Reading "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" by Lockheed Martin Corporation.
The article starts by explaining what APT (Advanced Persistent Threat) means. This type of threat is becoming more and more serious: while we have developed whole sets of methods and barriers against self-propagating viruses and other "automatic" threats, we are facing a problem when it comes to incident response for Advanced Persistent Threats.
"Advances in infrastructure management tools have enabled best practices of enterprise-wide patching and hardening, reducing the most easily accessible vulnerabilities in networked services. Yet APT actors continually demonstrate the capability to compromise systems by using advanced tools, customized malware, and "zero-day" exploits that anti-virus and patching cannot detect or mitigate. Responses to APT intrusions require an evolution in analysis, process, and technology; it is possible to anticipate and mitigate future intrusions based on knowledge of the threat."
An Intrusion Kill Chain, or intrusion scenario, is simply the process followed by an intruder. The article presents a lot of concepts and statements on how to think about the incident response process, based on case studies of attacks. Lockheed Martin shows that we need to know what an attack looks like in order to know how to defend against APT. This is obvious, but when we look at this approach more closely, we find that there is a great deal of knowledge behind the countless shortcuts and processes.
Really awesome article.
Based on the fantastic work of Richard Bejtlich, I am presenting one intrusion scenario (simplified version):
To sum up and describe the graph, we go through these stages:
1. Reconnaissance: all scanning activity, vulnerability scanning, checking connectivity, identifying what system we are talking to, its versions, patches and infrastructure.
2. Exploitation
3. Reinforcement: methods of leveraging our privileges on the owned machine, using methods and tools to create a backdoor and our "place" on the victim machine.
4. Verification: checking whether we have easy access to the attacked machine, whether we are raising any alarms, etc.
5. Cyber crime: in this stage the attacker carries out his plan (theft, vandalism, etc.)
Another scenario is presented by the United States Department of Defense and is called the "Kill chain". Quickly summarizing:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. C2
7. Actions
The second model is more detailed: the "exploit" stage is divided into more specialized levels. Nevertheless, both approaches and models show what an attack looks like and what the purpose of each stage is. It is worth mentioning that during an intrusion the attacker may use several different IPs, for example a different source for every stage. At the same time, different protocols, tools or even systems might be used. What I think is that there are a variety of methods and ways of prevention. Discussing the attack from the hacker's point of view, we find several stages where we can apply different types of protection. On the other hand, for the investigator there are a multitude of places and factors that must be checked during the intrusion detection process. Sure, the human factor is always crucial in attacking, preventing or even investigating the crime scene. This cannot really be called simply cyber crime, but rather a fight between the "bad and good" guys and their skills.
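To make the defender's side of this concrete, here is an added example (my own code, not from the Lockheed Martin paper or from Bejtlich's work) that maps constructed log events onto the seven-phase kill chain and reports, per phase, whether the intrusion was observed and whether any sensor actually alerted. The sensor names, the sensor-to-phase mapping and every event in the timeline are assumptions invented for the example; the timeline deliberately uses a different source IP for each phase, as described above.

```python
from dataclasses import dataclass

# The seven phases of the DoD / Lockheed Martin kill chain, in order.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "C2", "Actions"]

# Hypothetical mapping from the sensor that produced a log line to the
# kill chain phase that sensor is able to observe (assumption for this
# example; a real deployment would build its own table).
SENSOR_PHASE = {
    "firewall": "Reconnaissance",
    "mail_gateway": "Delivery",
    "edr_exploit": "Exploitation",
    "edr_persistence": "Installation",
    "web_proxy": "C2",
    "dlp": "Actions",
}


@dataclass(frozen=True)
class Event:
    ts: int          # sequence number standing in for a timestamp
    sensor: str      # which sensor logged the line
    src_ip: str      # attacker-side address seen by that sensor ("-" if none)
    detail: str      # free-text description from the log
    alerted: bool    # did the sensor raise an alert, or merely log it?


# Constructed timeline of one intrusion (sample data, not real traffic).
# Note that each phase arrives from a different source address.
SAMPLE_EVENTS = [
    Event(1, "firewall", "198.51.100.7", "port sweep of 22,80,443", False),
    Event(2, "mail_gateway", "203.0.113.9", "PDF attachment accepted", False),
    Event(3, "edr_exploit", "203.0.113.9", "reader spawned a shell", True),
    Event(4, "edr_persistence", "-", "run key added", True),
    Event(5, "web_proxy", "192.0.2.44", "periodic POST every 60s", False),
    Event(6, "dlp", "192.0.2.44", "archive upload 40 MB", True),
]


def phase_of(event):
    """Kill chain phase an event belongs to, or None if the sensor is unmapped."""
    return SENSOR_PHASE.get(event.sensor)


def coverage(events):
    """Per phase, a tuple (observed in logs, alerted on).

    Weaponization happens on the attacker's side, so no sensor here can
    observe it directly; it stays (False, False) for every timeline.
    """
    result = {p: [False, False] for p in PHASES}
    for e in events:
        p = phase_of(e)
        if p is None:
            continue
        result[p][0] = True
        if e.alerted:
            result[p][1] = True
    return {p: tuple(v) for p, v in result.items()}


def earliest_alerted_phase(events):
    """First phase, in kill chain order, where a sensor actually alerted."""
    cov = coverage(events)
    for p in PHASES:
        if cov[p][1]:
            return p
    return None


def missed_but_logged(events):
    """Phases with evidence in the logs but no alert: the places an
    investigator must go back and check once the intrusion is known."""
    cov = coverage(events)
    return [p for p in PHASES if cov[p][0] and not cov[p][1]]


def sources_by_phase(events):
    """Distinct attacker-side addresses seen in each phase."""
    out = {}
    for e in events:
        p = phase_of(e)
        if p is not None and e.src_ip != "-":
            out.setdefault(p, set()).add(e.src_ip)
    return out


if __name__ == "__main__":
    for p, (seen, alerted) in coverage(SAMPLE_EVENTS).items():
        print(f"{p:15} observed={seen!s:5} alerted={alerted}")
    print("earliest alert:", earliest_alerted_phase(SAMPLE_EVENTS))
    print("logged but not alerted:", missed_but_logged(SAMPLE_EVENTS))
    distinct = set().union(*sources_by_phase(SAMPLE_EVENTS).values())
    print("distinct source addresses:", sorted(distinct))
```

On the constructed timeline the first alert only fires at Exploitation, while Reconnaissance, Delivery and C2 were all logged but never alerted on; that gap list is exactly the set of places the investigator has to revisit, and the three different source addresses show why correlating on a single IP would miss most of the chain.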