Advanced Persistent Threats (APTs) are trouble. And it can be difficult to figure out an appropriate response, one that is effective rather than just costly.
In pursuit of that goal, Lockheed Martin’s Computer Incident Response Team created what they describe as an intelligence-driven defense process they have called the Cyber Kill Chain®. It is a process that helps IT remediate and mitigate advanced threats in the future. The program grew out of a paper on Intelligence-Driven Computer Network Defense authored by Lockheed Martin intrusion analysts Eric Hutchins, Michael Cloppert and Dr. Rohan Amin. It was first published at the 6th Annual International Conference on Information Warfare and Security in March 2011.
Since then, others have been inspired by the approach and have sought to emulate it. For instance, in an interesting blog post, Ramon Krikken, Research VP for Technical Professionals Security and Risk Management Strategies at Gartner, discussed the company’s version, the Cyber Attack Chain Model, which adds a few wrinkles and, as Krikken candidly admits, doesn’t step on Lockheed Martin’s trademark. Krikken goes on to explain that the standard model for thinking about the attack chain helps delineate the type and sequence of attacks. However, he notes, in some cases, “The shortest path to successful attack may only be a single phase long.”
The rise of the attack chain approach is the result of a growing perception that traditional perimeter defense tools and solutions, which also tend to restrict users and hinder business processes, are not meeting the APT challenge. A recent blog post on business-cloud.com quotes Zoltán Györkő, CEO of BalaBit, a security product vendor. “Attackers are intelligent, well-funded and their attacks are increasingly complex and well targeted. The common theme of the recent, high-profile breaches is that they were carefully planned and went undetected for some time,” he explains.
Thus, at a minimum, there is a benefit from implementing deep log analysis and log correlation across multiple sources, ultimately as a way to improve the likelihood of spotting APT activity. A Security Information and Event Management (SIEM) tool can also correlate and analyze logs. SIEMs are not created equal and vary considerably in their capabilities and functions. Given the growing sophistication of malware, bells and whistles – at least if they “work” – can be worth having. So, in short, shop thoughtfully.
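As an added illustration of what cross-source correlation buys you (example code written for this article, not Lockheed Martin's or any SIEM vendor's), the script below groups constructed mail, EDR and proxy events per host, maps each to one of the seven kill-chain phases named in the Hutchins, Cloppert and Amin paper, and scores how much of the chain a single host has walked. The log format, event names, phase mapping and two-hour window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The seven phases from the Hutchins/Cloppert/Amin paper, in order.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
# Hypothetical (source, event) -> phase mapping; a real SIEM would derive
# this from its own detection content.
PHASE_OF = {("mail", "attachment_macro"): "delivery",
            ("edr", "office_spawned_shell"): "exploitation",
            ("proxy", "beacon_new_domain"): "command_and_control",
            ("proxy", "large_upload"): "actions_on_objectives"}
# Constructed sample lines from three sources; the format is an assumption.
SAMPLE_LOGS = """\
2024-05-01T09:00:10 mail host=ws17 user=alice event=attachment_macro
2024-05-01T09:01:32 edr host=ws17 user=alice event=office_spawned_shell
2024-05-01T09:02:05 proxy host=ws17 user=alice event=beacon_new_domain
2024-05-01T09:40:00 proxy host=ws17 user=alice event=large_upload
2024-05-01T10:15:00 proxy host=ws22 user=bob event=beacon_new_domain
2024-05-01T10:16:00 edr host=ws22 user=bob event=service_started
""".splitlines()
LINE_RE = re.compile(r"^(\S+) (\w+) host=(\S+) user=\S+ event=(\S+)$")

def phases_by_host(lines, window=timedelta(hours=2)):
    """Group phase-mapped events per host, keeping those within `window` of
    the host's earliest one (a single window per host keeps this short)."""
    seen = defaultdict(list)
    for line in sorted(lines):  # fixed-width ISO timestamps sort correctly
        m = LINE_RE.match(line.strip())
        phase = PHASE_OF.get((m.group(2), m.group(4))) if m else None
        if phase is None:
            continue  # unparsable line or event with no phase mapping
        t, hist = datetime.fromisoformat(m.group(1)), seen[m.group(3)]
        if not hist or t - hist[0][0] <= window:
            hist.append((t, phase))
    return {h: [p for _, p in v] for h, v in seen.items()}

def chain_score(phases):
    """Distinct phases covered if they occur in kill-chain order, else 0.
    A score of 1 is Krikken's single-phase case: weak, but not nothing."""
    idx = [PHASES.index(p) for p in phases]
    return len(set(idx)) if idx == sorted(idx) else 0

def alerts(lines, threshold=3):
    """Hosts whose correlated, multi-source events span >= threshold phases."""
    scores = {h: chain_score(p) for h, p in phases_by_host(lines).items()}
    return {h: s for h, s in scores.items() if s >= threshold}
```

On the sample data, ws17 scores 4 (delivery through actions on objectives) and is alerted, while ws22's lone beacon scores 1; no single source on its own would have produced the ws17 picture.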
Another concept that can help frustrate APTs is least privilege. This applies first and foremost to people. No one should have unfettered access to IT resources beyond what they need for their job. Exploiting the privileges individuals do have is a key strategy for APT attackers. The concept also extends to systems and software. Privileges can and should be set to ensure that one vulnerable spot doesn’t become a freeway by which key assets can be stolen and exfiltrated.