This post is the fourth in a series of posts (Intro, Reconnaissance, Weaponization), aligning the 20 Critical Security Controls (CSC) from the Center for Internet Security (CIS) to the seven steps of the Lockheed Martin Cyber Kill Chain (CKC™). As I wrote in the intro post, I believe it is time to rethink the way we go about protecting our assets and building our cybersecurity practices. Mapping the CIS Critical Security Controls (CSC) against the CKC™ produces a relatively short list of actions that dramatically reduces risk. This approach also aligns well with the NIST Cybersecurity Framework and the NIST Cybersecurity Framework Controls Factory Model (NCSF-CFM) that I wrote about previously.
At First Sight
Once weaponized, the exploit is usually delivered via website downloads, email, or USB tokens. This step is one of the most interesting to me since it’s the first opportunity to actively stop the attack chain. Put another way, it’s the last chance for the organization to disrupt the attack before a breach. NB, Delivery is also a step that leaves few traces in the logs, so prevention relies heavily on active scanning/IDS controls and excellent configuration hygiene.
At this stage, I see four primary defensive moves to identify malicious activity in time to disrupt the delivery of the malicious payload:
- Maintain browser security – Standardize on a browser and implement an endpoint management solution to manage software inventory and control browser use. It is imperative that all non-supported script languages are disabled and that all browser patches are up to date
- Anti-virus and anti-malware, particularly inline versions. This only works if the AV/AM engines use real-time heuristics and threat intel feeds to identify potentially dangerous payloads
- Correct use of a Web Application Firewall (WAF)
- Use of secure web gateways – Secure web gateways can significantly reduce the possibility of end users unintentionally installing backdoor malware variants
Critical Security Controls (CSC)
In addition to CSC1-3, the key CIS Critical Security Controls to disrupt the delivery step include CSC6, CSC7, CSC8, CSC11, CSC13, and CSC17:
CSC6 – Maintenance, Monitoring of Audit Logs – Manual audit log management is impossible, even for small network infrastructures. Event volume is increasing exponentially, and organizations need to keep a much longer log history for Incident Response and detection of APTs. All organizations need SIEM functionality
CSC7 – Email and Web Browser Protection – As mentioned above, standardized email clients and web browsers are step one. Step two is keeping those apps at the most current versions and patch levels. Step three is locking down the browser configs to disable unsupported scripting languages. This also includes web proxies, URL filtering, blocking, whitelisting, and email server hardening
CSC8 – Malware Defenses – Having the detection capabilities to identify artifacts of weaponization in addition to identifying malware
CSC11 – Secure Configuration of Network Devices – This requires rigorous change management and control. This is executed in conjunction with CSC3 – Secure configuration of all devices. Organizations should develop a gold config for network devices
CSC13 – Data Protection
CSC17 – Security Skills Assessment and Training – Though listed last, this could be the most important control against this step of the CKC. User awareness training can significantly reduce the effectiveness of phishing attacks and malicious attachments
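To make CSC6 and CSC7 concrete, here is a small added example of the kind of detection logic a SIEM or proxy-log pipeline would run at the delivery step: it reads web proxy log lines, applies a domain whitelist, and flags downloads of executable or macro-enabled files from domains that are not on the list. This is my own illustration, not code from CIS, NIST, or any proxy vendor; the log format is a simplified one I constructed for the example (timestamp, user, source IP, method, URL, status, content type), and the domains, users, and file names in the sample lines are made up.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample proxy log, one request per line, in a simplified
# format of my own: timestamp user src_ip method url status content_type
SAMPLE_LOG = """\
2017-10-18T09:12:01Z alice 10.1.2.3 GET https://updates.example.com/patch.msi 200 application/x-msi
2017-10-18T09:13:44Z bob 10.1.2.4 GET http://cdn.badhost-example.net/invoice.pdf.exe 200 application/octet-stream
2017-10-18T09:14:02Z bob 10.1.2.4 GET https://intranet.example.com/index.html 200 text/html
this line is deliberately malformed and should be skipped
2017-10-18T09:15:30Z carol 10.1.2.5 GET http://files.unknown-example.org/report.docm 200 application/vnd.ms-word.document.macroEnabled.12
2017-10-18T09:16:11Z dave 10.1.2.6 GET https://updates.example.com/notes.txt 200 text/plain
"""

# Whitelist of domains from which software downloads are expected (constructed).
ALLOWED_DOMAINS = {"updates.example.com", "intranet.example.com"}

# File extensions and content types commonly used to carry a payload at the
# delivery step; an illustrative set, not an exhaustive one.
RISKY_EXTENSIONS = {".exe", ".msi", ".scr", ".js", ".hta", ".docm", ".xlsm"}
RISKY_CONTENT_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-msi"}


@dataclass
class Finding:
    user: str
    url: str
    reason: str


def domain_allowed(host: str) -> bool:
    """True if host is a whitelisted domain or a subdomain of one.

    The leading dot on the suffix check matters: without it,
    'evilupdates.example.com' would match 'updates.example.com'.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, user, src_ip, method, url, status, ctype = parts
    return {"ts": ts, "user": user, "src_ip": src_ip, "method": method,
            "url": url, "status": status, "content_type": ctype}


def analyze(log_text: str) -> List[Finding]:
    """Flag risky file downloads that did not come from a whitelisted domain."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # a real pipeline would count these for data-quality alerting
        parsed = urlparse(rec["url"])
        host = parsed.hostname or ""
        path = parsed.path.lower()
        # Use the final extension so "invoice.pdf.exe" is judged as .exe
        ext = path[path.rfind("."):] if "." in path.rsplit("/", 1)[-1] else ""
        risky = ext in RISKY_EXTENSIONS or rec["content_type"] in RISKY_CONTENT_TYPES
        if risky and not domain_allowed(host):
            findings.append(Finding(
                user=rec["user"],
                url=rec["url"],
                reason=f"risky download ({ext or rec['content_type']}) from non-whitelisted domain {host}",
            ))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.user}: {f.url} -> {f.reason}")
```

Run against the sample log, the patch download from the whitelisted update server is ignored while the disguised executable and the macro-enabled document from unknown domains are both flagged. The point is the combination: the whitelist from CSC7 decides what is expected, and the centralized log review from CSC6 is what makes the comparison possible at scale.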
A Holistic Approach
The diagram below highlights the relationship between the CKC Delivery Phase, the NIST Cybersecurity Framework Core, and the CIS-20. It is critical to think of the kill chain as a continuous loop, as depicted in the drawing. For example, there may be multiple deliveries, based on repeated recon and weaponization cycles.
Moving on Down the Chain
To make this as actionable and succinct as possible, I have done my best to distill best practices at each step while adding my insights. I base much of this analysis on a report from NTT/Dimension Data, but I also draw from excellent work done by multiple organizations, including the Australian Government’s Cyber Security Centre, CIS, Lockheed Martin, NIST, Optiv, SANS, Trend Micro, and Verizon.
I welcome feedback to help refine this series. With critical and constructive feedback, I believe these posts may become an outline any organization may use to efficiently and effectively reduce its risk.
First stop was Introduction. Second stop was Reconnaissance. Last stop was Weaponization.
Next stop is Exploitation, ETA 10/25/2017