Threat Kill Chain

Redport Information Assurance
When you think of hacking you might picture an outside source or an individual hacker creating chaos in the cyber world from far away, but unfortunately that is not always the case. Often your greatest security risks come from within your own company, from the people you trust. Studies show that in the last year more than a third of sensitive data breaches were caused by malicious insiders or human error inside the organization. Business partners, employees and contractors were responsible for more cyber breaches than any outside source. Insiders' intentions range from fraud to sabotage, property theft and espionage, costing companies millions. On average a single insider attack costs a company $412k per incident, and it can also destroy the trust, integrity and possibly the reputation of an organization.
As a result of the many recent high-profile insider incidents in the press, IT managers and CISOs alike have come to know the insider threat chain, which can often be difficult to identify and deal with effectively. It has become a serious concern for many organizations, and it is influenced by many factors, cultural and technical as well as behavioral. The only way to defend against such threats is by implementing strong policies and procedures, which need to be supported by the board and senior management. Companies should budget for the information assurance team to implement an effective insider threat mitigation program to defend against threats from within. Because the threat depends on user behavior, it can still be difficult to catch these breaches before they happen. Inside attackers must go through critical stages to get the data they seek; this process is usually premeditated, which makes it difficult to catch them in the act.


Cyber Kill Chain:
“Cyber Kill Chain” is a term coined by Lockheed Martin to describe the sequence of events that take place in the majority of data breaches within companies. They state that the steps necessary for an attacker to successfully compromise an organization's data are as follows (we have provided a brief description of the seven steps).

Step 1: Reconnaissance. The attacker gathers information on the target before the actual attack starts, for example by looking for publicly available information on the Internet.

Step 2: Weaponization. The attacker uses an exploit and creates a malicious payload to send to the victim. This step happens on the attacker's side, without contact with the victim.

Step 3: Delivery. The attacker sends the malicious payload to the victim by email or other means, which represents one of many intrusion methods the attacker can use.

Step 4: Exploitation. The actual execution of the exploit; this is relevant only when the attacker uses an exploit.

Step 5: Installation. Installing malware on the infected computer is relevant only if the attacker used malware as part of the attack; even when malware is involved, the installation is a single point in time within a much more elaborate attack process that takes months to operate.

Step 6: Command and control. The attacker creates a command and control channel in order to continue to operate his internal assets remotely. This step is relatively generic and relevant throughout the attack, not only when malware is installed.

Step 7: Action on objectives. The attacker performs the steps to achieve his actual goals inside the victim’s network. This is the elaborate, active attack process that takes months and thousands of small steps to achieve.

All of these steps must be taken by the hacker to get data out of an organization through its perimeter. Every step is necessary to successfully compromise the system. If only one of these steps is interrupted, the entire chain is broken and the hacker will fail miserably. However, cyber criminals don’t give up that easily, which is why an organization must have strong policies and stand firm on them in order to defend company data successfully. In addition, it should have a strong information assurance team implementing security software to disrupt the Kill Chain.
The Kill Chain will only help you with external threats; to cover the rest of the potential threats you must look inside your network.
The “Insider Threat Kill Chain” is an entirely different entity and must be dealt with differently, as human behavior is involved. In recent months the effects of internal threats have become all too real, as the media continues to report on large corporations that have had their internal networks compromised, and the frequency of these successful attacks increases.

The Insider Threat Kill Chain

Unlike the Kill Chain, which focuses on external hackers, the “Insider Threat Kill Chain” is purely focused on internal threats such as employees, contractors and, believe it or not, business partners. These people not only work for you and are paid by you but are also the ones you trust to perform the task at hand. It is difficult to believe that cyber threats could be coming from just a few feet from your office, but unfortunately this is now commonplace in offices around the world. Employees have access to your systems and data and yet they are often overlooked as a potential threat.

Recent findings show that the Insider Threat Kill Chain does not follow the traditional Kill Chain steps.

The Insider Threat Kill Chain:

• Tipping Point or recruitment
• Search and Reconnaissance
• Data Acquisition
• Exfiltration of Data

Tipping Point or recruitment
An insider's motives can have several factors: they may have been coerced by a third party to obtain data for monetary benefit, or they may have personal grievances with the company and something they would like to expose. This is the “Tipping Point”. The insider threat could come from existing employees, contractors, etc.

Search and Reconnaissance
If an employee has reached a “Tipping Point”, they will begin to target sensitive company data on their own system, or attempt to find a system or systems that can lead them to valuable data.

Exploitation
Once the insider has located the data, they must find a way to access it, using credentials and possibly other systems, or gaining access to new software with which to reach the data.

Acquisition
Once the insider has identified and accessed the company data they will now have to move the data to a single or multiple locations.

Exfiltration
The insider has now identified and accessed the data. They then remove this data to an unauthorized location. This can be carried out by remote transfer or by storing the data on removable hardware.
Most of the time, insider attacks don’t require complex methods such as malware or cracking tools to gain access to sensitive company data.
Because they are internal to your company, they often only have to use their existing access or find an open or unprotected system. An organization should implement sufficient tools to alert on and prevent insider attacks.
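As an added illustration (not from the article or from Redport), the following Python maps constructed audit events onto the article's insider stages (Search and Reconnaissance, Acquisition, Exfiltration) and raises an alert only when one user completes them in order within a time window. The event types, share names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Insider kill chain stages in the order the article describes them.
STAGES = ("reconnaissance", "acquisition", "exfiltration")
SENSITIVE_SHARES = {"finance", "hr", "legal"}  # assumed data-classification labels
# Constructed sample audit events: (user, ISO timestamp, event type, detail, bytes).
EVENTS = [
    ("jdoe", "2024-03-01T09:05:00", "file_read", "fs01/finance/q1_forecast.xlsx", 0),
    ("jdoe", "2024-03-01T09:12:00", "file_read", "fs01/hr/salary_bands.xlsx", 0),
    ("jdoe", "2024-03-01T09:20:00", "file_read", "fs01/legal/msa_template.docx", 0),
    ("jdoe", "2024-03-02T18:40:00", "file_copy", "C:/Users/jdoe/tmp/archive.zip", 850_000_000),
    ("jdoe", "2024-03-02T18:55:00", "usb_write", "E:/archive.zip", 850_000_000),
    ("asmith", "2024-03-01T10:00:00", "file_read", "fs01/finance/q1_forecast.xlsx", 0),
    ("asmith", "2024-03-01T10:30:00", "upload", "sharepoint.example.com", 2_000_000),
]
def stage_hits(user_events, recon_min_shares=3, stage_min_bytes=500_000_000):
    """Return {stage: first timestamp} for the stages one user's events evidence."""
    first, shares = {}, set()
    for _user, ts, etype, detail, nbytes in sorted(user_events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if etype == "file_read":
            # Search and Reconnaissance: reading across several sensitive shares.
            share = detail.split("/")[1]
            if share in SENSITIVE_SHARES:
                shares.add(share)
            if len(shares) >= recon_min_shares:
                first.setdefault("reconnaissance", when)
        elif etype == "file_copy" and nbytes >= stage_min_bytes:
            # Acquisition: a large volume of data moved to a staging location.
            first.setdefault("acquisition", when)
        elif etype in ("usb_write", "upload"):
            # Exfiltration: removable media or remote transfer.
            first.setdefault("exfiltration", when)
    return first

def detect(events=EVENTS, window_hours=72):
    """Per user: stages reached, and whether the whole chain completed in order inside the window."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[0]].append(ev)
    report = {}
    for user, evs in by_user.items():
        first = stage_hits(evs)
        times = [first[s] for s in STAGES if s in first]
        complete = len(times) == len(STAGES) and times == sorted(times)
        alert = complete and times[-1] - times[0] <= timedelta(hours=window_hours)
        report[user] = ([s for s in STAGES if s in first], alert)
    return report
```

A single upload with no preceding reconnaissance or staging (asmith) is recorded but does not alert, which is what keeps routine collaboration traffic from drowning the signal.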
If these are not implemented, you run the risk of your critical, sensitive company data walking out the door with the next hired and fired employee. This insider risk factor creates a new challenge for cyber security teams, and these attacks appear to be increasing and becoming more frequent than they were in the past year. Organizations need to enhance their security constantly in order to defend sensitive company data from insider attacks. Relying on old approaches will not protect your data from the ever-changing world of cyber threats. You will need to implement, maintain and update a system that protects your data across the entire Kill Chain, both external and internal. Companies should also have a reputable in-house Information Assurance Team with a high-level skill set, to achieve a safe data posture and to detect threats before they are realized.

Sources: Lockheed Martin, Zonefox


For more information about Redport’s information assurance and cyber security services, visit www.redport-ia.com, email us at info@redport-ia.com, like us on Facebook, and follow us on Twitter @redport_ia.

Gaithersburg, MD, USA