Monday, October 10, 2016

The Final Steps in the Cybersecurity Kill Chain

Are You Concerned About a Potential Backdoor?  

Better still…. Are You Ready to Do Something About It?

Take Action

This 7-Step Cybersecurity Kill-Chain Will Stop Your Enemy Cold!  (But Not Before Gathering the Highly Prized Intelligence they want)

Intelli-Flex partner US ProTech has Mastered the Cybersecurity Kill Chain framework 1st developed with the DOD and in preparation for the CyberSecurity Summit, we wanted to share this information.  It’s part of a process they have termed the “Intelligence Driven Defense model” for the identification and prevention of cybersecurity intrusion activity. The model identifies what 7-steps the adversaries must complete in order to achieve their objective and more importantly how and when to kill their presence.

We are going to run this in this series of 3 blog posts, that will provide you the critical info needed to take action against the greatest threat of our time – Hackers using APT’s. We've already covered steps one through four.

1. RECONNAISSANCE
a. Harvesting email addresses, conference information, etc.
b. The first step of any APT attack is to select a target.

2. WEAPONIZATION
a. Coupling exploit with backdoor into deliverable payload
b. Next, attackers will re-engineer some core malware to suit their purposes using sophisticated techniques.

3. DELIVERY 
a. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the US ProTech Computer Incident Response Team (USPT-CIRT) for the years 2005-215, are email attachments, websites, and removable media such as a USB stick.

4. EXPLOITATION
a. At this stage exploiting a vulnerability to execute code on victim’s system command channel for remote manipulation of victim is the objective.

Today, let’s discuss the final steps:

5. INSTALLATION  
a. At this stage the installation of a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment. Installing malware on the asset requires end-user participation by unknowingly enabling the malicious code. Taking action at this point can be considered critical.  One method to effect this would be to deploy a HIPS (Host-Based Intrusion Prevention System) to alert or block on common installation paths, e.g. NSA Job, RECYCLER. It’s critical to understand if malware requires administrator privileges or only user to execute the objective.  Defenders must understand endpoint process auditing to discover abnormal file creations.  They need to be able to compile time of malware to determine if it is old or new.  Answers to the following questions should be consider mandatory:  How does it last, survive, etc.  Does it use Auto run key, etc.  Does Backdoor need to run to provide access.  Can you identify any certificates and extract any signed executables?

REAL LIFE EXAMPLE:
a. A Watering Hole Attack on Aerospace Firm
b. Exploits CVE-2015-5122 to Install IsSpace Backdoor
i. See: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5122
Case Study: http://bit.ly/cybersecuritycase

6. COMMAND AND CONTROL
This stage is the defender’s “last best chance” to block the operation: by blocking the Command and Control channel.  If adversaries can’t issue commands, defenders can prevent impact.   Typically, compromised hosts must beacon outbound to an Internet controller server to establish a Command & Control (aka C2) channel.  APT malware especially requires manual interaction rather than conduct activity automatically. Once the C2 channel establishes, intruders effectively have “hands on the keyboard" access inside the target environment.  Let’s remember that seldom is Malware automated, normally this command channel is manual.  The general practice of intruders is:  Email – in, Web = Out.  The trick for them is to have established the control over many work stations in an effort to “exfiltrate” data without setting off any anomalies or other monitoring applications based upon content, quantity, frequency, etc.  Hence, the reason it is essential to have the proper tools in place that can identify, track, observe, stop and destroy these campaigns within your arsenal of capabilities.

7. ACTIONS ON OBJECTIVES
The longer an adversary has this level of access, the greater the impact.  Defenders must detect this stage as quickly as possible and deploy tools which will enable them to collect forensic evidence.  One example would include network packet captures, for damage assessment.  Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, the objective of data ex-filtration involves collecting, encrypting and extracting information from the victim(s) environment; violations of data integrity or availability are potential objectives as well. Alternatively, and most commonly, the intruder may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network.  Once this stage is identified within an environment, the implementation of prepared reaction plans must be initiated.  At a minimum, the plan should include a comprehensive communication plan, detailed evidence must be elevated to the highest ranking official or governing Board, the deployment of end-point security tools to block data loss and preparation for briefing a CIRT Team.  Having these resources well established in advance is a “MUST” in today’s quickly evolving landscape of cybersecurity threats.

900,833,392+ Records Breached During 5,063 Reported Data Breaches**Explanation about this total

Coming Soon:
5. INSTALLATION  
6. Real-Life Example “IsSpace Backdoor”
7. COMMAND & CONTROL
8. ACTIONS ON OBJECTIVES 

CONTACT US for a demonstration

REGISTER TODAY for the Inland Southern California Cybersecurity Summit (#ISCCS)

ISCCS ARTICLE

Guest Blogger - Jonathan Goetsch, Speaker and Panelist at ISCCS

Jonathan Goetsch is the CEO of US ProTech, Inc., a highly recognized Cybersecurity services company that has been established since 1999 serving thousands of clients.  Based in Las Vegas, NV with operations in California, Texas and Belgium, US ProTech’s Cyber-Expertise serves mid-market to large enterprise business and Governmental agencies in six countries.  As an Offensive-Side Red-Team Cyber Penetration Testing Team, US ProTech specializes in cybersecurity processes that are approved by the U.S. Government, validated by the U.S. Department of Commerce to exceed US Military Standards under NIST (National Institute of Standards and Technology) and accommodates SCAP (Security Content Automation Protocol).  Jonathan’s work in the Cybersecurity community spans the past 20+ years and he’s regularly recognized by the media and his peers for exceptional industry insight, contributions to the community and has been named to The Top 20 List as Global Providers of Cyber Security Services each of the past two years.