Cyber Installation - No Tools Necessary?
Ted Ritter, CISSP
Cyber Author, Technical Marketing, Sales Engineer, and Djembe Drummer
This post is the sixth in a series of posts (Intro, Reconnaissance, Weaponization, Delivery, and Exploitation) aligning the 20 Critical Security Controls (CSC) from the Center for Internet Security (CIS) to the seven steps of the Lockheed Martin Cyber Kill Chain (CKC®). As I wrote in the intro post, I believe it is time to rethink the way we go about protecting our assets and building our cybersecurity practices. Mapping the CIS Critical Security Controls (CSC) against the CKC® yields a relatively short list of actions that dramatically reduces risk. This approach also aligns well with the NIST Cybersecurity Framework and the NIST Cybersecurity Framework Controls Factory Model (NCSF-CFM) that I wrote about previously.
Some Assembly Required
Once the exploit has run, the next step is establishing an actionable foothold by creating a remote access trojan or backdoor to achieve persistence. The good news is that it is not too late to break the chain. The bad news is that once the foothold is achieved, the chances of stopping the attack drop quickly.
At this stage, I see five approaches to reduce the opportunity for malware installation as well as preventing other actions that give the attacker a persistent foothold:
- Limit the use of command-line-based tools – This is an often overlooked requirement, since the exploit is frequently not an executable binary but rather a script run on a command-line interface (e.g. Microsoft PowerShell and Linux terminals).
- Implement network and user behavior monitoring – Personally, I have mixed feelings about NBAD, since I find the hype is over the top, especially when one throws in Big Data. However, as mentioned below for malware defense, network and user behavior monitoring is necessary but not sufficient to block this step on its own.
- File execution restrictions – This goes hand-in-hand with anti-malware controls.
- Configure User Account Control (UAC) in Microsoft environments, particularly to flag potential escalation of privileges.
- Configure and implement full-stack firewalls.
In addition to CSC1, CSC2, and CSC3, the key Critical Security Controls to implement to disrupt the installation step are CSC4, CSC6, and CSC8:
CSC4 – Continuous Vulnerability Assessment and Remediation.
CSC6 – Maintenance, Monitoring of Audit Logs – Actively monitoring logs is critical to detect indicators of compromise, particularly those related to account creation and installation of a Remote Access Trojan (RAT).
CSC8 – Malware Defenses – This is a must-have, but there is a big caveat here: much advanced malware is quite stealthy and able to slip by malware defenses. This is definitely necessary, but not sufficient to prevent installation.
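To make the command-line restriction and the CSC6 log-monitoring points above concrete, here is an added example (not code from the original post) that triages constructed Windows Security/System events for installation-stage indicators: script interpreters launched with evasive flags, new account creation, and services or scheduled tasks whose binary lives in a user-writable path. The event IDs (4688, 4720, 7045, 4698) are real Windows IDs; every field value and the rule thresholds are assumptions made for this example.

```python
import re

# Constructed sample events modelled on Windows Security/System log fields.
# The event IDs are real Windows IDs; the user, path and command values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand PLACEHOLDER_B64"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "svc_backup"},
    {"EventID": 7045, "ServiceName": "WinUpdateHelper",
     "ImagePath": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\Microsoft\Windows\Sync",
     "TaskContent": r"<Command>C:\ProgramData\sync.exe</Command>"},
]

# Script hosts whose use the post recommends limiting.
INTERPRETERS = re.compile(r"\\(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$", re.I)
# PowerShell switches commonly paired with hidden or encoded execution (prefix forms included).
EVASIVE_FLAGS = re.compile(
    r"-(EncodedCommand|e[nc]?|WindowStyle\s+Hidden|w\s+hidden|ExecutionPolicy\s+Bypass)\b", re.I)
# Locations an ordinary user can write to; a service/task binary here is a persistence red flag.
USER_WRITABLE = re.compile(r"^C:\\(Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.I)


def triage(events):
    """Return one finding per event that matches an installation-stage detection rule."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4688 and INTERPRETERS.search(ev.get("NewProcessName", "")):
            if EVASIVE_FLAGS.search(ev.get("CommandLine", "")):
                findings.append({"rule": "interpreter_evasive_flags",
                                 "user": ev.get("SubjectUserName"), "event": ev})
        elif eid == 4720:  # account creation, called out explicitly under CSC6
            findings.append({"rule": "account_created", "user": ev.get("SubjectUserName"),
                             "target": ev.get("TargetUserName"), "event": ev})
        elif eid == 7045 and USER_WRITABLE.match(ev.get("ImagePath", "")):
            findings.append({"rule": "service_from_user_writable_path",
                             "path": ev["ImagePath"], "event": ev})
        elif eid == 4698:  # scheduled task created; inspect the command inside the task XML
            m = re.search(r"<Command>([^<]+)</Command>", ev.get("TaskContent", ""))
            if m and USER_WRITABLE.match(m.group(1)):
                findings.append({"rule": "task_from_user_writable_path",
                                 "path": m.group(1), "event": ev})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["rule"], "-", f.get("user") or f.get("path"))
```

Process command-line logging (the CommandLine field on 4688) is off by default and must be enabled by policy, otherwise the interpreter rule has nothing to match on.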
A Holistic Approach
The diagram below highlights the relationship between the CKC Installation phase, the NIST Cybersecurity Framework Core, and the CIS-20. It is critical to think of the kill chain as a continuous loop, as depicted in the drawing. For example, there may be multiple installs, based on repeated recon, weaponization, delivery, and exploit cycles.
Moving on Down the Chain
To make this as actionable and succinct as possible, I have done my best to distill best practices at each step while adding my insights. I base much of this analysis on a report from NTT/Dimension Data, but I also draw from excellent work done by multiple organizations, including the Australian Government's Cyber Security Centre, CIS, Lockheed Martin, NIST, Optiv, SANS, Trend Micro, and Verizon.
I welcome feedback to help refine this series. With critical and constructive feedback, I believe these posts may become an outline any organization - especially smaller organizations - may use to efficiently and effectively reduce its risk.
Next stop is C&C, ETA 10/27/2017