SlideShare a Scribd company logo

Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL

M
Michael Bunn

Organizations must address the Cyber Kill Chain to defend against advanced threats. The Cyber Kill Chain describes the 7 stages of an attack - reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on targets. Traditionally, organizations focused on prevention at the perimeter, but attackers have bypassed these defenses. To improve security, organizations should detect, deny, disrupt, and recover at each stage of the Cyber Kill Chain rather than solely focusing on prevention. This involves technologies like network monitoring, endpoint protection, and threat intelligence across all phases of an attack.

1 of 11
Downloaded 40 times
1
2
3
4
5
6
7
8
9
10
11
Featuring research from Gartner Defending against Advanced Threats: Addressing the Cyber Kill Chain “We have known for a considerable period of time that the perimeter-centric security approach is not a panacea for all ills, but organizations should not move away from these controls because they provide a solid foundation. However, in order to allocate and prioritize resources, they should be extended with methods based on an understanding of the CKC. “ - Gartner Addressing the Cyber Kill Chain, Craig Lawson, 15 August 2014 The latest data breach reports on the daily news remind us of the rapidly changing state of enterprise security. No longer can the focus remain solely on a strong perimeter and end point protection; a new model and approach is required inclusive of the above but extending to deeper analysis and data protection as well. “The current pre- vention, prevention, prevention approach to dealing with the threat landscape has failed to address advanced and targeted attacks with enough efficacy.”1 More is required including updated thinking, a new course to address the challenge and next generation protection solutions. A traditional “castle moat and keep” defense mindset per- sists today as enterprises invest heavily in perimeter and endpoint protection solutions. While previously successful in protecting companies, these investments are no longer showing the same return. Attackers have innovated and exploited channels through these traditional defenses. 4 From the Gartner Files: Addressing the Cyber Kill Chain 11 About Proofpoint, Inc. In this report: Changing the conversation and focus to the mechanics of an advanced or targeted attack is key to disrupting mali- cious actions.
2 In 2011, researchers at Lockheed Martin devel- oped the Kill Chain modeled on evidence from network attacks.2 The Kill Chain is widely known, understood and quoted in security circles. How- ever, it is not generally applied to companies’ security infrastructure investments. Gartner re- search recommends organizations: “Understand the flow of the kill chain to better understand your adversaries and therefore adjust your defensive tactics to improve your security posture.”3 Align your defenses with reality. Augment existing defenses with best of breed solutions which deploy innovative techniques to detect, block and disrupt the attack before it occurs, shorten the response time and ultimately protect enterprise assets and data. Proofpoint Aligned to the Cyber Kill Chain Model A suite of products which maps to the reality of the kill chain is optimum. A large collection is listed in Table 1 of the attached Gartner report. Our focus is a subset. Proofpoint’s solution set maps to the Cyber Kill Chain model as detailed in the diagram below. About Proofpoint’s Superior Advanced Threat Protection Block, Detect, Respond, and Harden are the key pillars of the Proofpoint solution set. Proofpoint’s portfolio of industry-leading security solutions for blocking email-borne attacks, detecting new advanced threats, automating incident response, and reducing the impact of potential breaches ad- dress the reality of today’s advanced attacks and aligns security infrastructure with the Kill Chain. Email which continues to be a critical business service is the top route for attackers. The Proof- point security suite detects and manages ad- vanced email-borne threats, provides security for sensitive data, and accelerates the identification and containment of new threats. • Stopping more advanced threats: Delivered through the cloud-based Proofpoint Enterprise Protection Suite, organizations of all sizes have access to industry-leading inbound and outbound email security. This suite accurately classifies and blocks threats, while leveraging phishing detection, anti-spam and antivirus technologies. • Detecting advanced threats faster with actionable intelligence: Proofpoint Targeted Attack Protection detects phishing and web compromise attacks and provides organizations with actionable intelligence to quickly respond. Backed by continuous big data analysis of bil- lions of data points, Proofpoint provides detailed information around campaign type, targeted us- ers and potentially infected systems. Armed with this information, organizations can identify and manage new threats before they lead to data breaches and destructive compromises. 1 Addressing the Cyber Kill Chain (Gartner), p. 1 2 http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html 3 Ibid. 1 Block Known Threats Enterprise Protection Detect Unknown Threats Targeted Attack Protection Respond to Incidents Threat Response Harden Against Loss Regulatory Compliance Encryption Content Control Recon Weaponise Deliver Exploit Install C2 Action Harden
3 • Automating incident response, accelera- ting threat remediation: Proofpoint Threat Re- sponse provides users with an open, extensible platform that automates incident response and the incident management lifecycle. Reduc- ing security alert response time from hours to seconds, Proofpoint Threat Response delivers consistent information to users and streamlines collaboration and workflow. Alerts are auto- matically integrated across multiple security so- lutions such as those from Proofpoint, FireEye, Palo Alto Networks and Splunk. This solution enables users to investigate, verify, prioritize and contain today’s advanced threats. • Reducing the impact of data breaches caused by advanced threats: The easy-to-deploy, user-friendly Proofpoint Content Control solution delivers enhanced visibility and control over sensitive con- tent. Through contextual data intelligence, privacy and security teams can effectively identify and manage information with PCI, HIPAA and FINRA regulated content and other high value information. Violations can be quarantined, copied or deleted to reduce the attack surface and potential impact of a data breach. Proofpoint’s security solutions align with the new security strategy required to address the cyber kill chain. For more information on Proofpoint secu- rity suite solutions, please visit www.proofpoint. com/us/solutions - and read Gartner’s research on Addressing the Cyber Kill Chain, available on the following pages. Source: Proofpoint
4 Addressing the Cyber Kill Chain From the Gartner Files: The Cyber Kill Chain model describes how at- tackers use the cycle of compromise, persistence and exfiltration against an organization. Once the kill chain is understood, CISOs can make prag- matic decisions to improve their security posture. Key Challenges • The current prevention, prevention, preven- tion approach to dealing with the threat landscape has failed to address advanced and targeted attacks with enough efficacy. • IT security organizations have historical investments in a protection model that is out of balance with today’s threat landscape. • IT security organizations have largely not taken into account the kill chain life cycle ap- proach to thinking about adversaries; this is a reason why attackers are continuing to be so successful. • While the kill chain is easy to comprehend, resourcing to address it in the face of com- petitive business realities and innovation from adversaries is a key challenge. • Common security architectures and compli- ance regimes are not prioritizing methods to address the kill chain. Recommendations • Understand the flow of the kill chain to better understand your adversaries and therefore adjust your defensive tactics to improve your security posture. • Move to an architecture and develop sup- porting processes that address the postb- reach and exfiltration stages of the kill chain. • Augment existing prevention methods with methods to detect, deny, disrupt and recover from the activity of threat actors. • Implement methods that detect and deny threats at each stage of the kill chain. This will significantly increase the defensibility of your environment, since attackers need to execute all phases of the kill chain to be considered successful. Strategic Planning Assumption By 2017, security strategies of lean forward orga- nizations will routinely include a mapping of their security architecture and/or their processes to the kill chain life cycle. Introduction Targeted attacks have escalated in scale and frequency, and the potential for financial and reputational damage resulting from a breach has increased as a consequence. The ease with which traditional security defenses were bypassed in some incidents has left many organizations feel- ing powerless to defend themselves against these types of threats. This issue has become a concern at the executive boardroom level. The leading operational archetype in information security practiced by a majority of organizations has a focus on the perimeter, organized accord- ing to defense-in-depth principles. While this gives the appearance of concentrating resources on the most exposed assets and attack vectors, it provides a false sense of security and represents a misallocation of resources. This model means adversary needs to be successful only once out of an unlimited number of attempts. Defenders, conversely, must be right every time. This has led to a perception that, because there has been a successful malware infection or SQL injection attack against your organization, the adversary has won. The kill chain highlights that this is clearly not the case, because the adversary is victorious only when all phases of the Cyber Kill Chain (CKC) have been executed successfully. Rather than thinking that someone wins when an organization is compromised, you need to move to a mindset of: “Did they achieve their goal of exfiltrating data?”
