Disrupting the Kill Chain

Matt Tett

Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years of history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing: CISSP, CISM, CSEPS and CISA. He is a long-standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found at http://www.testlab.com.au, its blog at http://enextestlab.blogspot.com, and on Twitter as @enextestlab.

At the recent CSO Perspectives Security Roadshow, I had the privilege to moderate a series of roundtables on disrupting the kill chain—or attack chain. I was fortunate to be joined by an international expert on the subject, Tim Treat.

He is currently a cyber-security expert for Palo Alto Networks, but Tim approaches security largely from a defence background, believing counterattack is an important consideration for protection.

In previous roles with the Air Force, Tim led organisations performing engineering and installation, combat communications, network operations and security operations.

Tim now uses his experience to help organisations incorporate enterprise resilience, prevention and protection into their network operations and defence convergence strategies.

So what is the kill chain and how does it relate to information security?

Essentially, terms like kill chain are used at a high level to describe the steps required for an attack to take place. These are: reconnaissance, weaponisation, delivery, exploitation, command/control, execution and maintenance.

Reconnaissance is the discovery of a target and its attributes, with the aim of identifying weak systems, procedures and people, and so the most appropriate technique for gaining access while avoiding detection. Depending on the sophistication of the attacker and the value of the target, this could take months or even years.

Weaponisation is building the tool(s), or developing the technique that will be deployed to achieve the goal. It will be contingent on the information discovered via reconnaissance.

Delivery is getting inside the organisation and deploying the weapon. It could be as simple as having someone in the organisation visit a website that contains a drive by download, or clicking on an e-mail attachment.

Exploitation is initiated at an appropriate time once the weapon has been deployed.

Control is then established over the weapon within the organisation.

Execution of the weapon takes place at the ideal time to take the target, essentially capturing the flag. This is either done with stealth, or as a public display timed for maximum embarrassment. Maintenance may then be undertaken to enable the attacker to keep hold of a persistent, passive presence in the organisation for future use.

The kill chain is essentially a framework, which can be modified or adapted, but describing it still does not address the fact that the same chain continues to be used against us again, and again, and again.

Tim’s premise is that if we are lucky, we detect at the execution stage, and from then on we are either defending or (worst-case scenario) blind to the attack. Once they are in, they are in.

The military typically focus on detection and prevention, taking a proactive counterattack stance by aiming to detect threats when they are at the exploitation or even delivery stage (higher up the chain is better, but exponentially harder).

This is what we need to aim for in information security.
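To make the premise above concrete, here is an added example (not from the article or from Tim Treat's work) that orders the seven stages as the article lists them, maps constructed sample alerts to those stages, and reports for each host at which stage the defence first saw the attack, how far the chain had progressed, which stages in between produced no alert (visibility gaps), and whether detection came before execution. The alert types and the mapping from alert to stage are assumptions; a real deployment would map its own detection sources.

```python
from collections import defaultdict

# The seven stages in the order the article gives them, earliest first.
STAGES = ["reconnaissance", "weaponisation", "delivery", "exploitation",
          "command/control", "execution", "maintenance"]
RANK = {stage: i for i, stage in enumerate(STAGES)}

# Hypothetical mapping from alert types to kill-chain stages (an assumption).
ALERT_STAGE = {
    "port_scan": "reconnaissance",
    "phish_click": "delivery",
    "drive_by_download": "delivery",
    "exploit_attempt": "exploitation",
    "c2_beacon": "command/control",
    "bulk_exfil": "execution",
    "persistence_installed": "maintenance",
}

# Constructed sample alerts: (timestamp, host, alert_type).
SAMPLE_ALERTS = [
    ("09:01", "ws-17", "phish_click"),
    ("09:04", "ws-17", "exploit_attempt"),
    ("09:20", "ws-17", "c2_beacon"),
    ("11:30", "srv-02", "bulk_exfil"),
    ("11:45", "srv-02", "persistence_installed"),
    ("08:10", "ws-03", "port_scan"),
    ("10:15", "ws-03", "c2_beacon"),
]

def assess_host(host_alerts):
    """Summarise visibility into one host's chain from (timestamp, alert_type) pairs."""
    ordered = sorted(host_alerts)                      # time order of detection
    ranks = [RANK[ALERT_STAGE[alert]] for _ts, alert in ordered]
    first_detected = ranks[0]                          # stage at which we first saw it
    furthest = max(ranks)                              # how far the attack got
    seen = set(ranks)
    gaps = [STAGES[r] for r in range(min(ranks), furthest + 1) if r not in seen]
    return {
        "first_detected": STAGES[first_detected],
        "furthest": STAGES[furthest],
        "gaps": gaps,                                  # stages with no alert at all
        "caught_before_execution": first_detected < RANK["execution"],
    }

def assess(alerts):
    """Group alerts by host and assess each host's chain."""
    by_host = defaultdict(list)
    for ts, host, alert in alerts:
        by_host[host].append((ts, alert))
    return {host: assess_host(pairs) for host, pairs in by_host.items()}

if __name__ == "__main__":
    for host, verdict in assess(SAMPLE_ALERTS).items():
        print(host, verdict)
```

Hosts where `caught_before_execution` is false are the "if we are lucky" cases the article describes; the `gaps` list is where detection coverage needs to move up the chain.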

In fact, Tim has authored a paper on the subject, which you can find here.

The discussions across the roundtables revealed a lot of people resigned to detection and defence. The concept of counterattack is something we should work towards as an industry. There is no silver bullet, but we should be pushing back and taking an active stance.

The kill chain has been out there forever; it just hasn’t really been articulated, or understood that well. In the past, IT has been wagging the security dog. Port-based security and access control are the traditional approach. Security has failed to keep up with IT innovation. IT, the business and security have different imperatives.

At present, we still don’t defend; we are reactive. We need to make prevention part of our tool set. Today we do post-mortem analysis of attacks (we are overwhelmed by describing crime scenes after the fight). We still don’t know all the assets we are trying to defend. We are good at compliance.

We still don’t really have good visibility (and therefore security control) of the technology and applications that users are bringing into the organisation.

Many of the problems we face are with funding and articulation, with little or no demonstrable ROI from security. There is a disparity between IT and security. Risk and reputation are key.

But these are exciting times; there are a number of emerging concepts and technologies that start to address these issues.

In the future, these changes will help us bake prevention directly into IT, enabling a much better working relationship between IT and Security.

These efficiencies will be leveraged to reduce attack surfaces. Intelligence, active monitoring and awareness will converge IT ops and Info Sec. The business needs to be able to make decisions based on information.

Ultimately, it means cutting the kill chain at the exploitation stage. We’ll analyse the gap rather than research after an attack has been successful.

We will know everything that is occurring on our networks. We’ll be tracking users and applications rather than IP Addresses.

We should be encouraged to see approaches like Tim’s gaining traction.

Tags: palo alto networks, Air Force, Tim Treat, CSO Perspectives Security Roadshow