The Kill Chain for the Advanced Persistent Threat

Transcription

1 The Kill Chain for the Advanced Persistent Threat Intelligence-driven Computer Network Defense as presented at Michael Cloppert Eric Hutchins Lockheed Martin Corp Wednesday, October 12, /12/2011 1

2 Introductions Presenters Eric Hutchins Michael Cloppert Chief Analyst, LM-CIRT Intel Fusion Lead, LM-CIRT LM-CIRT Established 2004 to focus on sophisticated threats Now responsible for CND against all threats facing LM Intel-driven CND / Security Intelligence Symbiotic tools & methods such as Cyber Kill Chain Developed by presenters w/ support from team History Evolution of operational defenses, Documented, 2009 Slight adjustments in 2010 Formalized in refereed journal in March,

3 Our Adversaries The 80/20 rule Key top-tier adversary attributes Adaptable Persistent Access to targeted data Presence in environment Attempts to gain entry Perceptive Organized Intel-based CND exploits persistent attributes 3

4 Our Requirements Approach to detection & mitigation that is: Resilient to change Anticipates aspects of future intrusions Means to understand CND capabilities What is available Relative efficacy Tradeoffs (intel gain/loss, etc.) Ability to easily prioritize response based on risk Framework for defining complete & proper analysis Self-sustaining processes 4

5 Counterintelligence via Adversary Modeling Meet requirements by modeling adversary Our method offers tools to model at various levels Specific tools & techniques Indicator lifecycle, thread pulling An intrusion, or intrusion attempt Cyber Kill Chain Strategic access to protected data Campaign analysis and defender capabilities Courses of Action Matrix 5

6 The Cyber Kill Chain (CKC) 7-Stage Pipeline Model Adversary must reach end of the chain to be successful Just one mitigation breaks the chain Just one detection provides opportunity for response prior to phase 7 Pre- Compromise Recon Weaponize Deliver Exploit Install Post- Compromise Establish C2 Act on Intent Intrusion 6

7 Driving Completion Full intrusion: Analysis to complete the kill chain Recon Weaponize Deliver Exploit Install Pre- Compromise Analyze Establish C2 Post- Compromise Detect Act on Intent Mitigated intrusion: Analysis and synthesis Analyze Detect Synthesize Recon Weaponize Deliver Exploit Install Establish C2 Act on Intent Pre- Compromise Post- Compromise Gather all intel across the kill chain, regardless of success 7

8 Resiliency via Courses of Action Defensive Countermeasures Kill Chain Detect Deny Disrupt Degrade Deceive Recon Web analytics Firewall ACL Weaponize NIDS NIPS Intrusion Delivery Exploit Installation Increasing risk Vigilant User HIDS HIDS Proxy filter Vendor Patch chroot jail Inline AV DEP AV Queuing Command & Control NIDS Firewall ACL NIPS Tarpit DNS redirect Actions on Objectives Audit log Quality of Service Honeypot 8

9 Indicator Life Cycle 1. Analysis and synthesis reveal indicators 2. Pivoting on indicators identifies detection candidates 3. Future intrusions trip detections 4. GOTO 1 Intel sharing accelerates indicator lifecycle Stable indicators drive consistent workflows Repetitions, correlations may reveal new campaigns 9

10 Anticipating Intrusion Indicators Two ways to be proactive Implement durable defenses for today and for tomorrow Anticipate before it happens Kill chain completion and campaign trending are crucial Anticipation and true early warning are heavily dependant on adversary s tactics 10

11 Campaign Trending * using fictitious data 11

12 A Framework for Collaboration Kill Chain approach has been widely adopted Leveraged by DoD, DIB, energy, pharmaceutical companies Spurring new international collaboration in UK, Australia, and Canada Kill Chain Workshops to fuse collective reporting, build more salient trends Developing and sharing tools that facilitate intel-driven CND Vortex-IDS: Lockheed Martin open source software 12

13 Conclusion Intelligence-driven CND techniques are vital to mitigate sophisticated intrusions Cyber Kill Chain enables Consistency and completeness in analysis, response Correlations between intrusions to identify and analyze campaigns Resilient and anticipatory security posture 13

14 Thank You Eric Hutchins Michael Cloppert Additional credit: Lockheed Martin Computer Incident Response Team members 14