5 The CKC is a reference model representing the stages of an attack, mapped distinctively to activities that encompass current attack meth- odologies. It breaks an attack into seven distinct stages or phases, each allowing a breach to be prevented, discovered or successfully mitigated. The CKC reference model can show how your organization can detect, deny, disrupt and recover at each phase. By aligning enterprise defenses to the same success criteria as that of adversaries, you can right size the prevention centric approach that has dominated enterprise thinking and spending on IT security to date. Analysis The Phases of the Cyber Kill Chain The CKC is historically a well-understood concept in military circles that is now being ap- plied to cyber security. Originally developed by Lockheed Martin1 in 2011 as an intelligence- driven network defense process, it describes the phases that an adversary will take when targeting your environment, exfiltrating data and maintaining persistence in an organization. It is also similar to a majority of penetration testing methodologies and is often described as an at- tack chain. The two are closely related and can often be used interchangeably. This research will show that the adversary is only successful when all phases of the kill chain have been executed. So rather than thinking that if adversaries compromise an organization they win, organizations need to move away from this mindset to ask: “Did they achieve their goal of exfiltrating data?” Our version of defeat is often described and measured in terms that are differ- ent than the way adversaries define victory. The CKC has seven stages: 1 Reconnaissance — This is anything that can be defined as identification, target selec- tion, organization details, industry-vertical- legislative requirements, information on technology choices, social network activity or mailing lists. The adversary is essentially looking to answer the questions: “How many methods do we assume will work with the highest degree of success?” and of those, “Which are the easiest to execute in terms of our investment of resources?” 2 Weaponization or Packaging — This takes many forms: Web application exploitation, off-the-shelf or custom malware, compound document vulnerabilities (PDF, Office) or wa- tering hole attacks. These are prepared with general, opportunistic or very specific intel- ligence on a target. 3 Delivery — Transmission of the payload is either target-initiated (users browse to a mali- cious Web presence, leading to the dropping of malware, or they open a malicious PDF file) or attacker-initiated (SQL injection or network service exploitation). 4 Exploitation — After delivery to the user or server, the malicious payload will gain a foothold in the environment by compromising it, usually by exploiting a known vulnerability for which a patch has often been available for months or years. While zero-day exploitation does occur, in a majority of cases, it is often not necessary. 5 Installation — This often takes the form of a remote-access trojan (RAT). The application is usually stealthy in its operation, allowing persistence or “dwell time” to be achieved. The adversary can then control this without alerting the organization — a common outcome. 6 Command and Control — In this phase, adversaries have control of assets within your organization through methods of control such as DNS, Internet Control Message Proto- col (ICMP), websites and social networks or other methods of command and control. This channel is how the adversary tells the controlled “asset” what to do next and what information to gather. The methods used to gather data under command include screen captures, keystroke monitoring, password
6 cracking, gathering of sensitive content and documents, and network monitoring for credentials. Often a staging host is identified to which all internal data is copied, and then compressed and/or encrypted and made ready for exfiltration. 7 Actions on Targets — This final phase cov- ers how the adversary exfiltrates data and maintains dwell time in an organization and then takes measures to identify more targets, expand their footprint within an organization and — most critical of all — exfiltrate data. Why Attackers Are So Successful Adversaries will continue to achieve their objec- tive of successfully completing the CKC unless defenders implement an approach that takes into consideration how an attack is executed. This is difficult to achieve because most soft- ware has not been developed using a security development life cycle (SDL), applications have increased in complexity and people remain a weak link. We have known for a considerable period of time that the perimeter-centric security approach is not a panacea for all ills, but organizations should not move away from these controls be- cause they provide a solid foundation. However, in order to allocate and prioritize resources, they should be extended with methods based on an understanding of the CKC. Whether adversaries are motivated by geopolitical, activist or finan- cial motives, they seek to fulfill specific goals of obtaining an organization’s data. Although we tend to think of IT security in terms of network security, host security and identity security, an “adversary- centric” model is a better-suited and more effec- tive approach in today’s threat landscape. How Organizations Should Address the Cyber Kill Chain Instead of continuing to invest primarily in defend- ing an organization’s perimeter, a more pragmatic approach focuses on detecting, denying, disrupt- ing and recovering as it allows for identification capabilities after a breach. This places the focus on protecting enterprise data, instead of looking at this as a collection of technology point solutions. A success rate of 100% for prevention against all steps of the attack chain is not attainable. This is also not necessary, as attackers must complete all phases to achieve their goals. Therefore planning for the prevention of privilege escalation, detect- ing postcompromise activity, stopping exfiltration of sensitive data and denying the attacker persis- tence are key. At a high level, you must take the seven phases of the kill chain that are illustrated in Table 1 and then identify how you can detect, deny, disrupt and recover at each phase. Figure 2. Diagram of the Cyber Kill Chain Source: Gartner (August 2014)
7 Phase Detect Deny or Contain Disrupt, Eradi- cate or Deceive Recover Reconnaissance Web analytics, Internet scanning activity reports, vulnerability scan- ning, external penetration test- ing, SIEM, DAST/ SAST, threat intel- ligence, TIP firewall ACL, sys- tem and service hardening, net- work obfuscation, logical segmenta- tion honeypot SAST/DAST Weaponization sentiment analy- sis, vulnerability announcements, VA NIPS, NGFW, patch manage- ment, configura- tion hardening, application reme- diation SEG, SWG, Delivery user training, security analytics, network behav- ioral analysis, threat intelligence, NIPS, NGFW, WAF, DDoS, SSL inspection, TIP SWG, NGIPS, ATD, TIP EPP backup or EPP cleanup Exploitation EPP, NIPS, SIEM, WAF EPP, NGIPS, ATD, WAF NIPS, NGFW, EPP, ATD data restoration from backups Installation EPP, endpoint fo- rensics or ETDR, sandboxing, FIM EPP, MDM, IAM, endpoint con- tainerization/app wrapping EPP, HIPS, incident forensics tools incident response, ETDR Command and Control NIPS, NBA, net- work forensics, SIEM, DNS secu- rity, TIP IP/DNS reputation blocking, DLP, ATA DNS redirect, threat intelligence on DNS, egress filtering, NIPS incident response, system restore Action on Targets logging, SIEM, DLP, honeypot, TIP, DAP egress filtering, SWG, trust zones, DLP QoS, DNS, DLP, ATA incident response Source: Gartner (August 2014) Table 1. Technologies and Processes Applicable to Addressing the Kill Chain
