Cyber Kill Chain (CKK) – APT Interception Methodologies and Advanced Malware Mitigati
#1
Quote:

Advanced Malware Mitigation Strategies

We are witnessing an epistemological shift in malware detection & mitigation methodologies. Spearheaded by Lockheed Martin, this initiative proposes a radically new approach – instead of dealing with a malicious attack in its aftermath & reinforcing the infrastructure after the incursion has ceased, based on computed IOTs and IOCs, LM aims for a circular and highly efficient early-detection and mitigation system that showcases the ever-growing need for an on-site Computer Security Incident Response Team (CSIRT).

The premise upon which Lockheed Martin’s Cyber Kill Chain (CKK) is built has to do with the power play between a potential attacker and the defender. Traditional detection, response, and mitigation models state that the defender has an inherent ‘hitch’ when faced with a potential adversary – the malicious thespian has the element of surprise and will always hold enough information to compromise the defender.

No doubt this statement is true to some degree, judging by how ‘surgical’ in nature Advanced Persistent Threats (APTs) are (and have become), however, this does not preclude the scenario of the defender gaining the upper hand!

Having emphasized the need for (actionable) intelligence and forensics, we have, metaphorically, put CKK on trial. Without a doubt, the outcome is not trivial nor without impact, considering that this army-spun concept may yet pave the way to a veritable threat-hunting Renaissance.

Cyber Kill Chain (CKK) Terminology

(as proposed by Eric M. Hutchins, Michael J. Cloppert, Roman M. Amin, Ph.D. et al.)

1. Lockheed Martin Kill Chain – eight-phased, advanced detection, mitigation, and response plan based on US Military F2T2E2 (Intrusion Kill Chain) strategy (find, fix, track, target, engage, and assess). Lockheed Martin’s approach proposes the following links: reconnaissance, weaponization, delivery, exploitation, installation, Command & Control (C2, sometimes C&C), action on objective (and lateral movement), and data exfiltration.

2. Indicators of Threat (IOTs) and Indicators of Compromise (IOCs) – computed based on pre- and post-attack raw data. LM taxonomy observes atomic indicators (cannot be broken down into smaller parts and retain their meaning regardless of context), computed indicators (derived from data involved in an incursion), and behavioral (composite aggregate between atomic and computed data).

3. Delivery mechanisms – methods to deliver malicious payloads into the targeted networks and endpoints. Based on APT dynamic analysis, the most preferred method remains email attack (TME or targeted malicious email), followed by phishing websites, and altered USB removable media drives.

4. Action matrix – correlates appropriate counteractions with the kill chain phase.

5. Pre- and post-detection counteractions:
Audit log;
NIDS + HIDS + HIPS;
Firewall access control management;
‘Tarpit’;
DNS redirect;
AV sweep;
DEP (Data Execution Prevention);
Queuing;
Patching;
Proxy filter (Egress + Ingress);
Analytics;
Chroot ‘jail’;
QoS analysis.

6. Security controls – a set of actions undertaken by a CSIR team to prevent or stop an attack. Also called the five Ds of CKK: Detect, Deny, Disrupt, Degrade, and D

7. Tactical Intelligence – inferences made after discovering & mitigating past incursions. It can also refer to a ‘boots on the ground approach’ – threat & tactical intelligence uncovered through direct means (i.e. hearsay, interrogation, analysis of physical documents etc.). Tactical Intelligence is an inherent part of the CSIRT’s SOP (Standard Operating Procedure), and useful in drafting the department’s TTP (Tactics, Techniques, and Procedures) agenda.

Cyber Kill Chain (CKK) phase description – An in-depth analysis

Lockheed Martin’s approach to threat detection & mitigation incorporates elements from MITRE’s attack/response shell. As opposed to the rather theoretical framework proposed by MITRE, CKK has a more ‘hands-on’ approach, and can easily be integrated into the formulation of a cohesive and proactive cyber-defense strategy, regardless of entity (i.e. SMB, startup, enterprise, intelligence provider etc.).

In anticipation of showcasing the phases that make up the CKK, I want to raise a challenge: will the Cyber Kill Chain be the next paradigm in combating APTs or the computer science equivalent of phrenology? It remains to be seen.

According to LM, the Cyber Kill Chain is comprised of eight phases:

1. Reconnaissance;
2. Weaponization;
3. Delivery;
4. Exploitation;
5. Installation;
6. Command and Control;
7. Action-on-Objective and Lateral movement;
8. Data exfiltration.
...
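The following is an added worked example, written for this thread and not part of the quoted Heimdal article or Lockheed Martin's own material. It ties together three items above: the IOC taxonomy (atomic / computed / behavioral, item 2), the action matrix that correlates counteractions with kill chain phases (items 4 and 5), and the eight-phase chain. Given a constructed list of indicators, each tagged with the phase in which the CSIRT observed it, the code classifies each indicator, reconstructs which phases the adversary must have passed through unseen (earlier phases, and gaps between observed ones), and returns the matrix rows to apply now plus the "deny" controls for the phases still ahead. The phase-to-control pairings in `ACTION_MATRIX` are this example's own illustrative choices drawn from the counteraction list in item 5, not LM's published matrix, and the regex-based classifier is a deliberate simplification of the LM taxonomy.

```python
import re

# The eight CKK phases in chain order, as listed in the quoted article.
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "action_on_objective", "exfiltration",
]

# Illustrative course-of-action matrix. ASSUMPTION: the pairing of phases with
# counteractions is this example's own, drawn from the article's list in item 5;
# it is not Lockheed Martin's published matrix. Keys are four of the "Ds".
ACTION_MATRIX = {
    "reconnaissance":      {"detect": ["Analytics"], "deny": ["Firewall access control management"]},
    "weaponization":       {"detect": ["NIDS"]},
    "delivery":            {"detect": ["Audit log", "NIDS"], "deny": ["Proxy filter (Ingress)"],
                            "disrupt": ["AV sweep"], "degrade": ["Queuing"]},
    "exploitation":        {"detect": ["HIDS"], "deny": ["Patching"], "disrupt": ["DEP (Data Execution Prevention)"]},
    "installation":        {"detect": ["HIDS"], "deny": ["Chroot 'jail'"], "disrupt": ["HIPS", "AV sweep"]},
    "command_and_control": {"detect": ["NIDS"], "deny": ["Firewall access control management"],
                            "disrupt": ["DNS redirect"], "degrade": ["'Tarpit'"]},
    "action_on_objective": {"detect": ["Audit log"], "deny": ["Firewall access control management"],
                            "degrade": ["QoS analysis"]},
    "exfiltration":        {"detect": ["Analytics"], "deny": ["Proxy filter (Egress)"], "degrade": ["QoS analysis"]},
}

# Atomic indicators keep their meaning on their own: IPv4 addresses, e-mail
# addresses, domain names. Computed indicators are derived from incident data,
# here file hashes (MD5 / SHA-1 / SHA-256 hex digests).
ATOMIC_RE = [
    re.compile(r"(?:\d{1,3}\.){3}\d{1,3}"),
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I),
]
COMPUTED_RE = [re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.I)]


def classify_indicator(value):
    """Map one indicator string onto the LM taxonomy.

    Simplification: anything that is neither a lone atomic value nor a hash is
    treated as behavioral (a composite description of atomic + computed data).
    """
    if any(p.fullmatch(value) for p in COMPUTED_RE):
        return "computed"
    if any(p.fullmatch(value) for p in ATOMIC_RE):
        return "atomic"
    return "behavioral"


def reconstruct_chain(incident):
    """incident: list of (indicator, phase) pairs observed by the CSIRT.

    Returns which phases were seen, which earlier/intermediate phases the
    adversary necessarily completed without being seen, and which lie ahead.
    """
    for _, phase in incident:
        if phase not in PHASES:
            raise ValueError(f"unknown kill chain phase: {phase!r}")
    observed = sorted({ph for _, ph in incident}, key=PHASES.index)
    first_i, last_i = PHASES.index(observed[0]), PHASES.index(observed[-1])
    return {
        "observed": observed,
        "missed_earlier": PHASES[:first_i],
        "missed_between": [p for p in PHASES[first_i:last_i + 1] if p not in observed],
        "upcoming": PHASES[last_i + 1:],
        "indicators": [{"value": v, "phase": ph, "kind": classify_indicator(v)} for v, ph in incident],
    }


def course_of_action(phases):
    """Rows of the action matrix for the given phases, in chain order."""
    return {p: ACTION_MATRIX[p] for p in sorted(set(phases), key=PHASES.index)}


def response_plan(incident):
    """Controls to apply now (observed phases) and to pre-empt the phases still ahead."""
    analysis = reconstruct_chain(incident)
    return {
        "contain": course_of_action(analysis["observed"]),
        "preempt": {p: ACTION_MATRIX[p].get("deny", []) for p in analysis["upcoming"]},
        "investigate": analysis["missed_earlier"] + analysis["missed_between"],
    }


# Constructed sample incident (all values invented for this example).
SAMPLE_INCIDENT = [
    ("billing@example-supplier.test", "delivery"),                  # sender of the TME
    ("0123456789abcdef0123456789abcdef", "installation"),            # hash of the dropped file
    ("update.example-cdn.test", "command_and_control"),             # beacon destination
    ("scheduled task created, then HTTPS beacon every 60 s to update.example-cdn.test",
     "command_and_control"),                                        # behavioral composite
]

if __name__ == "__main__":
    analysis = reconstruct_chain(SAMPLE_INCIDENT)
    for ind in analysis["indicators"]:
        print(f"{ind['kind']:10} {ind['phase']:20} {ind['value']}")
    print("missed earlier :", analysis["missed_earlier"])
    print("missed between :", analysis["missed_between"])
    print("still ahead    :", analysis["upcoming"])
    for phase, row in response_plan(SAMPLE_INCIDENT)["contain"].items():
        print(f"{phase}: {row}")
```

The point the article makes about the defender gaining the upper hand is visible in the output: the first observed phase was delivery, so reconnaissance and weaponization happened unseen and deserve a retrospective look at web logs and mail gateways, exploitation sits between two observed phases and was clearly missed by host controls, and action-on-objective and exfiltration have not been reached yet, so the egress "deny" controls can be put in place before the adversary gets there.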