The Incident Response Kill Chain

It Was a Friday...

It is a Friday like any other. With coffee in hand, you sit and check the results of your anti-virus security scans. Three alerts have been raised, two have been “quarantined” and the other “cleaned”. You dig in and find two malicious files, you delete them, and rescan. No alarms. It’s a good thing your anti-virus caught these threats early and the issue was contained…or was it?

Did your anti-virus catch it on the way in or on the way out? Was the malicious software actively harvesting data or was its job already done? Was it just lying dormant? Did it move laterally through your organization and what triggered your alert was only the tip of the iceberg?  

What is Incident Response? 

Anti-virus tools are just that, tools. True incident response is the ability to identify an intrusion, investigate, contain, and ultimately remediate it. Incident response teams will hopefully have extracted enough information to know how deep the intrusion goes, what is needed for recovery, and how it could be prevented in the future.  

Incident response means moving away from solely relying on tools or software to magically resolve incidents, and instead, focusing on using people, process, and technology to establish much-needed context. 

Establishing Context

Where do information security experts gain this context? We study our adversaries in a very methodical way. This dedication to understanding their adversarial tradecraft is the critical link that allows us to establish context. To disrupt or deny the adversary, we place ourselves in the mindset of these threat actors to understand what allows them to function as they do.  

The threat actor’s goal is to seek out valuable information that can be leveraged, harvested, sold, or even held for ransom. They follow certain processes and procedures; they invest their time and resources into opportunities that will yield them the greatest return on their efforts.

The Kill Chain®

The information security industry refers to the threat actor’s process as a Kill Chain®, a term coined by Lockheed Martin. The earlier the Kill Chain® can be disrupted, the less chance the threat actor has to execute on his objectives. Let’s take a look at the Kill Chain® and the process a threat actor goes through to access an organization.

The Kill Chain®

1. Reconnaissance: Understanding the Target

The threat actor begins with reconnaissance. The threat actor will often crawl websites gathering information such as email addresses, social media connections, or specific information on your organization’s technologies or processes.

The goal for the attacker is to gather any valuable information that will offer an access point to the target organization.

2. Weaponization: Arming the Payload

What exactly does this malicious threat actor use to gain access? The answer comes in the form of weaponization. Much like the military and camouflage, threat actors don’t want to be noticed.

They want to pair their malicious payload with something that appears normal and benign. A PDF attachment or a standard Word file can be used to camouflage malicious payloads, for example. 

3. Delivery: The Path Inside

The threat actor has his weaponized payload and now he needs to deliver it.  How is the payload delivered into your system when you are already taking security precautions?

Threat actors will pair their payloads with actions you take every day
, such as checking your email or visiting a website. Both of these normal processes can be a gateway for the threat actor.

4. Exploitation: Flipping the Switch

Exploitation is what flips the switch, making the threat active. This could be as simple as opening a macro-enabled Word document, which can execute embedded malicious code.

5. Installation: Building a Back Door
Malicious code is now running on the system.  The payload can begin installation of an implant, allowing access and the ability to maintain position within your environment.

This essentially acts as a “backdoor” allowing the threat actor to enter and exit your system whenever he pleases.

6. Command and Control: Taking the Wheel

The installed implant now needs to connect to an operator, or in this case, connect to a system that allows manual or programmatic control of the threat

Once the connection is made, access is granted. The threat actor now has the platform in place needed to begin executing  his objectives.

7. Actions on Objectives: Access Granted

The attacker can now begin executing his objective.  This may include using the primary access system to move laterally into other systems within your network.

The following is a look at how a threat actor could utilize this Kill Chain® to gain access to your organization. 

Kill Chain Process Example

So where in the Kill Chain® did your anti-virus alert your team?

Incident Response Kill Chain Timeline

You can quickly see the level of investigation the incident response team must be able to undertake. Each link of the chain must be identified. The point of detection (or Kill Chain link) will determine how incident responders should proceed to contain and remediate.

Anti-Virus may sound an alert, but knowing where the threat was found, how long it has been present, where it came from, its intent, and what it has accessed is imperative to successfully closing the loop.

Incident Response vs. Anti-Virus

Due to the automated nature of anti-virus systems, the ability to contextualize and root-cause threats is beyond the reach of anti-virus tools. Applying incident response to an alert requires understanding the paths threat actors travel and their intent. While a “quarantined” anti-virus alert may offer piece of mind, it is a false sense of security.  

Incident Response Final Perspective

Incident response is continuously evolving. When a threat actor attacks and our incident response team stops it, the actor has just provided us with another tool to use against him. The more attempts he makes, the more tools and information he is handing over to us. Our collective information gained, allows our incident response teams to keep client organizations safer while making breach attempts more costly for these threat actors.

To learn more about DigiTrust’s managed security and consulting services you can contact us using the form to the right or
call (310) 696-4500

The DigiTrust Group is a managed security services firm that focuses on using advanced people, processes, and technology to proactively provide the highest level of information security at our client organizations. We do this by actively identifying, blocking, and researching attackers hitting our client organizations. In short, we act as a security operations center (SOC) for organizations that either do not have a SOC or require augmented SOC functionality.