
Defending against Advanced Threats: Addressing the Cyber Kill Chain

"We have known for a considerable period of time that the perimeter-centric security approach is not a panacea for all ills, but organizations should not move away from these controls because they provide a solid foundation. However, in order to allocate and prioritize resources, they should be extended with methods based on an understanding of the CKC."

- Gartner, Addressing the Cyber Kill Chain, Craig Lawson, 15 August 2014

The latest data breach reports on the daily news remind us of the rapidly changing state of enterprise security. No longer can the focus remain solely on a strong perimeter and endpoint protection; a new model and approach is required, inclusive of the above but extending to deeper analysis and data protection as well. "The current prevention, prevention, prevention approach to dealing with the threat landscape has failed to address advanced and targeted attacks with enough efficacy."[1] More is required, including updated thinking, a new course to address the challenge and next generation protection solutions.

A traditional "castle, moat and keep" defense mindset persists today as enterprises invest heavily in perimeter and endpoint protection solutions. While previously successful in protecting companies, these investments are no longer showing the same return. Attackers have innovated and exploited channels through these traditional defenses. Changing the conversation and focus to the mechanics of an advanced or targeted attack is key to disrupting malicious actions.

In this report:

- From the Gartner Files: Addressing the Cyber Kill Chain
- About Proofpoint, Inc.

Featuring research from Gartner



In 2011, researchers at Lockheed Martin developed the Kill Chain modeled on evidence from network attacks.[2] The Kill Chain is widely known, understood and quoted in security circles. However, it is not generally applied to companies' security infrastructure investments. Gartner research recommends organizations: "Understand the flow of the kill chain to better understand your adversaries and therefore adjust your defensive tactics to improve your security posture."[3] Align your defenses with reality. Augment existing defenses with best of breed solutions which deploy innovative techniques to detect, block and disrupt the attack before it occurs, shorten the response time and ultimately protect enterprise assets and data.

Proofpoint Aligned to the Cyber Kill Chain Model

A suite of products which maps to the reality of the kill chain is optimum. A large collection is listed in Table 1 of the attached Gartner report. Our focus is a subset. Proofpoint's solution set maps to the Cyber Kill Chain model as detailed in the diagram below.

About Proofpoint's Superior Advanced Threat Protection

Block, Detect, Respond, and Harden are the key pillars of the Proofpoint solution set. Proofpoint's portfolio of industry-leading security solutions for blocking email-borne attacks, detecting new advanced threats, automating incident response, and reducing the impact of potential breaches addresses the reality of today's advanced attacks and aligns security infrastructure with the Kill Chain.

Email, which continues to be a critical business service, is the top route for attackers. The Proofpoint security suite detects and manages advanced email-borne threats, provides security for sensitive data, and accelerates the identification and containment of new threats.

- Stopping more advanced threats: Delivered through the cloud-based Proofpoint Enterprise Protection Suite, organizations of all sizes have access to industry-leading inbound and outbound email security. This suite accurately classifies and blocks threats, while leveraging phishing detection, anti-spam and antivirus technologies.

- Detecting advanced threats faster with actionable intelligence: Proofpoint Targeted Attack Protection detects phishing and web compromise attacks and provides organizations with actionable intelligence to quickly respond. Backed by continuous big data analysis of billions of data points, Proofpoint provides detailed information around campaign type, targeted users and potentially infected systems. Armed with this information, organizations can identify and manage new threats before they lead to data breaches and destructive compromises.

[Diagram: Proofpoint solutions mapped to the Cyber Kill Chain phases (Weaponise, Deliver, ...): Block known threats (Enterprise Protection); Detect unknown threats (Targeted Attack Protection); Respond to incidents (Threat Response); Harden against loss (Regulatory Compliance, Encryption, Content Control). Source: Proofpoint]
[1] Addressing the Cyber Kill Chain (Gartner), p. 1
[2] http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html
[3] Ibid. 1


- Automating incident response, accelerating threat remediation: Proofpoint Threat Response provides users with an open, extensible platform that automates incident response and the incident management lifecycle. Reducing security alert response time from hours to seconds, Proofpoint Threat Response delivers consistent information to users and streamlines collaboration and workflow. Alerts are automatically integrated across multiple security solutions such as those from Proofpoint, FireEye, Palo Alto Networks and Splunk. This solution enables users to investigate, verify, prioritize and contain today's advanced threats.

- Reducing the impact of data breaches caused by advanced threats: The easy-to-deploy, user-friendly Proofpoint Content Control solution delivers enhanced visibility and control over sensitive content. Through contextual data intelligence, privacy and security teams can effectively identify and manage information with PCI, HIPAA and FINRA regulated content and other high value information. Violations can be quarantined, copied or deleted to reduce the attack surface and potential impact of a data breach.

Proofpoint's security solutions align with the new security strategy required to address the cyber kill chain. For more information on Proofpoint security suite solutions, please visit www.proofpoint.com/us/solutions and read Gartner's research on Addressing the Cyber Kill Chain, available on the following pages.


From the Gartner Files: Addressing the Cyber Kill Chain

The Cyber Kill Chain model describes how attackers use the cycle of compromise, persistence and exfiltration against an organization. Once the kill chain is understood, CISOs can make pragmatic decisions to improve their security posture.


Key Challenges

- The current prevention, prevention, prevention approach to dealing with the threat landscape has failed to address advanced and targeted attacks with enough efficacy.
- IT security organizations have historical investments in a protection model that is out of balance with today's threat landscape.
- IT security organizations have largely not taken into account the kill chain life cycle approach to thinking about adversaries; this is a reason why attackers are continuing to be so successful.
- While the kill chain is easy to comprehend, resourcing to address it in the face of competitive business realities and innovation from adversaries is a key challenge.
- Common security architectures and compliance regimes are not prioritizing methods to address the kill chain.


Recommendations

- Understand the flow of the kill chain to better understand your adversaries and therefore adjust your defensive tactics to improve your security posture.
- Move to an architecture and develop supporting processes that address the postbreach and exfiltration stages of the kill chain.
- Augment existing prevention methods with methods to detect, deny, disrupt and recover from the activity of threat actors.
- Implement methods that detect and deny threats at each stage of the kill chain. This will significantly increase the defensibility of your environment, since attackers need to execute all phases of the kill chain to be considered successful.

Strategic Planning Assumption

By 2017, security strategies of lean-forward organizations will routinely include a mapping of their security architecture and/or their processes to the kill chain life cycle.

Introduction

Targeted attacks have escalated in scale and frequency, and the potential for financial and reputational damage resulting from a breach has increased as a consequence. The ease with which traditional security defenses were bypassed in some incidents has left many organizations feeling powerless to defend themselves against these types of threats. This issue has become a concern at the executive boardroom level.

The leading operational archetype in information security practiced by a majority of organizations has a focus on the perimeter, organized according to defense-in-depth principles. While this gives the appearance of concentrating resources on the most exposed assets and attack vectors, it provides a false sense of security and represents a misallocation of resources. This model means the adversary needs to be successful only once out of an unlimited number of attempts. Defenders, conversely, must be right every time.

This has led to a perception that, because there has been a successful malware infection or SQL injection attack against your organization, the adversary has won. The kill chain highlights that this is clearly not the case, because the adversary is victorious only when all phases of the Cyber Kill Chain (CKC) have been executed successfully. Rather than thinking that someone wins when an organization is compromised, you need to move to a mindset of: "Did they achieve their goal of exfiltrating data?"


The CKC is a reference model representing the stages of an attack, mapped distinctively to activities that encompass current attack methodologies. It breaks an attack into seven distinct stages or phases, each allowing a breach to be prevented, discovered or successfully mitigated.

The CKC reference model can show how your organization can detect, deny, disrupt and recover at each phase. By aligning enterprise defenses to the same success criteria as that of adversaries, you can right-size the prevention-centric approach that has dominated enterprise thinking and spending on IT security to date.

Analysis

The Phases of the Cyber Kill Chain

The CKC is historically a well-understood concept in military circles that is now being applied to cyber security. Originally developed by Lockheed Martin[1] in 2011 as an intelligence-driven network defense process, it describes the phases that an adversary will take when targeting your environment, exfiltrating data and maintaining persistence in an organization. It is also similar to a majority of penetration testing methodologies and is often described as an attack chain. The two are closely related and can often be used interchangeably.

This research will show that the adversary is only successful when all phases of the kill chain have been executed. So rather than thinking that if adversaries compromise an organization they win, organizations need to move away from this mindset to ask: "Did they achieve their goal of exfiltrating data?" Our version of defeat is often described and measured in terms that are different than the way adversaries define victory. The CKC has seven stages:

1. Reconnaissance: This is anything that can be defined as identification, target selection, organization details, industry-vertical-legislative requirements, information on technology choices, social network activity or mailing lists. The adversary is essentially looking to answer the questions: "How many methods do we assume will work with the highest degree of success?" and of those, "Which are the easiest to execute in terms of our investment of resources?"

2. Weaponization or Packaging: This takes many forms: Web application exploitation, off-the-shelf or custom malware, compound document vulnerabilities (PDF, Office) or watering hole attacks. These are prepared with general, opportunistic or very specific intelligence on a target.

3. Delivery: Transmission of the payload is either target-initiated (users browse to a malicious Web presence, leading to the dropping of malware, or they open a malicious PDF file) or attacker-initiated (SQL injection or network service exploitation).

4. Exploitation: After delivery to the user or server, the malicious payload will gain a foothold in the environment by compromising it, usually by exploiting a known vulnerability for which a patch has often been available for months or years. While zero-day exploitation does occur, in a majority of cases, it is often not necessary.

5. Installation: This often takes the form of a remote-access trojan (RAT). The application is usually stealthy in its operation, allowing persistence or "dwell time" to be achieved. The adversary can then control this without alerting the organization, a common outcome.

6. Command and Control: In this phase, adversaries have control of assets within your organization through methods of control such as DNS, Internet Control Message Protocol (ICMP), websites and social networks or other methods of command and control. This channel is how the adversary tells the controlled asset what to do next and what information to gather. The methods used to gather data under command include screen captures, keystroke monitoring, password cracking, gathering of sensitive content and documents, and network monitoring for credentials. Often a staging host is identified to which all internal data is copied, and then compressed and/or encrypted and made ready for exfiltration.

7. Actions on Targets: This final phase covers how the adversary exfiltrates data and maintains dwell time in an organization and then takes measures to identify more targets, expand their footprint within an organization and, most critical of all, exfiltrate data.

Why Attackers Are So Successful

Adversaries will continue to achieve their objective of successfully completing the CKC unless defenders implement an approach that takes into consideration how an attack is executed. This is difficult to achieve because most software has not been developed using a security development life cycle (SDL), applications have increased in complexity and people remain a weak link.

We have known for a considerable period of time that the perimeter-centric security approach is not a panacea for all ills, but organizations should not move away from these controls because they provide a solid foundation. However, in order to allocate and prioritize resources, they should be extended with methods based on an understanding of the CKC. Whether adversaries are motivated by geopolitical, activist or financial motives, they seek to fulfill specific goals of obtaining an organization's data. Although we tend to think of IT security in terms of network security, host security and identity security, an "adversary-centric" model is a better-suited and more effective approach in today's threat landscape.

Figure 2. Diagram of the Cyber Kill Chain
[Figure: the seven phases shown as a chain: Recon, Weaponize, Deliver, Exploit, Install, Command, Act]
Source: Gartner (August 2014)

How Organizations Should Address the Cyber Kill Chain

Instead of continuing to invest primarily in defending an organization's perimeter, a more pragmatic approach focuses on detecting, denying, disrupting and recovering, as it allows for identification capabilities after a breach. This places the focus on protecting enterprise data, instead of looking at this as a collection of technology point solutions.

A success rate of 100% for prevention against all steps of the attack chain is not attainable. This is also not necessary, as attackers must complete all phases to achieve their goals. Therefore, planning for the prevention of privilege escalation, detecting postcompromise activity, stopping exfiltration of sensitive data and denying the attacker persistence are key.

At a high level, you must take the seven phases of the kill chain that are illustrated in Table 1 and then identify how you can detect, deny, disrupt and recover at each phase.


Table 1. Technologies and Processes Applicable to Addressing the Kill Chain

| Phase | Detect | Deny or Contain | Disrupt, Eradicate or Deceive | Recover |
|---|---|---|---|---|
| Reconnaissance | Web analytics, Internet scanning activity reports, vulnerability scanning, external penetration testing, SIEM, DAST/SAST, threat intelligence, TIP | firewall ACL, system and service hardening, network obfuscation, logical segmentation | honeypot | SAST/DAST |
| Weaponization | sentiment analysis, vulnerability announcements, VA | NIPS, NGFW, patch management, configuration hardening, application remediation | SEG, SWG | |
| Delivery | user training, security analytics, network behavioral analysis, threat intelligence, NIPS, NGFW, WAF, DDoS, SSL inspection, TIP | SWG, NGIPS, ATD, TIP | EPP backup or cleanup | EPP |
| Exploitation | EPP, NIPS, SIEM, WAF | EPP, NGIPS, ATD, WAF | NIPS, NGFW, EPP, ATD | data restoration from backups |
| Installation | EPP, endpoint forensics or ETDR, sandboxing, FIM | EPP, MDM, IAM, endpoint containerization/app wrapping | EPP, HIPS, incident forensics tools | incident response, ETDR |
| Command and Control | NIPS, NBA, network forensics, SIEM, DNS security, TIP | IP/DNS reputation blocking, DLP, ATA on DNS, egress filtering, NIPS | DNS redirect, threat intelligence | incident response, system restore |
| Action on Targets | logging, SIEM, DLP, honeypot, TIP, DAP | egress filtering, SWG, trust zones, DLP | QoS, DNS, DLP, ATA | incident response |

Source: Gartner (August 2014)



The section below expands on the table above, giving specific examples and guidance that organizations can investigate. Adding more technology is often not required, but CISOs should take full advantage of improving the effectiveness of existing tools and processes already at their disposal.

Reconnaissance

This phase is often executed without knowledge of your organization. Approaches for this phase are:

- Perform regular external scanning and penetration testing to highlight what an adversary would find if and when your organization comes under scrutiny. This information can be used to remediate vulnerabilities, reducing the attack surface area.
- Use search engines to uncover cached content that can be used for exploits or that discloses information that would make it easier to target the environment.
- Utilize sentiment analysis, a newer method for monitoring both public and underground Internet sites, to look for activity that is specifically related to your organization.
- Ensure that perimeter controls and Internet-facing services are aggressively enforcing the principle of least privilege, including service hardening.
- Use analytics to detect indicators of unwanted activity against Internet-facing services like Web servers, DNS servers, email and VPN gateways.
- Use honeypots where adversary activity can be monitored for exploitation tactics.
- Use software application security testing (SAST) and security development life cycle (SDL) to make sure that applications aren't leaking sensitive details and are processing untrusted input correctly.

Weaponization

This phase is often performed with no specific knowledge of the organization being targeted. Organizations need to take proactive steps:

- Keep abreast of newly disclosed vulnerabilities and have up-to-date data about which vulnerabilities have weaponized exploits available for them. With this information, prioritize patching them or implementing mitigating controls like virtual patching through intrusion prevention systems (IPSs).
- Investigate the use of threat intelligence providers that can add value with threat forecasting and advanced notification of impending activity against your organization. An example would be notification of a phishing template becoming available for sale that is designed to look identical to your organization's.
- Investigate the use of threat intelligence platforms (TIPs) to add in threat and adversary tracking.

Delivery

An array of traditional controls can assist greatly in denying access to your environment:

- Firewall or next-generation firewall to control traffic at the perimeter
- Next-generation intrusion prevention to provide visibility and prevention of compromise attempts


- Email and Web gateway security to enforce multiple methods of content inspection for malicious and unwanted activity
- Distributed denial of service (DDoS) prevention to ensure the business can continue to transact under high volumes of traffic or other methods of application-specific DDoS activity
- Web application firewall (WAF) to prevent the exploitation of e-commerce infrastructure
- Network behavioral analysis (NBA) and security analytics, where network traffic patterns and content can be reviewed for indicators of compromise and suspicious activity
- Payload inspection technology that uses techniques like CPU emulation and sandboxing to provide a behavioral-centric method of malware detection
- DNS security to give visibility and protection against the resolution of unwanted or malicious hosts

Exploitation

An array of network, host and server technologies in conjunction with continuous monitoring can detect and deny access to the organization's environment:

- Security information and event management (SIEM) to correlate the events and logs from multiple security, infrastructure and identity elements to provide better visibility of malicious behavior
- Prevention-focused security technologies like firewall, endpoint protection platform (EPP), network generation intrusion prevention system (NGIPS), email and Web security
- Advanced targeted attack (ATA) or advanced persistent threat (APT) technologies that can provide enhanced detection against new threats or variants of existing threats
- Security analytics to review full session analysis detailing the exploitation and subsequent activity with a high level of detail
- Threat intelligence usage in SIEM and network security technologies to provide additional detection and prevention opportunities

Installation

During this phase of the kill chain, host-specific methods are the primary method to detect the execution of malicious content:

- EPP can deliver multiple methods of malware prevention, browser security and application whitelisting.
- Mobile device management can control and deny unwanted applications from running on bring your own device (BYOD) devices. This can also deny user-installed applications from accessing corporate-sensitive data via methods like per-application authentication VPN and containerization.
- Identity and strong authentication methods can reduce the chance of installation and access to data.

Once identified, recover from the situation by being able to:

- Perform incident response
- Recover compromised data from backups
- Restore servers and end-user devices back to known good trusted states


- Potentially comply with law enforcement attempts to prosecute malicious actors
- Report on details of the breach and other compliance mandates (such as reports to financial regulators, on any further impact expected by the company)

Command and Control

With this phase of the CKC, look for methods that detect the adversary's attempts to control assets that have been previously compromised. If there are infected devices with remote-access trojans or rootkits, use methods such as:

- IP and DNS reputation-filtering capabilities of network behavioral analysis (NBA) tools, network forensics tools, next-generation firewalls, intrusion prevention systems and security Web gateways
- DNS security, where internal DNS servers themselves have threat intelligence capabilities to deny name resolution of malicious hosts
- SIEMs with watchlists, threat intelligence and other policies configured to detect this type of out-of-character behavior

Action on Targets

During this phase, the adversary is trying to perform the most important part of its activity. This is to exfiltrate the data gathered in this and earlier phases of the kill chain. Methods to be addressed are:

- After a compromise, all subsequent attack activity is performed as internal or trusted users. A SIEM, data loss prevention (DLP) or database activity monitoring and protection (DAP) function performing continuous monitoring can assist with identifying trusted user access to data that is not specific to their role, access to data in volumes previously unseen, access to data at times of day that are out of character, and access to data from locations previously unseen.
- Network behavioral analysis can highlight devices that are moving data around that is not part of their role (traffic to hosts that stand out), an exceedingly high volume of DNS traffic to an external DNS server that is not defined for external host name resolution, or traffic protocols being actively used that are against policy.
- Next-generation firewalls can identify a trusted user attempting clearly malicious activity such as an FTP session to an unexpected destination.
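As an added example (not part of the Gartner text and not a Proofpoint product), the following Python script applies the detections described under Command and Control and Action on Targets to constructed log lines: queries for watchlisted hosts, an excessive volume of DNS queries to a resolver not defined for external resolution, and trusted-user access outside role, hours or volume baselines. The key=value log format, host names, users, resolver policy, role baselines and thresholds are all assumptions made for the illustration.

```python
"""Minimal SIEM-style correlation over constructed DNS and data-access logs.

Covers the Command and Control indicators (watchlisted hosts, excessive
queries to a non-sanctioned resolver) and the Action on Targets indicators
(trusted-user access outside role, hours or volume). Everything here is
constructed: the key=value log format, hosts, users, policy and thresholds.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed policy: the only resolver clients may use for external names,
# plus a threat-intelligence watchlist of known-malicious domains.
SANCTIONED_RESOLVERS = {"10.0.0.53"}
WATCHLIST = {"update-check.example-bad.test"}
DNS_QUERY_THRESHOLD = 100  # queries per (host, resolver) before we alert

# Constructed role baselines for the DAP/DLP-style check: data classes a
# role may touch, normal working hours, and a daily row budget.
ROLE_BASELINE = {
    "analyst": {"classes": {"reports"}, "hours": range(8, 19), "rows": 5_000},
    "dba": {"classes": {"reports", "customer_pii"}, "hours": range(7, 22), "rows": 50_000},
}


@dataclass
class Alert:
    phase: str    # kill-chain phase the indicator maps to
    subject: str  # host or user the alert is about
    reason: str


def parse_kv(line):
    """Parse a constructed 'key=value key=value' log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def detect_c2(dns_lines):
    """Command and Control: watchlisted names and resolver-policy violations."""
    alerts, seen, per_dest = [], set(), Counter()
    for rec in map(parse_kv, dns_lines):
        src, resolver, qname = rec["src"], rec["resolver"], rec["qname"]
        # Reputation / watchlist hit: alert once per (host, name) pair.
        if qname in WATCHLIST and (src, qname) not in seen:
            seen.add((src, qname))
            alerts.append(Alert("command-and-control", src,
                                f"query for watchlisted host {qname}"))
        if resolver not in SANCTIONED_RESOLVERS:
            per_dest[(src, resolver)] += 1
    # Exceedingly high DNS volume to a resolver not defined for external
    # resolution is the NBA indicator the text describes.
    for (src, resolver), n in per_dest.items():
        if n >= DNS_QUERY_THRESHOLD:
            alerts.append(Alert("command-and-control", src,
                                f"{n} queries to non-sanctioned resolver {resolver}"))
    return alerts


def detect_actions_on_targets(access_lines, users):
    """Action on Targets: trusted-user access outside role, hours or volume."""
    alerts, rows_per_user = [], Counter()
    for rec in map(parse_kv, access_lines):
        user, hour = rec["user"], int(rec["ts"][11:13])  # ts is ISO 8601
        base = ROLE_BASELINE[users[user]]
        if rec["class"] not in base["classes"]:
            alerts.append(Alert("actions-on-targets", user,
                                f"access to {rec['class']} outside role"))
        if hour not in base["hours"]:
            alerts.append(Alert("actions-on-targets", user,
                                f"access at hour {hour:02d}, out of character"))
        rows_per_user[user] += int(rec["rows"])
    for user, rows in rows_per_user.items():
        if rows > ROLE_BASELINE[users[user]]["rows"]:
            alerts.append(Alert("actions-on-targets", user,
                                f"{rows} rows read, above role baseline"))
    return alerts


# Constructed sample logs: ws-17 beacons to a watchlisted host through an
# unsanctioned resolver; analyst bob pulls customer PII at 03:14.
DNS_LOG = ["src=ws-17 resolver=198.51.100.9 qname=update-check.example-bad.test"] * 120
DNS_LOG.append("src=ws-04 resolver=10.0.0.53 qname=intranet.corp.test")
ACCESS_LOG = [
    "ts=2015-03-02T03:14:00 user=bob class=customer_pii rows=40000",
    "ts=2015-03-02T10:05:00 user=alice class=reports rows=120",
]
USERS = {"bob": "analyst", "alice": "dba"}

if __name__ == "__main__":
    for a in detect_c2(DNS_LOG) + detect_actions_on_targets(ACCESS_LOG, USERS):
        print(f"[{a.phase}] {a.subject}: {a.reason}")
```

In a real deployment the baselines would come from observed history rather than a static table, which is what the text means by "previously unseen" volumes, times and locations.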


Acronym Key and Glossary Terms

ACL: access control list
ATD: advanced threat defense
DAP: database activity monitoring and protection
DAST: dynamic application security testing
DBSM: database security monitoring
DLP: data loss prevention
EPP: endpoint protection, including host-based features like firewall, anti-malware, whitelisting and disk encryption
ETDR: endpoint threat detection and response
FIM: file integrity monitoring
HIPS: host-based intrusion prevention system
IAM: identity and access management
MDM: master data management
NGFW: next-generation firewall
NGIPS: network generation intrusion prevention system
NIPS: network intrusion prevention system
QoS: quality of service
SEG: secure email gateway
SIEM: security information and event management
SSL: Secure Sockets Layer
SWG: secure Web gateway
TIP: threat intelligence platform
VA: vulnerability assessment


Evidence

Mitre's "Cybersecurity Threat-Based Defense"

[1] Lockheed Martin's "Cyber Kill Chain"

Source: Gartner Research, 600263765, Craig Lawson, 15 August 2014

About Proofpoint, Inc.

Proofpoint Inc. (NASDAQ:PFPT) is a leading next-generation security and compliance company that provides cloud-based solutions for comprehensive threat protection, incident response, secure communications, social media security, compliance, archiving and governance. Organizations around the world depend on Proofpoint's expertise, patented technologies and on-demand delivery system. Proofpoint protects against phishing, malware and spam, while safeguarding privacy, encrypting sensitive information, and archiving and governing messages and critical enterprise information. More information is available at www.proofpoint.com.

Defending against Advanced Threats: Addressing the Cyber Kill Chain is published by Proofpoint. Editorial content supplied by Proofpoint is independent of Gartner analysis. All Gartner research is used with Gartner's permission, and was originally published as part of Gartner's syndicated research service available to all entitled Gartner clients.

2015 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner's endorsement of Proofpoint's products and/or strategies. Reproduction or distribution of this publication in any form without Gartner's prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.
