Cyber situational awareness and the kill chain
The concept of the cyber kill chain, in some form or another, has been around for ages. Some love it, and some hate it. But one thing that has always confused me about it is that – apart from the reconnaissance phase – it focuses very heavily on the attack itself. I guess this makes sense, as traditional security has concentrated on the network, and specifically the perimeter. But it got me thinking about how the kill chain intersects with cyber situational awareness.
The first step in the kill chain is reconnaissance, which basically entails surveying your target, seeking out weaknesses, potential vectors and other information to assist with an attack. Organizations traditionally address this step in a number of ways, including firewall or proxy logs, honeypots and network-based intrusion detection systems (NIDS). Unfortunately, these only aim to detect threats that directly target the perimeter network and fail to address other important threats, such as data that has already found its way outside the organization by many different means, including:
- Stolen credentials posted on sites such as Pastebin;
- Sensitive documents openly shared on the web because of misconfigured consumer-grade storage devices;
- Proprietary source code that somehow finds its way onto code-sharing sites such as GitHub;
- Social media platforms that can provide a gold mine of information for threat actors crafting a spear-phishing campaign.
In conjunction with the increased attack surface, there is also the threat landscape to consider and the range of actors who may be discussing plans for attacks against an organization. Hacktivists often do this publicly, but criminals and nation states are much more covert. Even an understanding of who is being attacked and why can be valuable for an organization, as it helps them appreciate the wider threat and take a more strategic view of their security. These are all things that cyber situational awareness can provide.
Reconnaissance is followed by weaponization. Depending on the type of threat you are dealing with, this can be anything from an easily available and simple-to-use exploit, up to the crafting and deployment of an exploit for a zero-day vulnerability. Honeypots, sandboxes and NIDS all help to this end but, again, they only attempt to deal with the threats as they hit the organization directly, sometimes too little too late. It is very important to understand the tactics, techniques and procedures (TTPs) being used across the threat landscape, or discussed and traded online, in order to prepare for and provide mitigations against them.
At the delivery, exploitation, installation, command and control, and actions on objectives stages, there are many effective security controls that help. But these can and should be supplemented with information from outside the organization. For example, in order to assess the effectiveness of your Data Loss Prevention (DLP) solution, proxy or firewall, one must look for evidence, or the lack of it, that the very data these tools are trying to protect exists outside the organization. This practice can provide indications that sensitive data is being sold on criminal forums or leaked on paste sites. Similarly, it can offer assessments of the credibility of the actors making claims of responsibility.
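One way to put that check into practice, as an added example that is not from the original post: a monitor that holds only hashed word-shingle fingerprints of a protected document plus the organization's mail domains, and scores external text for reuse of either. The internal document, the domain `example-corp.test` and the paste samples are all constructed for illustration.

```python
import hashlib
import re

SHINGLE_WORDS = 5  # words per fingerprinted run; smaller catches shorter quotes but adds noise

def shingles(text, k=SHINGLE_WORDS):
    """Hash every run of k consecutive words so the monitor stores no plaintext."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(0, len(words) - k + 1))}

def fingerprint_overlap(doc_fp, text):
    """Fraction of a protected document's shingles that reappear in external text."""
    return len(doc_fp & shingles(text)) / len(doc_fp) if doc_fp else 0.0

def org_emails(text, domains):
    """Addresses at the organization's mail domains, the usual sign of a credential dump."""
    alts = "|".join(re.escape(d) for d in sorted(domains))
    return sorted({m.group(0).lower()
                   for m in re.finditer(r"[\w.+-]+@(?:" + alts + r")\b", text, re.I)})

def assess_paste(text, doc_fp, domains, threshold=0.2):
    """Score one external text: document reuse ratio, exposed org accounts, alert flag."""
    overlap = fingerprint_overlap(doc_fp, text)
    emails = org_emails(text, domains)
    return {"overlap": overlap, "emails": emails,
            "alert": overlap >= threshold or bool(emails)}

# Constructed sample data (not real): a protected internal document and the org's mail domain.
INTERNAL_DOC = ("Project Orion roadmap. Phase one migrates the billing service to the new "
                "cluster during the second quarter. Phase two retires the legacy gateway "
                "once all partners have moved.")
ORG_DOMAINS = {"example-corp.test"}
DOC_FP = shingles(INTERNAL_DOC)  # only these hashes need to leave the DLP team

# Constructed paste-site samples: one quotes the roadmap and leaks an account, one is noise.
PASTE_LEAK = ("dumping some stuff from a contractor mailbox\n"
              "Phase one migrates the billing service to the new cluster during the second quarter.\n"
              "jdoe@example-corp.test:hunter2\n")
PASTE_BENIGN = "my sourdough recipe: mix flour water and salt then wait a day"

if __name__ == "__main__":
    for name, paste in (("leak", PASTE_LEAK), ("benign", PASTE_BENIGN)):
        print(name, assess_paste(paste, DOC_FP, ORG_DOMAINS))
```

The leak sample reproduces 10 of the document's 24 shingles and exposes one account, so it alerts on both counts; the benign sample scores zero on each.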
Is this the end of the kill chain? No. The kill chain can flow into a cycle, where an organization learns lessons from an attack and ensures that future attempts at reconnaissance cannot use the same information, thereby reducing the attack surface. By subscribing to the concept of cyber situational awareness and viewing the kill chain through that lens, organizations can be confident that they understand their attack surface, know which TTPs could be used against them and, should data find its way online, can quickly discover it and mitigate the risks.