1 CONFIDENTIAL
Dan Hubbard, CTO, OpenDNS
Rick Holland, Principal Analyst, Forrester
What Happens Before the Kill Chain
Slide 2: Speakers
Dan Hubbard, CTO, OpenDNS
Rick Holland, Principal Analyst, Forrester
Slide 3 (© 2015 Forrester Research, Inc. Reproduction Prohibited)
Agenda
› The cyber kill chain
› Targeted Attack Hierarchy of Needs
› Making prevention work
@rickhholland
Slide 4
STRESS
Slide 5
Time to discover is pathetic
Slide 6
205 days to discover
Slide 7
Adversaries are on shopping sprees
Slide 8
With no time limits
Slide 9
New Incident Response Metric: Mean Time Before CEO Apologizes
Slide 10
We need bright ideas
Slide 11
Intelligence-Driven Computer Network Defense Informed by
Analysis of Adversary Campaigns and Intrusion Kill Chains
Slide 12
Agenda
› The cyber kill chain
› Targeted Attack Hierarchy of Needs
› Making prevention work
@rickhholland
Slide 13
Targeted attack hierarchy of needs
Source: May 15, 2014, “Introducing Forrester's Targeted-Attack Hierarchy Of Needs, Part 1 Of 2” Forrester report
Slide 14
Slide 15
Why should we give up on prevention?
Slide 16
Why should you settle for detection and response?
Slide 17
Can you imagine incident volume without prevention?
Slide 18
Prevention is dead?
›  Be wary of anyone claiming that prevention is dead
›  Especially if all they sell are detection tools or services
›  You should lead with prevention and fall back to detection and response
Be suspicious
Slide 19
Agenda
› The cyber kill chain
› Targeted Attack Hierarchy of Needs
› Making prevention work
@rickhholland
Slide 20
Don’t wait for reconnaissance
Kill chain phases: Reconnaissance › Weaponization › Delivery › Exploitation › Installation › Command & Control › Action on objectives
Source: http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster
Slide 21
Napoleon: “An army marches on its stomach”
Slide 22
Attacks against your org rely upon infrastructure
Slide 23
Block enemy infrastructure
›  The best way to get time to containment down is to reduce the overall number of security incidents
›  Free up your limited resources to focus more on detection and response
›  You can disrupt the adversary by blocking its ability to target you
›  The military puts the kill in the kill chain, leave hack back to the government
Slide 24
Source: http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf
The Diamond Model of Intrusion Analysis
Slide 25
Infrastructure that the adversary could reuse
›  Domain names
›  IP addresses
›  Command and Control structure
›  Internet Service Providers
›  Domain registrars
›  Web-mail providers
Slide 26
Lenny Zeltser: Report Template for Threat Intelligence and Incident Response
Source: https://zeltser.com/cyber-threat-intel-and-ir-report-template/
Slide 27
Domain registration OPSEC fail
›  Careful observation of DNS registrant contact information history has revealed an OPSEC failure by the attackers in one instance.
›  For a brief period (possibly before the server was operational), WHOIS privacy was inactive, pointing at a real identity of the registrant.
›  This e-mail address leads to social media accounts that show public and clear affinity with Lebanese political activism.
Slide 28
Slide 29
Forrester definition: Predictive analytics
›  “Software and/or hardware solutions that allow firms to discover, evaluate, optimize, and deploy predictive models by analyzing big data sources to improve business performance or mitigate risk.”
Slide 30
Predictive security analytics
›  Uses Big Data analysis techniques to anticipate future attacker activity based on historical activity
›  Leverages machine learning, statistical analysis, and visualization
›  Unless you have data science skills, navigating vendor marketing can be challenging
›  Ask vendors to provide use cases
Slide 31
Slide 32
OpenDNS Research: Applied Research, Thought Leadership, Response, Customer / Prospect Engagements
Slide 33
Our Perspective: Diverse Set of Data & Global Internet Visibility
Requests Per Day: 70B
Countries: 160+
Daily Active Users: 65M
Enterprise Customers: 10K
Slide 34
Our view of the Internet: providing visibility into global Internet activity (e.g. BGP, AS, DNS)
Slide 35
How it works
›  Ingest millions of data points per second
›  Apply statistical models and human intelligence
›  Identify probable malicious sites
Slide 36
How we develop our statistical models: 3D Visualization, Data Mining, Security Research Expertise
Slide 37
Investigate: single, correlated source of information
Types of threat information provided:
›  WHOIS record data
›  ASN attribution
›  IP geolocation
›  IP reputation scores
›  Domain reputation scores
›  Domain co-occurrences
›  Anomaly detection (DGAs, FFNs)
›  DNS request patterns / geographic distribution
›  Passive DNS database
Slide 38
Predictive Intelligence (Inference, Knowledge, Learning): Pre-Compromise, Compromise, Post-Compromise
Slide 39
Predictive Intelligence (Inference, Knowledge, Learning) mapped to the kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C & C, Actions & Objectives
Slide 40
Before the Kill Chain
Kill chain:  Reconnaissance | Weaponization | Delivery
Before it:   Plan | Build | Test / Iterate
Slide 41
Predictive Intelligence: Plan, Build, Test / Iterate
•  Where will we host the infrastructure?
•  How will it be fault tolerant?
•  What domain / IP / Networks will I utilize?
•  How will the backend scale? Reporting? Uptime?
•  Private and public announcement and advertising?
•  Testing and iteration of the solution
Slide 42
We see where attacks are staged
Slide 43
Examples
Slide 44
Malaysia Airlines DNS Hijack
January 25, 2015
Slide 45
Malicious ASN/IP identified: owned by Lizard Squad, who hacked PS3 and Xbox networks in December 2014
Slide 46
OpenDNS recognized the domain hijacking on Jan 25th and blocked the DNS request, and hence any subsequent attack
Slide 47
WHOIS: BEDEP Example
Slide 48
WHOIS: Visualization of Inferences
Slide 49
WHOIS: Visualization of Inferences
Slide 50
WHOIS: registration date after first seen!
Slide 51
Anomaly Detection: Identify DGAs
Domain Generation Algorithms: technique for generating malware domains on-the-fly
yfrscsddkkdl.com
qgmcgoqeasgommee.org
iyyxtyxdeypk.com
diiqngijkpop.ru
Does the probability distribution of letters appear random?
N-gram analysis: do letter pairings match normal language patterns?
Slide 52
DGA Example: Gameover
Min: May 30: Plan, Build, Test, Iterate
Slide 53
Conclusion
§  Do not give up on prevention and shift *all* resources to detection
§  Analyze your security posture for predictive elements
§  Utilize hunting and analytic tools to increase security efficacy
§  Explore security analytics to identify and map attacker infrastructure before the kill chain
Slide 54
Start a 14-Day Trial
signup.opendns.com/freetrial
Slide 55
Questions?
