1
The Kill Chain for the
Advanced Persistent Threat
Intelligence-driven Computer Network Defense
Michael Cloppert
Eric Hutchins
Lockheed Martin Corp
as presented at
Wednesday, October 12, 2011
2
Introductions
Presenters
– Eric Hutchins
– Michael Cloppert
LM-CIRT
– Established 2004 to focus on sophisticated threats
– Now responsible for CND against all threats facing LM
Intel-driven CND / Security Intelligence
– Symbiotic tools & methods such as Cyber Kill Chain
– Developed by presenters w/ support from team
– History
• Evolution of operational defenses, 2006-2008
• Documented, 2009
• Slight adjustments in 2010
• Formalized in refereed journal in March, 2011
Chief Analyst, LM-CIRT
Intel Fusion Lead, LM-CIRT
3
Our Adversaries
The 80/20 rule
Key top-tier adversary attributes
– Adaptable
– Persistent
• Access to targeted data
• Presence in environment
• Attempts to gain entry
– Perceptive
– Organized
Intel-based CND exploits persistent attributes
4
Our Requirements
Approach to detection & mitigation that is:
– Resilient to change
– Anticipates aspects of future intrusions
Means to understand CND capabilities
– What is available
– Relative efficacy
– Tradeoffs (intel gain/loss, etc.)
Ability to easily prioritize response based on risk
Framework for defining complete & proper analysis
Self-sustaining processes
5
Counterintelligence via
Adversary Modeling
Meet requirements by modeling adversary
Our method offers tools to model at various levels
– Specific tools & techniques
• Indicator lifecycle, thread pulling
– An intrusion, or intrusion attempt
• Cyber Kill Chain
– Strategic access to protected data
• Campaign analysis
…and defender capabilities…
– Courses of Action Matrix
6
The Cyber Kill Chain (CKC)
[Figure: pipeline Recon → Weaponize → Deliver → Exploit → Install → Establish C2 → Act on Intent, labelled Pre-Compromise, Intrusion and Post-Compromise]
7-Stage Pipeline Model
Adversary must reach end of the chain to be successful
Just one mitigation breaks the chain
Just one detection provides opportunity for response prior to phase 7
7
Driving Completion
[Figure: two kill chains, each Recon → Weaponize → Deliver → Exploit → Install → Establish C2 → Act on Intent, spanning Pre-Compromise and Post-Compromise. Mitigated intrusion: Detect, Analyze the phases observed, Synthesize the remainder. Full intrusion: Detect, Analyze the whole chain.]
Mitigated intrusion: Analysis and synthesis
Full intrusion: Analysis to complete the kill chain
Gather all intel across the kill chain, regardless of success
8
Resiliency via Courses of Action
(rows: intrusion phases, increasing risk down the chain; columns: defensive countermeasures)

Kill Chain              Detect          Deny            Disrupt     Degrade             Deceive
Recon                   Web analytics   Firewall ACL
Weaponize               NIDS            NIPS
Delivery                Vigilant user   Proxy filter    Inline AV   Queuing
Exploit                 HIDS            Vendor patch    DEP
Installation            HIDS            "chroot" jail   AV
Command & Control       NIDS            Firewall ACL    NIPS        Tarpit              DNS redirect
Actions on Objectives   Audit log                                   Quality of Service  Honeypot
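The two claims on the kill chain slide (one mitigation breaks the chain; one detection before phase 7 leaves a response window) and the Courses of Action matrix above can be checked mechanically. The following is an added example, not code from the presenters or from LM-CIRT: it encodes the seven phases and the matrix exactly as the slide shows them, evaluates constructed intrusion attempts (the attempt names, the controls that fired and the `is_consistent` helper are assumptions of this example) to report where each chain was detected or broken, lists which matrix cells remain usable after a detection at a given phase, and flags phases for which the slide's matrix offers no Deny or Disrupt option.

```python
"""Kill-chain outcome analysis against the slide-8 Courses of Action matrix."""

# The seven phases in pipeline order (slide 6).
PHASES = ["Recon", "Weaponize", "Deliver", "Exploit", "Install",
          "Establish C2", "Act on Intent"]

# Courses of Action matrix from slide 8: phase -> action -> countermeasures.
COA = {
    "Recon":         {"Detect": ["Web analytics"], "Deny": ["Firewall ACL"]},
    "Weaponize":     {"Detect": ["NIDS"], "Deny": ["NIPS"]},
    "Deliver":       {"Detect": ["Vigilant user"], "Deny": ["Proxy filter"],
                      "Disrupt": ["Inline AV"], "Degrade": ["Queuing"]},
    "Exploit":       {"Detect": ["HIDS"], "Deny": ["Vendor patch"], "Disrupt": ["DEP"]},
    "Install":       {"Detect": ["HIDS"], "Deny": ["chroot jail"], "Disrupt": ["AV"]},
    "Establish C2":  {"Detect": ["NIDS"], "Deny": ["Firewall ACL"], "Disrupt": ["NIPS"],
                      "Degrade": ["Tarpit"], "Deceive": ["DNS redirect"]},
    "Act on Intent": {"Detect": ["Audit log"], "Degrade": ["Quality of Service"],
                      "Deceive": ["Honeypot"]},
}

# Actions that alter or stop adversary progress (everything except Detect).
MITIGATING = ("Deny", "Disrupt", "Degrade", "Deceive")

# Constructed sample attempts (assumption): phase -> [(countermeasure, action)] that fired.
ATTEMPTS = {
    "attempt-1": {"Deliver": [("Vigilant user", "Detect")], "Exploit": [("DEP", "Disrupt")]},
    "attempt-2": {"Establish C2": [("NIDS", "Detect")]},
    "attempt-3": {"Act on Intent": [("Audit log", "Detect")]},
    "attempt-4": {},
    "attempt-5": {"Recon": [("Firewall ACL", "Deny")]},
}


def is_consistent(events):
    """True if every (control, action) recorded for a phase exists in that matrix cell."""
    for phase, fired in events.items():
        if phase not in COA:
            return False
        for control, action in fired:
            if control not in COA[phase].get(action, []):
                return False
    return True


def first_phase(events, actions):
    """Earliest phase at which a control of one of `actions` fired, or None."""
    for phase in PHASES:
        if any(action in actions for _, action in events.get(phase, [])):
            return phase
    return None


def outcome(events):
    """Classify one attempt: where the chain broke and where it was first seen."""
    broken_at = first_phase(events, MITIGATING)
    detected_at = first_phase(events, ("Detect",))
    if broken_at is not None:
        status = "chain broken"
    elif detected_at is None:
        status = "undetected"
    elif detected_at == PHASES[-1]:
        status = "detected only at final phase"   # no response window before phase 7
    else:
        status = "detected with response window"
    return {"detected_at": detected_at, "broken_at": broken_at, "status": status}


def remaining_options(phase):
    """Matrix cells still applicable once an intrusion is seen at `phase`: that phase and later."""
    start = PHASES.index(phase)
    return {p: COA[p] for p in PHASES[start:]}


def coverage_gaps():
    """Phases for which the slide's matrix lists neither a Deny nor a Disrupt control."""
    return [p for p in PHASES if not any(a in COA[p] for a in ("Deny", "Disrupt"))]


def summarize(attempts=ATTEMPTS):
    return {name: outcome(ev) for name, ev in attempts.items() if is_consistent(ev)}


if __name__ == "__main__":
    for name, result in summarize().items():
        print(name, result)
    print("phases without Deny/Disrupt:", coverage_gaps())
```

The `coverage_gaps` check is the practical reason to encode the matrix rather than just read it: it points at Actions on Objectives, the one phase where the slide's matrix leaves nothing that denies or disrupts the adversary outright, which is why detection before phase 7 matters so much.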
9
Indicator Life Cycle
1. Analysis and synthesis reveal indicators
2. Pivoting on indicators identifies detection candidates
3. Future intrusions trip detections
4. GOTO 1
Intel sharing accelerates indicator lifecycle
Stable indicators drive consistent workflows
Repetitions, correlations may reveal new campaigns
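The life cycle above, and the slide's closing point that repetitions and correlations can reveal campaigns, amount to a small data-processing loop, shown here as an added example that is not LM-CIRT's tooling. Each intrusion is recorded as indicators keyed by kill-chain phase (the intrusion ids, indicator types and values are constructed for the example; the `min_shared` threshold is an assumption, not something the slide specifies). `index_indicators` and `pivot` implement step 2, turning an indicator from one analysis into the list of other intrusions that share it; `campaigns` links intrusions that share enough indicators into candidate campaigns; `detection_candidates` picks the indicators that repeat within a campaign, the stable ones the slide says should drive consistent workflows.

```python
"""Indicator pivoting and campaign correlation across analysed intrusions."""
from collections import defaultdict
from itertools import combinations

# Constructed sample intrusions (assumption): id -> phase -> {indicator type: value}.
INTRUSIONS = {
    "INC-1": {
        "Deliver": {"sender": "press-release@example.test", "subject": "Agenda"},
        "Exploit": {"attachment_sha256": "constructed-hash-1"},
        "Establish C2": {"c2_domain": "update.example-c2.test"},
    },
    "INC-2": {
        "Deliver": {"sender": "press-release@example.test", "subject": "Invitation"},
        "Exploit": {"attachment_sha256": "constructed-hash-2"},
        "Establish C2": {"c2_domain": "update.example-c2.test"},
    },
    "INC-3": {
        "Deliver": {"sender": "newsletter@example.test"},
        "Exploit": {"attachment_sha256": "constructed-hash-3"},
        "Establish C2": {"c2_domain": "cdn.example-other.test"},
    },
    "INC-4": {
        "Deliver": {"sender": "newsletter@example.test", "subject": "Invoice"},
        "Exploit": {"attachment_sha256": "constructed-hash-3"},
        "Establish C2": {"c2_domain": "cdn.example-other.test"},
    },
}


def indicator_set(intrusion):
    """Flatten one intrusion into (phase, type, value) tuples (step 1: analysis output)."""
    return {(phase, itype, value)
            for phase, inds in intrusion.items() for itype, value in inds.items()}


def index_indicators(intrusions):
    """Pivot index: indicator -> set of intrusion ids in which it was observed."""
    index = defaultdict(set)
    for iid, intrusion in intrusions.items():
        for ind in indicator_set(intrusion):
            index[ind].add(iid)
    return index


def pivot(intrusions, phase, itype, value):
    """Step 2: every intrusion sharing this indicator, sorted for stable output."""
    return sorted(index_indicators(intrusions).get((phase, itype, value), set()))


def campaigns(intrusions, min_shared=2):
    """Connected components of intrusions linked by at least `min_shared` common indicators.

    Requiring more than one shared indicator avoids chaining unrelated intrusions on a
    single incidental overlap; the threshold itself is an assumption of this example.
    """
    sets = {iid: indicator_set(i) for iid, i in intrusions.items()}
    parent = {iid: iid for iid in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(sets, 2):
        if len(sets[a] & sets[b]) >= min_shared:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for iid in intrusions:
        groups[find(iid)].append(iid)
    return sorted(sorted(g) for g in groups.values())


def detection_candidates(intrusions, campaign):
    """Indicators repeated within a campaign: the stable ones worth turning into detections."""
    counts = defaultdict(int)
    for iid in campaign:
        for ind in indicator_set(intrusions[iid]):
            counts[ind] += 1
    return sorted(ind for ind, n in counts.items() if n > 1)


if __name__ == "__main__":
    for group in campaigns(INTRUSIONS):
        print(group, detection_candidates(INTRUSIONS, group))
```

Running it groups INC-1 with INC-2 (shared sender and C2 domain) and INC-3 with INC-4, and for each group reports the repeated indicators; the per-incident attachment hashes in the first group do not qualify, which is the "stable indicators" distinction the slide draws.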
10
Anticipating Intrusion Indicators
• Two ways to be proactive
– Implement durable defenses for today and for tomorrow
– Anticipate before it happens
• Kill chain completion and campaign trending are crucial
• Anticipation and true early warning are heavily dependent on adversary’s tactics
12
A Framework for Collaboration
• Kill Chain approach has been widely adopted
– Leveraged by DoD, DIB, energy, pharmaceutical companies
– Spurring new international collaboration in UK, Australia, and Canada
• Kill Chain Workshops to fuse collective reporting, build more salient trends
• Developing and sharing tools that facilitate intel-driven CND
– Vortex-IDS: Lockheed Martin open source software
• http://sourceforge.net/projects/vortex-ids/
13
Conclusion
• Intelligence-driven CND techniques are vital to mitigate sophisticated intrusions
• Cyber Kill Chain enables
– Consistency and completeness in analysis, response
– Correlations between intrusions to identify and analyze campaigns
– Resilient and anticipatory security posture
14
Thank You
Eric Hutchins
Michael Cloppert
Additional credit: Lockheed Martin Computer Incident Response Team members