Big data takes on the kill chain

Big data systems can correlate structured and unstructured data to paint a complete picture about an agency’s overall IT health and offer insight into the sophisticated threats.

Advanced attacks come in many forms. They are often stealthy, stay within a system as long as possible and aim to collect high-value data, which can lead to disastrous consequences.

Agencies are beginning to rely on a new defense methodology to protect against such sophisticated threats – Lockheed Martin’s Cyber Kill Chain approach. Originally a military term, the kill chain described how the military would find, fix, track, engage and attack the enemy.

Today, the term also serves as a model for the stages of a cyberattack. The kill chain is a series of seven steps, or commonalities, that mark the typical process of a cyberthreat: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and acting on objectives (exfiltration).

Big data systems are uniquely suited for kill-chain analysis because they have the ability to examine all types of data and activity across networks, servers, applications, websites, mobile devices and sensors. Ultimately, the ability to recognize patterns of behavior typically associated with each step of the kill chain requires full visibility across an agency’s IT environment in real-time while baselining against normal behavior patterns. Big data systems can also correlate structured and unstructured data to paint a complete picture about an agency’s overall IT health and offer insight into the sophisticated threats of today.

The kill chain is essentially a game plan to break down and analyze events and understand how best to halt attacks that are already in motion so that agencies can stop threats in their tracks. Agencies are vulnerable at any point within the kill chain, so it’s important to understand not only the warning signs in each stage but also how to address threats in the event of a compromise. Observing the different phases of an attack provides visibility into where an organization should prevent an attacker from meeting his objective.

Reconnaissance: Recognize the signs of trolling

Attackers can infiltrate IT systems and networks at any point in the kill chain, but most commonly they will start with the first phase – reconnaissance. An attacker wants to know as much as possible about the target, and this process often entails crawling social networks, organizational conferences and mailing lists for email addresses, social relationships or information on specific technologies to identify personal information that can be exploited.

For example, attackers might find a list of agency heads on a website and then crawl social networks to identify those individuals’ interests and hobbies. They are then equipped with information needed to make a phishing email look like it’s coming from a trusted source. If an agency employee clicks on a link within the email, he risks downloading malicious code that can scan the network and report back to the hackers where potential vulnerabilities lie.

To prevent these types of attacks, security teams must have access to Web analytics and social media data. Agencies should monitor traffic to their websites to uncover anomalous activity as well as have an understanding of clicks from unusual geographic locations. For example, Google Analytics visitor flow reports can show where visitors come from and how they browse and access a website.

Agencies should also monitor outgoing data, especially file sharing that may help an attacker with social engineering. They should also consider analysis of organizational sentiment and perform keyword searches on social media to understand whether a “storm is gathering” that may result in an attack.

Big data analysis tools are especially helpful in correlating social data with data center traffic and Web analytics data. This comprehensive view shows who is looking at an agency, and why, which helps IT managers know when and where it is appropriate to invest more resources into identifying threat characteristics.

Weaponization and Delivery: Identify threat characteristics

Malicious code has become so democratized online that it’s easy for an attacker to purchase code off the shelf and then weaponize it. This creates one of the most challenging aspects of security in today’s constantly evolving threat landscape – the ability to know all types of malicious code packaging.

Typically attackers will couple a remote access Trojan with an exploit to create a weaponized deliverable that aims to infiltrate an agency. According to Lockheed Martin, we’re increasingly seeing application data files such as PDFs or Microsoft Office documents serve as these weaponized deliverables, but malware can also be delivered via email attachments, websites and USB removable media.

That’s why agencies must enlist a security approach that is mindful of the many types of malware and malicious code and watch for patterns associated with them across the agency. A large part of this comes down to educating all employees to spot something that might contain a malicious link. A common instance is an email with a link whose URL doesn’t look quite right: for example, a brand name is spelled wrong or two letters in the URL are inverted.

Employee training and education coupled with big data analytics tools are key to building a foolproof plan of defense. Agencies are increasingly looking for tools that can identify whether the domain of an email belongs to a legitimate business, as well as monitor different types of email attachments and perform packet-level inspection to understand file attachment content.

Robust analytics tools can monitor for Trojans and backdoors as well as unusual communications between systems. A typical red flag is an email that has multiple subject lines sent to various people but with the same malicious link embedded in each one. Analytics tools will notice this and alert the security team so that it is aware of all relevant threat intelligence data. Agencies can rely on these analytics to halt a malicious delivery before their systems are infected.
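As an added example (not from the article or from Lockheed Martin), the two delivery-phase red flags above can be checked mechanically: a link host that is one misspelling or one letter swap away from a trusted domain, and one URL recurring under many different subject lines and recipients. The trusted domains and the sample messages are constructed for the example.

```python
# Added example (not from the article): two checks for the weaponization and
# delivery red flags described above, run over a constructed batch of e-mails.
# lookalike_domain() flags a link whose host is one letter substitution or one
# adjacent-letter swap away from a trusted domain; shared_link_campaign() groups
# messages by embedded URL and reports URLs sent under several subject lines.
from collections import defaultdict
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-agency.gov", "example-bank.com"}  # constructed allow-list


def _one_edit_away(a, b):
    """True if a and b differ by one substitution or one adjacent transposition."""
    if len(a) != len(b) or a == b:
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diffs) == 1:
        return True
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def lookalike_domain(url):
    """Return the trusted domain a link's host imitates, or None if exact or unrelated."""
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if _one_edit_away(host, trusted):
            return trusted
    return None


def shared_link_campaign(messages, min_subjects=3):
    """Map URL -> {subjects, recipients} for URLs seen under >= min_subjects subjects."""
    by_url = defaultdict(lambda: {"subjects": set(), "recipients": set()})
    for msg in messages:
        for url in msg["urls"]:
            by_url[url]["subjects"].add(msg["subject"])
            by_url[url]["recipients"].add(msg["to"])
    return {u: v for u, v in by_url.items() if len(v["subjects"]) >= min_subjects}


# Constructed sample mail: three differently titled messages carry the same
# link to a domain that swaps two letters of example-bank.com.
MESSAGES = [
    {"to": "a@agency.example", "subject": "Invoice overdue", "urls": ["http://exmaple-bank.com/login"]},
    {"to": "b@agency.example", "subject": "Your account", "urls": ["http://exmaple-bank.com/login"]},
    {"to": "c@agency.example", "subject": "Action required", "urls": ["http://exmaple-bank.com/login"]},
    {"to": "d@agency.example", "subject": "Newsletter", "urls": ["https://example-agency.gov/news"]},
]

if __name__ == "__main__":
    for url, info in shared_link_campaign(MESSAGES).items():
        print(url, "->", len(info["recipients"]), "recipients; imitates", lookalike_domain(url))
```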

Exploitation and Installation: Stop infections from spreading

Sometimes, before it can be detected, an intruder will find a way to exploit a network or IT systems – the exploitation phase of the kill chain. This leads to the installation phase, in which a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment. The key here is to stop the infection before the entire agency is compromised and sensitive data is stolen.

Agencies should make sure all of their systems are fully patched and up to date to prevent malware infection. They can also turn to malware behavior identification and detection tools, like VirusTotal or Georgia Tech Research Institute’s Apiary, to identify malware actions and characteristics.

Big data analytics tools can monitor systems and services for infection characteristics not detected by AV engines, like malware hashes, communication IPs, ports and protocols, file or registry key changes, network connections and dynamic-link library changes. Correlating all of this data into a single view can help monitor for unusual traffic that could indicate a breach – and eventually a hostile takeover.

Command and Control: Prevent remote takeover

Even if malware successfully infects an agency’s IT systems, not all is lost. The next step for the intruder is to establish command and control channels so that the target environment can be accessed remotely. At this point agencies can rely on technologies that allow for statistical analysis pointing to lateral movement of data between systems, which would indicate unusual connections.

Malware communication analytics technologies help agencies monitor Web traffic to known bad IPs and domains, identify self-signed certificates, recognize outbound encrypted traffic, uncover falsified HTTP headers and identify the use of remote Windows shells or remote desktop. Web traffic can also be monitored for communications with domains set up in the last 24 hours, which is often evidence of a command and control site. These are all indicators of a potential infection in which the intruder is attempting to take control of an IT system from a remote location. It is important to unearth these red flags before any sensitive data is lost or stolen.

Action on objectives: Keep intruders from stealing the jackpot

Typically the prime objective of most cyberattacks is data exfiltration, which involves collecting, encrypting and extracting information from the victim. Intruders may also seek access to a certain network or database only to use it as a jump-off point to compromise additional systems, move laterally inside the network or attack other partner organizations. This is why the final phase of the kill chain – the point at which a hacker acts on his objectives – represents the jackpot for attackers. This is their opportunity to secure data that can be sold on the open market, like personally identifiable information, credit card data and other types of sensitive information.

To prevent the exfiltration of sensitive assets, agencies must watch for unusual activity at the edge and inside the network. Examples include large file transfers – particularly to third-party file sharing websites or via FTP or SFTP servers – unusual amounts of CPU consumption by particular systems, or the movement of encrypted files to unusual locations.
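The command-and-control indicators in the previous section (known bad destinations, self-signed certificates, domains set up in the last 24 hours) and the exfiltration indicators above (large transfers to file-sharing sites or FTP/SFTP) can be expressed as rules over edge connection records. The following is an added example, not code from the article or from any vendor; the record format, the known-bad list, the file-sharing list and the domain creation dates are constructed, and a real deployment would take them from the proxy, a threat-intelligence feed, a URL-category service and WHOIS or passive DNS.

```python
# Added example (not from the article): detection logic for the command-and-control
# and exfiltration indicators listed above, run over constructed proxy/flow records.
# The record format, the known-bad list, the file-sharing list and the domain
# creation dates are all constructed; a real deployment would feed them from the
# proxy, a threat-intelligence feed, a URL-category service and WHOIS/passive DNS.
import csv
from datetime import datetime, timedelta
from io import StringIO

FIELDS = ["time", "src", "dst_host", "dst_ip", "dst_port", "bytes_out", "self_signed_tls"]
KNOWN_BAD = {"198.51.100.23", "c2.example-bad.net"}        # constructed intel list
FILE_SHARING = {"files.example-share.com"}                  # constructed third-party sharing sites
REGISTERED = {                                              # constructed WHOIS creation times
    "c2.example-bad.net": "2014-03-01T08:00:00",
    "fresh.example-new.org": "2014-03-02T03:00:00",
}
FTP_PORTS = {21, 22}                                        # FTP and SFTP (over SSH)
LARGE_TRANSFER = 50 * 1024 * 1024                           # 50 MiB outbound; tune to your baseline

# Constructed records; one line per connection seen at the edge.
LOG = """\
2014-03-02T09:10:00,ws-17,cdn.example-ok.com,203.0.113.10,443,12000,no
2014-03-02T09:12:00,ws-17,fresh.example-new.org,203.0.113.55,443,800,yes
2014-03-02T09:15:00,ws-03,c2.example-bad.net,198.51.100.23,8443,500,no
2014-03-02T22:40:00,db-01,files.example-share.com,203.0.113.80,443,734003200,no
2014-03-02T22:45:00,db-01,203.0.113.90,203.0.113.90,22,120000000,no
"""


def analyse(log_text):
    """Return (src, dst_host, [reasons]) for each record matching at least one indicator."""
    findings = []
    for rec in csv.DictReader(StringIO(log_text), fieldnames=FIELDS):
        seen = datetime.fromisoformat(rec["time"])
        reasons = []
        # Command-and-control indicators from the article
        if rec["dst_host"] in KNOWN_BAD or rec["dst_ip"] in KNOWN_BAD:
            reasons.append("known bad destination")
        created = REGISTERED.get(rec["dst_host"])
        if created and seen - datetime.fromisoformat(created) < timedelta(hours=24):
            reasons.append("domain registered in last 24h")
        if rec["self_signed_tls"] == "yes":
            reasons.append("self-signed certificate")
        # Exfiltration indicator: large outbound transfer to a sharing site or FTP/SFTP
        if (int(rec["bytes_out"]) >= LARGE_TRANSFER
                and (rec["dst_host"] in FILE_SHARING or int(rec["dst_port"]) in FTP_PORTS)):
            reasons.append("large transfer to file-sharing site or FTP/SFTP")
        if reasons:
            findings.append((rec["src"], rec["dst_host"], reasons))
    return findings


if __name__ == "__main__":
    for src, dst, reasons in analyse(LOG):
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

The 24-hour rule deliberately does not fire for c2.example-bad.net (created 25 hours before the connection) so that the known-bad match, not the registration age, is what flags it.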

Agencies must monitor for performance degradation of their IT systems and check whether anti-virus software has stopped updating, as these are key indicators of malware exfiltration activity. It is also important to categorize users based on their activities within the network.

Security teams should look at individuals’ use of administrative tools and commands and monitor for any activity that may be unusual for them. Although an intruder may have found a way into sensitive IT systems, there is still time to ensure the data assets housed in those systems do not leave the agency and end up in the hands of a malicious outsider.
