Discover PerformanceHP Software's community for IT leaders // July 2013
5 stages of defense: Understanding the kill chain
If you’re putting all your efforts into keeping bad guys out, you’ve only covered one stage.
HP Enterprise Security has found that the typical organization spends 86 percent of its security budget on perimeter defense. Unfortunately, the growing sophistication of today’s adversaries makes this unbalanced resource distribution increasingly unwise.
"We are incredibly predictable to our adversary," said Art Gilliland, senior vice president of HP Enterprise Security during his 2013 RSA Conference keynote. Today’s cyber criminals are well versed in the security standards that enterprises comply with, as well as the operational patterns, budget cycles, technologies, and remediation techniques that define the enterprise security response, Gilliland explained. And that makes them very successful at circumventing perimeter defenses.
“It’s time to admit that sometimes we are going to fail at keeping adversaries out of the network,” says Jacob West, CTO of Enterprise Security Products at HP, and head of HP Security Research. “As a result, we have to ask ourselves what we can do to minimize a successful intruder’s ability to expand to other systems, to curtail the time they can remain undetected, and to prevent them from exporting the assets they’ve collected.”
The 5 attack stages
To improve their defensive success, organizations must be attentive to the entire, end-to-end progression of an attack, often called a “kill chain.” There are five stages of the kill chain, and each presents a different challenge for the security strategist.
- Research: Attackers are looking for a target that fits a certain profile, or they’re doing research to help them select the best tactic to infiltrate an established target.
- Infiltration: An attacker breaches the network perimeter, many times via an application or other software, which provides access to one or more systems.
- Discovery: An attacker is quietly mapping your entire IT environment looking for more or better opportunities to exploit your data and systems from the inside.
- Capture: Adversaries bring targeted assets under their control, while still operating within the confines of the corporate network. For example, they might run a query to a database to move all recent credit card transactions to a text file on a network server.
- Exfiltration: An attacker removes collected assets from the confines of the network, establishing physical control over them.
Most organizations are doing a good job at preventing infiltration, as this is where perimeter defense techniques play out. But thanks to solution and policy maturity, it’s possible to maintain the same level of success at preventing infiltration and still shift security spending to techniques that can detect adversarial activity that indicates an existing breach, and prevent adversaries from attempting an attack in the first place.
For those organizations ready to take a broader view of their defense strategy, West offers the following advice:
Use security intelligence more effectively.
- Understand what attackers are profiling and minimize vulnerabilities accordingly. For instance, incorporate more training on how to use social media with privacy as a key consideration.
- Acquire your security intelligence from sources well-suited to your needs, including the business sectors and geographic regions in which you operate. This can help minimize the amount of post-processing you have to do to make intelligence actionable.
- Collect more intelligence from your own systems and internal networks to augment what you get from third parties. If you’re trying to understand the threats you are facing, there’s no better intelligence than your own.
Assume you are breached and act accordingly.
- Create a baseline “safe” condition of the IT infrastructure and monitor the behavior of systems and users continuously so that anomalies can be identified.
- Accept that threats may be internal. Whether a malicious insider does damage through access as an employee or a compromised system acts on behalf of a malicious external actor, understand that your own staff and systems may be working against you.
Pay as much attention to outgoing data as you do to incoming data.
- Monitor changes in the volume or rate of data as it leaves; investigate anomalies without delay.
- Raise awareness among employees about how the actions they take—such as sharing files or data via social media or cloud tools—may aid an attacker’s social engineering ploy.
The stakes are high, Gilliland told the RSA audience, and organizations can’t focus exclusively on their initial lines of defense. They also have to consider how they’ll find and defeat adversaries once they’ve penetrated the organization.
“If we put all our money and all our chips in one category, in the blocking technology, [these cyber-criminals] are the best in the world and they only need to be right one time,” he noted. “And so finding them after they’ve gotten inside—but before they’ve stolen data—is important.”
Watch Art Gilliland’s full RSA keynote, “Criminal Education,” on the growing sophistication of security adversaries and the best strategies to combat them.