8 The section below expands on the table above, giving specific examples and guidance that orga- nizations can investigate. Adding more technology is often not required, but CISOs should take full advantage of improving the effectiveness of exist- ing tools and processes already at their disposal. Reconnaissance This phase is often executed without knowledge of your organization. Approaches for this phase are: • Perform regular external scanning and pene- tration testing to highlight what an adversary would find if and when your organization comes under scrutiny. This information can be used to remediate vulnerabilities, reduc- ing the attack surface area. • Use search engines to uncover cached content that can be used for exploits or that discloses information that would make it easier to target the environment. • Utilize sentiment analysis, a newer method for monitoring both public and underground Internet sites, to look for activity that is spe- cifically related to your organization. • Ensure that perimeter controls and Internet- facing services are aggressively enforcing the principle of least privilege, including service hardening. • Use analytics to detect indicators of unwant- ed activity against Internet-facing services like Web servicers, DNS servers, email and VPN gateways. • Use honeypots where adversary activity can be monitored for exploitation tactics. • Use software application security testing (SAST) and security development life cycle (SDL) to make sure that applications aren’t leaking sensitive details and are processing untrusted input correctly. Weaponization This phase is often performed with no specific knowledge of the organization being targeted. Organizations need to take proactive steps: • Keep abreast of newly disclosed vulnerabili- ties and have up-to-date data about which vulnerabilities have weaponized exploits avail- able for them. With this information, prioritize patching them or implementing mitigating controls like virtual patching through intrusion prevention systems (IPSs). • Investigate the use of threat intelligence pro- viders that can add value with threat forecast- ing and advanced notification of impending activity against your organization. An example would be notification of a phishing template becoming available for sale that is designed to look identical to your organization’s. • Investigate the use of threat intelligence plat- forms (TIPs) to add in threat and adversary tracking. Delivery An array of traditional controls can assist greatly in denying access to your environment: • Firewall or next-generation firewall to control traffic at the perimeter • Next-generation intrusion prevention to pro- vide visibility and prevention of compromise attempts
9 • Email and Web gateway security to enforce multiple methods of content inspection for malicious and unwanted activity • Distributed denial of service (DDoS) pre- vention to ensure the business can continue to transact under high volumes of traffic or other methods of application-specific DDoS activity • Web application firewall (WAF) to prevent the exploitation of e-commerce infrastructure • Network behavioral analysis (NBA) and security analytics, where network traffic pat- terns and content can be reviewed for indi- cators of compromise and suspicious activity • Payload inspection technology that uses techniques like CPU emulation and sand- boxing to provide a behavioral-centric method of malware detection • DNS security to give visibility and protection against the resolution of unwanted or mali- cious hosts Exploitation An array of network, host and server technolo- gies in conjunction with continuous monitoring can detect and deny access to the organization’s environment: • Security information and event management (SIEM) to correlate the events and logs from multiple security, infrastructure and identity elements to provide better visibility of mali- cious behavior • Prevention-focused security technologies like firewall, endpoint protection platform (EPP), network generation intrusion prevention sys- tem (NGIPS), email and Web security • Advanced targeted attack (ATA) or advanced persistent threat (APT) technologies that can provide enhanced detecting against new threats or variants of existing threats • Security analytics to review full session analy- sis detailing the exploitation and subsequent activity with a high level of details • Threat intelligence usage in SIEM and network security technologies to provide additional detec- tion and prevention opportunities Installation During this phase of the kill chain, host-specific methods are the primary method to detect the execution of malicious content: • EPP can deliver multiple methods of malware prevention, browser security and application whitelisting. • Mobile device management can control and deny unwanted applications to run on bring your own device (BYOD) devices. This can also deny user-installed applications from ac- cessing corporate-sensitive data via methods like per-application authentication VPN and containerization. • Identity and strong authentication methods can reduce the chance of installation and ac- cess to data. Once identified, recover from the situation by being able to: • Perform incident response • Recover compromised data from backups • Restore servers and end-user devices back to known good trusted states
10 • Potentially comply with law enforcement at- tempts to prosecute malicious actors • Report on details of the breach and other compliance mandates (such as reports to financial regulators, on any further impact expected by the company) Command and Control With this phase of the CKC, look for methods that detect the adversary’s attempts to control assets that have been previously compromised. If there are infected devices with remote-access trojans or rootkits, use methods such as: • IP and DNS reputation-filtering capabilities of network behavioral analysis (NBA) tools, network forensics tools, next-generation firewalls, intrusion prevention systems and security Web gateways • DNS security, where internal DNS servers themselves have threat intelligence capabilities to deny name resolution of malicious hosts • SIEMs with watchlists, threat intelligence and other policies configured to detect this type of out-of-character behavior Action on Targets During this phase, the adversary is trying to perform the most important part of its activity. This is to exfil- trate the data gathered in this and earlier phases of the kill chain. Methods to be addressed are: • After a compromise, all subsequent attack activity is performed as internal or trusted users. A SIEM, data loss prevention (DLP) or database activity monitoring and protection (DAP) function performing continuous moni- toring can assist with identifying trusted user access to data that is not specific to their role, access to data in volumes previously unseen, access to data at times of day that is out of character, and access to data from locations previously unseen. • Network behavioral analysis can highlight de- vices that are moving data around that is not part of its role (traffic to hosts that stand out), an exceedingly high volume of DNS traffic to an external DNS server that is not defined for external host name resolution, traffic protocols being actively used that are against policy. • Next-generation firewalls can identify a trust- ed user attempting clearly malicious activity such as an FTP session to an unexpected destination.
11 ACL access control list ATD advanced threat defense DAP database activity monitoring and protection DAST dynamic application security testing DBSM database security monitoring DLP data loss prevention EPP endpoint protection, including host- based features like firewall, anti-mal ware, whitelisting and disk encryption ETDR endpoint threat detection and response FIM file integrity monitoring HIPS host-based intrusion prevention system IAM identity and access management MDM master data management NGFW next-generation firewall NGIPS network generation intrusion preven- tion system NIPS network intrusion prevention system QoS quality of service SEG secure email gateway SIEM security information and event management SSL Secure Sockets Layer SWG secure Web gateway TIP threat intelligence platform VA vulnerability assessment Acronym Key and Glossary Terms Evidence “Mitre’s Cybersecurity Threat-Based Defense” 1 “Lockheed Martin’s Cyber Kill Chain” Source: Gartner Research, G00263765, Craig Lawson, 15 August 2014 About Proofpoint, Inc. Proofpoint Inc. (NASDAQ:PFPT) is a leading next-generation security and compliance company that provides cloud-based solutions for comprehensive threat protection, incident response, secure commu- nications, social media security, compliance, archiving and governance. Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system. Proofpoint protects against phishing, malware and spam, while safeguarding privacy, encrypting sensitive infor- mation, and archiving and governing messages and critical enterprise information. More information is available at www.proofpoint.com. Defending against Advanced Threats: Addressing the Cyber Kill Chain is published by Proofpoint Editorial content supplied by Proofpoint is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Proofpoint’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced indepen- dently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.

