Cyber Exploitation: Detonate on Impact
Ted Ritter, CISSP
Cyber Author, Technical Marketing, Sales Engineer, and Djembe Drummer
This post is the fifth in a series (Intro, Reconnaissance, Weaponization, and Delivery) aligning the 20 Critical Security Controls (CSC) from the Center for Internet Security (CIS) to the seven steps of the Lockheed Martin Cyber Kill Chain (CKC). As I wrote in the intro post, I believe it is time to rethink the way we go about protecting our assets and building our cybersecurity practices. Mapping the CIS Critical Security Controls (CSC) against the CKC yields a relatively short list of actions that dramatically reduces risk. This approach also aligns well with the NIST Cybersecurity Framework and the NIST Cybersecurity Framework Controls Factory Model (NCSF-CFM) that I wrote about previously.
Detonate on Impact
Once delivered, the exploit is activated. Typically, exploits target applications or operating system vulnerabilities.
At this stage, I see seven primary defensive moves to minimize the opportunity for the exploit to execute:
- Application whitelisting is one of the best ways to limit the potential of an exploit executing. For organizations where this is not workable, blacklisting is better than nothing
- Use a sandbox or some other means to “detonate” the malicious code in a safe environment. This can provide useful analysis of the exploit's goals and tactics
- Run an active pen testing program to detect and mitigate potential vulnerabilities
- Use a tool like Windows Defender Exploit Guard (WDEG), the recent replacement for the Enhanced Mitigation Experience Toolkit (EMET), and Data Execution Prevention (DEP) as disruption mechanisms. Windows Defender Exploit Guard contains four components: Attack Surface Reduction (ASR), Network Protection, Controlled Folder Access, and Exploit protection (the direct EMET replacement). DEP defines whether certain memory locations are executable or nonexecutable, specifically to disrupt exploits such as buffer overflow attempts and malicious code
- Address space layout randomization – Available on Windows and Linux platforms, this feature can disrupt buffer overflow-based attacks
- Remove externally facing remote admin consoles for web apps – Most web apps offer a remote admin console for configuration and management. This is a prime target for attackers
- Patch, patch, patch, patch, patch
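A Windows binary opts in to DEP and ASLR through the DllCharacteristics flags in its PE header, so an inventory of which executables lack those flags shows where the two mitigations above are not in effect by default. The sketch below is an added example, not part of the original post; the sample images and file names are constructed header-only stand-ins, and the function names are my own.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification
FLAGS = {
    "ASLR (DYNAMIC_BASE)": 0x0040,
    "High-entropy ASLR (HIGH_ENTROPY_VA)": 0x0020,
    "DEP (NX_COMPAT)": 0x0100,
    "Control Flow Guard (GUARD_CF)": 0x4000,
}

def pe_mitigations(data: bytes) -> dict:
    """Return {mitigation: bool} read from a PE image's optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = pe_off + 4 + 20                                 # skip signature + COFF header
    if len(data) < opt + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return {name: bool(chars & bit) for name, bit in FLAGS.items()}

def missing_mitigations(data, required=("ASLR (DYNAMIC_BASE)", "DEP (NX_COMPAT)")):
    """List the required mitigations the image has not opted in to."""
    found = pe_mitigations(data)
    return [name for name in required if not found[name]]

def make_sample_pe(dll_characteristics: int) -> bytes:
    """Constructed header-only PE32+ image for the demo (not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, 0x0022)
    optional = bytearray(0xF0)
    struct.pack_into("<H", optional, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(optional)

if __name__ == "__main__":
    # Constructed samples: file name -> DllCharacteristics value
    samples = {"hardened.exe": 0x4160, "legacy.exe": 0x0000, "aslr_only.exe": 0x0040}
    for name, chars in samples.items():
        gaps = missing_mitigations(make_sample_pe(chars))
        print(f"{name}: missing {', '.join(gaps) if gaps else 'nothing'}")
```

To audit real files, pass the first few kilobytes of each executable or DLL to `missing_mitigations`; binaries that show gaps are the ones to cover with system-level DEP and Exploit protection settings.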
Key CIS Critical Security Controls to implement to disrupt the delivery step include 4, 5, 8, 17, and 18:
CSC4 – Continuous Vulnerability Assessment and Remediation – This requires running frequent vulnerability scans and, as mentioned above, scanners need credentials to authenticate to the target systems
CSC5 – Controlled Use of Administrator Privileges – Far too often, end-users have admin privileges on their machines. Organizations must take a least privilege approach (calling on CSC14 – Need to know). One area that many organizations overlook is shared computers, such as conference room computers. In addition to limiting admin privileges, logging must be enabled to identify any systems where admin privileges are changed. This also calls for admin privileges on all network devices
CSC8 – Malware Defense – This refers to enterprise-grade anti-malware. It is important to have centralized logging to prevent local malware from covering its tracks by deleting local log entries. This step also includes file reputation tracking/management and routinely blocking PUAs, as well as detonating suspect executables in sandboxes to detect malicious activity. Of course, as discussed throughout, anti-malware is necessary but not sufficient to stop the CKC. It still has challenges with quickly morphing malware and extensive use of encryption
CSC17 – Security Skills Assessment and Training
CSC18 – Application Software Security – Hackers often look for web application security flaws as their path of least resistance. Security best practices need to be included in the full software design lifecycle (SDLC). This includes proper code hygiene: eliminating unused libraries, standardizing and limiting error messages, scrubbing debug and comment code from production releases, and implementing least privilege (CSC14) on all database access. This step aligns with CSC12 – Boundary Defense to include a web application firewall (WAF) as part of the overall boundary defense strategy. This step also closely aligns with CSC20 – Penetration Testing to run web application attacks. Finally, it is critical to closely track vulnerabilities against open source libraries in production code. These are another low-hanging fruit for adversaries
A Holistic Approach
The diagram below highlights the relationship between the CKC Exploitation Phase, the NIST Cybersecurity Framework Core, and the CIS-20. It is critical to think of the kill chain as a continuous loop, as depicted in the drawing. For example, there may be multiple exploits, based on recon, weaponization, and delivery cycles.
Moving on Down the Chain
To make this as actionable and succinct as possible, I have done my best to distill best practices at each step while adding my insights. I base much of this analysis on a report from NTT/Dimension Data, but I also draw from excellent work done by multiple organizations, including the Australian Government's Cyber Security Centre, CIS, Lockheed Martin, NIST, Optiv, SANS, Trend Micro, and Verizon.
I welcome feedback to help refine this series. With critical and constructive feedback, I believe these posts may become an outline any organization - especially smaller organizations - may use to efficiently and effectively reduce its risk.
Next stop is Install, ETA 10/26/2017