Evolving uses of the kill chain framework

…using threat lifecycle management to defeat insider threats and ransomware

author • Fran Howarth

Executive summary

The cyber kill chain® is a methodology developed by Lockheed Martin that enables organisations to better understand the phases of an attack against their information technology systems. It builds on the concept of the kill chain used by the military. By understanding the phases, organisations are better able to follow the tracks of an attacker in order to understand the tools, techniques and procedures that they use in order to defeat them and ward off future attacks. They will be better able to defeat them at any stage in the chain, but the earlier the better. Faced with this, attackers must constantly change their tactics, making their exploits harder and more expensive to pull off.

In order to defeat attackers, automation is essential, especially given the worldwide shortage of skilled security personnel. As data volumes and networks have expanded, now encompassing mobile networks and cloud services, there is too much data to make sense of via manual methods.

Security information and event management (SIEM) technologies have been used for some years to improve threat and security event detection, but have proved to be cumbersome. Because of this, vendors have been building out capabilities to enable better incident detection in a more efficient, automated manner. They have now morphed into threat lifecycle management technology, which is ideal for hunting and defeating threats using the cyber kill chain model.

Organisations worldwide are looking to improve their security incident response capabilities and the number of enterprises building security operations centres is increasing dramatically. Threat lifecycle management technology has a core place in their strategies. This document discusses how security intelligence platforms are key to improving security, looking at two use cases: dealing with insider threats and ransomware.

Fast facts

• SIEM systems are morphing into full-fledged threat lifecycle management technology.

• Advanced security analytics that incorporate machine learning and artificial intelligence are key to making sense of massive volumes of data generated by computer systems and security controls.

• User and entity behaviour analytics capabilities built into such a platform will enable organisations to vastly improve their ability to efficiently and effectively detect and respond to security incidents and threats. They also extend capabilities out to mobile devices and cloud applications and services.

The bottom line

The use of a threat lifecycle management technology will provide organisations with the visibility that they need throughout all stages of the cyber kill chain. They will be able to spend less time threat hunting and will be provided with the evidence they need for better decision making. As use of the cyber kill chain model has expanded, it has evolved and can now better handle specific use cases, such as the insider threat and ransomware.

The cyber kill chain®

The cyber kill chain was developed by and is a registered trademark of Lockheed Martin. It builds on a concept that was originally developed by the military to describe how an attack is structured and the phases that attackers go through.

The original military kill chain methodology defined these stages as find, fix, track, target, engage and assess. In the cyber kill chain, the stages are defined as reconnaissance, weaponisation, delivery, exploitation, installation, command & control, and actions on objective, as shown in Figure 1.

The cyber kill chain is a methodology that enables security professionals to look at security threats and incidents from the perspective of the attacker. Every security incident leaves traces that can reveal information about the methods being used by the perpetrator, including the tactics and techniques that are being used. This information is extremely useful in informing security teams so that they can better detect what is happening and can respond in a faster, more coordinated manner.

Figure 1: The cyber kill chain

Reconnaissance: This stage represents human activity on the part of attackers as they research, identify and select their victims with activities such as scanning social networking sites, harvesting emails and looking for confidential information.

Weaponisation: Attack prepared, such as an attacker injecting a deliverable payload into a PDF or Word document or generating a malicious URL, coupled with a backdoor or remote access tool.

Delivery: Prepared attack delivered to victim. Can be sent as a phishing email with a URL or attachment, posted on a vulnerable website for a watering hole attack, posted as malvertising, planted on a USB stick or other removable media, or as a social media post reply.

Exploitation: Vulnerability is exploited to deliver payload onto victim’s system, such as by clicking on a link or opening a tainted attachment.

Installation: A malicious payload such as a Trojan, malware or spyware is installed in order to enable persistent access by the attacker.

Command and Control: An external command and control server in the hands of an attacker communicates with the installed malware to allow remote manipulation of the victim to manage, maintain and evolve the attack.

Actions on Objectives: The attacker looks to achieve its objectives, such as exfiltration of data, destruction of data or further intrusion into the network to infect further systems.


The cyber kill chain can be used to defend against many types of attacks and threats, including sophisticated targeted attacks, insider threats, fraud, ransomware, social engineering, compliance violations and disruptions to IT services. As shown in Figure 2, the consequences of a security breach can be far-reaching.

Such evidence will also help an organisation to harden its defences against future attack, because it will be better able to anticipate how criminals work based on knowledge gathered from previous incidents. It will also be better able to see where there are gaps in defences at each stage of the kill chain, so that those holes can be closed and attacks of a kind that has previously been seen can be stopped.

By using the cyber kill chain methodology, the stakes are raised considerably for attackers. They will need to constantly switch to new tactics, increasing both the cost of and time taken to perpetrate their deeds. The end goal is to ensure that adversaries have no inherent advantage over their targets.

Figure 2: What were the repercussions of the worst incident? (Source: PwC.) Categories: business disruption, cost to investigate and fix, value of lost assets, reputational damage, other; the chart values (42%, 23%, 15%, 10%, 10%) cannot be matched to categories in the extracted text.


Automation is essential

Whilst the cyber kill chain is designed to be able to ward off attacks at any of the stages involved, the closer to the beginning of the chain that an attack can be stopped, the better. If an attack is stopped near the beginning, cleaning up after it will be less costly and time-consuming. However, that requires that an organisation has intelligence and visibility into what is happening on the network.

For this, automation is essential—not just for being able to more efficiently detect threats, but in overcoming the problems associated with shortages of skilled security practitioners worldwide, which looks only set to get worse. (See textbox Cybersecurity skills shortages.)

Figures 3 and 4 indicate how the skills shortages are currently affecting organisations.

Automation is essential for providing the visibility that is needed for detecting threats at all stages of the cyber kill chain. However, recent research from the Ponemon Institute indicates that just 18% of organisations are very confident that they have this ability. Nearly two-thirds, at 62%, are only somewhat or not confident that they have visibility into user access across the enterprise. Part of the reason for this is that 55% do not correlate information from multiple sources, or are not sure if they do, with 60% of those respondents putting this down to a lack of resources.

A security information and event management (SIEM) system is useful for correlating information from sources throughout the network. SIEM systems have come a long way since they were first introduced around 2000, although the term was only coined some 10 years ago when the original security information management and security event management technologies were combined.

Cybersecurity skills shortages

• 46% of organisations had a problematic shortage of cybersecurity skills in 2016, up from 28% in 2015.

• By 2022, there will be a shortage of skilled information security workers of around 1.8 million.

• 69% of organisations say that the shortage of cybersecurity skills has already had an impact on their organisation.

Sources: ESG, Booz Allen Hamilton

Figure 3: Difficulty in recruiting cybersecurity professionals (Source: ESG). Very easy 3%; Easy 10%; Somewhat difficult 45%; Difficult 29%; Very difficult 13%.

Figure 4: Time taken to fill a cybersecurity position (Source: ISACA). Categories: less than two weeks, one month, two months, three months, six months, cannot fill open positions, don’t know; the chart values (28%, 26%, 17%, 11%, 9%, 8%, 1%) cannot be matched to categories in the extracted text.


SIEMs work by correlating log and event information from multiple sources such as firewalls, intrusion detection systems and operating systems to look for anomalies and detect security events. Originally, SIEMs were only able to take in feeds from systems residing in the data centre and most were rule-based, making them only really reliable for known threats. Today, organisations’ perimeters are increasingly porous, characterised by high usage of mobile devices and services based in the cloud. This, along with spiralling data volumes, has vastly increased the number of data sources to be analysed. Attackers have also upped their game and now tend to use threats that have previously not been seen.

Early SIEMs were also criticised as being difficult to administer, requiring a lot of labour to customise rule sets and keep them up to date. They are notorious for the amount of false positives that they generate, which can overwhelm many security teams owing to the sheer volume of alerts that must be checked.

To counter problems with traditional SIEMs, vendors have expanded their offerings, building on top of the traditional capabilities to turn them into threat lifecycle management technologies. Security analytics capabilities that make use of machine learning are proving to be particularly popular, enabling security analysts to identify relationships among events and to discover anomalies and trends. They are able to take in and make sense of feeds from a wider variety of sources, including those originating outside of the network, as well as finding threats that are inside the network. With advanced analytics capabilities, security staff are better able to identify and prioritise threats for remediation. Analytics makes it possible to sift through millions of events to find indicators of compromise in a way that would be impossible using manual methods, and greatly reduces the problem of false positives. It also makes it possible for previously unknown threats to be identified by observing patterns and providing automated, continuous analysis and correlation of vast data sets to predict, detect and respond to the threats seen.


Another capability that is being added on top of SIEMs that vastly improves detection and response capabilities is user and entity behaviour analytics. This looks to match user activity with credentials, analysing all event data related to users. It uses predictive analysis along with machine learning capabilities. User and entity behaviour analysis looks beyond the traditional perimeters of the network to analyse behaviour coming from mobile endpoints and cloud applications and services.

Through a combination of advanced SIEM capabilities, log management, network and endpoint monitoring, security analytics and user and entity behaviour analytics, threats can be traced at every stage of the cyber kill chain, providing visibility so that the time taken to detect and respond to threats can be drastically reduced. This means that security professionals spend less time on tasks associated with threat hunting. These capabilities provide proactive defences by continuously monitoring all systems on the network so that evidence can be gathered showing the tactics, techniques and processes being used by those trying to attack the system.
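The cross-source correlation described above, worked as an added example that is not code from the paper or from any SIEM product: a small rule-based correlator parses constructed log lines from three sources (firewall, IDS and host operating system), groups them per host and, when an IDS download alert is followed within ten minutes by a newly installed service and repeated connections back to the address the alert named, raises one incident tagged with the Figure 1 stages that each piece of evidence corresponds to. The log line format, host names, addresses, signature name and the rule itself are assumptions made for illustration.

```python
"""Correlating events from several log sources and tagging the result with
cyber kill chain stages.

Added example, not code from the Bloor paper or any SIEM product: the log
line format, host names, IP addresses, signature name and the correlation
rule itself are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: host ws-17 shows an IDS download alert, a new
# service and repeated outbound connections to the same external address;
# host ws-22 shows ordinary activity only.
SAMPLE_LOGS = [
    "2024-03-01T09:00:05 ids host=ws-17 sig=EXE-DOWNLOAD-IN-ZIP src=203.0.113.9",
    "2024-03-01T09:00:40 os host=ws-17 event=process_start image=winword.exe",
    "2024-03-01T09:01:10 os host=ws-17 event=service_installed name=UpdaterSvc",
    "2024-03-01T09:02:00 fw host=ws-17 action=allow dst=203.0.113.9 dport=443",
    "2024-03-01T09:02:30 fw host=ws-17 action=allow dst=203.0.113.9 dport=443",
    "2024-03-01T09:30:00 os host=ws-22 event=service_installed name=PrintSvc",
    "2024-03-01T10:15:00 fw host=ws-22 action=allow dst=198.51.100.4 dport=443",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed '<timestamp> <source> key=value ...' line.
    Returns None for a line that does not fit the format, so one malformed
    record cannot stop the whole feed being processed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    fields = dict(pair.split("=", 1) for pair in m["kv"].split() if "=" in pair)
    return {"ts": ts, "source": m["source"], **fields}


# Hypothetical rule: on one host, within WINDOW of an IDS download alert, a
# service is installed and the host connects back at least MIN_CALLBACKS
# times to the address the IDS alert named.
WINDOW = timedelta(minutes=10)
MIN_CALLBACKS = 2


def correlate(lines):
    """Return one incident per host/alert that satisfies the rule, with the
    kill chain stages each piece of evidence corresponds to."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and "host" in ev:
            by_host[ev["host"]].append(ev)

    incidents = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for anchor in (e for e in events if e["source"] == "ids"):
            end = anchor["ts"] + WINDOW
            window = [e for e in events if anchor["ts"] <= e["ts"] <= end]
            installs = [e for e in window if e.get("event") == "service_installed"]
            callbacks = [e for e in window
                         if e["source"] == "fw" and e.get("dst") == anchor.get("src")]
            if installs and len(callbacks) >= MIN_CALLBACKS:
                incidents.append({
                    "host": host,
                    "first_seen": anchor["ts"],
                    # Stages of Figure 1 that the three pieces of evidence map to.
                    "stages": ["Delivery", "Installation", "Command and Control"],
                    "evidence": [
                        f"IDS alert {anchor.get('sig')}",
                        f"service installed: {installs[0].get('name')}",
                        f"{len(callbacks)} callbacks to {anchor.get('src')}",
                    ],
                })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(inc["host"], inc["first_seen"], inc["stages"], inc["evidence"])
```

Run stand-alone, the block reports a single incident on ws-17 spanning delivery, installation and command and control; ws-22 installs a service too, but without the alert and the callbacks the rule stays silent. The rule, its window and its thresholds all had to be written by hand, which is the maintenance cost the text attributes to rule-based SIEMs, and a variant whose sequence of events does not match the rule produces nothing at all; that gap is what the analytics and behavioural capabilities discussed above are meant to close.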

Figure 5: How SIEM systems are used (Source: CyberEdge Group)

To improve threat detection: 70%

To automate incident response: 43%

To aggregate security alerts: 40%

To maintain regulatory compliance: 26%


Use cases

According to ENISA, the top threats seen in 2015 were physical damage or theft or loss of equipment, phishing, identity theft and ransomware, all of which rose up the rankings during the year to become greater threats. Insider threats, which had previously been stable, jumped four places up the rankings to become the seventh top-rated threat. Ransomware, which was falling in importance in 2014, is now seen to be increasing, rising from 15th to 14th place.

Combating insider threats and ransomware provides two use cases of how organisations can use the cyber kill chain in their efforts to keep attackers and other criminals at bay.

Insider threats

Insider threats are particularly insidious as such users can have an intimate knowledge of security technologies and controls, as well as access to sensitive data. They are able to use legitimate credentials and entitlements that enable them to access or even alter sensitive materials. In some cases they may have been phished, causing their credentials to be compromised, in which case an external attacker effectively becomes an insider. However, not all insider threats emanate from malicious individuals. Rather, many threats are from insiders who are acting in error.

In particular, the threat from users with privileged levels of access to sensitive information and systems is high. However, according to the Ponemon Institute, just 43% of organisations feel that they are able to adequately monitor privileged user activity. Nearly two-thirds, at 63%, feel that they do not have enough contextual information and 61% state that the tools that they have available yield too many false positives. The same survey found that 48% use a SIEM and 36% endpoint monitoring to determine if an action taken by an insider constitutes an actual threat.

Figure 6: Challenges in establishing whether an event is an insider threat (Source: Ponemon Institute; respondents in 2014 and 2016). Categories: not enough information provided by the security tools; security tools yield more data than can be reviewed in a timely fashion; behaviour involved is consistent with an individual’s role and responsibilities; security tools yield too many false positives. The per-category values for each year cannot be recovered from the extracted chart text.


Many commentators have said that the cyber kill chain is only useful for protecting against external adversaries as it focuses on perimeter security and preventing malware from getting onto the network. However, advances in analytics and predictive modelling make it useful for defending against insider threats as well. In particular, the use of user and entity behaviour analytics can provide evidence related to any active threat at each stage of the kill chain, including insider threats.

User and entity behaviour analytics provides alerts when a user is doing something out of the ordinary by tracking and monitoring end user activities and correlating them with other behaviour in order to enable a more effective response. When specific types of anomalous behaviour are detected, proactive defensive rules can be generated so that alarms can be set for alerting to similar issues in the future. User and entity behaviour analytics can be used to detect threats at every stage of the cyber kill chain.

Yet, it is not just the tools that are lacking. As Figure 7 shows, lack of resources and in-house expertise is the biggest bugbear and will only get worse owing to the staff shortages if technology is not used to automate detection and remediation tasks in an effective manner. This is echoed by Figure 8.

Figure 7: Reasons for not correlating information on insider threats (Source: Ponemon Institute)

Lack of resources: 60%

Lack of in-house expertise: 47%

Lack of technologies: 46%

Not a priority: 33%

Lack of executive-level support: 23%

Figure 8: Readiness to respond to insider threats and breaches (Source: Dimensional Research)

Team is highly skilled but too overworked: 64%

Team is highly skilled and can respond immediately: 26%

Team lacks the expertise to respond: 10%

For defending against insider threats, the network is monitored to see behaviour such as privilege escalation and to show any lateral movement across the network, pinpointing any machines that are being targeted. Systems are monitored to show what files are being accessed on what parts of the network, as well as what information is being accessed. Systems that a targeted machine can access can be mapped to provide information about what sensitive and valuable information can be reached. This will then allow defenders to determine the best course of action to take based on the information gleaned during an incident in order to best defend the network.


As Figure 9 shows, most organisations feel that an automated response to insider threats would be beneficial.

At the Black Hat USA conference in 2013, the FBI presented a version of the insider threat cyber kill chain based on its own experience to show the steps of a malicious insider threat and the sort of user behaviour that organisations should be monitoring for through user behaviour analysis capabilities. It recognised that the steps taken by insiders are not the same as from external sources. This was later revised by ZoneFox in 2015. Table 1 combines information from the two sources.

Figure 9: Would automated response to insider threats be beneficial? (Source: Dimensional Research)

Very beneficial: 63%

Somewhat beneficial: 36%

Not beneficial: 1%

Table 1: The insider threat cyber kill chain (stage in insider threat cyber kill chain, followed by likely actions by insiders)

Recruitment or tipping point: Employees can reach a tipping point where they are tempted or coerced by an external party to steal information, or where they hold a grudge against their employer. They are likely to look to hide communications with external parties. The insider threat can also come from those other than direct employees, such as contractors, service providers or business partners.

Search and reconnaissance: At this point, the insider will search for valuable information on their own systems or those to which they could gain access. If they are not knowledgeable they may use vague search terms but, the more knowledge they have, the less time this step will take.

Exploitation: Once systems containing valuable data have been identified, the insider must gain access to that data. They may do this through use of their existing credentials and systems, or by gaining access to new systems, software, credentials or other means of accessing data.

Collection and acquisition: The insider will then look to access the target data and to move or copy it to another location prior to its removal. Telltale signs include hoarding a lot of data, using cryptography or renaming file extensions.

Exfiltration and action: The final step is to exfiltrate the data that has been collected using egress points such as printers, DVDs/CDs, USB drives, network transfer and emails.
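As an added example, not code from the paper or from any user and entity behaviour analytics product, of how the monitoring described for insider threats (file access volumes, which systems a user reaches, removable media) can be combined with the stages of Table 1: a per-user baseline is learned from constructed history (mean and standard deviation of daily file access volume, and the set of hosts the user normally uses), a day's activity is scored against it, and each signal that fires is mapped to the Table 1 stage it most resembles (bulk access and extension renames to collection and acquisition, a host outside the baseline to exploitation, removable-media writes to exfiltration). The users, hosts, history, thresholds and the signal-to-stage mapping are all assumptions made for illustration.

```python
"""Per-user behavioural baseline for insider threat signals, mapped onto the
stages of the insider threat kill chain in Table 1.

Added example, not code from the Bloor paper or any UEBA product: the users,
hosts, history, thresholds and the signal-to-stage mapping are constructed
for illustration.
"""
from statistics import mean, pstdev

# Stage names as given in Table 1, in kill chain order.
STAGES = [
    "Recruitment or tipping point",
    "Search and reconnaissance",
    "Exploitation",
    "Collection and acquisition",
    "Exfiltration and action",
]

# Constructed ten-day history per user: (files accessed that day, hosts used).
HISTORY = {
    "alice": [(120, {"fs-hr"}), (135, {"fs-hr"}), (110, {"fs-hr"}), (128, {"fs-hr"}),
              (140, {"fs-hr"}), (115, {"fs-hr"}), (122, {"fs-hr"}), (130, {"fs-hr"}),
              (118, {"fs-hr"}), (125, {"fs-hr"})],
    "bob": [(40, {"fs-eng", "git-01"}), (55, {"fs-eng"}), (48, {"fs-eng", "git-01"}),
            (60, {"fs-eng", "git-01"}), (45, {"fs-eng"}), (52, {"fs-eng", "git-01"}),
            (58, {"fs-eng"}), (43, {"fs-eng", "git-01"}), (50, {"fs-eng", "git-01"}),
            (49, {"fs-eng"})],
}

# Constructed activity for the day under review; carol has no history at all.
TODAY = [
    {"user": "alice", "files": 900, "renamed_ext": 300,
     "hosts": {"fs-hr", "fs-finance"}, "removable_writes": 2},
    {"user": "bob", "files": 56, "renamed_ext": 0,
     "hosts": {"fs-eng"}, "removable_writes": 0},
    {"user": "carol", "files": 30, "renamed_ext": 0,
     "hosts": {"fs-eng"}, "removable_writes": 0},
]

Z_THRESHOLD = 3.0     # standard deviations above the user's own mean
RENAME_RATIO = 0.2    # share of accessed files that had their extension changed


def build_baseline(history):
    """Summarise each user's history as mean/stddev of daily file access
    volume and the set of hosts they normally use."""
    baseline = {}
    for user, days in history.items():
        counts = [files for files, _ in days]
        hosts = set().union(*(h for _, h in days))
        # A constant history has stddev 0; floor it so the z-score stays finite.
        baseline[user] = {"mean": mean(counts), "std": max(pstdev(counts), 1.0), "hosts": hosts}
    return baseline


def assess(activity, baseline):
    """Return (stage, explanation) findings for one day of a user's activity."""
    user = activity["user"]
    if user not in baseline:
        # No baseline means no anomaly score; hand it to an analyst rather than guess.
        return [(None, "no behavioural baseline for this user; review manually")]
    b = baseline[user]
    findings = []
    z = (activity["files"] - b["mean"]) / b["std"]
    if z > Z_THRESHOLD:
        findings.append(("Collection and acquisition",
                         f"{activity['files']} files accessed, {z:.1f} standard deviations above the user's mean"))
    if activity["files"] and activity["renamed_ext"] / activity["files"] >= RENAME_RATIO:
        findings.append(("Collection and acquisition",
                         f"{activity['renamed_ext']} files had their extension changed"))
    new_hosts = sorted(activity["hosts"] - b["hosts"])
    if new_hosts:
        findings.append(("Exploitation", f"access to hosts not in the user's baseline: {new_hosts}"))
    if activity["removable_writes"]:
        findings.append(("Exfiltration and action",
                         f"{activity['removable_writes']} writes to removable media"))
    return findings


def furthest_stage(findings):
    """The latest Table 1 stage any finding maps to, or None if nothing fired."""
    reached = [STAGES.index(stage) for stage, _ in findings if stage is not None]
    return STAGES[max(reached)] if reached else None


def review_day(history=HISTORY, today=TODAY):
    """Assess every user's activity for the day against the learned baseline."""
    baseline = build_baseline(history)
    return {a["user"]: assess(a, baseline) for a in today}


if __name__ == "__main__":
    for user, findings in review_day().items():
        print(user, furthest_stage(findings), findings)
```

Scoring against the user's own history is what keeps bob's 56 files quiet while alice's 900 fire: the same absolute count would be an anomaly for one person and routine for another, which is the contextual information the Ponemon respondents say their tools lack. The furthest stage reached is a reasonable key for prioritising alerts, and a user without a baseline is routed to manual review rather than scored against a made-up average.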


Ransomware by the numbers

According to the FBI, the cost of ransomware globally in 2015 was $24 million, but will exceed $1 billion in 2016.

2016 survey by Malwarebytes:

• 40% of organisations globally were the victim of a ransomware attack in the past year.

• 34% lost revenue owing to inability to access encrypted files.

• 20% were forced to stop business completely.

• 63% spent more than an entire day trying to fix endpoints.

• 37% paid the ransom demanded.

• Just 4% are very confident in their ability to stop ransomware.

Ransomware is a fast-growing problem (see textbox Ransomware by the numbers). According to the US Justice Department, on average there were more than 4,000 ransomware attacks per day in 2016, a 300% increase on the average of 1,000 per day seen in 2015. In its 2016 data breach investigations report, Verizon identified ransomware as one of the fastest growing exploits, accounting for nearly two-fifths of crimeware seen, up from just under 5% in the previous year’s report.

Whilst originally it was mainly individuals targeted, attacks have become more sophisticated and are being targeted at larger organisations. Accordingly, the ransoms being demanded are increasing as organisations have deeper pockets and cannot afford the downtime caused as the organisation cannot access valuable data because it has been encrypted. According to Intermedia, 60% of businesses hit by malware have more than 100 employees. In terms of downtime, 72% of employees were locked out of their files for at least two days and 32% for five days or more.


The cyber kill chain can help to understand and defend against ransomware. As with insider threats, the ransomware kill chain represents an evolution of the original cyber kill chain developed by Lockheed Martin. One version of the ransomware cyber kill chain is shown in Table 2.

There are many activities conducted throughout the ransomware kill chain that an organisation can detect from log files that are fed into a SIEM system. Ransomware threat lists can be used to identify known variants and IOCs can be fed into the system when new variants are uncovered. Such a system can look for suspicious process activity, which can be terminated automatically if the activity is determined to be abnormal.

However, a SIEM system by itself is not sufficient for defeating ransomware since it generally is cumbersome to create correlation rules to identify the early stages of ransomware, especially new variants, which are appearing all the time. This is because they generally do not provide the required context.

Table 2: Ransomware cyber kill chain (stage in ransomware cyber kill chain, followed by likely actions by extortionists)

Reconnaissance: Similar to other types of attacks, criminals will research, identify and select their victims.

Delivery: The most common delivery method is via phishing emails, although weaponised websites are also used.

Exploitation and infection: An executable with ransomware embedded is installed on the target system and persistence mechanisms are put into place to ensure the ransomware continues to run after a restart.

Key exchange and call home: Some ransomware variants need to retrieve the encryption key from a command & control server. Other variants skip this step as the encryption key is preloaded with the ransomware.

Encryption and scanning: The ransomware searches for files to encrypt on the target device and network resources that it can access, such as backups on file shares. It aims to find paths to spread laterally to other systems. Files discovered are encrypted.

Ransom and extortion: A ransom note is delivered along with instructions for payment.

Therefore, the use of user activity analysis is essential to model behaviour, tie it back to the specific user, and then determine whether that behaviour was normal or not in real time. Combined with the use of machine learning and artificial intelligence capabilities, it will help to map new behaviours seen and to understand the context of what behaviour is normal for specific users. Endpoint monitoring should also be used to alert on suspicious processes and behaviour associated with endpoints.

Newer variants of ransomware increasingly look to move laterally through the network, not just to find more files, but to infect further machines. Application blacklisting and whitelisting will help to prevent this by preventing the ransomware from spreading.
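As an added example, not code from the paper or from any endpoint product, of the endpoint monitoring the text calls for at the "Encryption and scanning" stage of Table 2: a detector over a constructed stream of file-system events keeps a sliding window per process and raises an alert when one process rewrites many files across several directories with their extensions changed, or when any process touches a decoy ("canary") file. The event format, paths, process ids, thresholds and the canary file name are assumptions made for illustration, and the "terminate process" action is recorded in the alert rather than executed.

```python
"""Endpoint detection of the 'Encryption and scanning' stage of the ransomware
kill chain (Table 2) from a stream of file-system events.

Added example, not code from the Bloor paper or any endpoint product: the
event format, paths, process ids, thresholds and the canary file name are
constructed for illustration, and 'terminate process' is only recorded as a
recommended action, not executed.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per process
MIN_FILES = 20                   # distinct files touched within the window
MIN_DIRS = 3                     # distinct directories within the window
MIN_RENAME_RATIO = 0.4           # share of window events that change a file's extension
CANARY_SUFFIX = "_canary.docx"   # decoy file no legitimate process should modify
STAGE = "Encryption and scanning"


def build_events():
    """Constructed stream: process 4412 rewrites and renames 30 files across
    five directories in 30 seconds; process 1200 saves three documents."""
    base = datetime(2024, 3, 1, 14, 0, 0)
    dirs = ["C:/Users/alice/Documents", "C:/Users/alice/Desktop",
            "C:/Shares/finance", "C:/Shares/hr", "C:/Users/alice/Pictures"]
    events = []
    for i in range(30):
        d = dirs[i % len(dirs)]
        ts = base + timedelta(seconds=i)
        path = f"{d}/file{i}.docx"
        events.append({"ts": ts, "pid": 4412, "op": "write", "path": path, "new_path": None})
        events.append({"ts": ts, "pid": 4412, "op": "rename", "path": path, "new_path": path + ".locked"})
    for i in range(3):
        ts = base + timedelta(minutes=5, seconds=10 * i)
        events.append({"ts": ts, "pid": 1200, "op": "write",
                       "path": f"C:/Users/alice/Documents/report{i}.docx", "new_path": None})
    return events


def build_canary_events():
    """Constructed stream: a single write to a decoy file by process 999."""
    return [{"ts": datetime(2024, 3, 1, 15, 0, 0), "pid": 999, "op": "write",
             "path": "C:/Shares/hr/00_canary.docx", "new_path": None}]


def extension_changed(src, dst):
    """True when a rename gives the file a different extension."""
    return os.path.splitext(src)[1] != os.path.splitext(dst)[1]


def detect(events):
    """Return at most one alert per process whose recent file activity looks
    like bulk encryption, or that touched a canary file."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        q = recent[pid]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > WINDOW:   # drop events older than the window
            q.popleft()
        if pid in alerted:
            continue
        files = {e["path"] for e in q}
        dirs = {os.path.dirname(e["path"]) for e in q}
        renames = sum(1 for e in q
                      if e["op"] == "rename" and extension_changed(e["path"], e["new_path"]))
        canary = any(e["path"].endswith(CANARY_SUFFIX) for e in q)
        bulk = (len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS
                and renames / len(q) >= MIN_RENAME_RATIO)
        if canary or bulk:
            alerted.add(pid)
            alerts.append({
                "pid": pid,
                "stage": STAGE,
                "reason": "canary file touched" if canary else "mass extension renames",
                "first_seen": q[0]["ts"],
                "files_touched": len(files),
                "directories": len(dirs),
                "action": f"terminate process {pid}",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(build_events()) + detect(build_canary_events()):
        print(alert)
```

The bulk rule fires on the twentieth distinct file, well before the 30 files in the constructed stream are done, and the word processor's three saves never come close to the thresholds; the canary rule needs no threshold at all, since a decoy file has no legitimate writer. Neither rule needs a signature for the variant, which is the point of behaviour-based endpoint monitoring against newly appearing ransomware.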


Summary

The cyber kill chain framework has proven to be a great tool for helping to defend against a wide range of threats, from advanced targeted attacks to fraud. It is currently evolving to meet the needs of specific types of threats.

The insider threat kill chain and ransomware kill chain discussed here show how it can be used by organisations in a range of circumstances. In all circumstances, the use of threat lifecycle management technology, which has evolved from SIEM systems, will help organisations considerably in their fight against cyber criminals. It provides the automation that is essential for detecting and responding to threats in an efficient and effective manner. Combined with advanced capabilities that include artificial intelligence and machine learning, organisations of all sizes will be better placed to defend themselves.


20–22 Wenlock Road LONDON N1 7GU United Kingdom

Tel: +44 (0)207 043 9750 Web: www.BloorResearch.com

Email: [email protected]