resources from the attackers that are mounted against them.

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Eric M. Hutchins, Michael J. Clopperty, Rohan M. Amin, Ph.D. Lockheed Martin Corporation