Breaking The Kill Chain: A Defensive Approach

Video Statistics and Information

Reddit Comments

Very clear video, great for non-technical staff who may not appreciate the layers of security at a large organisation.

3 points, u/Jaccident, Feb 06 2019

Great video, thanks

3 points, u/Shujolnyc, Feb 06 2019

This is by far one of the best videos I've seen that breaks down the cyber kill chain in layman's terms. I have some engineers and PMs who will benefit from watching this video. Great job.

3 points, u/doc_samson, Feb 06 2019

Captions
First developed by Lockheed Martin, the cybersecurity kill chain is a model for describing the steps an attacker must complete to carry out a successful attack. The model is made up of seven sequential steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally actions on objectives. To disrupt the attack, one or more of these steps must be broken for the entire chain to fail, and in order for us to do that we need to understand their playbook. Using the NIST Cybersecurity Framework as a reference, we'll look at tools at every phase that will lead to a multi-layered security plan for our organization. I'm Andy with The CISO Perspective, and this video is called Breaking the Kill Chain: A Defensive Approach.

Reconnaissance

The first step of any cybersecurity attack is to gather information about the victim, also known as reconnaissance. The two different stages of reconnaissance are passive and active. During the passive reconnaissance stage an attacker will use indirect methods to gather information from publicly available sources like WHOIS, ARIN registrations, Google, Shodan, job listings and company websites. Once an attacker has collected as much public information as possible, they move on to active reconnaissance. This involves some level of interaction with your organization. During this phase the attacker will actively probe your network or system looking for open ports and services. This includes technical tools like Nmap for port scanning and banner grabbing, and vulnerability scanners. Now, vulnerability scanners are very loud and obvious, so attackers will usually limit their scope or slow scan over a period of time to avoid being caught.

Defending against passive reconnaissance means limiting the level of detail we expose publicly. That means limiting the information we put on job postings, training personnel in acceptable use of social media sites, and removing specific error messages from public servers. Our first protective measure is to ensure that unused ports and services are disabled; this limits the number of entry points an attacker can use to get into your system. Honeypots are a great tool that can be used as a decoy against the would-be attacker: not only do they divert attention away from real systems, but they also reveal what the attackers are after and who they are. A firewall with IPS capabilities on the perimeter will provide filtering and segmentation while also monitoring for port scans and banner grabs. Most next-generation firewalls can block connections from Tor networks and known proxy IP addresses, which are commonly used during this phase to obfuscate the real IP of an attacker. The entire goal of the reconnaissance phase is to find a weakness that can be exploited. Once the attacker has found that weakness, they can move on to the next step.

Weaponization

Once an attacker has found a weakness, their next step is to find or create an attack that will exploit that vulnerability. The weapon of choice will depend on the information they collected from you during the reconnaissance step. Some commonly used weapons during this phase are tools like Metasploit or Exploit-DB, which are repositories for known exploits; the Veil framework, which is commonly used to generate evasion code for malware; the Social Engineering Toolkit, if they decide they will deliver the malware through a social engineering campaign; and of course many others.

Since this stage is all about what the attacker uses as a weapon, we need to have some of the basics covered, and that includes things like patch management. Patch management continues to be one of the best defensive measures against the weaponization stage, because you can't exploit a vulnerability if there's no vulnerability to exploit. The vast majority of today's breaches are still due to unpatched servers. Office macros, JavaScript and browser plugins are all common avenues for an attacker to exploit, so disabling these alone will greatly reduce your exposure as well. Some technical controls we can apply at this stage are things like antivirus on the endpoint and perimeter to protect against known malware, an IPS that is specifically tuned to look for exploit attempts and not just port scanning and banner grabbing like in the reconnaissance stage, and email security that includes antivirus and anti-spyware features that we can enable. During this phase the attacker is selecting which tool to use, but they haven't actually delivered yet. How they deliver the attack is as critical as what they choose for a weapon, and that brings us to the third stage.

Delivery

By this point the attacker has selected the weapon based on their earlier reconnaissance. Now the delivery stage is where they try one or multiple avenues to deliver the weapon. The delivery of the attack varies by the kind of attack, but some common examples can include things like: websites, malicious or clean (an attacker can infect a legitimate website they know your users frequent); social media; user input (this means the attacker has some level of interaction with a public server like a website or a database); email (if the attacker has found a partner your company uses during the reconnaissance phase, they can embed malware into an order form that your employees are more likely to open if they phish the email to make it look like it's coming from a partner); and USB (common attacks are leaving infected USBs in public areas and around employees' cars, hoping the temptation for them to put it into their laptop is too much).

The single best security measure against the delivery of the attack is user awareness. This includes security training and phishing campaigns that teach personnel the basics of good security practices. While all the protective measures we discussed in the weaponization stage still apply, there are a few extra measures you can take to limit the delivery channels an attacker can use. Email security, but specifically DKIM and SPF: DKIM and SPF are email authentication methods to detect spoofed emails. SPF makes sure that emails are coming from an authorized IP of the domain, while DKIM uses digital signatures to verify authenticity. Both techniques help ensure the emails are coming from legitimate, authorized channels. Web filtering can prevent a user from accessing questionable or known bad websites. Disabling USBs and not giving users admin rights also prevents a big portion of the delivery mechanisms that malware typically uses. DNS filtering: while web filtering blocks web requests destined to malicious sites, using a DNS security solution can block any DNS lookup attempt to prevent communications over any protocol. I always use this in combination with web filtering. Remember, SSL accounts for the majority of web and email traffic you see today, so if you're not doing SSL inspection on all of your delivery channels you may be completely blind to what's passing through that encrypted tunnel.

Exploitation

During the exploitation stage the attacker has effectively delivered the weapon of choice to the victim and the attack has been executed. This means we have failed to keep the weapon out of our environment, and the only thing left for the attacker to do is pull the trigger. The actual exploit could come in the form of a buffer overflow, a SQL injection, malware that was undetected by our antivirus solution, a client-side exploit that was executed on an old version of JavaScript, and of course many others.

Protective measures are limited once an attacker has been able to execute the exploit, but some do exist. DEP, or Data Execution Prevention, is a software and hardware feature which attempts to prevent execution of code in memory where it doesn't belong. Anti-exploit is a feature of some antivirus solutions that monitors known applications for unusual calls to memory. Both of these techniques act as a last line of defense against common exploit attempts. The reality is, when an attacker gets to this point you're relying on post-infection tools like a sandbox to detect exploits that have already been executed. A sandbox has some preventive capabilities depending on the scenario, but for most network environments you have what's called patient zero. Patient zero refers to the first time an unknown file is seen on the network. The first person to download the file would be infected, because the malware analysis can take several minutes to complete. However, once the sandbox determines that the file is malicious, it can then block that file and protect all your other users. It will alert you that patient zero is infected, and you can move on towards your remediation and recovery steps. It's worth noting that an exploit takes advantage of some weakness in an application or operating system, but it's not the finish line for the attack. The goal of the exploit is to gain better access, and that leads us to our next step.

Installation

The exploitation and the installation phases go hand in hand. A successful exploit allows me to inject a payload that will give me a better level of access to accomplish my mission. From an attacker's perspective, gaining better access allows me to control the victim at any point in the future, even after a system has been patched or rebooted. Some common payloads and techniques during this stage involve DLL hijacking, injecting a Meterpreter or similar payload, installing a remote access tool (otherwise known as a RAT), registry changes to make a program automatically start up or persist, and executing PowerShell in fileless attacks.

Once an attacker has gotten this far into the system, very limited protective tools exist. Linux-based systems can use a chroot jail as a way to isolate processes from the rest of the system, in this way limiting the amount of data the malicious file has access to. Windows-based systems can disable PowerShell altogether on systems that don't require it. Fortunately, we have really good post-infection tools we can use at this stage that monitor system files and the registry for unusual activities. A good UBA or EDR solution should flag any new unauthorized program that has been installed, as well as detect any changes to the registry and system processes. Unauthorized changes to system processes and registries should cause a log and alert to go off, and way before you get to this stage your team should already have an SOP or plan for this type of event. This includes things like identifying if the device is mission-critical, removing the device from the network, changing all credentials for users that were logged in, and so on. Once a system is determined to be infected, you can then begin the process of restoring that system to a known state.

Command and Control

At this stage the system has been completely compromised and is in the control of the attacker. If they completed the previous steps correctly, their access is persistent even if you reboot or patch the vulnerability. The infected device could immediately be used to carry out the mission, or it could sit back and wait for further instructions from its command and control server. Our defensive tactics are going to be around limiting what they can control and detecting unusual activity. Limiting the damage of a breach starts with segmentation. Segmentation will make it harder for the attacker to move laterally and easier to detect using audit logs. If you have the ability to do micro-segmentation through a zero trust security model, even better; this would essentially leave the infected user completely isolated on a port until they can verify the machine is clean and it has been authenticated.

As for technical controls, most next-generation firewalls have a database of known command and control servers; enabling this feature will help block remote access from known bad actors. There are also many free and paid DNS servers that offer botnet and command and control protection at the DNS level. Attackers will often use evasion techniques such as DGA or fast flux to generate a large number of domains that are used as rendezvous points; blocking access to recently observed domains will stop connections to these common hubs. While on the topic of next-generation firewalls, make sure you're using layer 7 application control to block commonly known remote access tools like Telnet, SSH, netcat, PowerShell, RDP and various other protocols that really have no business leaving your network. If you do have a business case for using these tools, try to lock it down to specific IP addresses. An attacker will almost always use encrypted connections to avoid being caught, so if you're not doing full SSL deep packet inspection you're completely blind to any communication attempts going through that tunnel. For detection, indicators of compromise, or IOCs, are excellent post-detective tools as well. An IOC is an observed behavior by a user or server that is indicative of a breach. IOCs can be observed and collected on the endpoint, or could be collected by a SIEM device with an IOC feed.

Actions on Objectives

With the machine now infected and the attacker in full control, they can now execute the action to achieve their objective. The action is predicated on the motivation of the attacker, so understanding the type of attacker that could be targeting your organization is critical. Attackers could be motivated by financial reasons, political or nation-state motives, malicious insiders, or simply wanting to move laterally to go after a more important system on the network. If the goal is data exfiltration, we can look into tools that prevent data from moving off of the endpoint or server. On the endpoint, tools like DLP or UBA solutions have complementary features to detect and prevent specific files from moving off the network. The problem is, if an attacker has already gained access to your system, doing something as simple as a screenshot of a protected document would not be detected by most of these tools. Lateral movement is a common step for an attacker to take once they gain access into a system, at which point they begin their reconnaissance stage all over again to gain information about the internal network. This is why network segmentation between different clearance levels is so important to a network design. The zero trust security model is built around the idea that eventually we're all going to fall victim to this stage of the kill chain. By removing the idea of trust on your inside network, you can treat all users as untrusted until proven otherwise. While we won't go into detail on the zero trust security model, this model is very effective at detecting infected machines and limiting the damage that can be done by the attacker. Once a compromised machine is identified, you can begin your incident response planning and eventually reimage the system before putting it back on your network.

The CISO Perspective

The kill chain is more than just a model for how an attack is executed; it's also a blueprint for building a good cybersecurity program. By using multiple layers of security throughout each phase, we make it more and more challenging for the attack to be successful, and that by itself may be a victory, because so many attacks are just opportunistic in nature. The challenge I always give my clients is to rate their security posture from 1 to 10 at each phase of the chain. How would your organization deal with an attack that got all the way through to the installation phase? Do you have the processes in place that could detect that? If so, how long would the attacker sit in that phase before it's remediated: minutes, hours, days? Dwell time is the length of time an attacker is active inside the network before being detected. For CISOs and security directors this is a critical metric to follow. According to a report by the Ponemon Institute and IBM, the average dwell time is 191 days. I'll end the video on that scary statistic. I hope you found all of this informative. Please comment, hit like, subscribe to stay on top of all of our latest releases here at The CISO Perspective.
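As an added example of the SPF check described in the delivery section (written for this page, not code from the video or the channel), the function below evaluates a sending IP against an SPF TXT record's ip4, ip6 and all mechanisms with their qualifiers; the record shown is constructed for a hypothetical domain, and DNS-dependent mechanisms (include, a, mx) are assumed out of scope and never match.

```python
import ipaddress

# Constructed SPF record for a hypothetical domain (not from the video).
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ip4:198.51.100.7 -all"

# Qualifier prefixes and the SPF result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip under the given TXT record.

    Supported: ip4, ip6 and all mechanisms, each with an optional qualifier.
    Assumption of this example: include/a/mx/exists need DNS lookups, so they
    are treated as non-matching. Results: pass, fail, softfail, neutral, none.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all

    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means pass-on-match
        if term and term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            # "all" always matches; its qualifier decides the default outcome.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue  # malformed mechanism: skipped here (a real check would permerror)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        # any other mechanism is DNS-dependent and treated as no match in this example

    # RFC 7208 default when no mechanism matched and there is no "all" term.
    return "neutral"
```

A mail gateway would typically reject on "fail" and quarantine or tag on "softfail"; combined with DKIM signature verification this is the spoofing check the video refers to.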
Info
Channel: The CISO Perspective
Views: 57,975
Rating: 4.9590678 out of 5
Keywords: Next-gen firewall, ngfw, Palo Alto, Fortinet, checkpoint, firepower, firewall, sizing, cybersecurity, firewall sizing, netsec, network security, versa, Cisco, Pan, juniper, advanced threat protection, fortigate, incident response, Zero day, 0 day, malware, virus, nss, intrusion prevention, ciso, information security, kill chain, exploit, kali, metasploit, meterpreter, remote access tool, zero trust, NIST, cybersecurity framework, gartner
Id: II91fiUax2g
Length: 13min 18sec (798 seconds)
Published: Tue Feb 05 2019