More Related Content

What's hot (20)

PDF
Understanding Cyber Kill Chain and OODA loop
David Sweigert
 
PDF
DTS Solution - Cyber Security Services Portfolio
Shah Sheikh
 
PDF
Security Incident Response Readiness Survey
Rahul Neel Mani
 
PPTX
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Positive Hack Days
 
PDF
Cyber Kill Chain Deck for General Audience
Tom K
 
PDF
The Cloud Crossover
Armor
 
PPTX
Cisco 2015 Midyear Security Report Slide Deck
Cisco Security
 
PDF
Pöyry ICS Cyber Security brochure (English)
Pöyry
 
PDF
Institucional proofpoint
voliverio
 
PDF
Marlabs cyber threat management
Rajendra Menon
 
PPTX
kill-chain-presentation-v3
Shawn Croswell
 
PDF
Secure Access – Anywhere by Prisma, PaloAlto
Prime Infoserv
 
PDF
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
FireEye, Inc.
 
PPTX
Cyber Security protection by MultiPoint Ltd.
Ricardo Resnik
 
PDF
Cyber Kill Chain vs. Cyber Criminals
David Sweigert
 
PDF
Report Gartner Magic Quadrant For Security Web Gateway 2011 En
RiccardoPelliccioli
 
PDF
The Evolution of and Need for Secure Network Access
Cisco Security
 
PDF
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Cisco Security
 
PPTX
APT Monitoring and Compliance
Marcus Clarke
 
PDF
Cybersecurity - Whose responsibility is it?
Armor
 
Understanding Cyber Kill Chain and OODA loop
David Sweigert
 
DTS Solution - Cyber Security Services Portfolio
Shah Sheikh
 
Security Incident Response Readiness Survey
Rahul Neel Mani
 
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Positive Hack Days
 
Cyber Kill Chain Deck for General Audience
Tom K
 
The Cloud Crossover
Armor
 
Cisco 2015 Midyear Security Report Slide Deck
Cisco Security
 
Pöyry ICS Cyber Security brochure (English)
Pöyry
 
Institucional proofpoint
voliverio
 
Marlabs cyber threat management
Rajendra Menon
 
kill-chain-presentation-v3
Shawn Croswell
 
Secure Access – Anywhere by Prisma, PaloAlto
Prime Infoserv
 
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
FireEye, Inc.
 
Cyber Security protection by MultiPoint Ltd.
Ricardo Resnik
 
Cyber Kill Chain vs. Cyber Criminals
David Sweigert
 
Report Gartner Magic Quadrant For Security Web Gateway 2011 En
RiccardoPelliccioli
 
The Evolution of and Need for Secure Network Access
Cisco Security
 
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Cisco Security
 
APT Monitoring and Compliance
Marcus Clarke
 
Cybersecurity - Whose responsibility is it?
Armor
 

Viewers also liked (17)

PDF
The Human Factor Report 2015
Michael Bunn
 
PDF
E-FILE_Proofpoint_Uberflip_120915_optimized
Lynn Feltner
 
PDF
Proofpoint Outbound/DLP Survey Results
shapetech
 
PDF
Compliant Practices for Social Media in Financial Services
LinkedIn Sales Solutions
 
PDF
Governança de Dados nas empresas - BI Summit 2017
BLRDATA
 
PPT
Customer Success and Security Technology
Gainsight
 
PDF
Tecnoset curitiba printing services
Fernando Misato
 
PPT
Webinar: Proofpoint, a pioneer in security-as-a-service protects people, info...
DataStax
 
PDF
Proofpoint: Fraud Detection and Security on Social Media
DataStax Academy
 
PPTX
Adapted from an ESG report - Seeing Is Securing - Protecting Against Advanced...
Proofpoint
 
