Outsider Threat Protection - Building a Kill Chain Defense

The frequency and sophistication of outsider attacks continue to outpace the capacity for companies to defend against them. The most dangerous and effective malware is often designed for a specific organization (“target”), combining stealth, precision, and social engineering to penetrate the target’s perimeter, compromise systems, and remain undetected for long periods of time. Targeted attacks occur across every industry where competitive and proprietary information is used, including manufacturing, technology, energy, financial, pharmaceutical, critical infrastructure, and, of course, military and government organizations. The attacks are not limited to the targeted organizations, but include supply chains and partners of these enterprises, regardless of size and location, in an effort to find a weak link in defense systems from which to begin the attack process.

FIGURE 1: STAGES OF AN OUTSIDER ATTACK

Image

Organizations often struggle to deal with this relatively new and growing threat, and multiple challenges are present. The attacks are very sophisticated. Over 1/3 of initial malware introductions are a new or a significantly different variant of a previous attack, making detection and prevention by signature-based solutions difficult. The tools available to attackers are growing; malware kits are widely available on the Internet. The attackers are well-financed and patient, with attacks taking months to execute and portions of malware hiding silently in a victim’s environment for even longer. Finally, the attacks are persistent. They probe defenses and try a second, third, fourth, or fifth time to infect the organization, while constantly looking for weak points.

Common weak points include mobile devices and laptops that connect to the Internet when not on the corporate network. Network systems cannot protect devices not connected to the network. Whether it is an employee’s company laptop, a BYOD machine, or a contractor’s computer, a system can be infected quickly and easily without the protection of a network’s defensive systems. When the device reconnects to the network, the infection expands and the attack begins. Attacks are also increasing along business supply and value chains. If a business partner needs confidential data and that partner has weak security, attackers will find and exploit those weaknesses.

Organizations often struggle to defend against these attacks because most security products are incomplete, or point solutions. Antivirus and other signature-based technologies are blind to any new attack. Many products have a forensics focus, and can only analyze the damage inflicted and identify which machines were infected. Most next generation technologies focus on the initial infection stage of the attack, yet studies show that even with these tools in place there are significant gaps in the malware infection stage of the attack. It is clear that a defensive focus is on a single layer of the perimeter or network is ineffective.

The challenge is not limited to inadequate technology. Spear phishing, whaling, and waterhole attacks fool unwitting employees into infecting their machines. If employees are made aware of threats and how to recognize them, they can be an additional and valuable line of defense.

Even the best security teams struggle to keep up with this constantly changing and continuously growing threat. Security teams must understand the methods and models of emerging attacks and manage the defensive point products. Then, they must correlate information to determine if an attack is real and the goal of the attack. Finally, they must determine what upgraded or additional defenses are needed to prevent the next attack.

The goal of a Kill Chain Defense is to collect and correlate attack intelligence, identify anomalies that signal malware, and challenge the malware’s adaptability and stealth in ways it was not designed to circumvent. This is accomplished by gathering and correlating data from all possible stages of an attack and deploying effective defensive controls to the stages where the attack is most vulnerable.

This model can be broken down into four defensive capacities:

1. Prevention
2. Detection
3. Containment
4. Investigation

As mentioned, an important assumption in the Kill Chain Defense is that an attack will defeat one or more individual technology layers and succeed in infecting one or more systems. The Kill Chain Defense relies on the ability to detect and defend across all stages of an attack and all layers of a network system.

Kill Chain technologies require autonomy; if one system becomes infected and compromised, it cannot degrade the ability of other systems to operate effectively. At the same time, the intelligence collected needs to be correlated so that attacks are quickly and accurately defined. Integration between products must exist, but in a manner that does not compromise the integrity of the Kill Chain strategy.

Another military term that can be effectively transferred to outsider threat defense is “force multiplier.” In military terms, this is a capability that, when added to a combat force, significantly increases the combat potential of that force and thus enhances the probability of successful mission. In the advanced threat world, that force multiplier is an integrated platform that can detect, correlate, and create actionable intelligence, and then quickly and effectively act on that intelligence with prevention and containment controls.

Digital Guardian provides a Kill Chain Defense platform, with the correlation and integration needed to act as a force multiplier. It can effectively detect and stop an attack, even if the code or methodology has not previously been seen “in the wild.” Digital Guardian’s kernel-level agents afford visibility to all data movement and use, and data-level access controls to provide early warning and blocking to stop outsider threats at any point of an attack.