
Upload: lamthien

Post on 01-May-2018


Cyber Kill Chain Model for Root Cause Analysis

Table of Contents

- Review – Root Cause Analysis -1 (page 2)
- Review – Root Cause Analysis -2 (page 3)
- Kill Chain Concept (page 4)
- Lockheed Martin Cyber Kill Chain® -1 (page 6)
- Lockheed Martin Cyber Kill Chain® -2 (page 7)
- Lockheed Martin Cyber Kill Chain® -3 (page 10)
- Using the Kill Chain for Mitigating Incidents (page 12)
- Kill Chain Model Considerations (page 14)
- Notices (page 15)

Page 1 of 15

Review – Root Cause Analysis -1

[Distribution Statement A] This material has been approved for public release and unlimited distribution.

Definitions

• A root cause is an initiating or highest level cause of a problem. (sources: Wikipedia, https://en.wikipedia.org/wiki/Root_cause; ASQ, http://asq.org/learn-about-quality/root-cause-analysis/overview/overview.html)

• Root cause analysis is the understanding of the "design" or "implementation" flaw that allowed the attack. (source: FIRST “Security Incident Response Team (SIRT) Services Framework,” https://www.first.org/_assets/global/FIRST_SIRT_Services_Framework_Version1.0.pdf)

4

**004 So first let's do a quick review of what root cause analysis is. Basically, root cause is the underlying or fundamental or initiating highest-level cause of a particular problem or issue. In this case we're looking at cybersecurity incidents. So root cause analysis is understanding what the flaw or the problem or issue is that allowed that particular incident or attack to occur.

Review – Root Cause Analysis -2

Why do a root cause analysis?
• can benefit other incident management processes, such as prevention, detection, and response

When?
• usually during the detailed analysis steps of the incident response process, but can also occur with other analysis steps anywhere in the incident management lifecycle

How?
• using a list of causes or threat vectors and a methodical approach, and analyzing available information sources

5

**005 Why do we want to do root cause analysis? Well, it's going to benefit other types of incident management processes, and particularly the response process, in providing a more targeted, focused response to that particular problem or issue. It can also help with the prevention and detection of incidents from reoccurring on that same system or occurring on other systems, if you understand what truly allowed the incident to occur. It generally occurs during the analysis phase of the incident response process, but it can also happen during the initial detection, triage, or other analysis phase that happens anywhere during the incident management lifecycle. And how is it performed? By having some kind of understanding, a list of causes or threat vectors, having an approach or a process for identifying those threat vectors, and having available information to analyze from various data sources that can be used in the root cause analysis.

Kill Chain Concept

Kill chain is a term originally used to define a military concept of “target identification, force dispatch to target, decision and order to attack the target, and the destruction of the target.” (source: http://www.jargondatabase.com/Category/Military/Air-Force-Jargon/Kill-Chain)

In information security, “a kill chain is a systematic process to target and engage an adversary to create desired effects.” (source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf)

Identifying and understanding the phases (kill chain) of a cyber attack can enable better defense and response to an incident.

6

**006 So Lockheed Martin has taken a concept called kill chain, which was a term originally used in the military. It's a concept for identifying a particular target, dispatching a force to that particular target, deciding to attack the target, and then acting upon that target. So that's how "kill chain" is used in a military context. So Lockheed Martin took this same term and applied it to information security, and in an information security context, a kill chain is the systematic process to target and engage an adversary and create-- and their ability to create the desired effects. So in the case of a cybersecurity incident, we're trying to disrupt or deny the adversary or the attacker the ability to perform that particular incident, and by understanding the different phases of the kill chain that an attacker might use, we can then better identify where we can put in places to detect that activity, to mitigate, to prevent against it, and to put other defensive controls or mitigation actions in place.

Lockheed Martin Cyber Kill Chain® -1

Lockheed Martin (LM) expanded the kill chain concept to present a cyber intrusion kill chain model with seven phases:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and control (C2)
7. Actions on objectives

(source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf)

7

**007 So looking at Lockheed Martin's Kill Chain Model, Cyber Kill Chain Model, they took the concept and they identified seven different phases that an attacker will typically go through. Not for every incident, but for many incidents, these are the phases. The first step is reconnaissance, where they're trying to identify information. We'll describe these in a little bit more detail in the next slide and show some examples. A second phase might be weaponizing or creating some way to actually attack the system. Delivering that attack mechanism is the third phase-- exploiting perhaps a vulnerability that might exist, installing some additional software or some future access, taking control of the system, and then performing what actions they intend to on the system they've taken control of.

Lockheed Martin Cyber Kill Chain® -2

The seven steps of the process provide visibility into an attack and an understanding of the adversary’s objectives.

8

(source: http://www.lockheedmartin.com/us/what-we-do/information-technology/cybersecurity/tradecraft/cyber-kill-chain.html)

**008 So in this table we show examples of typical scenarios or types of incidents that might be a little bit more descriptive of the different phases or steps in an intruder's process. So under the reconnaissance phase, a typical example might be they're doing some probing or scanning or they identify some weakness; in this case, they find a gap in the security of a particular social network. So identifying that gap or that target is the first phase. Phase two, the weaponization, in this case they might build or acquire or download or find another way to exploit that weakness by perhaps using some malicious software, a malicious attachment, that they can then upload or send to users of that particular social network. In the third phase, delivery, the attacker actually delivers that particular malicious attack on the social media, or perhaps an email message or some other-- luring them to a website that might look like something the user-- in this case, an employee of the organization-- might be able to use. And then the next phase, exploitation-- in this particular scenario, a user or an employee might open the particular malicious attachment and therefore cause a vulnerability to be exposed. The installation phase is where the malware does install itself on the client system that the user had access to. And then the sixth phase of the kill chain is what they call the command-and-control, the C2 phase, where the attacker actually takes control of that system through this particular malicious software that had been downloaded. Perhaps it's set up some backdoors, some unauthorized accounts, opened ports or services on particular systems, whatever the way that the malicious code is designed. And then the final phase, actions on the objectives-- they can then therefore-- in this scenario the attacker can identify other systems, other critical information, other resources they might use on this controlled system they've been able to obtain access to, to perform follow-up actions. So this is just kind of a high-level overview of how the Lockheed Martin Kill Chain concept is applied in their root cause analysis model.

Lockheed Martin Cyber Kill Chain® -3

Intrusion reconstruction
• Kill chain analysis can help analysts understand what information is (or may be) available for defensive courses of action.
- Late phase detection
- Earlier phase detection

9

(source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf)

**009 So how can we use this for root cause analysis? Well, understanding the different phases of the kill chain can then be used in identifying the courses of action that an incident responder may be able to use to try to put in defensive controls. In this slide we show two different examples, and typically if an incident is not detected until later phases of the process of the kill chain, generally the detection, the things that you'll have to analyze to track back all the different possible ways that the incident may have occurred, there's going to be more enumerated different possibilities and different controls that might need to be put in place to identify and mitigate and defend against this particular type of attack. However, ideally, Lockheed Martin proposes the goal is to try to move the identification and detection to earlier phases in the kill chain, and if you can stop them from installing or exploiting the vulnerabilities then it's going to be easier, more effective, to control and put defensive measures in place. And then also synthesizing the information from the successful defenses that you put in place and the unsuccessful attacks can then feed back into the other processes in prevention and detection of other incidents.

Using the Kill Chain for Mitigating Incidents

Table 1: Courses of Action Matrix

10

(source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf)

**010 So here's another example of looking at mapping the seven phases of the Lockheed Martin Kill Chain to six categories that the United States Department of Defense identifies as part of their Information Operations Doctrine, and these information operations characteristics are detect, deny, disrupt, degrade, deceive or destroy. So they've mapped these DoD information operations to the various phases of the kill chain, the intruder's kill chain, and show how you might be able to implement different controls or methods to prevent an incident from happening. So for example, in the previous scenario where we had exploitation, if you have host-based intrusion detection systems you might be able to quickly detect and perhaps prevent the attempted exploitation of this malicious code from being installed. If you have particular security patches installed in place to prevent that vulnerability from being exploited, this can deny the exploitation action from occurring. And if it gets past these two layers of defense, you might be able to disrupt the execution of that exploitation by having things such as data execution prevention tools or methods in place on that particular system. So this just shows an example of various types of defense-in-depth methods, approaches, techniques to identify and map, and knowing, understanding the different relationships between these can also help us focus on identifying, if we can, the underlying root causes and how we can map that to the response course of actions.
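As an added illustration (not part of the course material), the Python below applies the intrusion reconstruction idea from the previous slide and the courses-of-action mapping from this one to a constructed event timeline for the lecture's attachment scenario: it classifies each event into a kill chain phase, reports the first phase that actually raised an alert, and lists the earlier phases that passed silently together with the courses of action the lecture gives for them. The keyword rules, the sample events, and the `Event` structure are assumptions for this example; only the Exploitation row of the courses-of-action matrix (HIDS, patch, DEP) comes from the lecture, so the other rows are deliberately left empty.

```python
from collections import namedtuple

# Lockheed Martin kill chain phases, in order.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and control", "Actions on objectives"]

# Courses of action per phase. Only the Exploitation row is from the lecture
# (HIDS to detect, patch to deny, DEP to disrupt); other rows are left empty
# because the slide's matrix is not reproduced on the page.
COURSES_OF_ACTION = {
    "Exploitation": {"detect": "host-based IDS", "deny": "security patch",
                     "disrupt": "data execution prevention"},
}

# Hypothetical keyword rules mapping an event description to a phase.
PHASE_RULES = [
    ("Delivery", ("attachment received", "message delivered", "link clicked")),
    ("Exploitation", ("opened attachment", "macro executed", "exploit")),
    ("Installation", ("dropped", "persistence", "new service")),
    ("Command and control", ("beacon", "outbound connection")),
    ("Actions on objectives", ("lateral movement", "credential dump", "exfil")),
]

# alerted: whether a control raised an alert on the event at the time.
Event = namedtuple("Event", "timestamp source description alerted")

def classify(event):
    """Return the kill chain phase an event belongs to, or None."""
    text = event.description.lower()
    for phase, keywords in PHASE_RULES:
        if any(k in text for k in keywords):
            return phase
    return None

def reconstruct(events):
    """Return (phases seen in kill chain order, first alerted phase, silent phases)."""
    seen = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        phase = classify(ev)
        if phase is not None:
            seen.setdefault(phase, []).append(ev)
    ordered = [p for p in PHASES if p in seen]
    alerted = [p for p in ordered if any(e.alerted for e in seen[p])]
    silent = [p for p in ordered if p not in alerted]
    return ordered, (alerted[0] if alerted else None), silent

def courses_for_gaps(silent):
    """Known courses of action for each phase that passed without an alert."""
    return {p: COURSES_OF_ACTION.get(p, {}) for p in silent}

# Constructed timeline for the lecture's scenario: a malicious attachment
# arrives via a social-network notification, is opened, installs, beacons.
SAMPLE_EVENTS = [
    Event("2016-03-01T09:02", "mail-gateway", "Attachment received from social network notification", False),
    Event("2016-03-01T09:10", "endpoint", "User opened attachment; macro executed", False),
    Event("2016-03-01T09:11", "endpoint", "Dropped binary registered as new service for persistence", False),
    Event("2016-03-01T09:15", "proxy", "Outbound connection beacon to unknown host", True),
    Event("2016-03-01T10:40", "domain-controller", "Credential dump attempt", True),
]
```

With the sample timeline the first alert comes only at command and control, so delivery, exploitation and installation are the silent phases a root cause analysis has to enumerate, and the exploitation gap is the one for which the lecture names concrete detect/deny/disrupt controls.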

Kill Chain Model Considerations

The LM Cyber Kill Chain model’s threat vectors are malware- and [external] intrusion-focused.
• How do you apply it to insider threats?
• How do you apply it to attacks that did not exploit vulnerabilities or install malware (e.g., social engineering)?

Typically little is discoverable about the attacker’s activities in phases 1 and 2 (reconnaissance and weaponization) of the cyber kill chain, and such knowledge is not as “actionable” as the information identified in the later phases.

11

**011 Now, some of the things to keep in mind are that this kill chain model is focused primarily on intrusions and malware-focused, external types of incidents and attacks, and so it might apply to those better than, say, for example, if you had an insider incident, where you don't have malware being used or you don't have an unauthorized intrusion. And what happens if you have an incident that does not use social engineering-- or not exploiting vulnerabilities or installing malware, that it is taking advantage of impersonation or deceiving the users? This model is not quite as applicable as other types of approaches. Another thing to keep in mind is that the earlier phases, as far as the reconnaissance and weaponization that occurs, often there's not a lot of discoverable information in those types of phases that can be actionable, so you'll have to focus on the later phases of the kill chain for actionable courses of your response.

Notices

Copyright 2016 Carnegie Mellon University

[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

Carnegie Mellon®, CERT® and CERT Coordination Center® are registered marks of Carnegie Mellon University.

DM-0003588