PDF
Slidecast final
bigbucks18
 
DOCX
bảng giá làm clip quảng cáo 3d
dean649
 
PDF
Certificates
Deon Craft
 
PDF
Intimate Partner Violence
amhall12609
 
PDF
Arco
jecipla
 
PPTX
The healthcare profession
Verna Eunice Chan
 
PDF
Web2Graphix
Deepak Madan
 
The Human Factor Report 2015
Michael Bunn
 
E-FILE_Proofpoint_Uberflip_120915_optimized
Lynn Feltner
 
Proofpoint Outbound/DLP Survey Results
shapetech
 
Compliant Practices for Social Media in Financial Services
LinkedIn Sales Solutions
 
Governança de Dados nas empresas - BI Summit 2017
BLRDATA
 
Customer Success and Security Technology
Gainsight
 
Tecnoset curitiba printing services
Fernando Misato
 
Webinar: Proofpoint, a pioneer in security-as-a-service protects people, info...
DataStax
 
Proofpoint: Fraud Detection and Security on Social Media
DataStax Academy
 
Adapted from an ESG report - Seeing Is Securing - Protecting Against Advanced...
Proofpoint
 
Slidecast final
bigbucks18
 
bảng giá làm clip quảng cáo 3d
dean649
 
Certificates
Deon Craft
 
Intimate Partner Violence
amhall12609
 
Arco
jecipla
 
The healthcare profession
Verna Eunice Chan
 
Web2Graphix
Deepak Madan
 
Ad

Similar to Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL (20)

PDF
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
Kaspersky
 
PDF
CROs must be part of the cybersecurity solution by david x martin
David X Martin
 
DOCX
What are the key ingredients for an effective cybersecurity strategy.docx
Tradepass
 
PDF
What CIOs Need To Tell Their Boards About Cyber Security
Karyl Scott
 
PDF
How Does Vulnerability Assessment and Penetration Testing Strengthen Cybersec...
Ahad
 
PDF
Symantec cyber-resilience
Symantec
 
PDF
Proactive Security - Principled Aspiration or Marketing Buzzword?
nathan816428
 
PDF
Cybersecurity Incident Response Planning.pdf
Ciente
 
PDF
5 Essential Network Security Strategies to Defend Against Modern Cyberattacks...
clinilaunch250
 
PDF
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
infosecTrain
 
PDF
Security Operations Center scenario Interview based Questions
priyanshamadhwal2
 
PDF
Integrating-Cyber-Security-for-Increased-Effectiveness
Ayham Kochaji
 
PDF
Cyber-Security-Whitepaper.pdf
Anil
 
PDF
Cyber-Security-Whitepaper.pdf
Anil
 
PDF
Security_by_Design.pdf
AshuPatel64
 
PPTX
Security_by_Design.pptx
AshuPatel64
 
PDF
Exploration Draft Document- CEM Machine Learning & AI Project 2018
Leslie McFarlin
 
PDF
Fortifying Your Supply Chain_ A Cybersecurity Playbook by Ari Raptis.pdf
Ari Raptis
 
PDF
Incident Response
MichaelRodriguesdosS1
 
PDF
Defense In-Depth
Will Kelly
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
Kaspersky
 
CROs must be part of the cybersecurity solution by david x martin
David X Martin
 
What are the key ingredients for an effective cybersecurity strategy.docx
Tradepass
 
What CIOs Need To Tell Their Boards About Cyber Security
Karyl Scott
 
How Does Vulnerability Assessment and Penetration Testing Strengthen Cybersec...
Ahad
 
Symantec cyber-resilience
Symantec
 
Proactive Security - Principled Aspiration or Marketing Buzzword?
nathan816428
 
Cybersecurity Incident Response Planning.pdf
Ciente
 
5 Essential Network Security Strategies to Defend Against Modern Cyberattacks...
clinilaunch250
 
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
infosecTrain
 
Security Operations Center scenario Interview based Questions
priyanshamadhwal2
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Ayham Kochaji
 
Cyber-Security-Whitepaper.pdf
Anil
 
Cyber-Security-Whitepaper.pdf
Anil
 
Security_by_Design.pdf
AshuPatel64
 
Security_by_Design.pptx
AshuPatel64
 
Exploration Draft Document- CEM Machine Learning & AI Project 2018
Leslie McFarlin
 
Fortifying Your Supply Chain_ A Cybersecurity Playbook by Ari Raptis.pdf
Ari Raptis
 
