Since the publication of Lockheed Martin’s Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains at the 6th Annual International Conference on Information Warfare & Security in March 2011, kill chain analysis has become widely adopted as the analytic framework for Advanced Persistent Threat (APT) defenses.
What is a Kill Chain? A kill chain is a common analytic methodology of kinetic warfare. Writing in Foreign Policy, Admiral Jonathan Greenert, Chief of Naval Operations, and General Mark Welsh, Chief of Staff of the Air Force, describe the kill chain concept while explaining the need for U.S. forces to maintain air and sea access:
… to attack our forces, an adversary must complete a sequence of actions, commonly referred to as a “kill chain.” …
[B]ecause each step must work, our forces can focus on the weakest links in the chain, not each and every one.
In applying kill chain analysis to APT, Lockheed Martin intrusion analysts Eric Hutchins, Michael Cloppert and Dr. Rohan Amin proposed the kill chain that appears on the right. They also describe the defensive strategies that apply at each step in the kill chain, which they summarize in this table (the acronyms can be found in Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains):
It is important to observe that the earlier in the Kill Chain that the adversary’s actions are disrupted, the less damage will have been sustained by the victim.
“The Cyber Kill Chain”
The linear Cyber Kill Chain can be further refined by expanding upon the persistent nature of the attack. This circular kill chain from Dell SecureWorks highlights the adaptive nature of the APT attacker.
The attacker is constantly adapting to the victim’s responses so that the attacker can evade detection and exploit the foothold to mount ongoing, surgical hit-and-run attacks that can remain undetected for years.
The key factor in the success of APT infiltration is the failure of the vigilant user. Trend Micro estimates that over 90% of APT attacks install their exploit using spearphishing. In its 2013 Data Breach Investigations Report, Verizon estimated that 95% of state-affiliated cyberespionage used spearphishing to accomplish the initial compromise. This is not because users are careless; it is because email is ideally suited for deception. If a clever attacker were tasked to design a system to infiltrate cyber-defenses, that attacker would be hard-pressed to design a system better than email. Three attributes of email converge to create the perfect infiltration system.
1. Email standards are designed to deliver email — a design feature which attackers exploit.
2. Email is two-faced — a technical face that is visible to systems/cyber-defenses and a separate face that is displayed to users. The face that users see displays whatever the sender puts into the displayed fields.
3. People are not email detectives — they primarily respond to three factors that are easy for an attacker to manipulate: Urgency Clues, Perceived Relevance and Habits.
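Attribute 2 above, the "two faces" of email, is concrete enough to check by machine. The following is an added example (not code from the original article or from Iconix) that parses a message and reports places where what the user sees differs from what the headers and markup actually say: a From display name that embeds an address on a different domain, a Reply-To or envelope sender (Return-Path) on a different domain, and links whose visible text names one host while the href targets another. The two sample messages, every address and every domain in them are constructed for the example; the checks use only the Python standard library.

```python
"""Report mismatches between the user-facing and the technical face of an email.
Added example; the sample messages and all domains in them are constructed."""
import email
import re
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed spearphish: the displayed name, Reply-To, envelope sender and link
# text all suggest corp.example, while the real sender and link target do not.
SAMPLE_PHISH = b"""Return-Path: <bounce@bulk-sender.example>
From: "Jane Doe - jane.doe@corp.example" <updates@evil.example>
Reply-To: jane.doe@corp-example.evil.example
To: staff@corp.example
Subject: URGENT: wire approval needed before 5pm
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please approve today's wire here:
<a href="http://corp-example.evil.example/login">https://portal.corp.example/login</a></p>
</body></html>
"""

# Constructed benign message from the same (fictional) organisation.
SAMPLE_CLEAN = b"""Return-Path: <jane.doe@corp.example>
From: Jane Doe <jane.doe@corp.example>
To: staff@corp.example
Subject: Q3 budget
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Slides: <a href="https://portal.corp.example/q3">portal.corp.example/q3</a></p></body></html>
"""


def domain_of(addr_spec: str) -> str:
    """Lower-cased domain part of an addr-spec ('' if there is none)."""
    return addr_spec.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Link text that itself looks like a URL or hostname (so the user reads it as a destination).
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)


def _host(url: str) -> str:
    """Hostname of a URL, tolerating link text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def inspect_message(raw: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no mismatch was seen."""
    msg: Message = email.message_from_bytes(raw)
    findings: list[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name that embeds an address on another domain: the user sees
    #    jane.doe@corp.example, the mail system delivers from evil.example.
    for claimed in re.findall(r"[\w.+-]+@([\w.-]+)", display_name):
        if claimed.lower() != from_domain:
            findings.append(f"From display name claims {claimed}, address is {from_domain}")

    # 2. Replies or bounces routed to a domain other than the visible sender's.
    #    A signal, not a verdict: legitimate bulk senders also do this.
    for header in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and domain_of(addr) != from_domain:
            findings.append(f"{header} domain {domain_of(addr)} differs from From domain {from_domain}")

    # 3. Links whose visible text names one host while the target is another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            if URL_LIKE.fullmatch(text) and _host(text) != _host(href):
                findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, inspect_message(raw) or ["no mismatches"])
```

Run as a script it prints four findings for the constructed phish and none for the benign message. Each check compares the field the user is shown against the field the mail system acts on, which is exactly the gap the article describes; none of them is proof of malice on its own, so in practice they feed a score or a user-facing warning rather than an automatic block.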
General Keith Alexander, NSA Director and Commanding Officer, US Cyber Command, in testimony before the U.S. Senate Armed Services Committee on March 27, 2012, estimated that 80% of cyber attacks could be stopped by improved user vigilance. The quandary is that the factors needed for better user vigilance are under the control of the attacker. This is where SP Guard from Iconix comes into action. By providing users with clear indications of trustworthy emails, spearphishing attacks are stripped of their key strategic advantage — deception.
Your users shouldn’t be the unwitting agents of cyber-infiltrators. Take your users back from the attackers — arm your users with SP Guard.