Information Security can be similar to insurance … it’s only discussed when bad things happen and it’s rarely a revenue-generating center. So how does one show return on investment? I was recently asked to do just that by participating in a presentation to our Board of Directors. Senior management wanted to show off the new security operations center and the SOC team to the board. My first thought was: <sarcasm>That is a great idea … they can walk through a SOC and see all the “Security Bling” screens on the wall.</sarcasm> But after brainstorming with the team, we actually came up with a great idea that I will be writing about over the next several weeks.
Walk the Board of Directors through a live demonstration of a network attack and show them what could happen if the SOC were not doing its job!
As we walked through an outline of how we were going to accomplish this feat, we realized the demonstration would need some education built into it. If we wanted the board to understand what was happening, we would need to introduce some basic information security knowledge. We only had 40-45 minutes for this presentation, so we decided that an understanding of the Cyber Kill Chain (see later in this post) was needed. We also wanted to keep this very simple: one attacker, one victim, and a network composed of the typical corporate protections (firewall, IDS, etc…). Finally, we wanted to wrap it up by projecting this small demo onto the much larger and more complicated real world (i.e. this is one of the thousands of events we deal with every day). So the outline for the demo looked like this:
~10 minutes: introduce the SOC and the Cyber Kill Chain
~20 minutes: walk through the demonstration
~10 minutes: the “we got your back” talk
Outstanding! What could go wrong with a live demonstration in front of a large number of board members? (We will cover lessons learned in a future post.)
What is the Cyber Kill Chain?
The Cyber Kill Chain is a widely accepted visual method for breaking a network attack into smaller, simpler stages or phases. There are several variants of the Cyber Kill Chain (the original Lockheed Martin model has seven phases), but they all share the same theme: to stop a network attack, you want to break the chain as early as possible, because each later phase costs the defender more to detect and undo. The Cyber Kill Chain I will use for this demonstration has four phases.
Reconnaissance
During this phase of the kill chain, the attacker performs two types of activity: passive reconnaissance and active reconnaissance. Active reconnaissance consists of activities that can be seen by a defending team, such as port/service scans and vulnerability scans, because they touch the target’s systems and leave entries in firewall and IDS logs. Passive reconnaissance is harder to see or, in some cases, just can’t be seen at all: Google research about the target company, email address gathering from websites, or LinkedIn research about employees, none of which touches the target’s network. The attacker’s goal is to learn as much about the target as possible, focusing on the weaknesses and strengths of its network security, and to develop a plan of attack.
Exploitation and Persistence
This is where the attacker’s “Hack-Fu” shows. A successful exploitation of a web vulnerability, use of stolen credentials, or delivery and execution of a phishing email gains the attacker access inside the target company. To be successful, an attacker should also establish some form of persistence during this phase. Persistence is a method by which the attacker can re-establish access to the exploited system later, ideally even after the system is rebooted. The goal here is simply to gain access and to keep it.
Internal Reconnaissance and Lateral Movement
Once a toehold has been established inside the target company, the attacker starts looking around the inside of the company’s network. As in phases one and two, the goal is to learn more about the internal network and systems and to apply exploits to gain and maintain additional or better access. Having access to one system is never enough, though. Lateral movement during this phase lets the attacker spread out as far as possible. If they are discovered on one system, no problem: they have already gained access to many more and can now reach your network from those other systems, which is why a defender who cleans up a single host without looking for the fan-out has not actually broken the chain.
Actions
The Actions phase is a catch-all that covers anything else the attacker wishes to do: exfiltrate files, databases, or emails. The attacker may also attempt to make it hard for the defenders to find out what happened. Later he may delete logs, the tools he uploaded, and the accounts he created. Or the attacker may just burn down the environment (delete everything). After all, what better way to hide a crime than to sanitize the crime scene, i.e. delete all files, databases, and emails? This is also why the SOC’s copy of the logs has to live somewhere the compromised hosts cannot reach: an attacker can only erase the evidence he can touch.
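To make the “break the chain as early as possible” idea concrete for the active-reconnaissance, lateral-movement and actions phases above, here is a small added example of the kind of detection logic a SOC runs over network flow records. It is not code from the original post or from the demo; the log format (ts,src,dst,dport,bytes_out), the 10.0.0.0/8 internal range, the admin-port list and every threshold are assumptions chosen for illustration, and the log lines are constructed, not captured traffic. Each detector looks for the fan-out pattern characteristic of its phase: one source probing many ports on one host (recon), one internal host reaching many internal hosts on admin ports (lateral movement), and one internal host pushing a large volume to one external address (exfiltration).

```python
"""Toy kill-chain detector over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # assumed corporate range
ADMIN_PORTS = {22, 445, 3389, 5985}        # ssh, smb, rdp, winrm

# Illustrative thresholds (assumptions, not values from the original post).
WINDOW = 300               # seconds of trailing window
SCAN_PORTS = 20            # distinct ports from one src to one dst
LATERAL_HOSTS = 5          # distinct internal hosts reached on admin ports
EXFIL_BYTES = 50_000_000   # bytes sent to one external dst

# Phases this detector can see in flow data, in kill-chain order. Exploitation
# itself (a web exploit, a phishing payload) needs IDS or host logs, not flows.
PHASES = ("reconnaissance", "lateral_movement", "exfiltration")


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(lines):
    """Parse 'ts,src,dst,dport,bytes_out' lines, skipping malformed ones."""
    flows = []
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        try:
            ts, dport, b = int(parts[0]), int(parts[3]), int(parts[4])
            src, dst = str(ip_address(parts[1])), str(ip_address(parts[2]))
        except ValueError:
            continue
        flows.append(Flow(ts, src, dst, dport, b))
    return sorted(flows, key=lambda f: f.ts)


def _windows(flows, key_fn, window=WINDOW):
    """Yield (key, flows) for every trailing window ending at each flow of a key."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[key_fn(f)].append(f)
    for key, group in buckets.items():
        start = 0
        for end in range(len(group)):
            while group[end].ts - group[start].ts > window:
                start += 1
            yield key, group[start:end + 1]


def detect(flows):
    """Return {phase: set of offending keys} for the phases visible in flow data."""
    alerts = defaultdict(set)
    # Active reconnaissance: one source probes many ports on one destination.
    for (src, dst), win in _windows(flows, lambda f: (f.src, f.dst)):
        if len({f.dport for f in win}) >= SCAN_PORTS:
            alerts["reconnaissance"].add((src, dst))
    # Lateral movement: an internal host reaches many internal hosts on admin ports.
    admin = [f for f in flows if f.dport in ADMIN_PORTS
             and ip_address(f.src) in INTERNAL and ip_address(f.dst) in INTERNAL]
    for src, win in _windows(admin, lambda f: f.src):
        if len({f.dst for f in win}) >= LATERAL_HOSTS:
            alerts["lateral_movement"].add(src)
    # Actions (exfiltration): an internal host pushes a large volume to one external dst.
    outbound = [f for f in flows if ip_address(f.src) in INTERNAL
                and ip_address(f.dst) not in INTERNAL]
    for (src, dst), win in _windows(outbound, lambda f: (f.src, f.dst)):
        if sum(f.bytes_out for f in win) >= EXFIL_BYTES:
            alerts["exfiltration"].add((src, dst))
    return dict(alerts)


def earliest_phase(alerts):
    """The earliest phase with evidence: the point where the chain should be broken."""
    return next((p for p in PHASES if alerts.get(p)), None)


def sample_lines():
    """Constructed sample log, not real traffic: a scan, a fan-out, an exfil burst,
    benign browsing, and one malformed line."""
    lines = [f"{100 + i},203.0.113.7,10.0.0.5,{1000 + i},60" for i in range(25)]
    lines += [f"{400 + 10 * i},10.0.0.5,10.0.0.{20 + i},445,2048" for i in range(6)]
    lines += [f"{600 + i},10.0.0.5,198.51.100.9,443,10000000" for i in range(6)]
    lines += ["700,10.0.0.30,198.51.100.50,443,4000", "garbage,line"]
    return lines


if __name__ == "__main__":
    found = detect(parse_flows(sample_lines()))
    for phase in PHASES:
        print(f"{phase:16s} {sorted(found.get(phase, ()))}")
    print("break the chain at:", earliest_phase(found))
```

The point a board member should take from the output is the same one the demo makes: the attacker in the constructed log was already visible at the scan, long before the exfiltration, and a SOC that alerts on the reconnaissance never has to explain the exfiltration.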
So how did we accomplish the demonstration? That is the subject of the follow-on posts, but here is a teaser: Virtual Penetration Lab. What are your thoughts on accomplishing this goal? What do you think could go wrong with a live demo? Do you use the Cyber Kill Chain in your network defense strategy? Let me know in the comments.