Incident Response
MichaelRodriguesdosS1
 
Defense In-Depth
Will Kelly
 
Ad

Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL

  • 1. Featuring research from Gartner Defending against Advanced Threats: Addressing the Cyber Kill Chain “We have known for a considerable period of time that the perimeter-centric security approach is not a panacea for all ills, but organizations should not move away from these controls because they provide a solid foundation. However, in order to allocate and prioritize resources, they should be extended with methods based on an understanding of the CKC. “ - Gartner Addressing the Cyber Kill Chain, Craig Lawson, 15 August 2014 The latest data breach reports on the daily news remind us of the rapidly changing state of enterprise security. No longer can the focus remain solely on a strong perimeter and end point protection; a new model and approach is required inclusive of the above but extending to deeper analysis and data protection as well. “The current pre- vention, prevention, prevention approach to dealing with the threat landscape has failed to address advanced and targeted attacks with enough efficacy.”1 More is required including updated thinking, a new course to address the challenge and next generation protection solutions. A traditional “castle moat and keep” defense mindset per- sists today as enterprises invest heavily in perimeter and endpoint protection solutions. While previously successful in protecting companies, these investments are no longer showing the same return. Attackers have innovated and exploited channels through these traditional defenses. 4 From the Gartner Files: Addressing the Cyber Kill Chain 11 About Proofpoint, Inc. In this report: Changing the conversation and focus to the mechanics of an advanced or targeted attack is key to disrupting mali- cious actions.
  • 2. 2 In 2011, researchers at Lockheed Martin devel- oped the Kill Chain modeled on evidence from network attacks.2 The Kill Chain is widely known, understood and quoted in security circles. How- ever, it is not generally applied to companies’ security infrastructure investments. Gartner re- search recommends organizations: “Understand the flow of the kill chain to better understand your adversaries and therefore adjust your defensive tactics to improve your security posture.”3 Align your defenses with reality. Augment existing defenses with best of breed solutions which deploy innovative techniques to detect, block and disrupt the attack before it occurs, shorten the response time and ultimately protect enterprise assets and data. Proofpoint Aligned to the Cyber Kill Chain Model A suite of products which maps to the reality of the kill chain is optimum. A large collection is listed in Table 1 of the attached Gartner report. Our focus is a subset. Proofpoint’s solution set maps to the Cyber Kill Chain model as detailed in the diagram below. About Proofpoint’s Superior Advanced Threat Protection Block, Detect, Respond, and Harden are the key pillars of the Proofpoint solution set. Proofpoint’s portfolio of industry-leading security solutions for blocking email-borne attacks, detecting new advanced threats, automating incident response, and reducing the impact of potential breaches ad- dress the reality of today’s advanced attacks and aligns security infrastructure with the Kill Chain. Email which continues to be a critical business service is the top route for attackers. The Proof- point security suite detects and manages ad- vanced email-borne threats, provides security for sensitive data, and accelerates the identification and containment of new threats. • Stopping more advanced threats: Delivered through the cloud-based Proofpoint Enterprise Protection Suite, organizations of all sizes have access to industry-leading inbound and outbound email security. This suite accurately classifies and blocks threats, while leveraging phishing detection, anti-spam and antivirus technologies. • Detecting advanced threats faster with actionable intelligence: Proofpoint Targeted Attack Protection detects phishing and web compromise attacks and provides organizations with actionable intelligence to quickly respond. Backed by continuous big data analysis of bil- lions of data points, Proofpoint provides detailed information around campaign type, targeted us- ers and potentially infected systems. Armed with this information, organizations can identify and manage new threats before they lead to data breaches and destructive compromises. 1 Addressing the Cyber Kill Chain (Gartner), p. 1 2 http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html 3 Ibid. 1 Block Known Threats Enterprise Protection Detect Unknown Threats Targeted Attack Protection Respond to Incidents Threat Response Harden Against Loss Regulatory Compliance Encryption Content Control Recon Weaponise Deliver Exploit Install C2 Action Harden
  • 3. 3 • Automating incident response, accelera- ting threat remediation: Proofpoint Threat Re- sponse provides users with an open, extensible platform that automates incident response and the incident management lifecycle. Reduc- ing security alert response time from hours to seconds, Proofpoint Threat Response delivers consistent information to users and streamlines collaboration and workflow. Alerts are auto- matically integrated across multiple security so- lutions such as those from Proofpoint, FireEye, Palo Alto Networks and Splunk. This solution enables users to investigate, verify, prioritize and contain today’s advanced threats. • Reducing the impact of data breaches caused by advanced threats: The easy-to-deploy, user-friendly Proofpoint Content Control solution delivers enhanced visibility and control over sensitive con- tent. Through contextual data intelligence, privacy and security teams can effectively identify and manage information with PCI, HIPAA and FINRA regulated content and other high value information. Violations can be quarantined, copied or deleted to reduce the attack surface and potential impact of a data breach. Proofpoint’s security solutions align with the new security strategy required to address the cyber kill chain. For more information on Proofpoint secu- rity suite solutions, please visit www.proofpoint. com/us/solutions - and read Gartner’s research on Addressing the Cyber Kill Chain, available on the following pages. Source: Proofpoint
  • 4. 4 Addressing the Cyber Kill Chain From the Gartner Files: The Cyber Kill Chain model describes how at- tackers use the cycle of compromise, persistence and exfiltration against an organization. Once the kill chain is understood, CISOs can make prag- matic decisions to improve their security posture. Key Challenges • The current prevention, prevention, preven- tion approach to dealing with the threat landscape has failed to address advanced and targeted attacks with enough efficacy. • IT security organizations have historical investments in a protection model that is out of balance with today’s threat landscape. • IT security organizations have largely not taken into account the kill chain life cycle ap- proach to thinking about adversaries; this is a reason why attackers are continuing to be so successful. • While the kill chain is easy to comprehend, resourcing to address it in the face of com- petitive business realities and innovation from adversaries is a key challenge. • Common security architectures and compli- ance regimes are not prioritizing methods to address the kill chain. Recommendations • Understand the flow of the kill chain to better understand your adversaries and therefore adjust your defensive tactics to improve your security posture. • Move to an architecture and develop sup- porting processes that address the postb- reach and exfiltration stages of the kill chain. • Augment existing prevention methods with methods to detect, deny, disrupt and recover from the activity of threat actors. • Implement methods that detect and deny threats at each stage of the kill chain. This will significantly increase the defensibility of your environment, since attackers need to execute all phases of the kill chain to be considered successful. Strategic Planning Assumption By 2017, security strategies of lean forward orga- nizations will routinely include a mapping of their security architecture and/or their processes to the kill chain life cycle. Introduction Targeted attacks have escalated in scale and frequency, and the potential for financial and reputational damage resulting from a breach has increased as a consequence. The ease with which traditional security defenses were bypassed in some incidents has left many organizations feel- ing powerless to defend themselves against these types of threats. This issue has become a concern at the executive boardroom level. The leading operational archetype in information security practiced by a majority of organizations has a focus on the perimeter, organized accord- ing to defense-in-depth principles. While this gives the appearance of concentrating resources on the most exposed assets and attack vectors, it provides a false sense of security and represents a misallocation of resources. This model means adversary needs to be successful only once out of an unlimited number of attempts. Defenders, conversely, must be right every time. This has led to a perception that, because there has been a successful malware infection or SQL injection attack against your organization, the adversary has won. The kill chain highlights that this is clearly not the case, because the adversary is victorious only when all phases of the Cyber Kill Chain (CKC) have been executed successfully. Rather than thinking that someone wins when an organization is compromised, you need to move to a mindset of: “Did they achieve their goal of exfiltrating data?”
