Turning Cyber Reconnaissance Opaque

This post is the second in a series of posts, aligning the 20 Critical Security Controls (CSC) from the Center for Internet Security (CIS) to the seven steps of the Lockheed Martin Cyber Kill Chain (CKC™). As I wrote in the intro postit is time to rethink the way we go about protecting our assets and building our cybersecurity practices. Mapping the CIS Critical Security Controls (CSC) against the CKC™ achieves a relatively short list of actions that may dramatically reduce risk. Also, this approach aligns well with the NIST Cybersecurity Framework and the NIST Cybersecurity Framework Controls Factory Model (NCSF-CFM) that I wrote about previously.

Phase I: Reconnaissance

The first phase of the CKC™ is Reconnaissance. During this step, the adversary collects as much information as possible about the target, much of which does not require explicit interaction with the organization’s IT infrastructure (i.e., no log entries), but as discussed below there may be telltale traces in the logs, even during this step.

Key Moves

At this stage, I see five primary defensive moves to limit the reconnaissance surface area, thus reducing the attacker’s ability to discover potential targets and approaches:

  1. Implement controls to identify any possible interaction with the IT infrastructure, quickly. Typically, look for scans and probes. For example, there may be a burst of login attempts against Outlook Web Access (OWA) as the adversary attempts to determine the invalid login lockout setting. Web analytics is critical for identifying potential adversary activity
  2. Conduct in-depth scans to identify all live IP addresses and open ports. Scan across multiple protocols and scan the cloud environment (e.g., check for exposed EC2 Security Groups on AWS)
  3. Deploy honeypots to provide the adversary with “easy recon,” incenting them to move to weaponization, rather than spending more effort to uncover potential vulnerabilities
  4. Educate employees about best practices to limit exposure of potentially sensitive information
  5. Conduct external threat intel scans and social media tracking to identify the disclosure of potentially leverageable publicly available information (e.g., looking on Pastebin and the dark web for corporate and staff PII)

Key CIS-20 Controls

Please note that in my first post, I described CSC1, CSC2, CSC3, and CSC6 as fundamental to every step, including this one. Additional controls to detect and disrupt the recon step are CSC9, CSC11, CSC12, and CSC20:

  • CSC3 – Secure Configuration of Hardware and Software – Much recon activity is possible due to weak configurations and these poor, and misconfigured systems are an attractive target
  • CSC6 – Maintenance, Monitoring of Audit Logs – This is the only opportunity to catch scans and probes as an indicator of a potential attack vector. Of course, one must be recovering the right logs and retaining them long enough. A significant consideration is the attack velocity. Ideally, attacks are verbose and intense, but the attack could be low and slow (possibly an Advanced Persistent Threat (APT)). In the latter case, it is critical that the log retention times be very long, or even, forever
  • CSC9 – Limitation and Control of Network Ports, Protocols, and Services – The tighter the lockdown, the less leverageable the recon data
  • CSC11 – Secure Configuration of Network Devices – Routers and access points with default passwords are easy targets. Lock them down!
  • CSC12 – Boundary Defense – Recon will detect weak boundary defense which could increase the likelihood of tactics such as exfiltration of data by tunneling via non-standard protocols
  • CSC20 – Penetration Test and Red Team Exercises – Though listed last, this is one of an essential control because it gives a Red Team the ability to see what adversaries see as they conduct their recon efforts

What Goes Around Comes Around

The below diagram highlights the relationship between the CKC Reconnaissance Phase, The NIST Cyber Security Framework Core, and the CIS-20. It is critical to think of the kill chain as a continuous loop, as depicted in the drawing. For example, recon could initially be external, and once the adversary establishes a foothold (Install), they will launch recon internal to the Firewall.

Moving on Down the Chain

To make this as actionable and succinct as possible, I have done my best to distill best practices at each step while adding my insights. I base much of this analysis on a report from NTT/Dimension Data, but I also draw from excellent work done by multiple organizations, including the Australian Government’s Cyber Security Centre, CISLockheed MartinNISTOptivSANSTrend Micro, and Verizon.

I welcome feedback to help refine this series. With critical and constructive feedback, I believe these posts may become an outline any organization may use to efficiently and effectively reduce its risk.

Next stop is Weaponization, ETA 10/23/2017