Gaining the Advantage Cyber Kill Chain

GAINING THE ADVANTAGE
Applying Cyber Kill Chain® Methodology to Network Defense
THE MODERN DAY ATTACKER
Cyberaacks aren’t new, but the stakes at every level are higher than ever. Adversaries are more
sophiscated, well-resourced, trained, and adept at launching skillfully planned intrusion campaigns called
Advanced Persistent Threats (APT). Our naon’s security and prosperity depend on crical infrastructure.
Protecng these assets requires a clear understanding of our adversaries, their movaons and strategies.
Adversaries are intent on the compromise and extracon of data for economic, polical
and naonal security advancement. Even worse, adversaries have demonstrated
their willingness to conduct destrucve aacks. Their tools and techniques have the
ability to defeat most common computer network defense mechanisms.
SOPHISTICATED WELL-RESOURCED MOTIVATED
THE LOCKHEED MARTIN CYBER KILL CHAIN®
The Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective.

Stopping adversaries at any stage breaks the chain of attack. Adversaries must progress through every phase to succeed; this puts the odds in the defender's favor, since the defense only needs to block them at any one phase. Every intrusion is a chance to understand more about our adversaries and to use their persistence to our advantage.

The kill chain model is designed in seven steps:
• Defender's goal: understand the aggressor's actions.
• Understanding is intelligence.
• The intruder succeeds if, and only if, they can proceed through steps 1-6 and reach the final stage of the Cyber Kill Chain®.
[Figure: the seven phases of the Cyber Kill Chain®, numbered 1 to 7: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), Actions on Objectives.]
1. RECONNAISSANCE: Identify the Targets
ADVERSARY
The adversaries are in the planning phase of their operation. They conduct research to understand which targets will enable them to meet their objectives.
• Harvest email addresses
• Identify employees on social media networks
• Collect press releases, contract awards, conference attendee lists
• Discover internet-facing servers
DEFENDER
Detecting reconnaissance as it happens can be very difficult, but when defenders discover recon, even well after the fact, it can reveal the intent of the adversaries. Note that only active reconnaissance (crawling your websites, scanning your address space) touches infrastructure you control; passive collection from social media, press releases and public records leaves no trace in your logs, so what you can observe is the adversary verifying and extending what they already gathered elsewhere.
• Collect website visitor logs for alerting and historical searching.
• Collaborate with web administrators to utilize their existing browser analytics.
• Build detections for browsing behaviors unique to reconnaissance.
• Prioritize defenses around particular technologies or people based on recon activity.
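As an added example (not code from the Lockheed Martin paper), here is the kind of detection the defender bullets describe, run over a few constructed Apache/nginx combined-format log lines. It flags a client that probes well-known sensitive paths, one that guesses paths and gets 404s, one that announces itself with a tooling user-agent, and one that enumerates staff or press pages quickly without ever loading page assets, which a browser driven by a person would do. The path lists, user-agent markers and thresholds are assumptions to tune for your own site, and the sample traffic is fabricated.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" LogFormat. Adjust the pattern if your server logs differently.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Heuristic tables (assumptions for this example; tune them to your own site).
PROBE_PATHS = ("/.git", "/.env", "/wp-login.php", "/phpmyadmin", "/server-status", "/backup")
TOOL_UA = ("python-requests", "curl/", "nikto", "masscan", "nmap", "go-http-client")
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".svg", ".woff", ".woff2", ".ico")
PEOPLE_PATHS = ("/staff/", "/team/", "/people/", "/news/press-releases/")
ENUM_THRESHOLD = 5        # distinct people/press pages from one client before we care
NOT_FOUND_THRESHOLD = 5   # 404s from one client before we call it path guessing


def parse_combined(lines):
    """Yield one dict per well-formed combined-format line; silently skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def score_clients(lines):
    """Return {client_ip: [reasons]} for clients whose browsing looks like reconnaissance."""
    per_ip = defaultdict(list)
    for rec in parse_combined(lines):
        per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        uas = {r["ua"].lower() for r in recs}
        if any(r["path"].startswith(PROBE_PATHS) for r in recs):
            reasons.append("probed well-known sensitive paths")
        not_found = sum(1 for r in recs if r["status"] == 404)
        if not_found >= NOT_FOUND_THRESHOLD:
            reasons.append(f"{not_found} responses were 404 (path guessing)")
        if any(marker in ua for ua in uas for marker in TOOL_UA):
            reasons.append("tooling user-agent rather than a browser")
        # Directory harvesting: many distinct staff/press pages, fast, with no CSS/JS/image
        # requests in between. A person in a browser loads page assets; a scraper does not.
        people = {r["path"] for r in recs if r["path"].startswith(PEOPLE_PATHS)}
        assets = [r for r in recs if r["path"].lower().endswith(ASSET_EXT)]
        if len(people) >= ENUM_THRESHOLD and not assets:
            times = [r["ts"] for r in recs if r["path"] in people]
            span = (max(times) - min(times)).total_seconds()
            reasons.append(f"enumerated {len(people)} staff/press pages in {span:.0f}s "
                           "without loading page assets")
        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, ts, path, status, ua):
    # Helper that builds the constructed combined-format lines for the sample below.
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
# Constructed sample log (not real traffic): one ordinary visitor, one scraper harvesting
# the staff directory, and one scanner guessing paths.
SAMPLE_LOG = [
    _line("192.0.2.5", "10/Oct/2023:09:00:01 +0000", "/", 200, BROWSER),
    _line("192.0.2.5", "10/Oct/2023:09:00:01 +0000", "/css/site.css", 200, BROWSER),
    _line("192.0.2.5", "10/Oct/2023:09:00:02 +0000", "/js/app.js", 200, BROWSER),
    _line("192.0.2.5", "10/Oct/2023:09:00:40 +0000", "/staff/a-smith", 200, BROWSER),
] + [
    _line("203.0.113.7", f"10/Oct/2023:09:10:{s:02d} +0000", f"/staff/{name}", 200,
          "python-requests/2.31.0")
    for s, name in enumerate(["a-smith", "b-jones", "c-lee", "d-khan", "e-garcia", "f-moore"])
] + [
    _line("198.51.100.22", f"10/Oct/2023:09:20:{s:02d} +0000", path, status,
          "Mozilla/5.0 (compatible; Nikto/2.1.6)")
    for s, (path, status) in enumerate([("/", 200), ("/.git/config", 404), ("/.env", 404),
                                        ("/wp-login.php", 404), ("/phpmyadmin/", 404),
                                        ("/backup.zip", 404), ("/server-status", 403)])
]

if __name__ == "__main__":
    for ip, reasons in score_clients(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The per-client grouping is deliberately simple (no time window); in production, bucket by client and hour so that a long-lived NAT address is not scored on a day's worth of unrelated traffic, and keep the raw lines so the same logs can be searched again once a later phase reveals which people or systems the adversary was interested in.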
2. WEAPONIZATION: Prepare the Operation
ADVERSARY
The adversaries are in the preparation and staging phase of their operation. Malware generation is likely not done by hand; they use automated tools. A "weaponizer" couples malware and exploit into a deliverable payload.
• Obtain a weaponizer, either built in-house or acquired through public or private channels
• For file-based exploits, select a "decoy" document to present to the victim
• Select a backdoor implant and appropriate command and control infrastructure for the operation
• Designate a specific "mission id" and embed it in the malware
• Compile the backdoor and weaponize the payload
DEFENDER
This is an essential phase for defenders to understand. Though they cannot detect weaponization as it happens, they can infer it by analyzing malware artifacts. Detections against weaponizer artifacts are often the most durable and resilient defenses.
• Conduct full malware analysis: not just what payload it drops, but how it was made.
• Build detections for weaponizers; find new campaigns and new payloads only because they reused a weaponizer toolkit.
• Analyze the timeline of when malware was created relative to when it was used. Old malware is "malware off the shelf", but new malware might mean active, tailored operations. (Build timestamps are under the adversary's control and can be altered, so corroborate them with other artifacts and with when the sample was first observed.)
• Collect files and metadata for future analysis.
• Determine which weaponizer artifacts are common to which APT campaigns. Are they widely shared or closely held?
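An added example, not part of the original paper, of two of the defender actions above: reading the linker timestamp out of a PE header to compare build time with first observed use, and pivoting a small sample corpus on a shared weaponizer artifact to see whether a toolkit is widely shared or closely held. The PE images are minimal constructed headers, and the artifact names (builder_marker, decoy_template), campaign labels and first-use times are fabricated for the example.

```python
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Optional


def pe_compile_time(data: bytes) -> Optional[datetime]:
    """Read the COFF TimeDateStamp (linker 'compile time') from a PE image.

    Layout: 'MZ' at 0, e_lfanew (offset of the 'PE\\0\\0' signature) at 0x3C, and the
    COFF header directly after the signature with TimeDateStamp at COFF offset 8,
    stored as seconds since the Unix epoch.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def classify_age(compiled: datetime, first_used: datetime, fresh_days: int = 14) -> str:
    """Compare build time with first observed use (delivery time, sandbox first-seen, etc.).

    The stamp is writable by the adversary, so 'compiled after it was used' is itself a
    finding (timestomping) rather than an error.
    """
    delta = first_used - compiled
    if delta < timedelta(0):
        return "timestamp-forged"
    if delta <= timedelta(days=fresh_days):
        return "fresh-tailored"
    return "off-the-shelf"


def pivot_by_artifact(samples, artifact: str):
    """Group campaigns by a shared weaponizer artifact (builder marker, decoy template, ...).

    A value seen across several campaigns points at a widely shared toolkit; a value tied
    to one campaign is closely held and therefore a more specific detection.
    """
    groups = defaultdict(set)
    for s in samples:
        groups[s["artifacts"][artifact]].add(s["campaign"])
    return {value: sorted(camps) for value, camps in groups.items()}


def build_min_pe(timestamp: int) -> bytes:
    """Constructed stand-in for a compiled backdoor: just enough header to carry a TimeDateStamp."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return dos_header + b"PE\0\0" + coff


UTC = timezone.utc
# Constructed corpus: three samples with fabricated artifacts and observation times.
SAMPLES = [
    {"name": "invoice.exe", "campaign": "campaign-A",
     "pe": build_min_pe(1696000000),                      # built 2023-09-29 UTC
     "first_used": datetime(2023, 10, 2, tzinfo=UTC),
     "artifacts": {"builder_marker": "WZ-1.4", "decoy_template": "procurement-rfp"}},
    {"name": "agenda.exe", "campaign": "campaign-B",
     "pe": build_min_pe(1672531200),                      # built 2023-01-01 UTC
     "first_used": datetime(2023, 10, 5, tzinfo=UTC),
     "artifacts": {"builder_marker": "WZ-1.4", "decoy_template": "conference-agenda"}},
    {"name": "update.exe", "campaign": "campaign-C",
     "pe": build_min_pe(1700000000),                      # built 2023-11-14 UTC, "used" earlier
     "first_used": datetime(2023, 11, 1, tzinfo=UTC),
     "artifacts": {"builder_marker": "WZ-2.0", "decoy_template": "procurement-rfp"}},
]


def triage(samples):
    """Per-sample age classification from the PE header and the first-use time."""
    return {s["name"]: classify_age(pe_compile_time(s["pe"]), s["first_used"]) for s in samples}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
    for marker, campaigns in pivot_by_artifact(SAMPLES, "builder_marker").items():
        print(f"builder {marker}: shared by {campaigns}")
```

Run on real samples, replace build_min_pe with the file contents and the first-use time with the delivery timestamp from mail or proxy logs; the same pivot function works for any artifact you extract (macro stub hashes, decoy document metadata, the embedded mission id format), which is what turns one sample into a detection for the whole toolkit.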