Organizations must address the Cyber Kill Chain to defend against advanced threats. The Cyber Kill Chain describes the 7 stages of an attack - reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on targets. Traditionally, organizations focused on prevention at the perimeter, but attackers have bypassed these defenses. To improve security, organizations should detect, deny, disrupt, and recover at each stage of the Cyber Kill Chain rather than solely focusing on prevention. This involves technologies like network monitoring, endpoint protection, and threat intelligence across all phases of an attack.
Featuring research from Gartner
Defending against Advanced Threats:
Addressing the Cyber Kill Chain
“We have known for a considerable period of time that the perimeter-centric security approach is not a panacea for all ills, but organizations should not move away from these controls because they provide a solid foundation. However, in order to allocate and prioritize resources, they should be extended with methods based on an understanding of the CKC.”
- Gartner, Addressing the Cyber Kill Chain, Craig Lawson, 15 August 2014
The latest data breach reports on the daily news remind us of the rapidly changing state of enterprise security. No longer can the focus remain solely on a strong perimeter and endpoint protection; a new model and approach is required, inclusive of the above but extending to deeper analysis and data protection as well. “The current prevention, prevention, prevention approach to dealing with the threat landscape has failed to address advanced and targeted attacks with enough efficacy.”[1] More is required, including updated thinking, a new course to address the challenge and next-generation protection solutions.
A traditional “castle, moat and keep” defense mindset persists today as enterprises invest heavily in perimeter and endpoint protection solutions. While previously successful in protecting companies, these investments are no longer showing the same return. Attackers have innovated and exploited channels through these traditional defenses.
In this report:
From the Gartner Files: Addressing the Cyber Kill Chain (page 4)
About Proofpoint, Inc. (page 11)
Changing the conversation and focus to the mechanics of an advanced or targeted attack is key to disrupting malicious actions.
In 2011, researchers at Lockheed Martin developed the Kill Chain modeled on evidence from network attacks.[2] The Kill Chain is widely known, understood and quoted in security circles. However, it is not generally applied to companies’ security infrastructure investments. Gartner research recommends organizations: “Understand the flow of the kill chain to better understand your adversaries and therefore adjust your defensive tactics to improve your security posture.”[3] Align your defenses with reality. Augment existing defenses with best-of-breed solutions which deploy innovative techniques to detect, block and disrupt the attack before it occurs, shorten the response time and ultimately protect enterprise assets and data.
Proofpoint Aligned to the Cyber Kill Chain Model
A suite of products which maps to the reality of the kill chain is optimum. A large collection is listed in Table 1 of the attached Gartner report. Our focus is a subset. Proofpoint’s solution set maps to the Cyber Kill Chain model as detailed in the diagram below.
About Proofpoint’s Superior Advanced Threat Protection
Block, Detect, Respond, and Harden are the key pillars of the Proofpoint solution set. Proofpoint’s portfolio of industry-leading security solutions for blocking email-borne attacks, detecting new advanced threats, automating incident response, and reducing the impact of potential breaches addresses the reality of today’s advanced attacks and aligns security infrastructure with the Kill Chain. Email, which continues to be a critical business service, is the top route for attackers. The Proofpoint security suite detects and manages advanced email-borne threats, provides security for sensitive data, and accelerates the identification and containment of new threats.
• Stopping more advanced threats: Delivered through the cloud-based Proofpoint Enterprise Protection Suite, organizations of all sizes have access to industry-leading inbound and outbound email security. This suite accurately classifies and blocks threats, while leveraging phishing detection, anti-spam and antivirus technologies.
• Detecting advanced threats faster with actionable intelligence: Proofpoint Targeted Attack Protection detects phishing and web compromise attacks and provides organizations with actionable intelligence to quickly respond. Backed by continuous big data analysis of billions of data points, Proofpoint provides detailed information around campaign type, targeted users and potentially infected systems. Armed with this information, organizations can identify and manage new threats before they lead to data breaches and destructive compromises.
[1] Addressing the Cyber Kill Chain (Gartner), p. 1
[2] http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html
[3] Ibid., p. 1
[Diagram: Proofpoint solutions mapped to the Cyber Kill Chain phases Recon, Weaponise, Deliver, Exploit, Install, C2 and Action, plus Harden. Block Known Threats: Enterprise Protection. Detect Unknown Threats: Targeted Attack Protection. Respond to Incidents: Threat Response. Harden Against Loss: Regulatory Compliance, Encryption, Content Control.]
• Automating incident response, accelerating threat remediation: Proofpoint Threat Response provides users with an open, extensible platform that automates incident response and the incident management lifecycle. Reducing security alert response time from hours to seconds, Proofpoint Threat Response delivers consistent information to users and streamlines collaboration and workflow. Alerts are automatically integrated across multiple security solutions such as those from Proofpoint, FireEye, Palo Alto Networks and Splunk. This solution enables users to investigate, verify, prioritize and contain today’s advanced threats.
• Reducing the impact of data breaches caused by advanced threats: The easy-to-deploy, user-friendly Proofpoint Content Control solution delivers enhanced visibility and control over sensitive content. Through contextual data intelligence, privacy and security teams can effectively identify and manage information with PCI, HIPAA and FINRA regulated content and other high-value information. Violations can be quarantined, copied or deleted to reduce the attack surface and potential impact of a data breach.
Proofpoint’s security solutions align with the new security strategy required to address the cyber kill chain. For more information on Proofpoint security suite solutions, please visit www.proofpoint.com/us/solutions and read Gartner’s research on Addressing the Cyber Kill Chain, available on the following pages.
Source: Proofpoint
From the Gartner Files: Addressing the Cyber Kill Chain
The Cyber Kill Chain model describes how attackers use the cycle of compromise, persistence and exfiltration against an organization. Once the kill chain is understood, CISOs can make pragmatic decisions to improve their security posture.
Key Challenges
• The current prevention, prevention, prevention approach to dealing with the threat landscape has failed to address advanced and targeted attacks with enough efficacy.
• IT security organizations have historical investments in a protection model that is out of balance with today’s threat landscape.
• IT security organizations have largely not taken into account the kill chain life cycle approach to thinking about adversaries; this is a reason why attackers are continuing to be so successful.
• While the kill chain is easy to comprehend, resourcing to address it in the face of competitive business realities and innovation from adversaries is a key challenge.
• Common security architectures and compliance regimes are not prioritizing methods to address the kill chain.
Recommendations
• Understand the flow of the kill chain to better understand your adversaries and therefore adjust your defensive tactics to improve your security posture.
• Move to an architecture and develop supporting processes that address the post-breach and exfiltration stages of the kill chain.
• Augment existing prevention methods with methods to detect, deny, disrupt and recover from the activity of threat actors.
• Implement methods that detect and deny threats at each stage of the kill chain. This will significantly increase the defensibility of your environment, since attackers need to execute all phases of the kill chain to be considered successful.
Strategic Planning Assumption
By 2017, security strategies of lean-forward organizations will routinely include a mapping of their security architecture and/or their processes to the kill chain life cycle.
Introduction
Targeted attacks have escalated in scale and frequency, and the potential for financial and reputational damage resulting from a breach has increased as a consequence. The ease with which traditional security defenses were bypassed in some incidents has left many organizations feeling powerless to defend themselves against these types of threats. This issue has become a concern at the executive boardroom level.
The leading operational archetype in information security practiced by a majority of organizations has a focus on the perimeter, organized according to defense-in-depth principles. While this gives the appearance of concentrating resources on the most exposed assets and attack vectors, it provides a false sense of security and represents a misallocation of resources. This model means the adversary needs to be successful only once out of an unlimited number of attempts. Defenders, conversely, must be right every time.
This has led to a perception that, because there has been a successful malware infection or SQL injection attack against your organization, the adversary has won. The kill chain highlights that this is clearly not the case, because the adversary is victorious only when all phases of the Cyber Kill Chain (CKC) have been executed successfully. Rather than thinking that someone wins when an organization is compromised, you need to move to a mindset of: “Did they achieve their goal of exfiltrating data?”
The CKC is a reference model representing the stages of an attack, mapped distinctively to activities that encompass current attack methodologies. It breaks an attack into seven distinct stages or phases, each allowing a breach to be prevented, discovered or successfully mitigated. The CKC reference model can show how your organization can detect, deny, disrupt and recover at each phase. By aligning enterprise defenses to the same success criteria as that of adversaries, you can right-size the prevention-centric approach that has dominated enterprise thinking and spending on IT security to date.
Analysis
The Phases of the Cyber Kill Chain
The CKC is historically a well-understood concept in military circles that is now being applied to cyber security. Originally developed by Lockheed Martin[1] in 2011 as an intelligence-driven network defense process, it describes the phases that an adversary will take when targeting your environment, exfiltrating data and maintaining persistence in an organization. It is also similar to a majority of penetration testing methodologies and is often described as an attack chain. The two are closely related and can often be used interchangeably.
This research will show that the adversary is only successful when all phases of the kill chain have been executed. So rather than thinking that if adversaries compromise an organization they win, organizations need to move away from this mindset to ask: “Did they achieve their goal of exfiltrating data?” Our version of defeat is often described and measured in terms that are different than the way adversaries define victory. The CKC has seven stages:
1 Reconnaissance — This is anything that can be defined as identification, target selection, organization details, industry-vertical legislative requirements, information on technology choices, social network activity or mailing lists. The adversary is essentially looking to answer the questions: “How many methods do we assume will work with the highest degree of success?” and of those, “Which are the easiest to execute in terms of our investment of resources?”
2 Weaponization or Packaging — This takes many forms: Web application exploitation, off-the-shelf or custom malware, compound document vulnerabilities (PDF, Office) or watering hole attacks. These are prepared with general, opportunistic or very specific intelligence on a target.
3 Delivery — Transmission of the payload is either target-initiated (users browse to a malicious Web presence, leading to the dropping of malware, or they open a malicious PDF file) or attacker-initiated (SQL injection or network service exploitation).
4 Exploitation — After delivery to the user or server, the malicious payload will gain a foothold in the environment by compromising it, usually by exploiting a known vulnerability for which a patch has often been available for months or years. While zero-day exploitation does occur, in a majority of cases it is often not necessary.
5 Installation — This often takes the form of a remote-access trojan (RAT). The application is usually stealthy in its operation, allowing persistence or “dwell time” to be achieved. The adversary can then control this without alerting the organization — a common outcome.
6 Command and Control — In this phase, adversaries have control of assets within your organization through methods of control such as DNS, Internet Control Message Protocol (ICMP), websites and social networks or other methods of command and control. This channel is how the adversary tells the controlled “asset” what to do next and what information to gather. The methods used to gather data under command include screen captures, keystroke monitoring, password cracking, gathering of sensitive content and documents, and network monitoring for credentials. Often a staging host is identified to which all internal data is copied, and then compressed and/or encrypted and made ready for exfiltration.
7 Actions on Targets — This final phase covers how the adversary exfiltrates data and maintains dwell time in an organization and then takes measures to identify more targets, expand their footprint within an organization and — most critical of all — exfiltrate data.
Why Attackers Are So Successful
Adversaries will continue to achieve their objective of successfully completing the CKC unless defenders implement an approach that takes into consideration how an attack is executed. This is difficult to achieve because most software has not been developed using a security development life cycle (SDL), applications have increased in complexity and people remain a weak link.
We have known for a considerable period of time that the perimeter-centric security approach is not a panacea for all ills, but organizations should not move away from these controls because they provide a solid foundation. However, in order to allocate and prioritize resources, they should be extended with methods based on an understanding of the CKC. Whether adversaries are motivated by geopolitical, activist or financial motives, they seek to fulfill specific goals of obtaining an organization’s data. Although we tend to think of IT security in terms of network security, host security and identity security, an “adversary-centric” model is a better-suited and more effective approach in today’s threat landscape.
How Organizations Should Address the Cyber Kill Chain
Instead of continuing to invest primarily in defending an organization’s perimeter, a more pragmatic approach focuses on detecting, denying, disrupting and recovering, as it allows for identification capabilities after a breach. This places the focus on protecting enterprise data, instead of looking at this as a collection of technology point solutions.
A success rate of 100% for prevention against all steps of the attack chain is not attainable. This is also not necessary, as attackers must complete all phases to achieve their goals. Therefore, planning for the prevention of privilege escalation, detecting post-compromise activity, stopping exfiltration of sensitive data and denying the attacker persistence are key.
At a high level, you must take the seven phases of the kill chain that are illustrated in Table 1 and then identify how you can detect, deny, disrupt and recover at each phase.
Figure 2. Diagram of the Cyber Kill Chain
Source: Gartner (August 2014)
Table 1. Technologies and Processes Applicable to Addressing the Kill Chain
(columns: Phase; Detect; Deny or Contain; Disrupt, Eradicate or Deceive; Recover)

Reconnaissance
  Detect: Web analytics, Internet scanning activity reports, vulnerability scanning, external penetration testing, SIEM, DAST/SAST, threat intelligence, TIP
  Deny or Contain: firewall ACL, system and service hardening, network obfuscation, logical segmentation
  Disrupt, Eradicate or Deceive: honeypot
  Recover: SAST/DAST

Weaponization
  Detect: sentiment analysis, vulnerability announcements, VA
  Deny or Contain: NIPS, NGFW, patch management, configuration hardening, application remediation
  Disrupt, Eradicate or Deceive: SEG, SWG
  Recover: (no entry)

Delivery
  Detect: user training, security analytics, network behavioral analysis, threat intelligence, NIPS, NGFW, WAF, DDoS, SSL inspection, TIP
  Deny or Contain: SWG, NGIPS, ATD, TIP
  Disrupt, Eradicate or Deceive: EPP
  Recover: backup or EPP cleanup

Exploitation
  Detect: EPP, NIPS, SIEM, WAF
  Deny or Contain: EPP, NGIPS, ATD, WAF
  Disrupt, Eradicate or Deceive: NIPS, NGFW, EPP, ATD
  Recover: data restoration from backups

Installation
  Detect: EPP, endpoint forensics or ETDR, sandboxing, FIM
  Deny or Contain: EPP, MDM, IAM, endpoint containerization/app wrapping
  Disrupt, Eradicate or Deceive: EPP, HIPS, incident forensics tools
  Recover: incident response, ETDR

Command and Control
  Detect: NIPS, NBA, network forensics, SIEM, DNS security, TIP
  Deny or Contain: IP/DNS reputation blocking, DLP, ATA
  Disrupt, Eradicate or Deceive: DNS redirect, threat intelligence on DNS, egress filtering, NIPS
  Recover: incident response, system restore

Action on Targets
  Detect: logging, SIEM, DLP, honeypot, TIP, DAP
  Deny or Contain: egress filtering, SWG, trust zones, DLP
  Disrupt, Eradicate or Deceive: QoS, DNS, DLP, ATA
  Recover: incident response

Source: Gartner (August 2014)
The section below expands on the table above, giving specific examples and guidance that organizations can investigate. Adding more technology is often not required, but CISOs should take full advantage of improving the effectiveness of existing tools and processes already at their disposal.
Reconnaissance
This phase is often executed without knowledge of your organization. Approaches for this phase are:
• Perform regular external scanning and penetration testing to highlight what an adversary would find if and when your organization comes under scrutiny. This information can be used to remediate vulnerabilities, reducing the attack surface area.
• Use search engines to uncover cached content that can be used for exploits or that discloses information that would make it easier to target the environment.
• Utilize sentiment analysis, a newer method for monitoring both public and underground Internet sites, to look for activity that is specifically related to your organization.
• Ensure that perimeter controls and Internet-facing services are aggressively enforcing the principle of least privilege, including service hardening.
• Use analytics to detect indicators of unwanted activity against Internet-facing services like Web servers, DNS servers, email and VPN gateways.
• Use honeypots where adversary activity can be monitored for exploitation tactics.
• Use static application security testing (SAST) and a security development life cycle (SDL) to make sure that applications aren’t leaking sensitive details and are processing untrusted input correctly.
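The analytics item above (detecting indicators of unwanted activity against Internet-facing services) can be made concrete for a Web server's access log. The following Python block is an added example, not code from the Gartner report or from Proofpoint: it parses combined-format access log lines, summarizes requests per source address, and flags sources that enumerate many distinct paths while receiving mostly error responses, which is the footprint of reconnaissance rather than of normal use. The log lines, the probe paths and the thresholds are constructed for the example.

```python
"""Reconnaissance analytics over a Web server access log (added example)."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format. The sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines):
    """Per source address: request count, distinct paths, error responses and user agents."""
    per_ip = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0, "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip, but in production count it as well
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        s["agents"].add(rec["ua"])
        if rec["status"] >= 400:
            s["errors"] += 1
    return per_ip


def probing_sources(lines, min_requests=10, min_distinct_paths=8, min_error_ratio=0.5):
    """Sources that requested many distinct paths and got mostly 4xx/5xx answers.

    Legitimate visitors follow links that exist; a source walking a list of
    guessed locations produces many distinct paths with a high error ratio.
    The thresholds are assumptions for the example and should be tuned per site.
    Returns sorted (ip, requests, distinct_paths, error_ratio) tuples.
    """
    flagged = []
    for ip, s in summarize(lines).items():
        ratio = s["errors"] / s["requests"]
        if (s["requests"] >= min_requests
                and len(s["paths"]) >= min_distinct_paths
                and ratio >= min_error_ratio):
            flagged.append((ip, s["requests"], len(s["paths"]), round(ratio, 2)))
    return sorted(flagged)


# ---- constructed sample input ------------------------------------------------
def make_line(ip, path, status, ua="Mozilla/5.0"):
    return f'{ip} - - [15/Aug/2014:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


PROBE_PATHS = ["/admin/", "/backup/", "/old/", "/test/", "/dev/", "/staging/",
               "/config/", "/tmp/", "/private/", "/internal/", "/beta/", "/archive/"]

SAMPLE_LOG = (
    [make_line("203.0.113.10", p, 200) for p in ["/", "/about", "/contact"]]          # normal visitor
    + [make_line("198.51.100.77", p, 404, ua="probe-placeholder/1.0") for p in PROBE_PATHS]  # enumeration
)

if __name__ == "__main__":
    for ip, n, paths, ratio in probing_sources(SAMPLE_LOG):
        print(f"{ip}: {n} requests, {paths} distinct paths, error ratio {ratio}")
```

Feeding the real access log in place of SAMPLE_LOG turns this into a daily report; the same per-source summary can be pushed to a SIEM so the Reconnaissance row of Table 1 has a concrete detection feed behind it.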
Weaponization
This phase is often performed with no specific knowledge of the organization being targeted. Organizations need to take proactive steps:
• Keep abreast of newly disclosed vulnerabilities and have up-to-date data about which vulnerabilities have weaponized exploits available for them. With this information, prioritize patching them or implementing mitigating controls like virtual patching through intrusion prevention systems (IPSs).
• Investigate the use of threat intelligence providers that can add value with threat forecasting and advanced notification of impending activity against your organization. An example would be notification of a phishing template becoming available for sale that is designed to look identical to your organization’s.
• Investigate the use of threat intelligence platforms (TIPs) to add in threat and adversary tracking.
Delivery
An array of traditional controls can assist greatly in denying access to your environment:
• Firewall or next-generation firewall to control traffic at the perimeter
• Next-generation intrusion prevention to provide visibility and prevention of compromise attempts
• Email and Web gateway security to enforce multiple methods of content inspection for malicious and unwanted activity
• Distributed denial of service (DDoS) prevention to ensure the business can continue to transact under high volumes of traffic or other methods of application-specific DDoS activity
• Web application firewall (WAF) to prevent the exploitation of e-commerce infrastructure
• Network behavioral analysis (NBA) and security analytics, where network traffic patterns and content can be reviewed for indicators of compromise and suspicious activity
• Payload inspection technology that uses techniques like CPU emulation and sandboxing to provide a behavioral-centric method of malware detection
• DNS security to give visibility and protection against the resolution of unwanted or malicious hosts
Exploitation
An array of network, host and server technologies in conjunction with continuous monitoring can detect and deny access to the organization’s environment:
• Security information and event management (SIEM) to correlate the events and logs from multiple security, infrastructure and identity elements to provide better visibility of malicious behavior
• Prevention-focused security technologies like firewall, endpoint protection platform (EPP), next-generation intrusion prevention system (NGIPS), email and Web security
• Advanced targeted attack (ATA) or advanced persistent threat (APT) technologies that can provide enhanced detection against new threats or variants of existing threats
• Security analytics to review full session analysis detailing the exploitation and subsequent activity with a high level of detail
• Threat intelligence usage in SIEM and network security technologies to provide additional detection and prevention opportunities
Installation
During this phase of the kill chain, host-specific methods are the primary method to detect the execution of malicious content:
• EPP can deliver multiple methods of malware prevention, browser security and application whitelisting.
• Mobile device management can control and deny unwanted applications from running on bring your own device (BYOD) devices. This can also deny user-installed applications from accessing corporate-sensitive data via methods like per-application authentication VPN and containerization.
• Identity and strong authentication methods can reduce the chance of installation and access to data.
Once identified, recover from the situation by being able to:
• Perform incident response
• Recover compromised data from backups
• Restore servers and end-user devices back to known good trusted states
• Potentially comply with law enforcement attempts to prosecute malicious actors
• Report on details of the breach and other compliance mandates (such as reports to financial regulators, on any further impact expected by the company)
Command and Control
With this phase of the CKC, look for methods that detect the adversary’s attempts to control assets that have been previously compromised. If there are infected devices with remote-access trojans or rootkits, use methods such as:
• IP and DNS reputation-filtering capabilities of network behavioral analysis (NBA) tools, network forensics tools, next-generation firewalls, intrusion prevention systems and secure Web gateways
• DNS security, where internal DNS servers themselves have threat intelligence capabilities to deny name resolution of malicious hosts
• SIEMs with watchlists, threat intelligence and other policies configured to detect this type of out-of-character behavior
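The DNS security and SIEM watchlist controls just listed fit together in a small piece of code. The following Python block is an added example and is not from the Gartner report or from any Proofpoint product: it checks each queried name against a threat-intelligence watchlist (constructed placeholder names, not real indicators), covering parent domains so that a subdomain of a listed domain is also denied, answers matches with a sinkhole address the way the "DNS redirect" entry in Table 1 describes, and emits the records a SIEM watchlist rule would consume. The query log format, the watchlist entries and the sinkhole address are assumptions made for the example.

```python
"""DNS-security filter with SIEM watchlist alerts (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed threat-intelligence watchlist: placeholder names, not real indicators.
WATCHLIST = {
    "c2-example.invalid",   # exact host name
    "bad-domain.example",   # any name under this domain matches too
}
SINKHOLE_IP = "192.0.2.1"   # RFC 5737 documentation address, chosen for the example


@dataclass
class Verdict:
    qname: str
    action: str             # "resolve" or "sinkhole"
    matched: Optional[str]  # watchlist entry that caused the sinkhole, if any


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing root dot so lookups are case- and form-insensitive."""
    return qname.strip().rstrip(".").lower()


def watchlist_match(qname: str) -> Optional[str]:
    """Return the watchlist entry covering qname: the exact name or any parent domain.

    The loop stops before the bare top-level label so a TLD alone never matches.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return None


def filter_query(qname: str) -> Verdict:
    """Decide whether the resolver should answer normally or return the sinkhole address."""
    hit = watchlist_match(qname)
    if hit:
        return Verdict(normalize(qname), "sinkhole", hit)
    return Verdict(normalize(qname), "resolve", None)


def process_log(lines: List[str]) -> List[dict]:
    """Apply the filter to 'timestamp client qname' log lines (constructed format)
    and build SIEM-style alert records for every denied query."""
    alerts = []
    for line in lines:
        ts, client, qname = line.split()
        v = filter_query(qname)
        if v.action == "sinkhole":
            alerts.append({"time": ts, "client": client, "qname": v.qname,
                           "matched": v.matched, "answer": SINKHOLE_IP})
    return alerts


def clients_with_hits(alerts: List[dict]) -> dict:
    """Count denied queries per internal client: repeat hits point at a controlled asset."""
    return dict(Counter(a["client"] for a in alerts))


# Constructed query log: timestamp, internal client, queried name.
SAMPLE_QUERY_LOG = [
    "2014-08-15T10:00:01 10.0.1.10 www.example.com",
    "2014-08-15T10:00:02 10.0.1.23 update.bad-domain.example",
    "2014-08-15T10:00:03 10.0.1.23 C2-Example.invalid.",
    "2014-08-15T10:00:04 10.0.1.40 mail.example.org",
]

if __name__ == "__main__":
    found = process_log(SAMPLE_QUERY_LOG)
    for a in found:
        print(f"{a['time']} {a['client']} asked for {a['qname']} -> sinkholed ({a['matched']})")
    print("clients with watchlist hits:", clients_with_hits(found))
```

Denying resolution alone disrupts the channel; the alert records are what make the denial visible, so the per-client count is what a SIEM watchlist rule would key on when deciding which host to hand to incident response.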
Action on Targets
During this phase, the adversary is trying to perform the most important part of its activity. This is to exfiltrate the data gathered in this and earlier phases of the kill chain. Methods to be addressed are:
• After a compromise, all subsequent attack activity is performed as internal or trusted users. A SIEM, data loss prevention (DLP) or database activity monitoring and protection (DAP) function performing continuous monitoring can assist with identifying trusted user access to data that is not specific to their role, access to data in volumes previously unseen, access to data at times of day that is out of character, and access to data from locations previously unseen.
• Network behavioral analysis can highlight devices that are moving data around that is not part of their role (traffic to hosts that stand out), an exceedingly high volume of DNS traffic to an external DNS server that is not defined for external host name resolution, and traffic protocols being actively used that are against policy.
• Next-generation firewalls can identify a trusted user attempting clearly malicious activity such as an FTP session to an unexpected destination.
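The three Action on Targets methods above share one shape: compare observed behavior against what the role or baseline says is normal. The following Python block is an added example written to illustrate them and is not from the Gartner report or from Proofpoint: it runs the network behavioral analysis checks (high-volume DNS to a resolver that is not the approved one, an FTP session to an unexpected destination) over constructed flow records, and the trusted-user checks (off-hours access, an unseen location, volume far above baseline) over constructed access events. The approved resolver set, the allowed FTP destination, the per-user baselines and the thresholds are all assumptions for the example.

```python
"""NBA and trusted-user anomaly checks for the exfiltration phase (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # internal host
    dst: str      # destination address
    dport: int    # destination port
    nbytes: int   # bytes sent by src


@dataclass(frozen=True)
class Access:
    user: str
    hour: int     # hour of day, 0-23
    records: int  # records read in this event
    location: str


# Constructed environment description (assumptions for the example).
APPROVED_RESOLVERS = {"10.0.0.53"}        # the only DNS server clients should talk to
ALLOWED_FTP_DESTINATIONS = {"10.0.5.20"}  # the one FTP destination policy permits
DNS_BYTE_THRESHOLD = 50_000               # bytes per (host, resolver) pair before we alert

# Constructed per-user baselines: working hours, typical daily record volume, usual locations.
BASELINES = {
    "alice": {"hours": range(8, 19), "records": 200, "locations": {"HQ"}},
    "bob":   {"hours": range(9, 18), "records": 50,  "locations": {"HQ", "Branch"}},
}


def dns_to_unapproved_resolvers(flows):
    """(host, resolver) pairs sending more than DNS_BYTE_THRESHOLD bytes of DNS to a
    server that is not the approved resolver. Tunnelling data out over DNS
    produces exactly this: a high volume of port 53 traffic to a server that
    plays no part in legitimate name resolution."""
    totals = defaultdict(int)
    for f in flows:
        if f.dport == 53 and f.dst not in APPROVED_RESOLVERS:
            totals[(f.src, f.dst)] += f.nbytes
    return sorted(pair for pair, total in totals.items() if total > DNS_BYTE_THRESHOLD)


def unexpected_ftp_sessions(flows):
    """FTP control connections (port 21) to destinations outside the allowed list."""
    return sorted({(f.src, f.dst) for f in flows
                   if f.dport == 21 and f.dst not in ALLOWED_FTP_DESTINATIONS})


def access_anomalies(events, volume_factor=5):
    """Trusted-user access that is out of character against the user's baseline:
    outside usual hours, from an unseen location, or total volume above
    volume_factor times the typical daily volume. Returns (user, reason) tuples."""
    findings = []
    volume = defaultdict(int)
    for e in events:
        base = BASELINES.get(e.user)
        if base is None:
            findings.append((e.user, "no baseline for user"))
            continue
        volume[e.user] += e.records
        if e.hour not in base["hours"]:
            findings.append((e.user, f"access at hour {e.hour} outside baseline"))
        if e.location not in base["locations"]:
            findings.append((e.user, f"access from unseen location {e.location}"))
    for user, total in volume.items():
        if total > volume_factor * BASELINES[user]["records"]:
            findings.append((user, f"volume {total} exceeds {volume_factor}x baseline"))
    return findings


# Constructed sample input.
FLOWS = [
    Flow("10.0.1.10", "10.0.0.53", 53, 1_200),      # normal lookups via the approved resolver
    Flow("10.0.1.10", "10.0.0.53", 53, 900),
    Flow("10.0.1.23", "198.51.100.7", 53, 40_000),  # heavy DNS to an external server
    Flow("10.0.1.23", "198.51.100.7", 53, 35_000),
    Flow("10.0.1.40", "198.51.100.9", 53, 300),     # external resolver, but low volume
    Flow("10.0.1.23", "203.0.113.5", 21, 5_000),    # FTP to an unexpected destination
    Flow("10.0.1.11", "10.0.5.20", 21, 2_000),      # FTP to the permitted destination
]
ACCESS = [
    Access("alice", 10, 150, "HQ"),
    Access("alice", 23, 900, "HQ"),      # off-hours, large read
    Access("alice", 11, 400, "HQ"),      # pushes alice's daily total past 5x baseline
    Access("bob", 14, 20, "Remote"),     # location not seen before
]

if __name__ == "__main__":
    print("DNS volume to unapproved resolvers:", dns_to_unapproved_resolvers(FLOWS))
    print("Unexpected FTP sessions:", unexpected_ftp_sessions(FLOWS))
    for user, reason in access_anomalies(ACCESS):
        print(f"{user}: {reason}")
```

Each function returns a list a SIEM or DLP console can consume; in practice the baselines come from weeks of observed activity rather than a hand-written dict, and the DNS threshold is set from the normal per-host query volume in the environment.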