Taking aim at stealthy attacks
By now you no doubt have heard about SandWorm, the cyberespionage campaign against NATO and other high-value targets, attributed by researchers at iSight Partners to Russian hackers.
The researchers have been monitoring the activities of this hacker team since late 2013, but its origins date back as far as 2009. Using spearphishing with malicious attachments, the team has successfully exploited a zero-day Windows vulnerability and other vulnerabilities to compromise military and other Western European government organizations, along with energy companies, the Ukrainian government and U.S. academic organizations.
It seems to be a textbook example of an advanced, persistent threat. The attackers were motivated and well resourced; and the compromises were successful, stealthy and apparently long-lived.
“Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree,” wrote iSight’s Stephen Ward.
How do agencies defend against such a threat? When the vulnerability is unknown and the malicious code is well hidden, IT managers have to look for active footprints. They have to keep an eye on the traffic that is entering and leaving their systems and watch what is happening inside those systems. No matter how stealthy the exploit, it has to activate inside the system, and that is where to spot it and stop it.
That’s the idea behind the Cyber Kill Chain.
The Cyber Kill Chain is based on the military concept of establishing a systematic process to target, engage and defeat an adversary. It relies on the assumption that an adversary will have to carry out specific steps to attack in a given environment.
The Cyber Kill Chain, introduced by Lockheed Martin in 2011, upends the traditional wisdom that an IT defender has to be successful 100 percent of the time, while an attacker has to succeed only once. Under this concept, the attacker has to successfully complete the entire seven-step process, while the defender can defeat him at any point in the chain.
The seven links in the Cyber Kill Chain are:
- Reconnaissance: Gathering intelligence to identify a target.
- Weaponization: Packaging an exploit in a deliverable payload.
- Delivery: Delivering the weapon to the victim, through email, malicious websites, removable media, etc.
- Exploitation: Executing the exploit on the victim’s system.
- Installation: Installing malware on the target.
- Command and control: Opening a channel for remote manipulation of the target system.
- Action on objectives: Gathering, exfiltrating or altering data, manipulating systems or other activity against the target.
Breaking an attack into incremental steps rather than looking at it as a binary action – compromised or not compromised – gives the defender many points at which the attack can be identified, targeted, and eliminated or mitigated.
But it also requires an intelligence-driven approach to defense. That means having visibility into the networks and systems being defended and the ability to analyze data so that anomalies or other patterns being displayed in the attack can be identified.
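The following Python script is an added illustration of that intelligence-driven approach; it is not code from the article or from Lockheed Martin's kill chain work. It takes constructed log lines from three assumed sources (a mail gateway, an endpoint agent and a web proxy, with made-up field names), maps each line onto one of the seven phases listed above, correlates the hits per host, and reports the earliest phase at which each intrusion was visible to the defender and how far along the chain it got. The hostnames, users, sender addresses and the 203.0.113.7 address are constructed sample values.

```python
"""Map constructed security-tool log lines onto Cyber Kill Chain phases.

Added example; the phase names are the seven links from the article, while
the log formats, field names and detection rules below are assumptions.
"""
from collections import defaultdict

# Kill chain order, earliest phase first.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and control", "Action on objectives",
]

# Assumed detection heuristics: an Office application spawning a script host
# is treated as exploitation of a malicious attachment.
OFFICE_PARENTS = {"WINWORD.EXE", "POWERPNT.EXE", "EXCEL.EXE"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}
EXFIL_BYTES = 10_000_000  # assumed threshold for a suspiciously large upload

# Constructed sample log: "<timestamp> key=value key=value ...".
SAMPLE_LOG = [
    "2014-10-15T09:12:03 source=mailgw host=ws-042 user=jdoe event=attachment attachment=agenda.pptx sender=press@example.invalid verdict=allowed",
    "2014-10-15T09:15:40 source=edr host=ws-042 event=process parent=POWERPNT.EXE child=rundll32.exe",
    "2014-10-15T09:15:41 source=edr host=ws-042 event=persistence mechanism=scheduled_task name=updater",
    "2014-10-15T09:16:10 source=proxy host=ws-042 dst=203.0.113.7 beacon_interval=60s bytes_out=512",
    "2014-10-15T11:02:44 source=proxy host=ws-042 dst=203.0.113.7 method=PUT bytes_out=48210044",
    "2014-10-15T09:20:01 source=mailgw host=ws-017 user=asmith event=attachment attachment=budget.docx sender=hr@example.invalid verdict=quarantined",
    "2014-10-15T10:00:00 source=edr host=ws-099 event=process parent=explorer.exe child=notepad.exe",
]


def parse_line(line):
    """Turn one 'timestamp k=v k=v' line into a dict with a 'ts' key."""
    ts, _, rest = line.strip().partition(" ")
    rec = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def classify(rec):
    """Return the kill chain phase a record evidences, or None if benign."""
    src, ev = rec.get("source"), rec.get("event")
    if src == "mailgw" and ev == "attachment":
        return "Delivery"  # the weapon arrived, whether or not it was blocked
    if src == "edr" and ev == "process":
        if (rec.get("parent", "").upper() in OFFICE_PARENTS
                and rec.get("child", "").lower() in SCRIPT_CHILDREN):
            return "Exploitation"
    if src == "edr" and ev == "persistence":
        return "Installation"
    if src == "proxy" and "beacon_interval" in rec:
        return "Command and control"
    if src == "proxy" and (rec.get("method") == "PUT"
                           or int(rec.get("bytes_out", 0)) >= EXFIL_BYTES):
        return "Action on objectives"
    return None


def correlate(lines):
    """Group phase detections by host, sorted by timestamp."""
    by_host = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        phase = classify(rec)
        if phase:
            by_host[rec["host"]].append((rec["ts"], phase))
    for events in by_host.values():
        events.sort()
    return dict(by_host)


def summarize(by_host):
    """Per host: phases seen in chain order, earliest detection, deepest phase."""
    report = {}
    for host, events in by_host.items():
        seen = sorted({phase for _, phase in events}, key=PHASES.index)
        report[host] = {
            "phases": seen,
            "earliest_detection": seen[0],   # where the defender could have cut the chain
            "deepest_phase": seen[-1],
            "reached_objectives": seen[-1] == PHASES[-1],
        }
    return report


def analyze(lines):
    return summarize(correlate(lines))


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_LOG).items():
        print(host, "->", " > ".join(info["phases"]),
              "| first visible at:", info["earliest_detection"],
              "| reached objectives:", info["reached_objectives"])
```

Run on the sample, ws-042 shows hits in five consecutive phases ending in a large upload, so the chain was visible from Delivery onward and every later detection was a missed chance to cut it; ws-017 shows a single Delivery hit because the gateway quarantined the attachment, which is the chain broken at its first observable link; ws-099 produces no phase at all and does not appear. Hosts with only a single late-phase hit (say, Command and control with nothing before it) are the ones worth the most analyst attention, because they indicate earlier phases that the existing sensors never saw.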
This is not necessarily easy to achieve, and defending systems against complex or sophisticated attacks will remain challenging.
But tools and services are available, and the government’s move toward continuous monitoring (or continuous diagnostics and mitigation) is a step toward enabling intelligence-driven defense. Attacks and breaches might be inevitable, but cyberdefense is not a game we have to lose.
Posted by William Jackson on Oct 17, 2014 at 10:27 AM