  • 5. 5 The CKC is a reference model representing the stages of an attack, mapped distinctively to activities that encompass current attack meth- odologies. It breaks an attack into seven distinct stages or phases, each allowing a breach to be prevented, discovered or successfully mitigated. The CKC reference model can show how your organization can detect, deny, disrupt and recover at each phase. By aligning enterprise defenses to the same success criteria as that of adversaries, you can right size the prevention centric approach that has dominated enterprise thinking and spending on IT security to date. Analysis The Phases of the Cyber Kill Chain The CKC is historically a well-understood concept in military circles that is now being ap- plied to cyber security. Originally developed by Lockheed Martin1 in 2011 as an intelligence- driven network defense process, it describes the phases that an adversary will take when targeting your environment, exfiltrating data and maintaining persistence in an organization. It is also similar to a majority of penetration testing methodologies and is often described as an at- tack chain. The two are closely related and can often be used interchangeably. This research will show that the adversary is only successful when all phases of the kill chain have been executed. So rather than thinking that if adversaries compromise an organization they win, organizations need to move away from this mindset to ask: “Did they achieve their goal of exfiltrating data?” Our version of defeat is often described and measured in terms that are differ- ent than the way adversaries define victory. The CKC has seven stages: 1 Reconnaissance — This is anything that can be defined as identification, target selec- tion, organization details, industry-vertical- legislative requirements, information on technology choices, social network activity or mailing lists. The adversary is essentially looking to answer the questions: “How many methods do we assume will work with the highest degree of success?” and of those, “Which are the easiest to execute in terms of our investment of resources?” 2 Weaponization or Packaging — This takes many forms: Web application exploitation, off-the-shelf or custom malware, compound document vulnerabilities (PDF, Office) or wa- tering hole attacks. These are prepared with general, opportunistic or very specific intel- ligence on a target. 3 Delivery — Transmission of the payload is either target-initiated (users browse to a mali- cious Web presence, leading to the dropping of malware, or they open a malicious PDF file) or attacker-initiated (SQL injection or network service exploitation). 4 Exploitation — After delivery to the user or server, the malicious payload will gain a foothold in the environment by compromising it, usually by exploiting a known vulnerability for which a patch has often been available for months or years. While zero-day exploitation does occur, in a majority of cases, it is often not necessary. 5 Installation — This often takes the form of a remote-access trojan (RAT). The application is usually stealthy in its operation, allowing persistence or “dwell time” to be achieved. The adversary can then control this without alerting the organization — a common outcome. 6 Command and Control — In this phase, adversaries have control of assets within your organization through methods of control such as DNS, Internet Control Message Proto- col (ICMP), websites and social networks or other methods of command and control. This channel is how the adversary tells the controlled “asset” what to do next and what information to gather. The methods used to gather data under command include screen captures, keystroke monitoring, password
  • 6. 6 cracking, gathering of sensitive content and documents, and network monitoring for credentials. Often a staging host is identified to which all internal data is copied, and then compressed and/or encrypted and made ready for exfiltration. 7 Actions on Targets — This final phase cov- ers how the adversary exfiltrates data and maintains dwell time in an organization and then takes measures to identify more targets, expand their footprint within an organization and — most critical of all — exfiltrate data. Why Attackers Are So Successful Adversaries will continue to achieve their objec- tive of successfully completing the CKC unless defenders implement an approach that takes into consideration how an attack is executed. This is difficult to achieve because most soft- ware has not been developed using a security development life cycle (SDL), applications have increased in complexity and people remain a weak link. We have known for a considerable period of time that the perimeter-centric security approach is not a panacea for all ills, but organizations should not move away from these controls be- cause they provide a solid foundation. However, in order to allocate and prioritize resources, they should be extended with methods based on an understanding of the CKC. Whether adversaries are motivated by geopolitical, activist or finan- cial motives, they seek to fulfill specific goals of obtaining an organization’s data. Although we tend to think of IT security in terms of network security, host security and identity security, an “adversary- centric” model is a better-suited and more effec- tive approach in today’s threat landscape. How Organizations Should Address the Cyber Kill Chain Instead of continuing to invest primarily in defend- ing an organization’s perimeter, a more pragmatic approach focuses on detecting, denying, disrupt- ing and recovering as it allows for identification capabilities after a breach. This places the focus on protecting enterprise data, instead of looking at this as a collection of technology point solutions. A success rate of 100% for prevention against all steps of the attack chain is not attainable. This is also not necessary, as attackers must complete all phases to achieve their goals. Therefore planning for the prevention of privilege escalation, detect- ing postcompromise activity, stopping exfiltration of sensitive data and denying the attacker persis- tence are key. At a high level, you must take the seven phases of the kill chain that are illustrated in Table 1 and then identify how you can detect, deny, disrupt and recover at each phase. Figure 2. Diagram of the Cyber Kill Chain Source: Gartner (August 2014)
  • 7. 7 Phase Detect Deny or Contain Disrupt, Eradi- cate or Deceive Recover Reconnaissance Web analytics, Internet scanning activity reports, vulnerability scan- ning, external penetration test- ing, SIEM, DAST/ SAST, threat intel- ligence, TIP firewall ACL, sys- tem and service hardening, net- work obfuscation, logical segmenta- tion honeypot SAST/DAST Weaponization sentiment analy- sis, vulnerability announcements, VA NIPS, NGFW, patch manage- ment, configura- tion hardening, application reme- diation SEG, SWG, Delivery user training, security analytics, network behav- ioral analysis, threat intelligence, NIPS, NGFW, WAF, DDoS, SSL inspection, TIP SWG, NGIPS, ATD, TIP EPP backup or EPP cleanup Exploitation EPP, NIPS, SIEM, WAF EPP, NGIPS, ATD, WAF NIPS, NGFW, EPP, ATD data restoration from backups Installation EPP, endpoint fo- rensics or ETDR, sandboxing, FIM EPP, MDM, IAM, endpoint con- tainerization/app wrapping EPP, HIPS, incident forensics tools incident response, ETDR Command and Control NIPS, NBA, net- work forensics, SIEM, DNS secu- rity, TIP IP/DNS reputation blocking, DLP, ATA DNS redirect, threat intelligence on DNS, egress filtering, NIPS incident response, system restore Action on Targets logging, SIEM, DLP, honeypot, TIP, DAP egress filtering, SWG, trust zones, DLP QoS, DNS, DLP, ATA incident response Source: Gartner (August 2014) Table 1. Technologies and Processes Applicable to Addressing the Kill Chain
