Stalking the Kill Chain


This Solution Overview approaches the threat landscape from a holistic viewpoint and identifies strategies and techniques to establish a good defense. It discusses the concept of a "kill chain" and identifies key indicators for attack events with a focus on network analysis.


STALKING THE KILL CHAIN
RSA FirstWatch(SM) Research Note
White Paper

INTRODUCTION

Shady Rat, Aurora, Poison Ivy, ZeuS, SpyEye, Ice IX, Stuxnet and Flame. This strange combination of terms may have no immediate relation to the layman, but for those involved in computer security and incident response, they speak of events that have sparked press coverage, executive interest and late nights.

Admittedly, the information security threat landscape has drastically changed over the past decade. What was once the realm of tricksters and troublemakers has become the operational environment of professional hackers, nation-state sponsored teams, hacktivists and organized crime. Each threat group seeks to penetrate organizations of interest to accomplish targeted objectives, often with an intellectual approach and backed with plenty of resources. Their overall objectives can be focused into four primary areas:

- Theft of intellectual property [i]
- Theft of financial data [ii]
- Denial of service [iii]
- Technology-based influence causing physical results [iv]

Among these objectives, a vital and persistent theme is the use of malicious software, and the leveraging of related network infrastructure, to allow stealthy remote manipulation and control of compromised systems anonymously, without an onsite presence at the target location. This foothold is typically followed by "going quiet", with the attacker using valid credentials and remote access systems to traverse the network.

In this whitepaper, we will approach the threat landscape from a holistic viewpoint and identify strategies and techniques to establish a good defense. We will discuss the concept of a "kill chain" and identify key indicators for attack events with a focus on network analysis within the context of the RSA NetWitness framework.

POSITION BEFORE SUBMISSION

In Brazilian Jiu Jitsu (BJJ), a modern martial art focused on ground fighting, a common theme among practitioners is the concept of "position before submission". In other words, the fighter seeks to establish physical and positional dominance before ending the fight with an attack resulting in submission. Embracing this concept increases the fighter's chances of winning the confrontation by making sure he is in control of the situation before attempting a fight-ending attack. BJJ's philosophical approach has direct relevance to cyber security, as the same approach can be taken to establish a more proactive defense based on threat intelligence and network-wide visibility. The notion of establishing an "active defense" can be approached using the following guiding principles:

- Know your enemy
- Know your network
- Know your people

Know Your Enemy

"Advanced Persistent Threat" (APT) has been spoken of over the past few years both as a descriptive term for a class of attacker and as an industry buzzword for the effectiveness of a particular product ("Our <insert device here> stops APTs!"). While the term is most commonly applied to nation-states, the idea of an "advanced threat" can be applied almost across the board in today's threat landscape: nation-state attackers, cybercriminals and hacktivists all use similar tactics to penetrate a target organization.
Advanced – All modern threats use advanced, blended attacks. This may include targeting specific individuals or organizations with directed email attacks (spear-phishing), hacking websites to serve malware from a "known good" or at least "not known bad" location, or using newly discovered zero-day attacks to increase the chances of a successful exploitation. Once entrenched, the attacker may then use encryption or other obfuscation techniques to further mask their presence and intentions.

Persistent – Threat actors understand that repeated and coordinated attacks are likely to garner a penetration eventually. In the nation-state example, this may be repeatedly attacking a "target list" with spear-phishing until someone "takes the bait", but it could also refer to being watchful for defender activity during a penetration operation and changing tactics as defenders respond, allowing continuous presence in the network. On the cybercrime side, this is increased to large-scale persistent modification of infrastructure, malware and domain names to allow continued operation amid the ebb and flow of defender activity.

Threat – Ultimately, for an event to be considered a "threat" it must meet a set of criteria:

Intent + Opportunity + Capability = Threat

Lacking any one of these criteria negates the threat. For example:

Attacker A wants to attack organization B with a PDF-based spear-phishing attack against an HR manager. The attacker is using a known and reliable PDF exploit in Adobe Reader, has a "builder" that builds an attack PDF in a way that makes it undetectable by antivirus, and has the name of an HR manager who is responsible for hiring database developers. Organization B has a patching policy for Adobe Reader, and all organizational workstations are up to the current patch level.

In this scenario, the attacker has the intent to attack, the capability with his attack PDF to compromise a workstation, and a target for the attack via the HR manager. He doesn't, however, have the opportunity in this case, because the target workstation is patched and not vulnerable to his attack. There is no threat, because of the lack of opportunity provided by the patched PDF reader.

While real-life scenarios are seldom this simple, the example illustrates the things you might want to know about how common attackers operate in order to intelligently defend your network:

- What are the common threat vectors (e.g., spear-phishing)?
- What exploits are commonly used? (Exploit kits target A, B and C vulnerabilities; spear-phishing attacks are often launched using PDF and Microsoft Office exploits.)

Attacker groups, especially in the nation-state arena, commonly attack organizations by industry vertical. It might be a good opportunity to establish relationships that may help you identify the tactics, techniques and procedures of groups targeting your vertical, including:

- Threat research groups and vendors
- Threat teams from competitors (the enemy of my enemy is my friend)
- Industry working groups – is there an ISAC [v] that supports your vertical?

Know Your Network

When an RSA NetWitness system engineer gets a new NetWitness deployment up and running at a customer location, a common reaction when network traffic is first observed is that the customer is overwhelmed by the volume of data now readily available for analysis. The complexities and idiosyncrasies of a large network are very hard for a human being to visualize without additional framing, and NetWitness NextGen typically becomes that frame for customers. This framing typically leads to a number of "I don't expect to see that, why is it there?" events over the next few weeks as the customer becomes more intimately acquainted with their network.
The ability to pervasively know what your network looks like on a day-to-day basis is CRITICAL in helping to identify advanced attacks.

If you've ever known a hunter who hunts a certain tract of land time and again, year after year, you will have an understanding of how this concept works. The hunter can typically look across a large field into a tree line, maybe even farther than he can really "see", and pick out a deer with a glance. That same deer may be invisible to you and me at that distance, because the hunter is accustomed to his land, knows what it looks like on a "normal" day, and can quickly pick out the variance: the deer.

The network hunter is similar. If I know what my network looks like on a day-to-day basis, I can better pick out the anomalies. In NetWitness training courses, we modify the "needle in the haystack" analogy and refer to this concept as "removing hay until only needles remain".

This information may include:

- How is my network laid out?
- What are my allowed paths out of the network?
- Where are my likely weak points, either from a lack of visibility or from business needs that require a more relaxed security posture?
- Where is my data? If I have intellectual property, where is it stored and who has access to it?

Know Your People

Ultimately, the success of a modern attack often depends on the activities of the carbon-based unit between the keyboard and the chair; that is, the human being operating the computer and going about their daily business. While it is easy to get lost in the minutiae of the technical, the human operator is decisively the weakest point and, as a result, the initial target of most attacks. The strategic objective may be financial data related to the person, or information that the person has access to, or maybe even just a tactical compromise of the computer that belongs to the person.

With this in mind, it's important to understand a few concepts in the paradigm of your environment:

- Who in your environment has "enhanced access", be it to critical information or intellectual property, or to critical systems or pivotal locations on the network?
- Does your enterprise have a security policy that addresses common attack methodology? It could be as simple as an information security policy that is reviewed yearly, or as complex as common ideas on how to identify a spear-phishing attack. Policy is often looked at as a simple "box-check" for compliance reasons, but the ability to educate the end-user is one more layer in a defensive strategy.
- Who are my likely targets? Do I have employees who are commonly in the press, speak at conferences, or have a job that routinely entails receiving "cold" electronic correspondence from third parties (e.g., HR, Marketing, Admin, etc.)? If I search for "" on Google, whose email addresses show up? How about LinkedIn?
- Am I continuously tracking employees who have been targeted or compromised in the past? Repeat attacks are common, and risky employee behavior is likely to reoccur.

THE ATTACKER KILL CHAIN

In 2009, incident responder Mike Cloppert of the Lockheed Martin CERT published a series of articles that discussed security intelligence and leveraging indicators. In this series, he introduced a concept known as the "attacker kill chain".
This concept breaks attacker methodology into a series of sequential stages. Each stage represents a focus on a particular aspect of an attack, from an attacker perspective as well as a defender perspective.

"We have found that the phases of an attack can be described by 6 sequential stages. Once again loosely borrowing vernacular, the phases of an operation can be described as a 'kill chain.' The importance here is not that this is a linear flow - some phases may occur in parallel, and the order of earlier phases can be interchanged - but rather how far along an adversary has progressed in his or her attack, the corresponding damage, and investigation that must be performed." [vi]

Reconnaissance

With the amount of publicly available information on the Internet, the ability for an attacker to do target reconnaissance in an unnoticed fashion is almost unlimited. Commonly used techniques include:

- Reading company websites for information on key initiatives and personnel
- Reading industry whitepapers to identify projects and personnel associated with those projects
- Searching Google for email addresses, contact points and other bits of information
- Identifying social network participation of likely targets, often providing attack vectors through trusted friends and associates

In the reconnaissance phase, the ability for the defender to take defensive actions is limited, as attacker reconnaissance is often done in a covert and hard-to-detect manner.

Weaponization and Delivery

At this point, the attacker has established a target or collection of targets, and weaponizes an attack payload and delivers it to the target. Let's use a spear-phishing attack as an example scenario.

In most APT-style spear-phishing attacks that NetWitness has observed, a third-party document is used as the delivery method for a malware payload. Typically, it will be a trojaned PDF or Office document. While 100% detection of this phase is difficult, information sharing and intelligence gathering on previous attacks helps to identify repeatable characteristics of attacker "playbooks", which can help identify recycled exploit document filenames, shellcode, PDF structure, etc.

From a NetWitness perspective, the platform looks at the documents from a higher level, by analyzing for threatening characteristics in the sessions rather than specific malware or exploit signatures.

Example 1: Jim in HR receives a PDF via an email link for a job applicant. As Jim downloads the PDF and it crosses from the Internet onto his workstation, the organization's NetWitness NextGen platform:

1. Identifies that the file is forensically a PDF.
2. Identifies that the PDF has a "Launch" action in it.
3. Identifies that the PDF has embedded JavaScript.

While these three factors don't mean that the file is absolutely malicious, they identify enough threatening characteristics to warrant a second look, and to pull it from the likely high volume of PDFs that appear on the network daily, thereby "removing the hay until only needles remain".
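The three checks in Example 1 can be reproduced with a small forensic scan of the raw byte stream, independent of the filename or Content-Type the sender supplied. The following Python is an added illustration, not code from the whitepaper or from the NetWitness platform; the two PDF samples are constructed placeholders, and the /OpenAction check is one characteristic beyond the three listed above.

```python
import re

# Constructed sample: a tiny PDF-like byte stream carrying a /Launch action and
# an embedded JavaScript object. It is a placeholder, not a real exploit file.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Launch /F (example.exe) >> endobj
5 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: a PDF with no actions or scripts at all.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def is_pdf(data: bytes) -> bool:
    """Forensic file-type check: the %PDF- header must appear near the start of
    the stream (readers tolerate a little leading junk, so look in the first
    1 KiB). The filename and Content-Type are ignored on purpose."""
    return b"%PDF-" in data[:1024]


def _decode_name_escapes(data: bytes) -> bytes:
    """PDF name objects may hex-escape characters (/J#61vaScript is /JavaScript).
    Undo those escapes so a trivially obfuscated name still matches below."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_characteristics(data: bytes) -> dict:
    """Return the threatening characteristics observed in a PDF byte stream."""
    norm = _decode_name_escapes(data)
    return {
        "is_pdf": is_pdf(data),
        # /S /Launch: an action that starts an external application
        "launch_action": re.search(rb"/S\s*/Launch\b", norm) is not None,
        # /JavaScript or /JS: script embedded in the document
        "embedded_js": re.search(rb"/(JavaScript|JS)\b", norm) is not None,
        # /OpenAction: something fires automatically when the file is opened
        "open_action": b"/OpenAction" in norm,
    }


def warrants_second_look(data: bytes) -> bool:
    """Triage rule: a real PDF that carries a Launch action or embedded script
    is pulled from the daily PDF volume for analyst review. None of these
    characteristics alone proves the file is malicious."""
    c = pdf_characteristics(data)
    return c["is_pdf"] and (c["launch_action"] or c["embedded_js"])


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_PDF), ("plain", PLAIN_PDF)):
        print(label, pdf_characteristics(sample), "->", warrants_second_look(sample))
```

A raw scan like this only sees names that sit in clear text: objects inside FlateDecode-compressed streams or object streams are invisible to it, so a production parser decompresses those first before applying the same checks. That is also why the triage result is a reason for a second look rather than a verdict.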
Exploitation

Diverging from Cloppert's approach here, we consider immediate post-compromise activities as secondary parts of the exploitation event. During the exploitation phase of the attack, the host machine is compromised by the attacker and the delivery mechanism typically will take one of two actions:

- Install malware (a dropper) allowing attacker command execution.
- Install malware (a downloader) and download additional malware from the Internet, allowing attacker command execution.

Once a foothold is established inside the network, the attacker will typically download additional tools, attempt privilege escalation, extract password hashes, etc.

At this point, defensive strategies have ultimately failed, and the attacker has control of a resource. We would typically move to a detective model here and focus on identifying second-stage malware and toolsets being downloaded to the compromised workstation post-exploitation:

- Forensically identify executable downloads, both unobfuscated and obfuscated.

Obfuscation and encryption methods vary: in some cases custom algorithms are used, in others none at all. A few methods tend to be re-used:

- Single-byte XOR
- Base64
- Custom Base64

Command and Control

Once the attacker has successfully exploited and taken control of a workstation, he will usually install malware that has a command and control mechanism. This allows persistent connectivity for continued access to the environment, as well as a detective measure for defender activity.

Command and control of a compromised resource is usually accomplished via a beacon over an allowed path out of the network. Beacons take many forms, but in most cases they tend to be:

- HTTP- or HTTPS-based
- Made to look like benign traffic via falsified HTTP headers

In cases that use encrypted communication, beacons tend to use self-signed certificates or custom encryption over an allowed path (often TCP 443).

Strategies for detection at this stage tend to revolve around:

- Identifying the use of self-signed certificates during encrypted communication.
- Identifying falsified HTTP headers via anomaly detection strategies.
- Identifying recurring, consistent beacon activity to the same domain or IP address over time.
- Identifying the use of non-standard or unapproved encryption over allowed paths.

Keep in mind that immediate takedown of hosts with identified beacon activity may clue attackers in to defender activity (loss of a known beacon), causing them to switch to secondary (and potentially unknown) infrastructure. While incident response, as a program, is out of the scope of this whitepaper, this should be a consideration when faced with this type of discovery.
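The "recurring, consistent beacon activity" strategy in the list above can be expressed as a timing test over proxy logs: a timer-driven beacon produces inter-request gaps with almost no variance, while human browsing does not. The following Python is an added example, not part of the whitepaper or the NetWitness product; the log format and lines are constructed, and the threshold names (min_hits, max_cv) are this example's own.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not from a real network). One request per line:
# <ISO timestamp> <src ip> <dst host> <method> <uri> <status> <response bytes>
PROXY_LOG = """\
2012-10-01T09:00:00 10.1.1.50 updates.example-cdn.test GET /ping 200 312
2012-10-01T09:00:02 10.1.1.50 www.example-news.test GET / 200 48211
2012-10-01T09:05:00 10.1.1.50 updates.example-cdn.test GET /ping 200 312
2012-10-01T09:07:41 10.1.1.50 www.example-news.test GET /story/1 200 23190
2012-10-01T09:10:00 10.1.1.50 updates.example-cdn.test GET /ping 200 312
2012-10-01T09:15:01 10.1.1.50 updates.example-cdn.test GET /ping 200 312
2012-10-01T09:20:00 10.1.1.50 updates.example-cdn.test GET /ping 200 312
2012-10-01T09:24:10 10.1.1.50 www.example-news.test GET /story/2 200 19877
2012-10-01T09:25:00 10.1.1.50 updates.example-cdn.test GET /ping 200 312
2012-10-01T09:30:00 10.1.1.51 mail.example-corp.test GET /owa 200 5120
2012-10-01T09:31:55 10.1.1.50 www.example-news.test GET / 200 48211
"""


def parse_log(text):
    """Yield (timestamp, src, host, response_bytes); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[6])
        except ValueError:
            continue


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Flag (src, host) pairs whose requests recur at a near-constant interval.

    cv = stdev / mean of the inter-request gaps: close to 0 for a timer-driven
    beacon, large for human browsing. min_hits avoids flagging short bursts.
    """
    sessions = defaultdict(list)
    for ts, src, host, size in parse_log(text):
        sessions[(src, host)].append((ts, size))

    findings = []
    for (src, host), hits in sessions.items():
        if len(hits) < max(min_hits, 2):
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "host": host,
                "hits": len(hits),
                "mean_interval": avg,
                "cv": cv,
                # identical response sizes are a second hint of canned C2 replies
                "constant_size": len({size for _, size in hits}) == 1,
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in find_beacons(PROXY_LOG):
        print(finding)
```

A candidate this test produces is an investigation lead, not a verdict: software update checks and monitoring agents beacon too, which is why the whitepaper pairs this with knowledge of the network's allowed paths. Adding jitter to the beacon interval raises cv, so real deployments also look at the constant response size and at recurrence over days rather than a single hour; and the takedown caution above applies before any block is put in place.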
Exfiltration

The final phase of the kill chain is exfiltration. In this phase, the attacker has successfully entered the target network, taken control of a host and potentially:

- Downloaded and staged tools
- Elevated privileges
- Moved laterally onto other hosts
- Located and packaged information

At this point, the final goal is to gather the packaged information and deliver it to a location under the attacker's control. These locations are typically hacked hosts used as temporary holding areas for stolen data, or hosts that reside in an area under complete control of the attacker (bulletproof hosting).

Exfiltration commonly takes the form of:

- Encrypted .rar or .zip files FTP'd or uploaded to a controlled host

However, in the case of malware such as ZeuS, SpyEye, etc., exfiltration and C2 beacons often take place at the same time (the compromised host exports stolen data on a repeated schedule, basically an information-stealing beacon).

Exfiltration marks the point at which data loss has occurred. Detection at this phase leads to damage control activities for lost data, invoking an IR process, and a move backwards through the kill chain to establish root cause.

TYING IT ALL TOGETHER – STALKING THE KILL CHAIN

The Single Event Mentality

Historically, security technologies tend to be focused in a single place, or at most two places, on the kill chain, but lack the entire context behind an event that a complete analysis system imparts. When using the phrase "stalking the kill chain", we are focusing on the ability to use a structured approach to watching the network, with the idea of identifying kill chain events in progress, across the entire kill chain.

Anti-virus is focused on the delivery and exploitation phases, attempting to detect known shellcode, previously identified malware, or heuristically interesting binaries.

Intrusion detection is focused on detection of exploitation events or C2, based on known signatures or communication methods.

Content filtering and proxy technologies are focused on blocking known C2 or exploit sites, or on the categorization of sites for additional analysis.

Tracking an Event Holistically in RSA NetWitness

Ultimately, we seek to move our analysis techniques and ability from a single- or dual-stage approach to a seamless approach that allows free-flowing movement in any direction along the kill chain during an investigation, with the goal of being able to gauge the scope and magnitude of the intrusion quickly. If this is successful, the kill chain diagram would likely look like this:

[Figure: kill chain diagram]

Using RSA NetWitness Live, a user is able to consume and leverage related content to help track events across the kill chain.

While the detection of malware is important, a holistic approach to threat detection also needs to focus on the detection of "quiet" activity after a foothold is established by the attacker. According to industry reports on attack trends, attackers used malware in only 54 percent of compromises, and secondary detection was only possible through holistic analysis.

Signs of Weaponization/Delivery/Exploitation

For detection of weaponization, delivery and exploitation events within NetWitness, the following content can be consumed and utilized from NetWitness Live:

FlexParsers – Malware PDF, Fingerprint office2007, Fingerprint office97-2003, Fingerprint pdf, Fingerprint jar, Exploit Web Pages, HTML Threat Analysis (Spectrum subscribers), Encoded File Fingerprinting, XOR Executable (Spectrum subscribers), Advanced Executable (Spectrum subscribers)

To further augment the security analysis specifically, the following custom drills in Investigator should be employed:

General PDF Identification
    filetype = pdf
    filetype = base64 encoded pdf

Anomalous PDF Identification
    risk.warning begins pdf || risk.suspicious begins pdf || begins pdf
Office Documents

General Office Document Identification:
    filetype = office2007 || filetype = office97-2003
    filetype = base64 encoded office

Suspicious Web Pages (potential exploit or browser fingerprinting activity)

Existence of Java applets:
    filetype = jar

Existence of suspicious HTML elements:
    risk.suspicious = js scan for adobe
    risk.suspicious = iframe src pdf
    risk.suspicious = iframe src cgi
    risk.suspicious = iframe src htm
    risk.suspicious = iframe src = embedded html = embedded html applet with = embedded html = embedded html object
    risk.suspicious = iframe embedded js
    risk.suspicious = iframe hidden values
    risk.suspicious = iframe inside hidden div
    risk.suspicious = iframe src php
    risk.suspicious = pdf inside hidden div
    risk.warning = iframe src pdf

General Executable Detection
    filetype = windows executable
    filetype = base64 encoded exe

Anomalous Executable
    begins exe || risk.suspicious begins exe || risk.warning begins exe
    risk.warning = potential binary from duqu group
    risk.warning = hex encoded executable
    risk.warning = xor encoded executable

Signs of Command and Control

For detection of command and control events within NetWitness, the following content can be consumed and utilized from NetWitness Live:

FlexParsers – Botnet Traffic Patterns, Htran, ShadyRat, HTML Header, Verbose DNS, Duqu Binary Detection, Windows Command Shell

To further augment the security analysis specifically, the following custom drills in Investigator should be employed:

Specific Malware C2 Behavior
    risk.warning ends "botnet activity"
    risk.suspicious = "htran redirector"
    risk.suspicious = "shadyrat encoded command"
Generic HTML and DNS Anomaly
    begins
    begins dns

Remote Windows Shell
    risk.warning = windows command shell
    risk.suspicious = windows cli admin command

Remote Desktop Connection
    service = 3389

Signs of Exfiltration

For detection of exfiltration events within NetWitness, the following content can be consumed and utilized from NetWitness Live. While this is not an exhaustive list, it provides a basic guideline for analysis of advanced threats across the kill chain.

FlexParsers – Fingerprint RAR, Encoded Hashes, pkware

To further augment the security analysis specifically, the following custom drills in Investigator should be employed:

Generic FTP Detection
    service = 21

Generic Archive File Identification
    filetype = rar
    filetype = zip
    filetype = base64 encoded zip
    filetype = base64 encoded rar

Password Hash Exfiltration or Movement
    risk.warning begins plaintext pwdump
    risk.warning begins xor encoded pwdump
    risk.warning begins base64 encoded pwdump
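The exploitation section earlier lists single-byte XOR, Base64 and custom Base64 as the encodings re-used for second-stage executables, and the exfiltration drills above label bodies as plaintext, XOR-encoded or Base64-encoded pwdump output and as plain or Base64-encoded archives. The following Python is an added example that reproduces that labelling over a body of bytes; it is not the NetWitness parser logic. The byte signatures are documented format facts, the pwdump pattern is the classic user:rid:lmhash:nthash::: line layout, the samples are constructed placeholders, and xor_encode exists only to build encoded inputs. Custom Base64 alphabets are not handled.

```python
import base64
import re
from typing import Optional

# Content signatures: the prefixes are documented format facts; the DOS stub text
# appears in nearly every linked PE (packed or hand-built binaries may lack it).
SIGNATURES = {
    "windows executable": lambda d: (d[:2] == b"MZ"
                                     and b"This program cannot be run in DOS mode" in d),
    "zip": lambda d: d[:4] == b"PK\x03\x04",
    "rar": lambda d: d.startswith(b"Rar!\x1a\x07"),
    "pwdump": lambda d: re.search(
        rb"^[^:\r\n]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::", d, re.M) is not None,
}


def match_plain(data: bytes) -> Optional[str]:
    """Return the first signature name that matches the bytes as-is."""
    for name, test in SIGNATURES.items():
        if test(data):
            return name
    return None


def try_base64(data: bytes) -> Optional[bytes]:
    """Decode only if the body is pure base64 (MIME-style line breaks allowed)."""
    compact = re.sub(rb"\s+", b"", data)
    if not compact or len(compact) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+=*", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:
        return None


def try_xor(data: bytes):
    """Brute-force the 255 single-byte XOR keys (key 0 is the plain case) and
    return (key, signature name) for the first key that exposes known content."""
    for key in range(1, 256):
        name = match_plain(bytes(b ^ key for b in data))
        if name:
            return key, name
    return None


def fingerprint(data: bytes) -> Optional[str]:
    """Label a body the way the drills above do: '<type>', 'base64 encoded <type>'
    or 'xor encoded <type>'; None when nothing known is recognised."""
    name = match_plain(data)
    if name:
        return name
    decoded = try_base64(data)
    if decoded is not None:
        name = match_plain(decoded)
        if name:
            return f"base64 encoded {name}"
    hit = try_xor(data)
    if hit:
        return f"xor encoded {hit[1]}"
    return None


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used here only to build encoded sample inputs."""
    return bytes(b ^ key for b in data)


# Constructed samples (placeholders, not real artefacts; the hash fields are
# repeated filler hex, not real password hashes).
FAKE_EXE = (b"MZ\x90\x00" + b"\x00" * 60
            + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 32)
FAKE_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 24
FAKE_PWDUMP = (b"Administrator:500:" + b"deadbeef" * 4 + b":" + b"cafebabe" * 4 + b":::\n"
               + b"svc_backup:1105:" + b"0badf00d" * 4 + b":" + b"feedface" * 4 + b":::\n")
SAMPLES = {
    "plain exe": FAKE_EXE,
    "base64 exe": base64.b64encode(FAKE_EXE),
    "xor exe": xor_encode(FAKE_EXE, 0x5A),
    "base64 rar": base64.b64encode(FAKE_RAR),
    "plain pwdump": FAKE_PWDUMP,
    "xor pwdump": xor_encode(FAKE_PWDUMP, 0x41),
    "text": b"hello world, nothing to see",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:13s} -> {fingerprint(body)}")
```

The XOR search costs 255 passes over the body, so on large transfers it is applied to a bounded prefix for the file signatures (which all sit at offset 0) and to the whole body only for the line-oriented pwdump pattern. A hit on "xor encoded pwdump" leaving the network is the exfiltration of credential material the drills above are written to surface, and the same routine applied to inbound bodies serves the "xor encoded executable" drill in the exploitation section.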
CONCLUSION

Given the prevalence and velocity of malware production, combined with sophisticated attack strategies, it is common for advanced threats to successfully infiltrate organizations, despite defenders having "checked all of the blocks" for a robust security infrastructure. Only through a comprehensive understanding of the organization's current capabilities to detect and respond along the kill chain, and the use of pervasive visibility and threat intelligence combined with intelligent security analytics and intuition, can a defending organization hope to level the playing field. Let this whitepaper serve as high-level guidance and a starting point for identifying and tracking attacks which may pose a threat to your organization – happy hunting!

ENDNOTES

i
ii
iii _cybersecurity_bill
iv
v
vi

ABOUT RSA

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world's leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, encryption and key management, SIEM, data loss prevention and fraud protection with industry-leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit [URLs not preserved in this transcript].

EMC2, EMC, RSA, NetWitness, FirstWatch and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2012 EMC Corporation. All rights reserved. Published in the USA. 10/12 White Paper