Cyber kill chain is outdated, says Carbon Black

The chief cyber security officer of Carbon Black calls for a new cognitive paradigm to fend off cyber adversaries that are now attacking in cycles

The cyber kill chain model that cyber defenders use to guide their threat detection and prevention efforts is outdated, says the top cyber security expert at Carbon Black.

Speaking to Computer Weekly on the sidelines of RSA Asia-Pacific and Japan earlier this month, Tom Kellermann, chief cyber security officer at Carbon Black, said that while Lockheed Martin did a good job laying out the different stages of the cyber kill chain, hackers now attack in cycles.

Conceived in the early 2000s, Lockheed Martin’s cyber kill chain framework identifies the work performed by cyber adversaries in order to achieve their objectives. These include reconnaissance, weaponisation, delivery, exploitation, installation, command and control (C2) and action on objectives.

“It’s no longer relevant because attacks are now iterative, and combinations of TTPs [tactics, techniques and procedures] are now dynamic,” said Kellermann. “And because of island-hopping and counter incident response, we need a new cognitive paradigm.”

In this new paradigm, cyber defenders should focus on the attack loop comprising the three phases of an attack: reconnaissance and illustration; manipulation and maintenance; and execution and exploitation.

And in each phase, Kellermann said cyber defenders should pay heed to tactical phenomena, particularly in the second phase where lateral movement is likely to occur.

In fact, cyber attackers are making lateral movements 70% of the time, not just by exploiting Windows PowerShell scripts and process hollowing techniques, but also through corporate Dropbox drives.

Getting inside victims’ IT infrastructure

In some cases, cyber attackers are even tapping operational technology housed in buildings and facilities to get inside their victims’ IT infrastructure.

“This is a challenge we all face because typically the head of cyber security is not the head of facility security. And because of that, the traditional heads of building security are deploying technology to improve physical security. But in doing so they’re dramatically increasing the attack surface,” said Kellermann.

In the third phase, attackers are also likely to launch disinformation campaigns and system integrity attacks in a bid to confuse their victims and throw them off-course. “So that integrity attack and manipulation phenomenon that we were all worried about 10 years ago is now manifesting,” he said.

When mounting a response, Kellermann urged cyber defenders to be careful about conducting their operations too loudly as adversaries no longer leave their victims’ environments after they are exposed.

“No longer are they leaving when you turn on the lights and call the police – they’re choosing to stay and fight,” said Kellermann. “I’m not sure why cyber space has become more punitive – it could be geopolitical tension, but it could also be the decades of low prosecution rates.”

It could also be because incident response teams are terminating C2 servers and dismantling buffer posts associated with an attack, annoying adversaries to the point that they have decided to fight back.

The way forward would be to conduct regular cyber threat hunting, based on TTPs rather than indicators of compromise. “Before we go to bed at night, we need to search our homes to make sure no window is open and no one’s in the basement or the garage.”

A key aspect of threat-hunting is the use of deception technology to deploy traps in an organisation’s IT infrastructure to nab cyber adversaries and uncover their TTPs.

Noting that Carbon Black is integrated with major deception vendors through application programming interfaces, Kellermann said the company is able to capture a large volume of telemetry data – whether it is good or bad – that might point to a cyber attack.

“We can’t always define if certain behaviour is bad or good, but we need to over time understand all of the activity on an endpoint,” said Kellermann.

“That’s because regardless of whether they use the endpoint to target an organisation, they will exfiltrate or execute on the endpoint at some point in the future – whether it’s lateral movement or the release of your secrets and intellectual property.

“They may even use the endpoint to release the second payload through inside of you, because they choose to stay long term.”

Likening the current state of cyber security to guerrilla warfare, Kellermann said that cyber adversaries now know what organisations know about them, and are looking to change the way cyber defenders think.

“It’s not sufficient for them to just take your ideas,” he said. “They want to hinder your capacity to react to them, they want to hinder your capacity to compete with them and they want to hinder your capacity to be you.”
