SIEMphonic and the Cyber Kill Chain

Cyber Kill Chain by Lockheed Martin

The Cyber Kill Chain model by Lockheed Martin describes how attackers use the cycle of compromise, persistence and ex filtration against an organization. Defense strategies that focus exclusively on the perimeter and on prevention do not take into account the kill chain life cycle approach; this is a reason why attackers are continuing to be so successful. Defending against persistent and advanced threats requires methods that detect and deny threats at each stage of the kill chain.

Focusing on perimeter defenses gives the appearance of concentrating resources on the most exposed assets and attack vectors. This thinking means the attacker needs to be successful only once out of an unlimited number of attempts. Defenders, conversely, must be right every time. This is not only wrong but also untenable. Just because there has been a successful malware infection or SQL injection attack against your network, it does not follow that the attacker has won and you have lost. The kill chain highlights that this is clearly not the case, because the attacker wins only when all phases of the Cyber Kill Chain have been executed successfully. A successful attack is an end-to-end process and described as a “chain” because an interruption at any stage can interrupt the entire attack. This turns the burden on the attacker who must now succeed at each and every step whereas a defender must succeed at only on step.

The EventTracker SIEMphonic solution is a mix of technology, skilled experts and process discipline designed to address defense across the entire cyber kill chain. Here’s how SIEMphonic maps to the Cyber Kill Chain.

Recon  Defined as identification, target selection, organization details, information on technology choices. SIEMphonic detects attempts by receiving and analyzing Web server logs, performing vulnerability scan, external penetration testing, all integrated with local, global and community threat intelligence. Our new EventTracker Honeynet offering is designed to deceive attackers and expose them by their actions rather than by reputation (which is too often neutral).

Deliver  Transmission of the malware is initiated by either the target (users browse to a malicious Web presence, leading to the dropping of malware, or they open a malicious PDF file) or by the attacker (SQL injection or network service exploitation). SIEMphonic provides security analytics and network behavioral analysis integrated with threat intelligence to detect such attempts.

Exploit  After delivery to the user or endpoint, malware will gain a foothold by exploiting a known vulnerability. Sadly it is most likely that a patch has been available for months or years but not implemented. The SIEMphonic vulnerability assessment service provides a managed service to systematically discover vulnerabilities and make it easier to remediate them thereby reducing the attack surface.

Install  Usually this is a remote-access trojan (RAT), stealthy in its operation, allowing persistence or “dwell time” to be achieved. The attacker seeks to control this without alerting the defenders. SIEMphonic technology includes Endpoint Threat Detection features which catches threats that evade the signature based anti virus. The Change Audit (aka FIM) feature tracks file changes at endpoints and is a robust technique to detect unwanted installation.

C&C  Now that the attacker has control of assets inside the network, using methods such as DNS, Internet Control Message Protocol (ICMP), websites he tells the controlled “asset” what to do next and what information to gather. A staging host is identified to which all internal data is copied, and then compressed and/or encrypted and made ready for exfiltration. SIEMphonic can detect such activities by analysis of DNS activity, file integrity monitoring and network traffic analysis all integrated with IP reputation intelligence.

Exfiltrate – In this final phase the attacker exfiltrates data and maintains dwell time in the network and then takes measures to identify more targets, expand their footprint. After the compromise, subsequent attack activity is performed as internal user. SIEMphonic activity monitoring function performs continuous monitoring to identify out of ordinary user access to data, including frequency, times of day and from locations previously unseen. Network behavioral analysis highlight devices that are moving data around that is not part of its role (traffic to hosts that stand out), an exceedingly high volume of DNS traffic to an external DNS server that is not defined for external host name resolution, traffic protocols being actively used that are against policy or trusted user attempting clearly malicious activity such as an FTP session to an unexpected destination.

Defending a network in today’s threat landscape requires a blend of technology, expertise and process discipline. SIEMphonic can help at an attractive price point.