Brakeing Down Security had Sean Malone on to talk about a presentation he’d given at BlackHat called Using an Expanded Cyber Kill Chain Model To Increase Attack Resiliency (slides, episode). I think Sean is spot on. The Cyber Kill Chain (CKC) was both extremely useful and in need of updating. In 2011, the defenders focus was on inside vs outside, and defending the boundary. In 2016, the perimeter is largely gone in favor of bring your own device, VPNs, complex vendor relationship, etc. So whereas the original CKC focuses on how an adversary gets into a network and then just has a single step for “actions on objective”, Sean’s extended version expands that into an internal kill chain and then a target manipulation kill chain. This reflects the reality of computer network operations – for an attacker, getting access is only the first step. But given this reality, is Sean the first to really formalize this extended process description? Regardless, Sean’s approach seems very reasonable.
The Extended Cyber Kill Chain (ECKC) also points out that the CKC (or ECKC) could (should?) really be viewed as an OODA loop, which hold true for both blue and red. Bryan asks is that means that blue is always 3 steps behind, but that misses the point of the CKC – these are all the steps that an attacker must go through to successfully complete his/her/their objective. And the ECKC just shows that there is much more surface area there. The defender doesn’t start at the beginning of the chain. They observe across the entire chain, looking to identify activity. The attackers advantage has always been that they only have to find one vulnerability, while the defender has to close any hole. The defenders advantage is that they only have to find the attacker at one point in the chain, after which the engagement moves from one of monitoring to incident response, which is much more to the defender’s advantage on their home turf.
By growing out the CKC, Sean is highlighting the importance of understanding all the monitoring that can be done between when an attacker gains access to their first host in a network and when their goals are achieved. All of that work represents numerous opportunities for the defender to identify the activity. And that’s where defense in depth comes in. The more monitors and traps in place, the greater the opportunity to identify activity. And the higher cost an attacker must pay to succeed. If a defender can identify the assets that might be of value, they can double down on monitoring around those assets to increase their chances.
Seans had a few more excellent points on defense. As an attacker, blacklists are easy to avoid. A defender needs to understand baseline on their network, and then set up heuristic alerts based on activity that is out of the norm. That’s hard to do without false positives. In fact, it’s impossible to do without false positives. The goal should be to reduce false positives to a managable amount, and then create tickets to handle the rest. Admin just logged in from two different IPs within a ten minute period? Call the admin and ask. Don’t expect the tech will do it all. Sean did mention there were a lot of companies out there trying to figure out how to effectively do just this, and it seems like an area that will be vasty more mature in a few years.
“Every control will fail” – An adversary will acquire local admin. They will have your network diagrams. They will have access to the internal network. If that’s true, how would you design a network? Probably very differently than most do today. Obviously that can be taken to an extreme, but the point is something the almost every network owner can probably stand to think about.
The hosts ask Sean about how his model compares the ATT&CK framework in development at MITRE. While it’s brushed over in the interview, it seems that the hosts don’t quite understand the meta level of both ATT&CK and ECKC. Neither is a tool set. CKC and ECKC try to define the various stages in a cyber attack so that defenders have a lexicon to talk with and a framework to strategize against. ATT&CK is the next step down from this, using a form of a CKC as the top row on a table whereas then all the various methods of achieving those steps are listed below, and then links each of those techniques to defensive mitigations. I should add ATT&CK is relatively new to me, so if I’m missing something here, please leave a comment!
There’s also a discussion of honeypots. It seems like a non sequitur from the conversation, but I found it fascinating. I’ve been listening to people talk about things like Canary on several podcasts (including their sponsor interviews on Risky Business), and this is the first time I’ve really heard the downsides discussed – if you have 100,000 hosts on an network, and 20 Canaries, what are the odds the Canaries are even touched? I’d be really interested to hear about anyone’s first hand experiences with these things, or how Thinkst responds to the volume issue.