Tracking the cyber kill chain: 'spot and block' no longer enough

It must be hard as an IT security professional not to feel overwhelmed by the sheer scale and sophistication of the threats facing your organisation, as the language used to describe modern cyber-attacks has become increasingly militaristic.

David Flower, Bit9

We talk of “weaponised” payloads, “command and control” infrastructure and the “cyber-kill-chain”. More than ever, today's threat landscape depicts a struggle between “us and them”, with embattled security teams holed up in their bunker, following orders to repel attack after attack.

We need to take a step back, accept that some attacks will get through our defences, and focus on monitoring that kill chain for signs of infection. It's the best chance we've got of neutralising a more agile, determined and resourceful enemy.

Formidable foe

Where once our cyber-adversaries were bedroom hobbyists, now they're state-sponsored operatives and financially motivated crime syndicates. Where are they focusing their efforts? At the endpoint. PCs, laptops, servers, Point of Sale systems: these form the gateway to the organisation and an attack surface that's expanded exponentially in recent years. They want your data – whether it's customer information, sensitive IP or trade secrets – and they've become extremely adept at getting it. The most advanced threats use zero-day and polymorphic malware never seen before to bypass traditional AV blacklists. And they're using sophisticated spear-phishing attacks to spread this malware.

As if this external threat wasn't difficult enough to defend against, IT security managers must also keep one eye on the enemy within. Some 20 percent of the worst security breaches of the year were caused by “deliberate misuse of systems by staff”, according to the government's 2014 Information Security Breaches Survey. If you still need convincing, look no further than Morgan Stanley, which was forced to sack a senior member of staff after he allegedly stole data relating to up to ten percent of the firm's Wealth Management accounts.

Money, money, money

The problem with advanced targeted attacks is that they've been specifically crafted to fly under the radar of traditional defences. They'll quietly infect systems and lie hidden for months or even years without detection – all the while exfiltrating sensitive data. The recently discovered Equation Group, for example, is said to have remained undetected for at least 14 years.

The longer they stay undetected, the more it's going to hurt. This is because the attackers will have had time to bounce around inside your network to find what they're looking for and begin siphoning off that key data in earnest. Once a breach is discovered, there follows the inevitable damaging media coverage, share price slump, customer exodus, potential industry fines, brand damage and legal costs. In the UK, the average cost of a breach to large firms was £600,000 to £1.15 million in 2014, as opposed to £450,000 to £850,000 the previous year.

Tracking the kill chain

So how should organisations react to this formidable foe? Prevention at the point of entry is a valuable tenet of any security programme. There are advanced tools which can help block attacks at the entry point; these typically use dynamically generated whitelists of trusted sources, based on data gathered from across the web, and are far more effective than traditional static AV blacklists. But prevention is only one aspect.
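To make the contrast between a static blacklist and a dynamically maintained whitelist concrete, here is an added Python example (it is illustration written for this page, not code from Bit9 or from the article). It hashes constructed byte strings that stand in for executables: a catalogued sample, a repacked variant of it, a vendor-signed tool and a not-yet-approved internal tool. The sample contents, the source names and the approve() helper are all assumptions made for the example; the point it shows is that a hash blocklist misses the variant while a default-deny allowlist stops it, at the cost of also denying anything legitimate that has not yet been approved.

```python
import hashlib

# Constructed stand-ins for executable contents (not real binaries or malware).
KNOWN_BAD = b"MZ constructed-sample payload v1"
# Same logic, repacked so that its hash changes: the "polymorphic" case.
POLYMORPHIC_VARIANT = KNOWN_BAD.replace(b"v1", b"v2")
TRUSTED_TOOL = b"MZ constructed-sample vendor updater"
UNKNOWN_TOOL = b"MZ constructed-sample new internal script runner"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Traditional AV model: deny only what has been seen and catalogued before.
BLOCKLIST = {sha256(KNOWN_BAD)}

# Whitelist model: permit only binaries approved from trusted sources
# (assumed source labels), deny everything else by default.
TRUSTED_SOURCES = {"vendor-feed", "internal-build"}
ALLOWLIST = {sha256(TRUSTED_TOOL)}


def approve(data: bytes, source: str) -> bool:
    """Extend the allowlist dynamically, but only from a trusted source.

    Returns True when the hash was added, False when the source is not trusted.
    """
    if source not in TRUSTED_SOURCES:
        return False
    ALLOWLIST.add(sha256(data))
    return True


def blocklist_verdict(data: bytes) -> str:
    """Static blacklist: anything not catalogued as bad runs."""
    return "deny" if sha256(data) in BLOCKLIST else "allow"


def allowlist_verdict(data: bytes) -> str:
    """Default deny: only catalogued-good hashes run."""
    return "allow" if sha256(data) in ALLOWLIST else "deny"


def compare(samples: dict) -> dict:
    """Return {name: (blocklist verdict, allowlist verdict)} for each sample."""
    return {name: (blocklist_verdict(d), allowlist_verdict(d)) for name, d in samples.items()}


if __name__ == "__main__":
    samples = {
        "known_bad": KNOWN_BAD,
        "polymorphic_variant": POLYMORPHIC_VARIANT,
        "trusted_tool": TRUSTED_TOOL,
        "unknown_tool": UNKNOWN_TOOL,
    }
    for name, (block, allow) in compare(samples).items():
        print(f"{name:20} blocklist={block:5} allowlist={allow}")
    # The unknown tool is only admitted once a trusted source vouches for it.
    print("approve from untrusted source:", approve(UNKNOWN_TOOL, "random-download"))
    print("approve from internal build:  ", approve(UNKNOWN_TOOL, "internal-build"))
    print("unknown_tool after approval:  ", allowlist_verdict(UNKNOWN_TOOL))
```

The operational caveat is the last three lines: default deny only works if the approval path from trusted sources is kept current, otherwise legitimate new software is blocked along with the malware.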

Security bosses who succeed in neutralising the enemy will focus more attention on what happens further down the kill chain. No organisation can honestly say it is impervious to attack. Given the sophistication, agility and resourcefulness of many attackers, we must work on the assumption that our organisation has already been breached. Once security professionals have overcome this psychological hurdle, the task is to find tools that provide the continuous monitoring needed to give crucial insight into an attack.

You need continuous recording – almost like a virtual CCTV camera – on every enterprise endpoint, to spot in real time things like file modifications and other unusual activity that can be the tell-tale signs of an attack. After that it's about putting in place the means to isolate, stop and remediate. The sooner you spot an attack, the better the chance it hasn't had time to find its way to sensitive data. Even if attackers have begun to hide their activity, you'll have always-on recording to track the kill chain: what actions have been executed and what data has been exfiltrated.
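The "virtual CCTV" idea above is easier to judge with a worked example, so here is one added for this page in Python (it is not Bit9 or Carbon Black code, nor anything from the article). It parses a constructed stream of endpoint recorder events (process starts, file reads and writes, outbound connections), flags a process that touched a sensitive path and then sent a large volume of data out, and walks the recorded parent-process lineage back to the root so the whole chain can be reviewed. The log format, the field names, the sensitive path prefix, the byte threshold and the hosts and addresses (documentation ranges) are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of an always-on endpoint recorder's output, one event per
# line as key=value fields. Not real telemetry. The explorer.exe lines are
# benign activity included to show that a sensitive read alone does not alert.
SAMPLE_LOG = r"""
2024-03-01T09:00:01Z host=ws17 type=proc_start pid=4101 ppid=2210 image=outlook.exe
2024-03-01T09:00:30Z host=ws17 type=proc_start pid=3990 ppid=2210 image=explorer.exe
2024-03-01T09:01:05Z host=ws17 type=file_read pid=3990 path=C:\Finance\budget.xlsx
2024-03-01T09:02:14Z host=ws17 type=proc_start pid=4188 ppid=4101 image=winword.exe
2024-03-01T09:02:40Z host=ws17 type=proc_start pid=4203 ppid=4188 image=powershell.exe
2024-03-01T09:02:41Z host=ws17 type=file_write pid=4203 path=C:\Users\alice\AppData\Local\Temp\update.exe
2024-03-01T09:02:45Z host=ws17 type=proc_start pid=4250 ppid=4203 image=update.exe
2024-03-01T09:03:10Z host=ws17 type=file_read pid=4250 path=C:\Finance\customers.xlsx
2024-03-01T09:03:30Z host=ws17 type=net_connect pid=4250 dst=203.0.113.5:443 bytes_out=48000000
"""

# Assumed policy for the example: where the crown jewels live, and how much
# outbound traffic from a process that touched them is worth an alert.
SENSITIVE_PREFIXES = ("C:\\Finance\\",)
EXFIL_BYTES = 10_000_000


def parse_event(line: str) -> dict:
    """Turn 'timestamp k=v k=v ...' into a dict; numeric fields become ints."""
    ts, *fields = line.split()
    ev = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        ev[key] = value
    for key in ("pid", "ppid", "bytes_out"):
        if key in ev:
            ev[key] = int(ev[key])
    return ev


def parse_log(text: str) -> list:
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def process_table(events: list) -> dict:
    """pid -> {image, ppid}, built from the recorded process starts."""
    return {ev["pid"]: {"image": ev["image"], "ppid": ev["ppid"]}
            for ev in events if ev["type"] == "proc_start"}


def ancestry(pid: int, procs: dict) -> list:
    """Recorded lineage of pid, root-most ancestor first."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain[::-1]


def find_exfiltration(events: list, prefixes=SENSITIVE_PREFIXES, threshold=EXFIL_BYTES) -> list:
    """Alert when a process reads/writes a sensitive path and later sends >= threshold bytes out."""
    touched = defaultdict(list)   # pid -> sensitive paths seen so far
    alerts = []
    for ev in events:             # recorder output is in time order
        if ev["type"] in ("file_read", "file_write") and ev["path"].startswith(prefixes):
            touched[ev["pid"]].append(ev["path"])
        elif (ev["type"] == "net_connect" and ev.get("bytes_out", 0) >= threshold
              and touched.get(ev["pid"])):
            alerts.append({"pid": ev["pid"], "ts": ev["ts"], "dst": ev["dst"],
                           "files": list(touched[ev["pid"]])})
    return alerts


def kill_chain(events: list, pid: int, procs: dict) -> list:
    """Every recorded event belonging to pid or any of its recorded ancestors."""
    lineage = set(ancestry(pid, procs))
    return [ev for ev in events if ev["pid"] in lineage]


def describe(events: list) -> list:
    """Alerts enriched with the image lineage and the full recorded timeline."""
    procs = process_table(events)
    results = []
    for alert in find_exfiltration(events):
        lineage = ancestry(alert["pid"], procs)
        results.append({**alert,
                        "lineage": [procs[p]["image"] for p in lineage],
                        "timeline": kill_chain(events, alert["pid"], procs)})
    return results


if __name__ == "__main__":
    for alert in describe(parse_log(SAMPLE_LOG)):
        print("lineage:", " -> ".join(alert["lineage"]))
        print("sensitive files:", alert["files"], "sent to", alert["dst"])
        for ev in alert["timeline"]:
            detail = ev.get("image") or ev.get("path") or ev.get("dst")
            print(f"  {ev['ts']} pid={ev['pid']:<5} {ev['type']:<11} {detail}")
```

Because the recorder kept every event rather than only the one that tripped the rule, the timeline shows the mail client, the document, the script host and the dropped binary as one sequence, which is what the responder needs in order to decide where to isolate and what to remediate.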

Prevention alone is no longer enough to protect against today's sophisticated threats. You need CCTV to record what's going on in the building, as well as the “bouncer” on the door to stop attackers gaining entry, if you're to secure the endpoint. Follow this strategy and at the very least you'll be able to minimise risk and build better defences for the future. After all, it's about time we took the fight to the bad guys.

Contributed by David Flower, managing director, EMEA, Bit9 + Carbon Black