A follow-up to the article on TIME.
We’ve talked about the impact of time on the attacker and the defender. This led us to the Cyber Kill Chain (CKC) and a very quick introduction to how it can buy the defender more time during an engagement. CKC provides a way to explain the steps of an attack in a simplified manner.
It looks simple, right? Well, of course it’s not. Each step has a lot of thought behind it, and both parties, the attacker and the defender, have a role to play at each step.
The first phase of the kill chain is Reconnaissance, which is more than its name implies. It is as much about Social Engineering and Human Malware as it is about Electronic Surveillance and Penetration Testing of your environment and defenses in advance of the attack’s exploitation. Your business most likely does not apply Operations Security (OPSEC) to its day-to-day business dealings or outside communications.
You may have agreed to give a referral for your Vendors, including your Security Vendors, about how well their product keeps your company safe. Your name and/or company logo is now recorded on the Internet as using their products to protect you. You have posted want ads on job sites requesting IMMEDIATE hiring of new employees to work with such-and-such Security Tool, or to work as part of your SOC team at different skill levels with specific application or OS backgrounds.
This is the second piece of information your future attacker needs to know about you. First, they have researched your business, including your market share, revenue and employees. They will map you and identify weaknesses in your team and operations model to exploit against you. All of this goes into the business plan they use to profit from you via Business Email Compromise (BEC), Ransomware or, worse, a Remote Administration Trojan (RAT) attack to steal or modify company secrets.
The tweets, chats, stories and text messages of your employees will be collected from Social Media and other sources. Your staff may be offered a job interview and asked about what they do now, plus the tools or issues they see each day, all so the attacker knows you better and can simplify the attack. This all sounds like fantasy or a Mission Impossible script, but it happens every day worldwide, including here in Indonesia. Billions (milyars) are lost weekly, if not daily, across the country to successful attacks based on these steps.
Why would anyone go through all of this work? Simple: for the Money, Intellectual Property, or simple power over you, your business or our country. Advanced Persistent Threats (APTs) are Criminal or Nation State Organizations that use these techniques to profit off the ill-prepared. Mass-scale hacks of opportunity will also use some techniques like these to tune or target their attacks on a broader regional or national population. The APT, on the other hand, will use these tactics and techniques like a great surgeon to cut through your protections. One is simple brute force and the other an extreme sneak thief; either way, if you don’t prepare for them you will lose.
Prepared? Are you? That is the big question. If you are the average business I’ve met in Indonesia, with a Stateful Firewall and an unmanaged Antivirus-only solution, sorry, you are UNDER PREPARED, like a person trying to win a long-range missile battle with a knife; you are outclassed in this war. The Cybersecurity Framework (CSF), the standard for Security Maturity referenced by BSSN, is more comprehensive than ISO 27001, requiring an additional 134 controls. ISO 27001 is the beginning of the solution needed for Cybersecurity, but it is only the first step, and CSF covers all of ISO 27001. Businesses need to complete ISO 27001, but they must understand that this is only 56% of the controls, across People, Policy and Technology, required today for Security 4.0 protection.
Back to that Stateful Firewall and the impact of change. When we first started to use firewalls back in the 1990s, they were the first way to protect our networks, providing wonderful Layer 2-3 protection beyond what our routers could effectively do without performance loss. The Attack Surface (the way we got hacked back then) has changed massively since the 1990s, but most firewall implementations have not.
Firewalls and other network protections in the 1990s, such as Network Intrusion Prevention Systems as they were added, had an ability then that they don’t have today: visibility of the data on the Network. Today the Layer 2-3 data is still in the clear, but the content of the packet at Layer 4-7 is encrypted more and more each day by SSL and TLS. The only systems with clear-text access to the data by default are the two ends of the session. This lack of visibility degrades the effectiveness of the Firewall: as more and more established sessions are created, the Firewall does its job and allows the new sessions to grow, because they are part of the “TRUSTED” first connection started by the internal endpoint.
Layer 7 Gateways and Application-level firewalls go far to provide the required protections, but they themselves are not best for Data Center protection, as they only watch the outbound session and not the new inbound sessions to your servers. A Reverse Proxy, in addition to the Internet Access Gateway, should be added to the Data Center for full Network-to-Application level protection.
At the Endpoint you need a full Application Layer 7 Firewall service installed that has access to Real-Time changes in its protection rules. The Internet changes extremely fast and in the future will move even faster. Your protections against Reconnaissance at the Network layer have to be able to defend you against over 40 years of tactics and techniques that criminal hackers have to draw on. You cannot forget the old and only protect against the latest threats. We see daily, at the endpoint level, attacks dating from the 90s and early 20s that are bypassing customers’ Network protections. TOO MUCH TRUST is given to incoming traffic from the Internet.
The Firewall should allow your environment to go to the Internet and provide NAT (Network Address Translation) on all outbound traffic. Systems that need to be reached from the outside need to be in a DMZ, completely separated from the other endpoints. Region protections should be in place: if your users are only in Indonesia, there is no reason to accept incoming traffic from Eastern Europe. Better still, communications should be on a VPN, or best of all on a Virtual LAN based on a VL2 system. NOTHING should be able to see or touch your Internal systems at Layer 2 to 7 without a security inspection. Hiding scripts and other malicious actions inside an established session is 100% normal for Criminal Hackers today.
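As an added example (not from the article), the edge firewall policy just described, together with the “trusted established session” problem from the earlier paragraph on visibility, expressed as an nftables ruleset. Interface names, address ranges, the public address and the blocked-region prefix are placeholders, not real values.

```nftables
define WAN = "eth0"                  # placeholder interface names
define LAN = "eth1"
define DMZ = "eth2"
define WEB_PROXY = 192.168.100.10    # placeholder: reverse proxy in the DMZ
define PUBLIC_IP = 198.51.100.5      # placeholder: our public address

table inet edge {
    # Regions with no business reason to reach you. Fill this from a
    # maintained geo-IP feed; the prefix below is only a placeholder.
    set blocked_regions {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept   # replies to the firewall's own sessions
        iif $LAN tcp dport 22 accept          # management only from the LAN
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        # Region block sits before the state rule so a blocked source can
        # never ride along inside a "trusted" established session.
        iif $WAN ip saddr @blocked_regions drop
        # This is the rule the article warns about: anything carried inside a
        # session the inside opened is forwarded without inspection, so it must
        # be paired with the endpoint Layer 7 firewall and an Internet Access
        # Gateway rather than relied on alone.
        ct state established,related accept
        iif $LAN oif $WAN accept              # LAN may reach the Internet
        iif $LAN oif $DMZ drop                # LAN and DMZ never talk directly
        iif $DMZ oif $LAN drop
        # The only new inbound sessions allowed: HTTPS to the DMZ reverse proxy.
        iif $WAN oif $DMZ ip daddr $WEB_PROXY tcp dport 443 ct state new accept
    }

    chain prerouting {
        type nat hook prerouting priority -100;
        iif $WAN ip daddr $PUBLIC_IP tcp dport 443 dnat ip to $WEB_PROXY
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oif $WAN masquerade                   # NAT all outbound traffic
    }
}
```

Load it with `nft -f` on a Linux gateway (kernel 5.2 or later for masquerade in an inet table) and confirm with `nft list ruleset` that the region-block rule precedes the established/related accept in the forward chain.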
Reconnaissance by a successful APT starts with you and your business’s permanent Internet Record. Once they have determined the best way to make money off you, they will move on to digital mapping of your environment to verify the earlier data. From here, step two begins with Weaponization, the creation of the tools to move through your Network for delivery.
Weaponization and Delivery will be covered in detail in the next article. Please look at how you are protecting yourself today. Are you still using best practices from the 1990s, or have you moved to protections based on current best practices like CSF, MITRE ATT&CK and CKC? Do your architecture and application design and development planning include TOGAF and OWASP? Or is this the first time you are seeing these terms? CKC comes first, but we will be providing articles about these other topics in the future. Good Luck and Stay Safe.
BIO Data:
Frank Rand Boatwright III (CISSP) is the COO and Chief Geek for PT. DNA, which does business as Naga Cyber, Naga Cybersecurity and Naga Cyber Defense. He has 41 years of experience in IT and 34 years of Cybersecurity experience across the full spectrum of Cyber as a Presenter, Teacher and Enterprise Security Solutions Architect, working in the Americas, Europe, Middle East and Asia for Global 2000 Businesses and Governments as part of Intel, Intel Security, McAfee, Citadel, Micromuse, GTEI, MCII and the USAF.