Big data takes on the kill chain
- By Mark Seward
- Apr 17, 2014
Advanced attacks come in many forms. They are often stealthy, will stay within a system as long as possible and aim to collect high-value data, which can lead to disastrous consequences.
Agencies are beginning to rely on a new defense methodology to protect against such sophisticated threats – Lockheed Martin’s Cyber Kill-Chain approach. Originally a military term, kill chain described how the military would find, fix, track, engage and attack the enemy.
Today, the term also serves as a model for the stages of a cyberattack. The kill chain is a series of seven steps, or commonalities, that mark the typical process of a cyberthreat: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and acting on objectives (exfiltration).
Big data systems are uniquely suited for kill-chain analysis because they have the ability to examine all types of data and activity across networks, servers, applications, websites, mobile devices and sensors. Ultimately, the ability to recognize patterns of behavior typically associated with each step of the kill chain requires full visibility across an agency’s IT environment in real time while baselining against normal behavior patterns. Big data systems can also correlate structured and unstructured data to paint a complete picture of an agency’s overall IT health and offer insight into the sophisticated threats of today.
The kill chain is essentially a game plan to break down and analyze events and understand how best to halt attacks that are already in motion so that agencies can stop threats in their tracks. Agencies are vulnerable at any point within the kill chain, so it’s important to understand not only the warning signs in each stage but also how to address threats in the event of a compromise. Observing different phases of an attack provides visibility into where an organization should prohibit an attacker from meeting his objective.
Reconnaissance: Recognize the signs of trolling
Attackers can infiltrate IT systems and networks at any point in the kill chain, but most commonly they will start with the first phase – reconnaissance. An attacker wants to know as much as possible about the target, and this process often entails crawling social networks, organizational conferences and mailing lists for email addresses, social relationships or information on specific technologies to identify personal information that can be exploited.
For example, attackers might find a list of agency heads on a website and then crawl social networks to identify those individuals’ interests and hobbies. They are then equipped with information needed to make a phishing email look like it’s coming from a trusted source. If an agency employee clicks on a link within the email, he risks downloading malicious code that can scan the network and report back to the hackers where potential vulnerabilities lie.
To prevent these types of attacks, security teams must have access to Web analytics and social media data. Agencies should monitor traffic to their websites to uncover anomalous activity as well as have an understanding of clicks from unusual geographic locations. For example, Google Analytics visitor flow reports can show where visitors come from and how they browse and access a website.
Agencies should also monitor outgoing data, especially file sharing that may help an attacker with social engineering. And they should consider analysis of organizational sentiment and perform keyword searches on social media to understand whether a “storm is gathering” that may result in an attack.
Big data analysis tools are especially helpful in correlating social data with data center traffic and Web analytics data. This comprehensive view shows who is looking at an agency, and why, which helps IT managers know when and where it is appropriate to invest more resources into identifying threat characteristics.
Weaponization and Delivery: Identify threat characteristics
Malicious code has become so democratized online that it’s easy for an attacker to purchase code off the shelf and then weaponize it. This creates one of the most challenging aspects of security in today’s constantly evolving threat landscape – the ability to know all types of malicious code packaging.
Typically attackers will couple a remote access Trojan with an exploit to create a weaponized deliverable that aims to infiltrate an agency. According to Lockheed Martin, we’re increasingly seeing application data files such as PDFs or Microsoft Office documents serve as these weaponized deliverables, but malware can also be delivered via email attachments, websites and USB removable media.
That’s why agencies must enlist a security approach that is mindful of the many types of malware and malicious code and watch for patterns associated with these across the agency. A large part of this comes down to educating all employees to spot something that might contain a malicious link. A common example is an email containing a link whose URL doesn’t look quite right: perhaps a brand name is misspelled, or two letters in the domain are transposed.
Employee training and education coupled with big data analytics tools are key to building a foolproof plan of defense. Agencies are increasingly looking for tools that can identify whether the domain of an email belongs to a legitimate business, monitor different types of email attachments and perform packet-level inspection to understand file attachment content.
Robust analytics tools can monitor for Trojans and backdoors as well as unusual communications between systems. A typical red flag is an email that has multiple subject lines sent to various people but with the same malicious link embedded in each one. Analytics tools will notice this and alert the security team so that it is aware of all relevant threat intelligence data. Agencies can rely on these analytics to halt a malicious delivery before their systems are infected.
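The two delivery-phase red flags above, a lookalike brand name in a URL and one link reused across emails with different subject lines, can be checked mechanically. The following is an added example, not code from the article or from any vendor; the mail records, the brand list and the edit-distance thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of inbound mail (not real data): one link is reused under three subjects.
SAMPLE_MAIL = [
    {"to": "alice@agency.example", "subject": "Budget review",
     "body": "Please sign in: http://micros0ft-support.example/login"},
    {"to": "bob@agency.example", "subject": "Travel reimbursement",
     "body": "Action required: http://micros0ft-support.example/login"},
    {"to": "carol@agency.example", "subject": "Conference agenda",
     "body": "Draft here: http://intranet.agency.example/agenda"},
    {"to": "dave@agency.example", "subject": "Re: parking",
     "body": "See http://micros0ft-support.example/login today"},
]

# Brand names attackers imitate in hostnames (assumed list for this example).
BRAND_LABELS = {"microsoft", "agency", "intranet"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def levenshtein(a, b):
    """Edit distance; a misspelled or letter-swapped brand scores 1 or 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_labels(url):
    """Return (label, brand) pairs where a hostname label is a near miss of a brand."""
    host = urlparse(url).hostname or ""
    hits = []
    for label in re.split(r"[.-]", host):
        for brand in BRAND_LABELS:
            d = levenshtein(label, brand)
            if 0 < d <= 2 and len(label) >= 5:   # exact matches are legitimate
                hits.append((label, brand))
    return hits

def link_campaigns(mail, min_subjects=3):
    """Group messages by embedded URL; flag a URL sent under many different subjects."""
    by_url = defaultdict(set)
    for m in mail:
        for url in URL_RE.findall(m["body"]):
            by_url[url].add(m["subject"])
    return {u: sorted(s) for u, s in by_url.items() if len(s) >= min_subjects}
```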
Exploitation and Installation: Stop infections from spreading
Sometimes before it can be detected, an intruder will find a way to exploit a network or IT systems -- the exploitation phase of the kill chain. This leads to the installation phase, which is when a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment. The key here is to stop the infection before the entire agency is compromised and sensitive data is stolen.
Agencies should make sure all of their systems are fully patched and up to date to prevent malware infection. They can also turn to malware behavior identification and detection tools, like VirusTotal or Georgia Tech Research Institute’s Apiary, to identify malware actions and characteristics.
Big data analytics tools can monitor systems and services for infection characteristics not detected by AV engines, such as malware hashes, communication IPs, ports and protocols, file or registry key changes, network connections and dynamic-link library changes. Correlating all of this data into a single view can help monitor for unusual traffic that could indicate a breach -- and eventually a hostile takeover.
Command and Control: Prevent remote takeover
Even if malware successfully infects an agency’s IT systems, not all is lost. The next step for the intruder is to establish command and control channels so that the target environment can be accessed remotely. At this point agencies can rely on statistical analysis that points to lateral movement of data between systems, which would indicate unusual connections.
Malware communication analytics technologies help agencies monitor Web traffic to known bad IPs and domains, identify self-signed certificates, recognize outbound encrypted traffic, uncover falsified HTTP headers and identify the use of remote Windows shell or remote desktop. Web traffic can also be monitored for communications with domains set up in the last 24 hours, which is often evidence of a command and control site. These are all indicators of a potential infection in which the intruder is attempting to take control of an IT system from a remote location. It is important to unearth these red flags before any sensitive data is lost or stolen.
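The command-and-control indicators just listed (known bad IPs and domains, self-signed certificates, a falsified Host header and a domain registered within the last 24 hours) can be scored per connection from proxy or TLS inspection logs. This is an added example rather than the article’s or any product’s code; the log lines, the threat list and the domain registration dates are constructed, standing in for live threat-intelligence and WHOIS lookups.

```python
from datetime import datetime, timedelta

# Constructed proxy/TLS log (not real traffic). Tab-separated fields:
# ts, src, dst_host, dst_ip, cert_issuer, cert_subject, http_host_header
SAMPLE_LOG = """\
2014-04-17T10:00:01Z\t10.1.2.3\tupdates.vendor.example\t203.0.113.10\tVendor CA\tupdates.vendor.example\tupdates.vendor.example
2014-04-17T10:00:05Z\t10.1.2.3\tcdn-sync.example\t198.51.100.7\tcdn-sync.example\tcdn-sync.example\tupdates.vendor.example
2014-04-17T10:00:09Z\t10.1.2.9\tmail.agency.example\t192.0.2.25\tAgency CA\tmail.agency.example\tmail.agency.example
2014-04-17T10:01:00Z\t10.1.2.3\tbad.example\t203.0.113.66\tBad CA\tbad.example\tbad.example
"""

# Assumed threat-intel list and WHOIS creation dates; a real deployment queries live feeds.
KNOWN_BAD = {"bad.example", "203.0.113.66"}
DOMAIN_CREATED = {
    "updates.vendor.example": datetime(2009, 5, 1),
    "cdn-sync.example": datetime(2014, 4, 16, 22, 30),   # registered ~11 hours ago
    "mail.agency.example": datetime(2005, 1, 1),
    "bad.example": datetime(2012, 1, 1),
}
NOW = datetime(2014, 4, 17, 10, 0)   # constructed analysis time matching the log

def c2_indicators(line, now=NOW):
    """Return (src, host, flags) for one log line; each flag is one article indicator."""
    ts, src, host, ip, issuer, subject, hdr_host = line.split("\t")
    flags = []
    if host in KNOWN_BAD or ip in KNOWN_BAD:
        flags.append("known_bad")
    if issuer == subject:                     # self-signed: issuer is the subject itself
        flags.append("self_signed_cert")
    created = DOMAIN_CREATED.get(host)
    if created is None or now - created < timedelta(hours=24):
        flags.append("new_or_unknown_domain")
    if hdr_host != host:                      # Host header disagrees with the real destination
        flags.append("host_header_mismatch")
    return src, host, flags

def scan(log, now=NOW):
    """Score every non-empty line; callers would alert on any record with flags."""
    return [c2_indicators(l, now) for l in log.splitlines() if l.strip()]
```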
Action on objectives: Keep intruders from stealing the jackpot
Typically the prime objective of most cyberattacks is data exfiltration, which involves collecting, encrypting and extracting information from the victim. Intruders may only seek access to a certain network or database to use as a jump-off point to compromise additional systems and move laterally inside the network or attack other partner organizations. This is why the final phase of the kill chain – the point at which a hacker acts on his objectives – represents the jackpot for attackers. This is the opportunity to secure data that can be sold on the open market, like personally identifiable information, credit card data and other types of sensitive information.
To prevent the exfiltration of sensitive assets, agencies must watch for unusual activity at the edge and inside the network. Examples of this can include large file transfers – particularly to third-party file sharing websites or via FTP or SFTP servers, unusual amounts of CPU consumption by particular systems or the movement of encrypted files to unusual locations.
Agencies must monitor for performance degradation of their IT systems and check whether anti-virus software has stopped updating, as these are key indicators of malware exfiltration activity. It is also important to categorize users based on their activities within the network.
Security teams should look at individuals’ use of administrative tools and commands and monitor for any activity that may be unusual for them. Although an intruder may have found a way into sensitive IT systems, there is still time to ensure the data assets housed in those systems do not leave the agency and end up in the hands of a malicious outsider.
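The exfiltration checks described in this section, a per-user baseline of outbound volume, transfers to file-sharing, FTP or SFTP destinations a user has never used before, and administrative tool use that is unusual for that person, combine into one per-day review. The code below is an added example, not the article’s or any product’s; the six-day history, the destination categories and the three-sigma band with a 5% floor are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed six-day history of daily outbound transfers (not real data):
# (day, user, dest_category, bytes_out, used_admin_tools)
HISTORY = (
    [(d, "alice", "web", 40_000_000 + d * 1_000_000, False) for d in range(1, 7)]
    + [(d, "bob", "web", 5_000_000, False) for d in range(1, 7)]
    + [(d, "ops", "sftp", 800_000_000, True) for d in range(1, 7)]
)
TODAY = [
    (7, "alice", "web", 45_000_000, False),
    (7, "bob", "sftp", 2_500_000_000, True),   # 500x usual, via SFTP, first admin-tool use
    (7, "ops", "sftp", 850_000_000, True),     # normal for this operations account
]
RISKY_DEST = {"sftp", "ftp", "file_sharing"}   # destinations the article singles out

def build_baseline(history):
    """Per-user profile: mean/stdev of bytes out, destinations seen, admin-tool use."""
    seen, cats, admin = defaultdict(list), defaultdict(set), defaultdict(bool)
    for _, user, cat, b, adm in history:
        seen[user].append(b); cats[user].add(cat); admin[user] |= adm
    return {u: {"mean": mean(v), "sd": pstdev(v), "cats": cats[u], "admin": admin[u]}
            for u, v in seen.items()}

def exfil_flags(record, base, z=3.0):
    """Flags for one day's record; a user with no history gets an empty profile."""
    _, user, cat, b, adm = record
    p = base.get(user, {"mean": 0.0, "sd": 0.0, "cats": set(), "admin": False})
    flags = []
    # A flat history gives sd == 0, so 5% of the mean is the floor for the band.
    if b > p["mean"] + z * max(p["sd"], 0.05 * p["mean"]):
        flags.append("volume_spike")
    if cat in RISKY_DEST and cat not in p["cats"]:
        flags.append("new_risky_destination")
    if adm and not p["admin"]:
        flags.append("unusual_admin_tool_use")
    return user, flags

def review_day(records, base):
    """Map each flagged user to their flags; clean users are omitted."""
    return {u: f for u, f in (exfil_flags(r, base) for r in records) if f}
```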