The Changing Nature of Incident Response: Part 3 by Tom Cross

The Kill Chain – Modeling Persistent Attackers

Back in February, I started writing a three-part blog post series on protecting computer networks from advanced threats. The first part defined the meaning of the term Advanced Persistent Threat, and the second part discussed the changing role that incident response is playing in IT security.

I never got around to writing the third installment, because around the end of February the abstract concepts I had been blogging about became an immediate reality when Mandiant and a number of other organizations published a bunch of information about a threat actor called APT1.

The APT1 disclosures provided a perfect real-world illustration of incident response in action against an advanced attacker. Numerous organizations disclosed indicators of compromise, including MD5 hashes of malware used by this attacker as well as domain names, IP addresses, and SSL certificates associated with this attack activity. These pieces of evidence were gained through incident response and forensic investigation of actual breaches.

In a Congressional hearing that followed in late March, Mandiant CSO Richard Bejtlich made the following comments, which really hit the nail on the head:

Every company in the United States that cares about security needs to be able to take a report like ours, digest the information in it and look for intruders in your company. If you look at this report, and you can't do that, you can't figure out how to find intruders in your company, that's probably job 1, you need to be able to do that.

And secondly, you need to be able to see over time how this affects you, we find too many companies don't treat this as a business process, they treat it as something that engineers and technicians need to deal with - you need to realize that dealing with intruders is a fact of life in the business world and it needs to be a continuous business process. 

When these indicators were released, we at StealthWatch Labs focused on identifying any additional indicators we had access to that also related to APT1, and on getting that information released on our blog. We also started working with customers who had identified these attacks on their networks using the indicator information that had been disclosed.

Of course, because all of this indicator information has been made public, we can assume that the attackers aren’t using the associated malware any more, so real-time detection of these indicators on a network isn’t very useful. However, many of our customers have months or years of netflow records stored in their StealthWatch installations. This enabled them to look back through the history of transactions on their networks to identify activity at a time in the past when this malware was still active.

Finding evidence of historical APT1 activity is the beginning, not the end, of an investigation. If your network was compromised by this adversary at some point in the past, it is likely that you are still being targeted now. By investigating logs, netflow records, and the compromised hosts you can collect other intelligence, such as the time and method of the initial infection and what other local systems were accessed by the attacker, possibly leading to the discovery of new, active malware that is currently operating on those systems.
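As an added example (not code from the original post or from StealthWatch), here is the retrospective hunt described above over stored flow records, followed by the "what other local systems did that host touch" question. The flow records, the indicator addresses and the 10.x internal prefix are constructed placeholders, not real APT1 indicators.

```python
from collections import namedtuple
from datetime import datetime

# Constructed NetFlow-style records (start, src, dst, dst port, bytes) using
# documentation-range addresses; placeholders, not real APT1 indicators.
FLOWS_TXT = """\
2012-11-03T02:14:00,10.1.1.23,203.0.113.45,443,18320
2012-11-03T02:20:00,10.1.1.23,10.1.1.40,445,512000
2012-11-04T01:05:00,10.1.1.40,203.0.113.45,443,9100
2012-11-05T09:00:00,10.1.1.77,198.51.100.9,80,2400
2013-01-10T03:30:00,10.1.1.23,203.0.113.45,443,22000
2013-02-01T10:00:00,10.1.1.90,93.184.216.34,443,1500
"""

# Constructed indicator set standing in for the published C2 addresses.
IOCS = {"203.0.113.45", "198.51.100.9"}

Flow = namedtuple("Flow", "start src dst dport nbytes")

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows

def retrospective_hunt(flows, iocs):
    """Map each internal host that ever contacted an indicator to
    (first_seen, last_seen, hit_count). Old flows count as much as new ones:
    the indicators are stale, but the compromise they reveal may not be."""
    hits = {}
    for f in flows:
        if f.dst in iocs:
            first, last, n = hits.get(f.src, (f.start, f.start, 0))
            hits[f.src] = (min(first, f.start), max(last, f.start), n + 1)
    return hits

def internal_contacts_after(flows, host, since, internal_prefix="10."):
    """Internal systems the flagged host reached at or after its first C2
    contact: leads for 'what other local systems did the attacker touch'."""
    return sorted({f.dst for f in flows
                   if f.src == host and f.start >= since
                   and f.dst.startswith(internal_prefix)})

if __name__ == "__main__":
    flows = parse_flows(FLOWS_TXT)
    for host, (first, last, n) in sorted(retrospective_hunt(flows, IOCS).items()):
        print(host, first.date(), last.date(), n,
              internal_contacts_after(flows, host, first))
```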

With certain pieces of intelligence in hand, such as the IP addresses of the attacker’s active command and control systems, it may be possible to identify future attacks early on in their lifecycle. This is exactly how incident response becomes the front line in advanced network defense – by collecting the intelligence needed to identify future attacks through the study of attacks that have happened in the past.

The Kill Chain 

If you are going to study attacks methodically, it helps to have a mental model of the various steps that an attacker goes through as they break into your network. If you have a complete understanding of all of the different things that an attacker is going to do, you can then ask yourself whether or not you have the visibility needed to detect each of those things. You can also relate the different pieces of intelligence that you’ve collected to your model of the attacker’s behavior. This can help you connect one attack to another, and anticipate what a particular attacker might do next, based on past behavior.

The kill chain is just such a mental model. The term “kill chain” comes from military jargon and refers to the set of steps that a soldier has to proceed through to fire a weapon at a target, including target identification, clearance to fire, etc. In the context of computer security, the “kill chain” refers to the set of steps that an attacker takes as he or she breaks into a network. This concept was first proposed by Lockheed Martin in a paper called “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.”

Lockheed’s perspective on the kill chain stages focuses on the pre-intrusion steps that the attacker takes:

  • Reconnaissance – The first step in any task is to collect information. Reconnaissance is traditionally thought of as scanning the target network for security vulnerabilities, but this stage also includes developing profiles of who works for the organization, what their roles are, and what their interests are, so the attacker can launch effective social engineering attacks.
  • Weaponization – The creation of an attack payload. For example, the attacker might take a PDF document that is relevant to a target’s job and embed within it an exploit that will obtain code execution on the target’s computer when the document is opened.
  • Delivery – Delivering the attack payload to the victim. This might literally mean emailing the PDF document to the victim.
  • Exploitation – The actual execution of the exploit to gain control of a target computer system.
  • Installation – The installation of malicious software on the victim’s computer.
  • Command and Control – The creation of a network communications channel that allows the attacker to control the malware on the victim’s computer.
  • Actions on Objectives – Everything the attacker does once he or she has gotten control of a victim’s computer.

It’s easy to see how intelligence artifacts gained from forensic investigation of an incident can be mapped to these various stages. An investigation of an infected computer might turn up the particular malware that was installed. Studying that malware might reveal its command and control protocol. Looking for other systems on the network that access the same command and control system might reveal new infections as they occur.

A study of the infected system might also reveal how the exploit was weaponized and delivered. Knowing how the attacker delivered the exploit could enable the analyst to identify when future exploits are delivered from the same sources. It could also teach the analyst something about the kinds of reconnaissance the attacker performed. Knowing this information, it might be possible to identify other things that the attacker learned during the reconnaissance phase, which could turn up in future attacks.

When a new incident is analyzed, the evidence can be compared with past incidents. An attacker who is using the same command and control protocol that was used in a previous attack may have also used a similar exploit delivery process, so knowing one piece of information may point the analyst at the right place to look for other pieces of evidence.

Actions on Objectives 

In Lockheed’s “kill chain” model all of the attacker’s post-exploitation actions are summarized in a single stage called actions on objectives. In fact, this stage can be very complicated and can extend over long periods of time.

The word Persistent in Advanced Persistent Threat is used to denote the fact that these kinds of attackers may have a long term strategic interest in collecting information from a target network. This isn’t a fixed rule. Advanced attackers may only be interested in a single, valuable piece of information on a particular network, and once they obtain it, they are gone. In other cases, once they break into a network, they are there for the long haul. They may deploy multiple kinds of malware and other backdoors in order to ensure the resiliency of their ability to surveil the network even as administrators discover their infections and attempt to root them out.

Dealing with this kind of persistent adversary can become an ongoing chess match for an incident response team. Incidents may be discovered weeks or months after they have occurred. Therefore, it makes sense to include within our model of the attacker’s behavior the various kinds of actions that the attacker will take once the network has been penetrated. These actions include:

  • Internal Pivoting – Once the attacker has a foothold within a network, he or she may search through the network for data of interest, attacking and infecting multiple machines throughout the process.
  • Creation of Backdoors – Attackers will often establish multiple means of regaining access to a network in case their primary access method is discovered or disrupted. The collection and use of legitimate remote access credentials is typical.
  • Data Staging – Data to be stolen is sometimes collected at a staging point prior to exfiltration.
  • Exfiltration – The actual movement of stolen data out of the network.

These stages specifically relate to the way that espionage campaigns unfold. Different kinds of attacks, such as sabotage, involve different actions on objectives.  However, in general, Advanced Persistent Threat has been associated with espionage.

It’s also worth noting the self-similar nature of the Internal Pivoting stage, as that stage may involve additional rounds of internal network reconnaissance, weaponization, delivery, exploitation, command and control, and actions on objectives.

Mapping the Kill Chain to your control set

A critical question that organizations must ask about the Kill Chain is whether they have the ability to detect each stage of the attacker’s actions on their networks. Traditional security solutions focus on detecting particular parts of the Kill Chain. For example, Intrusion Detection Systems attempt to detect network reconnaissance activity and the delivery of exploits. Anti-virus software attempts to detect the installation of malicious software. 

However, we know that these two detection technologies are often evaded by APT attackers. By taking a holistic view of the attacker’s behavior it’s possible to identify other opportunities for attack detection, particularly post-compromise. It is possible to hunt for behaviors associated with command and control protocols, internal reconnaissance, the creation and use of backdoors, internal data staging, and exfiltration. Hunting for these behaviors can detect attacks that have evaded other defenses.
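An added example of the post-compromise hunting described above (not code from the original post or from the StealthWatch product): it flags an internal host that collects large volumes from several internal peers and then pushes a comparable volume to an external address, the staging-then-exfiltration sequence from the list of actions on objectives. The flow records, the thresholds and the 10.x internal range are constructed and illustrative; real thresholds have to be tuned against the environment’s own baseline.

```python
from collections import defaultdict

INTERNAL_PREFIXES = ("10.",)  # assumed internal address space

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)

# Constructed flows: (hour offset, src, dst, dst port, bytes). Three workstations
# push large volumes to 10.1.1.50 over SMB, which then uploads a similar volume
# to an external host; 10.1.1.60 is ordinary file-share and web traffic.
FLOWS = [
    (0, "10.1.1.11", "10.1.1.50", 445, 400_000_000),
    (1, "10.1.1.12", "10.1.1.50", 445, 350_000_000),
    (2, "10.1.1.13", "10.1.1.50", 445, 500_000_000),
    (3, "10.1.1.50", "203.0.113.200", 443, 1_100_000_000),
    (5, "10.1.1.60", "10.1.1.61", 445, 20_000_000),
    (6, "10.1.1.60", "93.184.216.34", 443, 2_000_000),
]

def find_staging_hosts(flows, min_sources=3, min_bytes=100_000_000):
    """Internal hosts that receive a large aggregate volume from several
    distinct internal peers: candidate data staging points. Thresholds are
    illustrative and must be tuned against the environment's baseline."""
    inbound = defaultdict(lambda: [set(), 0, None])  # dst -> [sources, bytes, last_seen]
    for t, src, dst, _dport, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            rec = inbound[dst]
            rec[0].add(src)
            rec[1] += nbytes
            rec[2] = t if rec[2] is None else max(rec[2], t)
    return {h: (srcs, total, last) for h, (srcs, total, last) in inbound.items()
            if len(srcs) >= min_sources and total >= min_bytes}

def find_exfil_after_staging(flows, staging, ratio=0.5):
    """Staging candidates that later push a comparable volume to external
    addresses: the staging-then-exfiltration sequence described in the text.
    Returns (host, sources, bytes_staged, bytes_out) tuples."""
    alerts = []
    for host, (srcs, total_in, last_in) in staging.items():
        out = sum(b for t, s, d, _p, b in flows
                  if s == host and not is_internal(d) and t >= last_in)
        if out >= ratio * total_in:
            alerts.append((host, sorted(srcs), total_in, out))
    return alerts

if __name__ == "__main__":
    for alert in find_exfil_after_staging(FLOWS, find_staging_hosts(FLOWS)):
        print("possible staging + exfiltration:", alert)
```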

It is useful to detect and disrupt attacks post-compromise for two reasons. The first is that these attacks are often ongoing and persistent, so disrupting them limits future harm to the organization, even though some harm may already have occurred. The second is that when attacks are detected, they can be analyzed, and this analysis will produce intelligence that may help detect future attacks earlier in their lifecycle.

Much of the action that occurs post-compromise occurs inside your systems and networks. Although command and control channels as well as final data exfiltration do cross your network perimeter, there is a lot of activity that does not. Unfortunately, many organizations have a perimeter-centric approach to network security. They don’t have a lot of visibility into what is going on inside their networks. They don’t have audit trails of internal network activity. Closing this internal network visibility gap can be a key ingredient in a comprehensive approach to protecting an organization from Advanced Persistent Threat.