CyberEye

Blog archive
Taking aim at stealthy attacks

Taking aim at stealthy attacks

By now you no doubt have heard about SandWorm, the cyberespionage campaign against NATO and other high-value targets, attributed by researchers at iSight Partners to Russian hackers.

The researchers have been monitoring activities of this hacker team since late 2013, but its origins date back as far as 2009. Using spearphishing with malicious attachments, they have successfully exploited a zero-day Windows vulnerability and other vulnerabilities to compromise military and other Western European government organizations, including energy companies, the Ukrainian government and U.S. academic organizations.

It seems to be a textbook example of an advanced, persistent threat. The attackers were motivated and well resourced; and the compromises were successful, stealthy and apparently long-lived.

“Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree,” wrote iSight’s Stephen Ward.

How do agencies defend against such an threat? When the vulnerability is unknown and the malicious code is well hidden, IT managers have to look for active footprints. They have to keep an eye on the traffic that is entering and leaving their systems and watch what is happening inside those systems. No matter how stealthy the exploit, it has to activate inside the system, and that is where to spot it and stop it.

That’s the idea behind the Cyber Kill Chain.

The Cyber Kill Chain is based on the military concept of establishing a systematic process to target, engage and defeat an adversary. It relies on the assumption that an adversary will have to carry out specific steps to attack in a given environment.

The Cyber Kill Chain, introduced by Lockheed Martin in 2011, upends the traditional wisdom that an IT defender has to be successful 100 percent of the time, while an attacker has to succeed only once. Under this concept, the attacker has to successfully complete the entire seven-step process, while the defender can defeat him at any point in the chain.

The seven links in the Cyber Kill Chain are:

  1. Reconnaissance: Gathering intelligence to identify a target.
  2. Weaponization: Packaging an exploit in a deliverable payload.
  3. Delivery: Delivering the weapon to the victim, through email, malicious websites, removable media, etc.
  4. Exploitation: Executing the exploit on the victim’s system.
  5. Installation: Installing malware on the target.
  6. Command and control: Opening a channel for remote manipulation of the target system.
  7. Action on objectives: Gathering, exfiltrating or altering data, manipulating systems or other activity against the target.

Breaking an attack into incremental steps rather than looking at it as a binary action – compromised or not compromised – gives the defender many points at which the attack can be identified, targeted, and eliminated or mitigated.

But it also requires an intelligence-driven approach to defense. That means having visibility into the networks and systems being defended and the ability to analyze data so that anomalies or other patterns being displayed in the attack can be identified.

This is not necessarily easy to achieve, and defending systems against complex or sophisticated attacks will remain challenging.

But tools and services are available, and the government’s move toward continuous monitoring (or continuous diagnostics and mitigation) is a step toward enabling intelligence-driven defense. Attacks and breaches might be inevitable, but cyberdefense is not a game we have to lose.

Posted by William Jackson on Oct 17, 2014 at 10:27 AM


Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.