Know, Detect, Disrupt and Eradicate Advanced Threat, Breaking Kill Chain

The Kill Chain is the high-level framework or workflow that threat actors employ in their efforts to compromise a target. Disrupting any part of the chain means that the attacker’s efforts are thwarted.

To learn more, read the article and infographic, Breaking the Kill Chain, which discusses:

  • Breach sources and the increasing advanced threat problem
  • The steps an adversary follows as they progress through the kill chain
  • 4 keys to breaking the kill chain and the questions you should ask yourself

This infographic is accompanied by a summary document, sharing in greater detail the most relevant and important considerations as you try to Break the Kill Chain.

Content Summary

Intrusion tools and techniques
Keys to Breaking the Kill Chain
How an Adversary Progresses Through the Kill Chain
Ask Yourself
Thwart the Adversary

The further along the chain that a threat actor gets, the more difficult and expensive it is to defeat them. The key to breaking the kill chain is to hit it as early as possible, because costs begin to rise at a more pronounced rate as soon as the actor expands beyond the endpoint and into the environment.

How an Adversary Progresses Through the Kill Chain

Intrusion tools and techniques

Actors behind advanced threats have a toolbox of exploit techniques at their disposal. They often combine several intrusion tools and techniques in order to compromise and maintain access to their target. The key to disrupting them is breaking the kill chain.

Reconnaissance: Reconnaissance defines how the Threat Group (TG) gathers information prior to and during the computer network operations it engages in. This may be through open source research, scanning, web crawling, the theft of intellectual property, or human sources.

Weaponization: Weaponization describes the “coupling of a remote access Trojan with an exploit into a deliverable payload.” This is often done via an automated tool commonly called a “weaponizer,” but sometimes referred to as a “builder.” These “weaponizer” frameworks are often detectable by artifacts left within the files.

Delivery: This step describes the transmission of the tools into the victim organization. The most common forms of delivery take the forms of Scan and Exploit, Credential-Access, Spearphish, Web-Delivery, or Physical delivery.

Exploitation: Exploitation describes the methods used to execute the malicious code. This step details whether the adversary uses new 0-days, appears to acquire 0-days and exploits secondhand, or relies upon social engineering to trick users. It may be possible to describe this step in greater detail with specifics.

Installation: Installation describes the methods and artifacts left behind by the actor while implanting malicious code on compromised systems. These artifacts can include notable aspects of the installation, and unique installation tools.

Command and Control: Command and Control describes the methods used to interact with compromised resources left within the organization. This activity extends beyond communicating with implants to include hosts used to log in with collected credentials, hosts used as exfiltration endpoints, and interaction with web shells. Additionally, hands-on-keyboard activity is often performed from different endpoints than the IP addresses used as callback addresses in RATs. Specific ports, domain names and IP addresses, traffic patterns, and custom protocols used in the interaction with those RATs are all indicators that are descriptive of this stage of the kill chain.

Actions on Objective: After the adversary gains access to the compromised infrastructure, the activity performed in successful intrusions takes place in the Actions on Objective stage. This section describes the activity of the TG as it pursues actions to reach its objective. Scheduled "at" jobs that collect information on implant, host, account, and access status fall into this category as Actions on Objective to maintain persistence, as do the enumeration of host accounts, collection of NTLM hash credentials, collection of Payment Card Information (PCI), staging of files to be exfiltrated, removal (deletion) of files, and modifications to physical controls.
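The two stages above are the ones most visible in network telemetry: the page names specific ports, domain names, IP addresses and traffic patterns as Command and Control indicators, and staging and exfiltration of files as Actions on Objective. The following is an added example, not code from the Secureworks infographic, showing how a security team could tag proxy log events with the kill-chain stage they evidence. It matches static indicators (a constructed watchlist, not real IoCs), detects the near-constant contact interval that RAT callbacks tend to show, and flags unusually large outbound transfers. All log lines, hostnames, addresses and thresholds are constructed for illustration.

```python
"""
Added example (not part of the Secureworks page): label network events with
the kill-chain stage they evidence. Indicator values and log lines are
constructed; thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicator watchlist (hypothetical values, not real IoCs).
INDICATORS = {
    "domains": {"update-cdn-check.example"},
    "ips": {"203.0.113.45"},
    "ports": {4444},
}

# Constructed proxy log. Fields: timestamp src_ip dst_host dst_ip dst_port bytes_out
PROXY_LOG = """\
2024-03-01T10:00:00 10.0.0.5 update-cdn-check.example 203.0.113.45 443 512
2024-03-01T10:05:00 10.0.0.5 update-cdn-check.example 203.0.113.45 443 498
2024-03-01T10:10:01 10.0.0.5 update-cdn-check.example 203.0.113.45 443 505
2024-03-01T10:15:00 10.0.0.5 update-cdn-check.example 203.0.113.45 443 520
2024-03-01T10:02:13 10.0.0.7 www.example.org 198.51.100.10 443 1800
2024-03-01T11:37:42 10.0.0.7 www.example.org 198.51.100.10 443 2100
2024-03-01T12:00:00 10.0.0.5 files.example.net 198.51.100.20 443 52428800
2024-03-01T12:30:00 10.0.0.9 198.51.100.30 198.51.100.30 4444 300
"""


def parse_log(text):
    """Parse the space-separated proxy log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, src, host, dst, port, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "host": host,
                       "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return events


def indicator_hits(ev):
    """Return the static C2 indicators (domain, IP, port) an event matches."""
    reasons = []
    if ev["host"] in INDICATORS["domains"]:
        reasons.append("known C2 domain")
    if ev["dst"] in INDICATORS["ips"]:
        reasons.append("known C2 IP")
    if ev["port"] in INDICATORS["ports"]:
        reasons.append("known C2 port")
    return reasons


def beacon_pairs(events, min_events=4, max_jitter=0.05):
    """Return {(src, dst): mean_interval_s} for pairs whose contact intervals
    are nearly constant (coefficient of variation <= max_jitter), the traffic
    pattern typical of a RAT calling back on a timer."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


def classify(events, exfil_threshold=10 * 1024 * 1024):
    """Map each suspicious event to a kill-chain stage with its reasons.
    Large outbound transfers are tagged Actions on Objective (staging /
    exfiltration); indicator or beacon matches are tagged Command and Control."""
    beacons = beacon_pairs(events)
    findings = []
    for ev in events:
        reasons = indicator_hits(ev)
        pair = (ev["src"], ev["dst"])
        if pair in beacons:
            reasons.append(f"beaconing every ~{beacons[pair]:.0f}s")
        if ev["bytes"] >= exfil_threshold:
            findings.append((ev, "Actions on Objective", ["large outbound transfer"]))
        elif reasons:
            findings.append((ev, "Command and Control", reasons))
    return findings


def stage_counts(findings):
    """Summarise findings as {stage: number of events}."""
    counts = defaultdict(int)
    for _, stage, _ in findings:
        counts[stage] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev, stage, reasons in classify(parse_log(PROXY_LOG)):
        print(f"{ev['ts'].isoformat()} {ev['src']} -> {ev['dst']}:{ev['port']} "
              f"[{stage}] {', '.join(reasons)}")
```

On the constructed log, the 10.0.0.5 sessions to 203.0.113.45 are reported both by the static watchlist and by their 300-second cadence, while the two irregular visits to www.example.org stay unflagged; the 50 MB upload is the only Actions on Objective finding. The beacon check is the part worth keeping even when the watchlist is stale, because it depends on the traffic pattern rather than on a known domain or address.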

Keys to Breaking the Kill Chain

Know Your Adversaries

Organizations should look to deploy forward intelligence capabilities that provide actionable information on threat actors and their operations.

  • Who are they and how do they operate?
  • What are their tactics, techniques and procedures?
  • What tradecraft do they use?
  • What indicators signal their attack, and at what stage?
  • How do you resist them effectively?
  • Determine your readiness to resist them.

Detect Threat Activity Earlier

Security teams must have full visibility into the operations and security of their systems, networks and assets. Organizations must evaluate their current security architecture and consider recalibrating security policies to ensure that the right information is being collected and correlated to give security professionals a view of the “big picture” across your networks, information and assets.

  • Are they already here?
  • Are we instrumented to detect advanced tradecraft?
  • Does telemetry extend across a full attack surface?
  • Can we see indicators at all phases of the kill chain?
  • How quickly can we determine if it is targeted?

Disrupt the Kill Chain

Security leaders must evaluate the capabilities of operations and personnel. Leaders must answer whether their operations are efficient and effective and if not, how they can be improved. This includes assessing the expertise and constraints on that expertise to monitor and address threats in real time.

  • Can we detect and block advanced tradecraft?
  • Can we limit lateral movement?
  • How easily can we adapt internal controls?
  • Can we anticipate the adversary’s next moves?
  • Do we know enough to engage the adversary?
  • How quickly can we marshal response forces?

Eradicate and Remove the Threat

Because there is no “silver bullet”, organizations must evaluate their capability to respond effectively to an incident. Security professionals should take an introspective look at their organization to determine if the organization is adequately prepared to respond effectively to a breach. It is critical your organization has a Computer Security Incident Response Plan (CIRP).

  • What is the full scope of attacker presence?
  • What tradecraft should we sweep for?
  • How will the adversary respond?
  • Is the CIRP plan tuned for targeted attacks?
  • Can we close all the doors at once?
  • Are we prepared to prevent re-entry?

Breach Sources

  • 60% say the severity of malware infections has increased significantly
  • 49% believe zero day attacks will be the most prevalent over the next three years
  • 65% of attacks evade existing preventative security controls
  • 55% were unable to determine the location of the breach

How an Adversary Progresses Through the Kill Chain

Target Defined

Reconnaissance: How Threat Groups (TG) gather info on the target

  • Open source intel
  • Scanning
  • Web crawling
  • Internal records theft
  • Human sources

Development: TG infrastructure and tools development

  • Purchased tools
  • Compile times
  • Tailor made tools
  • Registered domain
  • Duration of use
  • Purchase hosts
  • Compromised hosts

Weaponization: Packaging of tools and exploit into a deliverable payload

  • Build process
  • Automated builder or “weaponizer”

Delivery: How the TG delivers the initial exploitation

  • Scan and exploit
  • Credential access
  • Spearphish
  • Web delivery
  • Physical delivery

Victim

Exploitation: TG Exploit method

  • New 0-Days
  • Acquired 0-Days
  • Social engineering
  • Copied exploit code
  • Tailor made exploit
  • Physical access

Installation: Installation of tools on compromised systems

Command and Control: Backdoor tool communication to the C2 server

Actions on Objective: TG activities as they pursue actions to reach their objective

  • Access to systems
  • Exfiltrate data
  • Corrupt data
  • Exhaust resources
  • Wipe systems

The Cost to Resist

Lateral Movement: Costs begin to rise at a more pronounced rate as soon as the actor expands beyond the endpoint into the environment.

Remedial Razor: Costs to remediate experience a step function and subsequent steeper cost curve once exfiltration occurs.

The Cost to Resist

There are core capabilities that must be present for any organization to effectively defend, resist and respond to threats.

The challenge for IT and IT Security is to disrupt the targeted attacker’s kill chain or lifecycle at the earliest point possible.

Ask Yourself

Addressing Key Questions in Each Part of the Kill Chain is the Key to Success

What does it take to know your adversaries?

  • Who are they and how do they operate?
  • What are their tactics, techniques and procedures?
  • What tradecraft do they use?
  • What indicators signal their attack, and at what stage?
  • How do we resist effectively?

Recommendation: Organizations should look to deploy forward intelligence capabilities that provide actionable information on threat actors and their operations

How can you detect a targeted threat as early as possible?

  • Are they already here?
  • Are we instrumented to detect advanced tradecraft?
  • Does telemetry extend across the full attack surface?
  • Can we see indicators at all phases of the kill chain?
  • How quickly can we determine if it’s targeted?

Recommendation: Security teams must have full visibility into the operations and security of their systems, networks and assets. Organizations must evaluate their current security architecture and consider recalibrating security policies to ensure that the right information is being collected and correlated to give a view of the “big picture” across your networks, information and assets.

Once you find the attack, are you able to stop it?

  • Can we detect and block advanced tradecraft?
  • Can we limit lateral movement?
  • How easily can we adapt internal controls?
  • Can we anticipate the adversary’s next moves?
  • Do we know enough to engage the adversary?
  • How quickly can we marshal response forces?

Recommendation: Security leaders must evaluate the capabilities of operations and personnel. Leaders must answer whether their operations are efficient and effective and if not, how they can be improved. This includes assessing the expertise and constraints on that expertise to monitor and address threats in real time.

What does it take to completely eradicate and remove the threat?

  • What is the full scope of attacker presence?
  • What tradecraft should we sweep for?
  • How will the adversary respond?
  • Is the CIRP plan tuned for targeted attacks?
  • Can we close all doors at once?
  • Are we prepared to prevent re-entry?

Recommendation: Because there is no “silver bullet”, organizations must evaluate their capability to respond effectively to an incident. Security professionals should take an introspective look at their organization to determine if the organization is adequately prepared to respond effectively to a breach. It is critical your organization has a Computer Security Incident Response Plan.

Thwart the Adversary

With the industry’s most comprehensive portfolio of services to address the risk posed by advanced threats:

1. Know your adversaries and their methods

  • Targeted Threat Intelligence
  • Red Team Testing

2. Detect threat activity earlier in the kill chain

3. Disrupt the kill chain and stop the attack

  • Advanced Endpoint Threat Detection
  • Enterprise iSensor
  • Advanced Malware Protection
  • Managed Security Awareness Program
  • Targeted Threat Hunting

4. Extract actor presence and remove the threat

  • Targeted Threat Response

Successful defense against advanced threats requires integrated threat intelligence, security operations and incident response capabilities. Secureworks Advanced Threat Services elevate your defenses with the key capabilities needed to effectively resist targeted threats. Fueled by Secureworks Counter Threat Unit™ (CTU) intelligence, Advanced Threat Services help you anticipate your attackers, detect their tradecraft, disrupt the kill chain and eradicate their presence in your environment.

Source: Secureworks