How to Efficiently Test Cyber Defenses across the Kill Chain
September 21, 2020
Featured article by Donovan Lepold, Independent Technology Author
The focus of most reports about cyberattacks has mainly been on the results. It’s common to read about how many records were stolen from Company X in a data breach or how many hours of downtime Company Y suffered due to a ransomware attack. To be fair, readers are more interested in how an attack may impact them directly.
Because of this, details on how specifically attackers were able to pull off these attacks successfully are often downplayed. It can appear as if attacks are the result of one-step processes instead of a protracted and complicated battle. Yet successful cyberattacks aren’t quite as simple as the reportage implies. Such thinking can even be dangerous, as some organizations may be led to think that they can be selective in choosing which components of their infrastructure they should protect.
Often, attackers use a combination of methods to carry out hacks. Many now even operate as advanced persistent threats (APTs) which probe defenses and lurk in networks over extended periods of time while methodically carrying out a series of activities to ensure their success.
The structure of activities involved in complex hacks is what’s now referred to as the cyber kill chain. The idea was adopted from military concepts by its proponent, Lockheed Martin. A kill chain basically outlines the structure of any attack, and it was deemed fitting to apply the idea to cyberattacks as well.
Knowing the cyber kill chain helps organizations map out a cohesive cybersecurity strategy. It also guides them on how to test security controls against potential APT activities. With APTs a constant threat in today’s landscape, there is a need for systematic and efficient ways to test security across the kill chain.
Unfortunately, security validation is often overlooked in practice for various reasons. For starters, the resources required by conventional testing methods such as penetration testing can be taxing even for larger organizations. Penetration tests aren’t exactly cheap, especially when one has to run them routinely against the security measures deployed to prevent hacking activities across the kill chain.
As such, organizations must find ways to conduct comprehensive testing effectively.
Breach and attack simulation (BAS) and security validation platforms like Cymulate.com are emerging as a preferred approach to achieve this. BAS platforms, which automate attack simulations across different vectors, can offer the advantages of penetration testing while overcoming its limitations. Here’s how its adoption can lead to more efficient testing across the cyber kill chain.
Understanding the Kill Chain
Most APT activities and cyberattacks fit into the cyber kill chain framework. Hackers’ actions during a campaign can be mapped out according to these stages:
- Reconnaissance – The attacker probes the organization for weak links.
- Weaponization – Based on the intelligence, the attacker chooses and prepares tactics and tools to be used for the attack.
- Delivery – The payload is delivered through a phishing email, fake website, or infected removable drive.
- Exploitation – The attacker exploits vulnerabilities, for example to escalate access privileges.
- Installation – Malware and hack tools are installed in the system, endpoint, or network.
- Command and Control – Outbound communication is established, giving the attacker means to perform what is needed remotely.
- Action – The attacker works on the goals of the hack such as exfiltration, encryption, or destruction of data. This could include many other steps and transpire over a prolonged period of time.
Understanding the activities in each kill chain stage allows security teams to capably mitigate and respond to threats. This way, they can look out for suspicious activities and track and anticipate hackers’ actions. It also helps define what solutions and tools they would need.
For instance, by knowing that hackers probe networks by looking for open ports or vulnerable login pages as part of their reconnaissance, organizations would know to mitigate this by adopting firewalls and stringent access management.
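The article suggests looking out for activities that correspond to kill chain stages. As an added illustration (not from the article or any BAS product), the following Python tags constructed firewall log lines with the stage they resemble: a source touching many ports on one host (Reconnaissance), evenly spaced outbound connections to a single external host (Command and Control), and a single very large outbound transfer (Action). The log format, addresses and thresholds are all assumptions.

```python
"""Tag constructed firewall events with the kill chain stage they resemble."""
from collections import defaultdict

# Constructed log lines (an assumption, not real traffic):
# <seconds> <src> <dst> <dst_port> <in|out> <bytes>
LOG = """\
0 10.0.0.5 10.0.0.20 22 in 200
1 10.0.0.5 10.0.0.20 23 in 200
2 10.0.0.5 10.0.0.20 80 in 200
3 10.0.0.5 10.0.0.20 443 in 200
4 10.0.0.5 10.0.0.20 3389 in 200
100 10.0.0.20 203.0.113.9 443 out 300
160 10.0.0.20 203.0.113.9 443 out 300
220 10.0.0.20 203.0.113.9 443 out 300
280 10.0.0.20 203.0.113.9 443 out 300
400 10.0.0.20 203.0.113.9 443 out 60000000
"""

def parse(log):
    """Split each log line into a dict of typed fields."""
    events = []
    for line in log.splitlines():
        ts, src, dst, port, direction, size = line.split()
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "port": int(port), "dir": direction, "bytes": int(size)})
    return events

def classify(events, scan_ports=5, beacon_min=3, jitter=5, exfil_bytes=50_000_000):
    """Return {stage: [finding, ...]}; the thresholds are assumed tuning values."""
    findings, ports, outbound = defaultdict(list), defaultdict(set), defaultdict(list)
    for e in events:
        ports[(e["src"], e["dst"])].add(e["port"])
        if e["dir"] == "out":
            outbound[(e["src"], e["dst"])].append(e)
    # Reconnaissance: one source touching many distinct ports on a single host
    for (src, dst), ps in ports.items():
        if len(ps) >= scan_ports:
            findings["Reconnaissance"].append(f"{src} probed {len(ps)} ports on {dst}")
    for (src, dst), evs in outbound.items():
        # Command and Control: evenly spaced outbound connections to one external host
        gaps = [b["ts"] - a["ts"] for a, b in zip(evs, evs[1:])]
        if gaps and sum(abs(g - gaps[0]) <= jitter for g in gaps) >= beacon_min:
            findings["Command and Control"].append(f"{src} beacons to {dst} every ~{gaps[0]}s")
        # Action: a single large outbound transfer resembles data exfiltration
        for e in evs:
            if e["bytes"] >= exfil_bytes:
                findings["Action"].append(f"{src} sent {e['bytes']} bytes to {dst}")
    return dict(findings)
```

Running `classify(parse(LOG))` on the constructed log yields one finding per stage; in practice each heuristic would be tuned against the organization's own baseline traffic.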
How to Test Defenses Efficiently
There’s no better way to test security controls than subjecting them to actual attacks. This is why penetration tests and red team exercises have become quite useful in security validation, since they essentially are cyberattacks, albeit ones carried out by trusted actors. However, these conventional methods bring certain challenges and limitations.
Penetration tests and red teaming have to be carried out by highly skilled professionals. They should be able to replicate APT tactics and methods in order to truly see how well security controls perform. But access to qualified professionals can be limited. As it is, the cybersecurity industry is facing a worrying talent gap.
Testers also charge a minimum of $7,000 for a single test. Considering the complexity of most modern infrastructure, changes can happen quickly. Ideally, all updates to systems and applications should be tested for vulnerabilities. But with the high cost of tests, validation has become a luxury that not all organizations are willing to indulge in. Tests may also be limited by the prearranged scope, so they might not actually cover the full kill chain.
Because of this, approaches such as BAS have started to gain traction in organizations. BAS essentially automates penetration testing and makes running tests simple. Most platforms offer BAS as software-as-a-service (SaaS), where users simply click on a dashboard in order to run a test. Users often only need to install a client on a designated endpoint in the network to enable the service.
Users can simulate attacks against the following controls:
- Firewall – The platform can attempt to bypass web application firewall configurations and even launch cross-site scripting and SQL injection attacks.
- Phishing – Dummy phishing emails can be sent to actual users to see how well they identify and react to social engineering attempts.
- Email Security – Emails containing simulated malicious payloads are sent to the service to check if filters can screen for them.
- Endpoint Protection – Malware and malicious commands are run on the designated endpoint to check if the antimalware solution is able to identify, block, and remove them.
- Lateral Movement – Assuming that a malicious actor has found ways to enter the network, BAS can check if the threat can move across other endpoints and devices.
- Data Security – The platform attempts to send data to an outside server to simulate a hacker exfiltrating information.
BAS tests use what is essentially malware to test defenses, though it is configured to exercise security controls only and not cause any harm to the network or its components. More advanced platforms even have specialized modules that simulate the full APT kill chain. Tests are also patterned on the known modus operandi of APT groups, allowing for a comprehensive assessment of how well the entire security stack can actually thwart a real-world APT attack.
BAS tests can even be scheduled and run automatically. Test results typically include insights on what gaps were found by the test and the recommended actions to remedy them.
Why Even Bother Testing
APTs today are deliberate and systematic. With resources such as malware, remote access tools, and massive botnets now at their disposal, they can practically run all sorts of campaigns to the detriment of organizations. APTs have even organized themselves into threat groups, each with their own specialization, to give them better chances of success. Many are also state-sponsored and are actively engaged in espionage, cyberwarfare, and economic disruption campaigns.
Since APTs also use automated tools to probe networks online, any organization can fall victim to attacks. Since getting breached or hacked can have grave consequences for any organization, it comes as no surprise that cybersecurity spending is expected to continue rising over the next few years. So, to ensure that these investments are maximized, it’s important that security controls are tested.
It only takes one flawed integration, faulty tool, or weak link in security for a network to be breached.
Organizations are making significant investments in their cybersecurity. It’s crucial to check whether these solutions actually work against real-world threats. However, considering the costs and limitations of conventional methods, organizations must find ways to conduct security validation effectively and efficiently. With cost-effective solutions like BAS, continuous testing can be done to ensure that all measures work. This essentially overcomes the limitations of conventional penetration tests, such as cost and lack of repeatability. By having specialized tools that simulate real-world threats, organizations can strengthen their defenses.