This presentation discusses how adversaries carry out targeted attacks (the Kill Chain) and how organizations can defend themselves (the Defense Chain and Intel-Driven Operations).
Me: Hunt Team Manager at FireEye. Focus areas include threat intelligence, analytics and workflow for incident detection and response. 15 years of detection & response experience in government, research, educational and corporate arenas. One of the founding members of a Fortune 5 CIRT. Spent 5 years helping to build a global detection & response capability. This is only here so you can pick me out of a lineup.
The Adversaries: Not “what”. There’s a human at a keyboard. • Highly tailored and customized attacks targeted specifically at you • Professional, organized and well funded • Nation-state sponsored, pure cybercrime, or blended • Escalate sophistication of tactics as needed • Relentlessly focused on their objective • If you kick them out, they will return • They have specific objectives • Their goal is long-term occupation • Persistence tools ensure ongoing access
Kill Chain: Reconnaissance • Weaponization • Delivery • Exploitation • Installation • Command & Control (C2) • Actions on Objectives. “[…] a systematic process to target and engage an adversary to create desired effects.” Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (last checked August 2013)
Reconnaissance: Before you attack, scope out the target! Identify • Who to attack • Where to attack • How to attack • Where they keep their stuff. The victim organization may never even see any of this. There is a lot of info out there in Google’s cache or public databases. Adversaries will use this data to create a plan of attack.
Weaponization: Take something harmless and make it evil. Could be a document, an executable file or even a transaction (e.g., an HTTP request). Bonus points if it’s something the target wants, like a conference they’re attending or a game! This is all hidden from your view.
Delivery: Deliver the attack to the target! Many possible ways, depending on the type of attack they have planned. Common methods include:
Installation: Once they’re in, they make sure they stay in! Typically involves some combination of: • A stage 1 and/or stage 2 backdoor • A persistence mechanism • A rootkit. Usually the earliest stage involving changes to a victim’s IT environment.
Command & Control: Once the malware is installed and running, it needs to “broadcast” back to its owner. This design circumvents firewalls with restrictive ingress policies but lax egress controls (i.e., every firewall). The example is from FIN4. It is plaintext HTTP, but it doesn’t have to be.
Actions on Objectives: Then the attacker is ready to carry out the mission. This is where things start to get really interesting! It’s also where the Kill Chain model starts to break down. Almost always involves compromising additional hosts (“lateral movement”). Other frequent activities include: • Capture & use of user creds • Tool downloads • Internal reconnaissance • Direct exploitation • Data theft & exfiltration • <and pretty much anything else>
Kill Spiral! [Figure: the Kill Chain phases (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives) repeated end to end as a spiral, each Actions on Objectives feeding the next round of Reconnaissance.]
Pyramid of Pain: The Pyramid measures the potential usefulness of your intel. It also measures the difficulty of obtaining that intel. The higher you are, the more resources your adversaries have to expend. When you quickly detect, respond to and disrupt your adversaries’ activities, defense becomes offense.
David J. Bianco, [email protected], @DavidJBianco, detect-respond.blogspot.com. I <3 Feedback! I’d really love to hear from you. Questions, comments, stories about how this worked for you, citations referencing my work are all appreciated!