I’ve been reading up a lot on 2016 predictions by analysts, peers and other vendors. While I agree with most of these predictions (moving towards a preventive approach, cyber-insurance guidelines driving security initiatives, addressing the need to prevent downtime during alert investigation), I hadn’t yet come across any that revisit the cyber kill chain.
The thing is, threat actors can already start to leverage mature technologies widely adopted in 2016. Specifically, I’m talking about multi-tenancy. With multi-tenancy, the Cyber Kill Chain has just doubled up.
Re-Cap: The Cyber Kill Chain
When analyzing Advanced Persistent Threats (APTs), Lockheed Martin modeled the threat actor’s activity and coined the term “Cyber Kill Chain” (CKC) for the attack process. It is a simple model, quick to understand, and accordingly it has been embraced by the cyber-security community looking to deal with the increasing threat of APTs.
As with every model, a few variations came along over time. Generally speaking, however, we can view the CKC as a 5-step process:
- Reconnaissance. This is when the attackers do their “homework” to understand who best to target and the best ways to attack. For instance, they’ll consider lucrative industries, home in on key players in that industry, and decide which company from that industry to target. From that point on, they’ll collect intelligence on that company from various sources – from the employees’ LinkedIn profiles to online research reports. They’ll even send out remote pings to the target to get an idea of the target’s network infrastructure and defenses.
- Infiltration. Based on the reconnaissance step, the attacker finds the weakest link in the organization and penetrates it. For example, this could be a fake Adobe PDF invoice containing a malicious payload, seemingly coming from a supplier known to work with the target. The accounting department, expecting invoices from that supplier, opens the PDF, not knowing that by doing so they have compromised their systems.
- Lateral Movement. The attacker is well aware of the data they want to get their hands on. Once inside the organization, the attacker moves around the network, from machine to machine, seeking that information. Continuing the example above, and assuming the target is a pharmaceutical company, the malware could move from the accounting department to the research department, to the CTO, and on to the legal department.
- Discovery. This is the stage where the attacker finds the actual data they’re interested in. For example, at the aforementioned pharmaceutical company, this could be the server that actually holds the patents.
- Exfiltration. With the discovered data in the hands of the threat actor, the threat actor establishes a communication channel and sends the data back to a “drop zone” – an external server under the control of the threat actor.
The Amplified Cyber Kill Chain
The mass adoption of multi-tenancy has created a new variant of the CKC. Generally speaking, there are still 5 steps. The main difference, however, is that the attack is not a direct attack on the target. It’s not even an attack through a 3rd-party supplier (that’s so Target 2013). The attack comes through one of the cloud computing service models: SaaS, PaaS or IaaS (SPI) providers. Taking it further, it may even come through a Content Delivery Network (CDN). The point is that the target cannot prepare in advance against infiltration coming from these locations.
Let’s take a proper look at the 5 steps of the “Amplified Cyber Kill Chain”:
- Reconnaissance. This reconnaissance stage will include researching the different cloud hosting providers and platforms. For example, threat actors will analyze the security of pure SaaS apps popular with enterprises and test for vulnerabilities and penetration points. They will look at PaaS, or rather those cloud apps on the borderline of storage (for example Box, Dropbox, Google Drive, MS 365, etc.) used at enterprises, in order to mass-infect employees through the services’ sync process. In fact, Dropbox warns precisely against this threat, encouraging users to consider additional security measures when syncing files. Threat actors will even look at IaaS vulnerabilities, such as in the platforms provided by Amazon and Rackspace. More so, threat actors will investigate those companies that faltered in adding security measures on top of the IaaS platform. To recall, Amazon doesn’t even claim to deliver security; it places security as the user’s responsibility.
- Cloud Computing Service Infiltration. Once the threat actor has mapped out the SPIs, they can proceed to target multiple companies at once. For example, a vulnerability in a shared hosting environment may allow a threat actor to bring down the virtual dividers between tenants and infect all users on that same infrastructure.
As alluded to earlier, attacks can be further amplified by leveraging CDNs. For instance, consider an attacker uploading a YouTube video containing an infected SWF. The video goes viral and, as a result, is propagated and cached across CDN Points-of-Presence. The problem is that even if Google recognizes the malicious video and removes it within just a few days, that video is still cached at the CDNs, and it will take time until all the CDN servers remove it. In the meantime, more and more people view the video and become infected.
- Lateral Movement between Tenants. This is the “interesting” stage for the threat actor. Instead of “walking” around the corporate network, the threat actor is able to move around various tenants, gaining a foothold within a few specific targets.
- Discovery. The attacker has moved around the tenants and homed in on (at least) one target. From there, discovery remains as in the traditional CKC.
- Exfiltration. Also here, this stage remains the same as in the traditional CKC.
As APTs grow in sophistication, we cannot foresee any way to actually stop the infiltration. It’s like whack-a-targeted-attack: every time you think you brought down a perpetrator, it pops up from some unknown location. Once you find out that location, you realize that you don’t even have control over it.
Recognizing that infiltration is inevitable, I believe that organizations and service-providing vendors will need to place security processes and technologies towards the end of the CKC – namely, the exfiltration stage. The reason is that what does remain certain throughout the CKC evolution is that threat actors must succeed at that exfiltration stage in order to achieve their ultimate goal of data theft.
Moving into 2016, it’ll even make sense to say that security professionals will start addressing the need not only to prevent the theft of sensitive data, but also to ensure continuous uptime in the event of an attack.
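As an added example that is not part of the original post, the script below shows what “placing security at the exfiltration stage” can look like in practice, independent of how the infiltration happened: it baselines each internal host’s normal outbound volume and known external destinations from earlier days of flow logs, then flags a day on which a host sends far more than usual or talks to a destination (a potential “drop zone”) it has never contacted before. The log format, the internal address ranges, the 5x multiplier, the 50 MB floor and the flow lines themselves are all constructed for illustration and are not taken from the post.

```python
"""Exfiltration-stage detection over constructed outbound flow logs (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log, one flow per line: "timestamp src dst dst_port bytes_out".
# Days 01-04..01-06 are the baseline; on 01-07 host 10.0.5.23 pushes ~179 MB
# to an address it has never contacted before, while 10.0.7.9 behaves normally.
SAMPLE_FLOWS = """\
2016-01-04T09:12:01 10.0.5.23 192.0.2.10 443 120000
2016-01-04T09:15:44 10.0.5.23 192.0.2.10 443 98000
2016-01-05T10:02:10 10.0.5.23 192.0.2.10 443 105000
2016-01-05T11:40:02 10.0.7.9 198.51.100.7 443 450000
2016-01-06T08:30:00 10.0.7.9 198.51.100.7 443 460000
2016-01-07T02:13:37 10.0.5.23 203.0.113.77 8443 88000000
2016-01-07T02:20:11 10.0.5.23 203.0.113.77 8443 91000000
2016-01-07T03:00:00 10.0.5.23 10.0.9.1 445 500000000
2016-01-07T09:05:00 10.0.7.9 198.51.100.7 443 440000
"""

# Assumed internal ranges (RFC 1918); flows to these are lateral movement, not exfiltration.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
VOLUME_MULTIPLIER = 5       # alert when a day's outbound bytes exceed 5x the baseline mean ...
VOLUME_FLOOR = 50_000_000   # ... and at least 50 MB, so tiny baselines do not cause noise


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse flow lines into dicts, keeping only flows whose destination is external."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        if is_internal(dst):
            continue
        # ISO-8601 date prefixes compare correctly as strings, so "day" needs no parsing.
        flows.append({"day": ts[:10], "host": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def build_baseline(flows, detection_day):
    """Per host: mean daily external bytes and the set of destinations seen before detection_day."""
    history = [f for f in flows if f["day"] < detection_day]
    n_days = max(len({f["day"] for f in history}), 1)
    per_host_bytes = defaultdict(int)
    per_host_dests = defaultdict(set)
    for f in history:
        per_host_bytes[f["host"]] += f["bytes"]
        per_host_dests[f["host"]].add(f["dst"])
    return {
        host: {"mean_daily_bytes": per_host_bytes[host] / n_days, "dests": per_host_dests[host]}
        for host in per_host_bytes
    }


def detect_exfiltration(flows, detection_day):
    """Return alerts for detection_day: volume spikes and never-seen external destinations."""
    baseline = build_baseline(flows, detection_day)
    daily_bytes = defaultdict(int)
    new_dests = defaultdict(set)
    for f in (f for f in flows if f["day"] == detection_day):
        daily_bytes[f["host"]] += f["bytes"]
        known = baseline.get(f["host"], {}).get("dests", set())
        if f["dst"] not in known:
            new_dests[f["host"]].add(f["dst"])
    alerts = []
    for host, total in sorted(daily_bytes.items()):
        mean = baseline.get(host, {}).get("mean_daily_bytes", 0.0)
        threshold = max(VOLUME_MULTIPLIER * mean, VOLUME_FLOOR)
        if total > threshold:
            alerts.append({"host": host, "reason": "volume_spike",
                           "detail": f"{total} bytes vs threshold {threshold:.0f}"})
        for dst in sorted(new_dests.get(host, ())):
            alerts.append({"host": host, "reason": "new_destination", "detail": dst})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(parse_flows(SAMPLE_FLOWS), "2016-01-07"):
        print(alert)
```

Run on the constructed sample, the script raises two alerts, both for 10.0.5.23 (a volume spike and the new destination 203.0.113.77), and stays silent for 10.0.7.9. The 500 MB internal transfer on 01-07 is deliberately ignored: this check is scoped to the exfiltration stage, where data leaves for an external drop zone, and lateral movement between internal hosts would be covered by a different detection. In a real deployment the baseline window, thresholds and internal ranges would come from the organization’s own traffic rather than the constants assumed here.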