The Incident Response Kill Chain
It Was a Friday...
It is a Friday like any other. With coffee in hand, you sit and check the results of your anti-virus security scans. Three alerts have been raised: two have been “quarantined” and the other “cleaned”. You dig in, find two malicious files, delete them, and rescan. No alarms.
It’s a good thing your anti-virus caught these threats early and the issue was contained…or was it?
Did your anti-virus catch it on the way in or on the way out? Was the malicious software actively harvesting data or was its job already done? Was it just lying dormant? Did it move laterally through your organization and what triggered your alert was only the tip of the iceberg?
What is Incident Response?
Anti-virus tools are just that, tools.
Incident response means moving away from relying solely on tools or software to magically resolve incidents, and instead focusing on using people, process, and technology to establish much-needed context.
Where do information security experts gain this context? We study our adversaries in a very methodical way. This dedication to understanding their adversarial tradecraft is the critical link that allows us to establish context. To disrupt or deny the adversary, we place ourselves in the mindset of these threat actors to understand what allows them to function as they do.
The threat actor’s goal is to seek out valuable information that can be leveraged, harvested, sold, or even held for ransom. They follow certain processes and procedures; they invest their time and resources into opportunities that will yield them the greatest return on their efforts.
The Kill Chain®
The information security industry refers to the threat actor’s process as a Kill Chain®, a term coined by Lockheed Martin. The earlier the Kill Chain® can be disrupted, the less chance the threat actor has to execute on his objectives. Let’s take a look at the Kill Chain® and the process a threat actor goes through to access an organization.
1. Reconnaissance: Understanding the Target
The threat actor begins with reconnaissance. The threat actor will often crawl websites gathering information such as email addresses, social media connections, or specific information on your organization’s technologies or processes.
The goal for the attacker is to gather any valuable information that will offer an access point to the target organization.
2. Weaponization: Arming the Payload
What exactly does this malicious threat actor use to gain access? The answer comes in the form of weaponization. Much like a military unit using camouflage, threat actors don’t want to be noticed.
They want to pair their malicious payload with something that appears normal and benign. A PDF attachment or a standard Word file can be used to camouflage malicious payloads, for example.
3. Delivery: The Path Inside
The threat actor has his weaponized payload and now he needs to deliver it. How is the payload delivered into your system when you are already taking security precautions?
Threat actors will pair their payloads with actions you take every day, such as checking your email or visiting a website. Both of these normal processes can be a gateway for the threat actor.
4. Exploitation: Flipping the Switch
Exploitation is what flips the switch, making the threat active. This could be as simple as opening a macro-enabled Word document, which can execute embedded malicious code.
5. Installation: Building a Back Door
Malicious code is now running on the system. The payload can begin installation of an implant, allowing access and the ability to maintain position within your environment.
This essentially acts as a “backdoor” allowing the threat actor to enter and exit your system whenever he pleases.
6. Command and Control: Taking the Wheel
The installed implant now needs to connect to an operator, or in this case, connect to a system that allows manual or programmatic control of the threat.
Once the connection is made, access is granted. The threat actor now has the platform in place needed to begin executing his objectives.
7. Actions on Objectives: Access Granted
The attacker can now begin executing his objective. This may include using the primary access system to move laterally into other systems within your network.
The following is a look at how a threat actor could utilize this Kill Chain® to gain access to your organization.
So where in the Kill Chain® did your anti-virus alert your team?
You can quickly see the level of investigation the incident response team must be able to undertake. Each link of the chain must be identified. The point of detection (or Kill Chain link) will determine how incident responders should proceed to contain and remediate.
Anti-virus may sound an alert, but knowing where the threat was found, how long it has been present, where it came from, its intent, and what it has accessed is imperative to successfully closing the loop.
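As an added example (not part of the original article or any DigiTrust tooling), the sketch below places an anti-virus alert on the Kill Chain® using a constructed event timeline and reports what surrounds it. The event type names, host names, and the event-to-phase mapping are assumptions made for illustration.

```python
from datetime import datetime

# The seven phases, in the order the article lists them.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Assumed mapping from telemetry event types (hypothetical names) to phases.
EVENT_PHASE = {
    "email_attachment_received": "Delivery",
    "office_macro_spawned_process": "Exploitation",
    "autorun_entry_created": "Installation",
    "av_quarantine": "Installation",
    "periodic_outbound_connection": "Command and Control",
    "remote_admin_logon": "Actions on Objectives",
}

# Constructed sample timeline: (timestamp, host, event type).
EVENTS = [
    ("2024-03-01T09:12:00", "ws-14", "email_attachment_received"),
    ("2024-03-01T09:16:05", "ws-14", "autorun_entry_created"),
    ("2024-03-01T09:20:00", "ws-14", "periodic_outbound_connection"),
    ("2024-03-04T22:41:00", "fs-02", "remote_admin_logon"),
    ("2024-03-08T08:05:00", "ws-14", "av_quarantine"),
]

def triage(events, alert_type="av_quarantine"):
    """Place the AV alert on the chain and summarize what surrounds it."""
    rows = sorted((datetime.fromisoformat(ts), host, kind, EVENT_PHASE[kind])
                  for ts, host, kind in events if kind in EVENT_PHASE)
    alert = next(r for r in rows if r[2] == alert_type)
    alert_idx = PHASES.index(alert[3])
    seen = {r[3] for r in rows}
    # Later links with evidence that predates the alert: caught "on the way out".
    later = {r[3] for r in rows
             if r[0] < alert[0] and PHASES.index(r[3]) > alert_idx}
    return {
        "alert_phase": alert[3],
        "entry_point": rows[0][2],
        "dwell": alert[0] - rows[0][0],  # first related event to the alert
        "later_phases_before_alert": sorted(later, key=PHASES.index),
        # Other hosts in the timeline: possible lateral movement to scope.
        "other_hosts": sorted({r[1] for r in rows} - {alert[1]}),
        # Links from Delivery onward without evidence yet: where to hunt next.
        # The first two phases are assumed not visible in host telemetry.
        "unexplained_phases": [p for p in PHASES[2:] if p not in seen],
    }

if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

On this sample the alert sits at Installation, yet evidence of Command and Control and Actions on Objectives predates it by days, a second host is involved, and the Exploitation link is still unexplained.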
Incident Response vs. Anti-Virus
Due to the automated nature of anti-virus systems, the ability to contextualize and root-cause threats is beyond the reach of anti-virus tools. Applying incident response to an alert requires understanding the paths threat actors travel and their intent. While a “quarantined” anti-virus alert may offer
Incident Response Final Perspective
The DigiTrust Group is a managed security services firm that focuses on using advanced people, processes, and technology to proactively provide the highest level of information security at our client organizations. We do this by actively identifying, blocking, and researching attackers hitting our client organizations. In short, we act as a security operations center (SOC) for organizations that either do not have a SOC or require augmented SOC functionality.