This post is the third in a series of posts (Intro, Reconnaissance), aligning the 20 Critical Security Controls (CSC) from the Center for Internet Security (CIS) to the seven steps of the Lockheed Martin Cyber Kill Chain (CKC™). As I wrote in the intro post, I believe it is time to rethink the way we go about protecting our assets and building our cybersecurity practices. Mapping the CIS Critical Security Controls (CSC) against the CKC™ achieves a relatively short list of actions that dramatically reduces risk. Also, this approach aligns well with the NIST Cybersecurity Framework and the NIST Cybersecurity Framework Controls Factory Model (NCSF-CFM) that I wrote about previously.
Stopping the attack at this point is extremely difficult since, from the perspective of corporate IT, weaponization occurs offline. If the organization picks up on the recon activity, however, it can anticipate and block the weaponization that follows. For example, if we see SQL scans, then the likely target is SQL Injection weaknesses. Or, if the scans are probing Apache rev/patch levels, that could indicate a potential exploit such as a Struts vulnerability.
At this stage, I see three primary defensive moves to deter potential weaponization:
- Actively pursue threat intelligence to track current weaponization techniques
- Deploy honeypots as a means to drive the adversary to invest in a delivery mechanism against a vulnerability resident in the honeypot
- Deploy tools and training to detect elements of recon as early indicators of potential delivery vectors. Also, prepare the Incident Response team to identify possible attack vectors based on recon artifacts
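Here is an added example of the kind of tooling the third bullet describes, and of the recon-to-weaponization inference sketched earlier (SQL scans point at SQL injection; version/patch probing of the web server points at a server or framework exploit). It is illustrative code written for this post, not code from the original series or from any of the organizations it cites. It parses a small, constructed Apache combined-format access log (RFC 5737 documentation addresses, not real traffic), tags each request with the recon category it matches, and maps each source's recon profile to the weaponization it most likely precedes. The signature patterns, category names and the INFERENCE table are assumptions chosen for the demonstration; a production deployment would replace them with the organization's own threat-intelligence feeds.

```python
"""Classify web-server recon artifacts to infer likely weaponization targets.

Added illustrative example (not code from the original post). The rules encode
two inferences from the post: SQL-injection probing foreshadows SQLi
weaponization, and version/patch probing of the web server foreshadows a
server/framework exploit.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample log lines (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2017:12:00:01 +0000] "GET /login.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 512 "-" "sqlmap/1.1.8"
203.0.113.10 - - [10/Oct/2017:12:00:02 +0000] "GET /search?q=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:12:01:15 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Nikto/2.1.6"
198.51.100.7 - - [10/Oct/2017:12:01:16 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "Nikto/2.1.6"
198.51.100.7 - - [10/Oct/2017:12:01:17 +0000] "GET /struts2-showcase/ HTTP/1.1" 404 196 "-" "Nikto/2.1.6"
192.0.2.55 - - [10/Oct/2017:12:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Recon signatures (assumed for this example). They run on the URL-decoded
# path so encoded payloads (%27 = quote, %20 = space) are not missed.
SQLI_PROBE = re.compile(r"(?:'\s*or\s*'|union\s+select|sleep\(\d+\))", re.I)
VERSION_PROBE = re.compile(r"(?:^/server-(?:status|info)\b|/struts2?-|^/manager/html\b)", re.I)
SCANNER_UA = re.compile(r"(?:nikto|sqlmap|nmap|masscan)", re.I)

# Category -> the weaponization the post says that category foreshadows.
INFERENCE = {
    "sqli_probe": "SQL injection against the web application",
    "version_probe": "web server / framework exploit matched to the disclosed version",
    "scanner_ua": "automated vulnerability scan (watch for any of the above)",
}


def parse_line(line):
    """Return the parsed fields of one combined-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["path"] = unquote(fields["path"])  # decode before signature matching
    return fields


def classify(fields):
    """Return the set of recon categories a parsed request falls into."""
    cats = set()
    path, ua = fields["path"], fields["ua"]
    if SQLI_PROBE.search(path) or "sqlmap" in ua.lower():
        cats.add("sqli_probe")
    if VERSION_PROBE.search(path):
        cats.add("version_probe")
    if SCANNER_UA.search(ua):
        cats.add("scanner_ua")
    return cats


def summarize(log_text):
    """Count recon categories per source IP; sources with no hits are omitted."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # skip malformed lines rather than crash the pipeline
        for cat in classify(fields):
            per_ip[fields["ip"]][cat] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


def infer_targets(summary):
    """Map each source's recon profile to the weaponization it likely precedes."""
    return {ip: sorted(INFERENCE[cat] for cat in counts) for ip, counts in summary.items()}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, targets in infer_targets(summary).items():
        print(f"{ip}: {summary[ip]}")
        for target in targets:
            print(f"    likely weaponization: {target}")
```

The output is a short per-source list the IR team can hand to whoever owns the affected tier: the first source's profile points at SQL injection in the web application, the second's at whatever the server's disclosed version is vulnerable to, and the benign client never appears. The decode-before-match step matters in practice; matching on the raw, still-encoded path silently misses the first two requests.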
Key CIS Critical Security Controls to implement to disrupt the weaponization step include CSC9, CSC17, and CSC19 (also CSC1, CSC2, CSC3, and CSC6):
- CSC9 – Limitation and Control of Network Ports, Protocols, and Services – This includes layered perimeter defense with network segmentation and extensive use of IDS/IPS on these segments. This lockdown has to occur in both physical and virtual environments, along with vulnerability scanners properly configured to scan all ports and protocols for potential vulnerabilities
- CSC17 – Security Skills Assessment and Training – The more aware staff are of their role in an attack, the less likely weaponization will succeed. For example, if the staff is trained to always “hover before clicking,” the likelihood of a drive-by download is significantly reduced
- CSC19 – Incident Response and Management – It’s critical that IR has the tools and knowledge to detect artifacts of weaponization as a means to better understand the intent, scope, and target of the attack
What Goes Around Comes Around
The diagram below highlights the relationship between the CKC Weaponization Phase, the NIST Cyber Security Framework Core, and the CIS-20. It is critical to think of the kill chain as a continuous loop, as depicted in the drawing. For example, after establishing a foothold and conducting additional reconnaissance, the adversary could develop a second weaponization step based upon the discovery of a new vulnerability.
Moving on Down the Chain
To make this as actionable and succinct as possible, I have done my best to distill best practices at each step while adding my insights. I base much of this analysis on a report from NTT/Dimension Data, but I also draw from excellent work done by multiple organizations, including the Australian Government’s Cyber Security Centre, CIS, Lockheed Martin, NIST, Optiv, SANS, Trend Micro, and Verizon.
I welcome feedback to help refine this series. With critical and constructive feedback, I believe these posts may become an outline any organization may use to efficiently and effectively reduce its risk.
First stop was Introduction. Last stop was Reconnaissance.
Next stop is Delivery, ETA 10/24/2017