  • 8. 8 The section below expands on the table above, giving specific examples and guidance that orga- nizations can investigate. Adding more technology is often not required, but CISOs should take full advantage of improving the effectiveness of exist- ing tools and processes already at their disposal. Reconnaissance This phase is often executed without knowledge of your organization. Approaches for this phase are: • Perform regular external scanning and pene- tration testing to highlight what an adversary would find if and when your organization comes under scrutiny. This information can be used to remediate vulnerabilities, reduc- ing the attack surface area. • Use search engines to uncover cached content that can be used for exploits or that discloses information that would make it easier to target the environment. • Utilize sentiment analysis, a newer method for monitoring both public and underground Internet sites, to look for activity that is spe- cifically related to your organization. • Ensure that perimeter controls and Internet- facing services are aggressively enforcing the principle of least privilege, including service hardening. • Use analytics to detect indicators of unwant- ed activity against Internet-facing services like Web servicers, DNS servers, email and VPN gateways. • Use honeypots where adversary activity can be monitored for exploitation tactics. • Use software application security testing (SAST) and security development life cycle (SDL) to make sure that applications aren’t leaking sensitive details and are processing untrusted input correctly. Weaponization This phase is often performed with no specific knowledge of the organization being targeted. Organizations need to take proactive steps: • Keep abreast of newly disclosed vulnerabili- ties and have up-to-date data about which vulnerabilities have weaponized exploits avail- able for them. With this information, prioritize patching them or implementing mitigating controls like virtual patching through intrusion prevention systems (IPSs). • Investigate the use of threat intelligence pro- viders that can add value with threat forecast- ing and advanced notification of impending activity against your organization. An example would be notification of a phishing template becoming available for sale that is designed to look identical to your organization’s. • Investigate the use of threat intelligence plat- forms (TIPs) to add in threat and adversary tracking. Delivery An array of traditional controls can assist greatly in denying access to your environment: • Firewall or next-generation firewall to control traffic at the perimeter • Next-generation intrusion prevention to pro- vide visibility and prevention of compromise attempts
  • 9. 9 • Email and Web gateway security to enforce multiple methods of content inspection for malicious and unwanted activity • Distributed denial of service (DDoS) pre- vention to ensure the business can continue to transact under high volumes of traffic or other methods of application-specific DDoS activity • Web application firewall (WAF) to prevent the exploitation of e-commerce infrastructure • Network behavioral analysis (NBA) and security analytics, where network traffic pat- terns and content can be reviewed for indi- cators of compromise and suspicious activity • Payload inspection technology that uses techniques like CPU emulation and sand- boxing to provide a behavioral-centric method of malware detection • DNS security to give visibility and protection against the resolution of unwanted or mali- cious hosts Exploitation An array of network, host and server technolo- gies in conjunction with continuous monitoring can detect and deny access to the organization’s environment: • Security information and event management (SIEM) to correlate the events and logs from multiple security, infrastructure and identity elements to provide better visibility of mali- cious behavior • Prevention-focused security technologies like firewall, endpoint protection platform (EPP), network generation intrusion prevention sys- tem (NGIPS), email and Web security • Advanced targeted attack (ATA) or advanced persistent threat (APT) technologies that can provide enhanced detecting against new threats or variants of existing threats • Security analytics to review full session analy- sis detailing the exploitation and subsequent activity with a high level of details • Threat intelligence usage in SIEM and network security technologies to provide additional detec- tion and prevention opportunities Installation During this phase of the kill chain, host-specific methods are the primary method to detect the execution of malicious content: • EPP can deliver multiple methods of malware prevention, browser security and application whitelisting. • Mobile device management can control and deny unwanted applications to run on bring your own device (BYOD) devices. This can also deny user-installed applications from ac- cessing corporate-sensitive data via methods like per-application authentication VPN and containerization. • Identity and strong authentication methods can reduce the chance of installation and ac- cess to data. Once identified, recover from the situation by being able to: • Perform incident response • Recover compromised data from backups • Restore servers and end-user devices back to known good trusted states
  • 10. 10 • Potentially comply with law enforcement at- tempts to prosecute malicious actors • Report on details of the breach and other compliance mandates (such as reports to financial regulators, on any further impact expected by the company) Command and Control With this phase of the CKC, look for methods that detect the adversary’s attempts to control assets that have been previously compromised. If there are infected devices with remote-access trojans or rootkits, use methods such as: • IP and DNS reputation-filtering capabilities of network behavioral analysis (NBA) tools, network forensics tools, next-generation firewalls, intrusion prevention systems and security Web gateways • DNS security, where internal DNS servers themselves have threat intelligence capabilities to deny name resolution of malicious hosts • SIEMs with watchlists, threat intelligence and other policies configured to detect this type of out-of-character behavior Action on Targets During this phase, the adversary is trying to perform the most important part of its activity. This is to exfil- trate the data gathered in this and earlier phases of the kill chain. Methods to be addressed are: • After a compromise, all subsequent attack activity is performed as internal or trusted users. A SIEM, data loss prevention (DLP) or database activity monitoring and protection (DAP) function performing continuous moni- toring can assist with identifying trusted user access to data that is not specific to their role, access to data in volumes previously unseen, access to data at times of day that is out of character, and access to data from locations previously unseen. • Network behavioral analysis can highlight de- vices that are moving data around that is not part of its role (traffic to hosts that stand out), an exceedingly high volume of DNS traffic to an external DNS server that is not defined for external host name resolution, traffic protocols being actively used that are against policy. • Next-generation firewalls can identify a trust- ed user attempting clearly malicious activity such as an FTP session to an unexpected destination.
  • 11. 11 ACL access control list ATD advanced threat defense DAP database activity monitoring and protection DAST dynamic application security testing DBSM database security monitoring DLP data loss prevention EPP endpoint protection, including host- based features like firewall, anti-mal ware, whitelisting and disk encryption ETDR endpoint threat detection and response FIM file integrity monitoring HIPS host-based intrusion prevention system IAM identity and access management MDM master data management NGFW next-generation firewall NGIPS network generation intrusion preven- tion system NIPS network intrusion prevention system QoS quality of service SEG secure email gateway SIEM security information and event management SSL Secure Sockets Layer SWG secure Web gateway TIP threat intelligence platform VA vulnerability assessment Acronym Key and Glossary Terms Evidence “Mitre’s Cybersecurity Threat-Based Defense” 1 “Lockheed Martin’s Cyber Kill Chain” Source: Gartner Research, G00263765, Craig Lawson, 15 August 2014 About Proofpoint, Inc. Proofpoint Inc. (NASDAQ:PFPT) is a leading next-generation security and compliance company that provides cloud-based solutions for comprehensive threat protection, incident response, secure commu- nications, social media security, compliance, archiving and governance. Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system. Proofpoint protects against phishing, malware and spam, while safeguarding privacy, encrypting sensitive infor- mation, and archiving and governing messages and critical enterprise information. More information is available at www.proofpoint.com. Defending against Advanced Threats: Addressing the Cyber Kill Chain is published by Proofpoint Editorial content supplied by Proofpoint is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Proofpoint’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced indepen- dently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.