Post on 01-May-2018


  • Cyber Kill Chain Model for Root Cause Analysis

    Table of Contents

    Review Root Cause Analysis -1: page 2
    Review Root Cause Analysis -2: page 3
    Kill Chain Concept: page 4
    Lockheed Martin Cyber Kill Chain -1: page 6
    Lockheed Martin Cyber Kill Chain -2: page 7
    Lockheed Martin Cyber Kill Chain -3: page 10
    Using the Kill Chain for Mitigating Incidents: page 12
    Kill Chain Model Considerations: page 14
    Notices: page 15

    Page 1 of 15

  • Review Root Cause Analysis -1

    [Distribution Statement A] This material has been approved for public release and unlimited distribution.


    Definitions

    A root cause is an initiating or highest-level cause of a problem.
    (sources: Wikipedia, https://en.wikipedia.org/wiki/Root_cause; ASQ, http://asq.org/learn-about-quality/root-cause-analysis/overview/overview.html)

    Root cause analysis is the understanding of the "design" or "implementation" flaw that allowed the attack.
    (source: FIRST Security Incident Response Team (SIRT) Services Framework, https://www.first.org/_assets/global/FIRST_SIRT_Services_Framework_Version1.0.pdf)


    **004 So first let's do a quick review of what root cause analysis is. Basically root cause is the underlying or fundamental or initiating highest-level cause of a particular problem or issue. In this case we're looking at cybersecurity incidents. So root cause analysis is understanding what the flaw or the problem or issue is that allowed that particular incident or attack to occur.


  • Review Root Cause Analysis -2


    Why do a root cause analysis? It can benefit other incident management processes, such as prevention, detection, and response.

    When? Usually during the detailed analysis steps of the incident response process, but it can also occur with other analysis steps anywhere in the incident management lifecycle.

    How? Using a list of causes or threat vectors and a methodical approach, and analyzing available information sources.


    **005 Why do we want to do root cause analysis? Well, it's going to benefit other types of incident management processes, and particularly the response process, in providing a more targeted, focused response to that particular problem or issue. It can also help with the prevention and detection of incidents from reoccurring on that same system or occurring on other systems, if you understand what truly allowed the incident to occur. It generally occurs during the analysis phase of the incident response processes, but it can also happen during the initial detection, triage, or other analysis phase that happened anywhere during the incident management lifecycle. And how it is performed is by having some kind of understanding, a list of causes or threat vectors, having an approach or a process for identifying those threat vectors, and having available information to analyze from various data sources that can be used in the root cause analysis.

  • Kill Chain Concept

    Kill chain is a term originally used to define a military concept of target identification, force dispatch to target, decision and order to attack the target, and the destruction of the target. (source: http://www.jargondatabase.com/Category/Military/Air-Force-Jargon/Kill-Chain)

    In information security, a kill chain is a systematic process to target and engage an adversary to create desired effects. (source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf)

    Identifying and understanding the phases (kill chain) of a cyber attack can enable better defense and response to an incident.


    **006 So Lockheed Martin has taken a concept called kill chain, which was a term originally used in the military. It's a concept for identifying a particular target, dispatching a force to that particular target, deciding to attack the target, and then acting upon that target. So that's how "kill chain" is used in a military context. So Lockheed Martin took this same term and applied it to information security, and in an information security context, a kill chain is the systematic process to target and engage an adversary and create-- and their ability to create the desired effects. So in the case of a cybersecurity incident, we're trying to disrupt or deny the adversary or the attacker the ability to perform that particular incident, and by understanding the different phases of the kill chain that an attacker might use, we can then better identify where we can put in places to detect that activity, to mitigate, to prevent against it, and to put other defensive controls or mitigation actions in place.

  • Lockheed Martin Cyber Kill Chain -1


    Lockheed Martin (LM) expanded the kill chain concept to present a cyber intrusion kill chain model with seven phases:

    1. Reconnaissance
    2. Weaponization
    3. Delivery
    4. Exploitation
    5. Installation
    6. Command and control (C2)
    7. Actions on objectives

    (source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf)


    **007 So looking at Lockheed Martin's Kill Chain Model, Cyber Kill Chain Model, they took the concept and they identified seven different phases that an attacker will typically go through. Not for every incident but for many incidents, these are the phases. The first step is reconnaissance, where they're trying to identify information. We'll describe these in a little bit more detail in the next slide and show some examples. A second phase might be weaponizing or creating some way to actually attack the system. Delivering that attack mechanism is the third phase-- exploiting perhaps a vulnerability that might exist, installing some additional software or some future access, taking control of the system, and then performing what actions they intend to on the system they've taken control of.

  • Lockheed Martin Cyber Kill Chain -2

    The seven steps of the process provide visibility into an attack and an understanding of the adversary's objectives.


    (source: http://www.lockheedmartin.com/us/what-we-do/information-technology/cybersecurity/tradecraft/cyber-kill-chain.html)

    **008 So in this table we show examples of typical scenarios or types of incidents that might be a little bit more descriptive of the different phases or steps in an intruder's process. So under the reconnaissance phase, a typical example might be they're doing some probing or scanning or they identify some weakness; in this case, they find a gap in the security of a particular social network. So identifying that gap or that target is the first phase. Phase two, the weaponization, in this case they might build or acquire or download or find another way to exploit that weakness by perhaps using some malicious software, a malicious attachment, that they can then upload or send to users of that particular social network. In the third phase, delivery, the attacker actually delivers that particular malicious attack on the social media, or perhaps an email message or some other-- luring them to a website that might look like something the user-- in this case, an employee of the organization-- might be able to use. And then the next phase, exploitation-- in this particular scenario, a user or an employee might open the particular malicious attachment and therefore cause a vulnerability to be exposed. The installation phase is where the malware does install itself on the client system that the user had access to. And then the sixth phase of the kill chain is what they call the command-and-control, the C2 phase, where the attacker actually takes control of that system through this particular malicious software that had been downloaded.
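The slides above describe root cause analysis as a methodical walk through a list of threat vectors against the available data sources, and the kill chain as the ordered list of phases to walk. The following Python is an added example, written for this page rather than taken from the course or from Lockheed Martin, that puts the two together for the malicious-attachment scenario narrated on slide 8: constructed evidence from assumed data sources (a mail gateway, an endpoint agent, a web proxy) is tagged with its kill chain phase, and the script reports which phases have evidence, which phases the attacker must have passed through without any source seeing them, whether any evidence is out of chain order, and the earliest phase at which an existing control saw the attack, which is where the "what flaw allowed this" question starts. Every timestamp, source name and detail is made up.

```python
# Added example, not from the course: map constructed incident evidence onto the
# Lockheed Martin Cyber Kill Chain to steer a root cause review. All data is made up.
from dataclasses import dataclass
from datetime import datetime

# The seven phases, in order, as listed on the slide.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
PHASE_INDEX = {name: i for i, name in enumerate(KILL_CHAIN)}


@dataclass(frozen=True)
class Observation:
    """One piece of evidence from an incident, tagged with the phase it belongs to."""
    when: datetime
    source: str    # data source that produced it (names below are assumed)
    phase: str     # one of KILL_CHAIN
    detail: str


def parse_observations(rows):
    """(iso_timestamp, source, phase, detail) tuples -> time-ordered Observations.
    An unknown phase name raises rather than silently vanishing from the analysis."""
    obs = []
    for when, source, phase, detail in rows:
        if phase not in PHASE_INDEX:
            raise ValueError(f"unknown kill chain phase {phase!r} in evidence from {source}")
        obs.append(Observation(datetime.fromisoformat(when), source, phase, detail))
    return sorted(obs, key=lambda o: o.when)


def phases_observed(obs):
    """Phases with at least one piece of evidence, in kill chain order."""
    seen = {o.phase for o in obs}
    return [p for p in KILL_CHAIN if p in seen]


def visibility_gaps(obs):
    """Phases up to the latest one observed for which no source produced evidence.
    The chain is sequential, so these are detection blind spots, not skipped phases."""
    seen = phases_observed(obs)
    if not seen:
        return []
    return [p for p in KILL_CHAIN[: PHASE_INDEX[seen[-1]] + 1] if p not in seen]


def out_of_order(obs):
    """Evidence for an earlier phase timestamped after evidence for a later phase:
    either mis-tagged or a second intrusion, so it must not be folded into this chain
    without a second look."""
    flagged, furthest = [], -1
    for o in obs:  # already time-sorted by parse_observations
        idx = PHASE_INDEX[o.phase]
        if idx < furthest:
            flagged.append(o)
        furthest = max(furthest, idx)
    return flagged


def earliest_evidence(obs):
    """The earliest phase with evidence is the first point an existing control saw
    the attack; the root cause question starts there: which design or implementation
    flaw let the attacker get past it?"""
    seen = phases_observed(obs)
    if not seen:
        return None, []
    return seen[0], [o for o in obs if o.phase == seen[0]]


def root_cause_report(rows):
    """Summarise one incident's evidence for the analyst doing the root cause review."""
    obs = parse_observations(rows)
    first_phase, first_evidence = earliest_evidence(obs)
    return {
        "observed": phases_observed(obs),
        "visibility_gaps": visibility_gaps(obs),
        "out_of_order": [o.detail for o in out_of_order(obs)],
        "earliest_evidence_phase": first_phase,
        "review_from": sorted({o.source for o in first_evidence}),
    }


# Constructed evidence for the malicious-attachment scenario narrated on slide 8.
SCENARIO = [
    ("2018-04-02T09:14:00", "mail gateway", "delivery",
     "message with a macro-enabled attachment accepted for an employee mailbox"),
    ("2018-04-02T09:20:31", "endpoint agent", "exploitation",
     "word processor spawned a script interpreter after the attachment was opened"),
    ("2018-04-02T09:20:40", "endpoint agent", "installation",
     "new autorun entry persisting an executable dropped in the user profile"),
    ("2018-04-02T09:21:05", "web proxy", "command_and_control",
     "periodic HTTPS beacons from the workstation to a domain never seen before"),
]

if __name__ == "__main__":
    for key, value in root_cause_report(SCENARIO).items():
        print(f"{key}: {value}")
```

For the constructed scenario the report lists delivery through command and control as observed, reconnaissance and weaponization as visibility gaps, and the mail gateway as the source to start the review from: the first question is why the gateway accepted the attachment, the second is why opening it gave the attacker code execution. The two gaps are not equal. Weaponization happens on the adversary's side and normally leaves nothing in a defender's data sources, so that gap is expected; the reconnaissance gap is the one worth chasing, since the slide's scenario has the attacker finding a weakness in a social network before any message was sent, and that is evidence the organisation will only have if it looks outside its own logs. The out_of_order check matters when evidence from several systems is pooled: a port scan logged after the beacons began is either a second intrusion or a mislabelled record, and either way it should not be used to explain this chain.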