Three years ago security analysts at Lockheed Martin published a paper on "Intelligence-Driven Computer Network Defense." The paper suggested that network security organizations apply the military concept of a "kill chain" to disrupt network attacks. The paper inspired a new trend: applying military doctrine to network security. Next month at Black Hat USA 2014, Tom Cross, director of security research at NetFlow analysis vendor Lancope, will team up with a pair of West Point professors to deliver a talk called "The Library of Sparta." Cross will explain how network security teams can adopt additional military concepts in their battle to protect their networks. Cross sat down with SearchNetworking to give us a preview of the talk.
What concepts are you talking about with the "Library of Sparta"?
Tom Cross: In the world of computer security, people have been adopting certain ideas and jargon from military doctrine. You hear people talk about things like kill chain, OPSEC [operations security] and TTPs [tactics, techniques, and procedures]. It helps paint a picture of how nation states go about approaching the problem of attacking computer networks and how we defend computer networks. It has been very influential over the past couple [of] years as a way of changing people's perspective about how they go about the process of defending their network. I think there are a lot of other examples within the corpus of military doctrine that can be applied in the same way.
How has the kill chain concept been useful to network security?
Cross: The kill chain concept comes from the Air Force. If you are going to shoot a missile … there is a set of steps you go through … in order to determine who you are targeting, making sure your weapon is aimed properly, etc. You have to make sure all your ducks are in a row to take the shot. That whole process represents to your adversary different opportunities where they could potentially disrupt you before you achieve your goal.
There is [a] paper that some people at Lockheed Martin wrote where they applied this kill chain concept to computer security. They thought about a set of steps that an attacker goes through as they proceed to break into your network.
Thinking about each one of those steps in isolation is a useful mechanism for inspiring you to appreciate all the opportunities you have as a defender to disrupt what your attacker is doing.
[It is] a way of organizing the different artifacts that are discovered in the course of investigating an attack. All these artifacts can be organized into [the] stage of the attack it relates to. That helps you get a picture of the attack. The power comes from your ability to consider the different controls you have in an environment and where you put the controls in each stage of the attack. If you don't catch the attacker at one stage of their operation, perhaps you can catch them at another.
Why is the kill chain concept so useful?
Cross: We tend to think that the attacker has all the cards. People talk a lot about the asymmetry that exists in computer security, where the person defending a computer network has to find and fix every vulnerability that a network has; whereas, the attacker only has to find one vulnerability to be successful at breaking in.
But if you consider the kill chain, in a multistep, complicated operation [the attacker has] to get through each step in order to achieve their goal. Each one of those steps reflects an opportunity for the defender to disrupt what the attacker is trying to do. This really turns asymmetry on its head. It creates a situation where the defender has multiple opportunities to disrupt an attack and the attacker has to be successful at each stage. It has enabled people to improve the quality of what they're doing to defend their network.
What other concepts are you looking at from military doctrine that could be useful to network security?
Cross: One other concept is terrain analysis. The army has a way of analyzing a battlefield in order to figure out the high ground: where the key terrain that's going to be valuable in the course of a battle is, what the avenues of approach to that terrain are and how you would adequately defend it. They have a systematic way of answering those questions. We've taken that system and applied it to a computer network to see how well it mapped and what kind of lessons we could learn. We found that it maps very well and a lot of people go through this sort of analytic process today. When they are looking at their network security -- putting firewalls in place, for example -- they're thinking about how to segment the network and how to protect key assets from being directly accessible to areas like the Internet.
Defenders in theory both understand and control the environment that's being attacked. That's a key advantage that we don't emphasize enough when we think about computer security. Defenders built the network that's being attacked and they can even change -- dynamically -- the way it's structured or configured in the midst of an incident.
Attackers come in with no knowledge of the environment that they are trying to break into. And they have to discover that environment through reconnaissance. The problem with engaging in reconnaissance on a computer network is that you don't know for sure if the things you are seeing are really there. There is an opportunity for defenders to instrument their environment with honeypots that are attractive to attackers and cause them to reveal their presence.
People have been talking about honeypots for years, but I don't think that many organizations are actually doing a lot of instrumented "honeypotting" inside their network to identify people who are poking around inside. When an attacker first breaks into a network and gets a foothold, they have got to dig around to try to find the information that they actually want to steal. That process of lateralization within the network is a thing that could be disrupted through deception.
We often talk in computer security about the fact that the human is the weakest link in any network defense. Social engineering attacks target humans, so even if you have your technology platform locked down and you have great computer security and you've plugged all your vulnerabilities, somebody in your environment may do something stupid.
It would be interesting to turn that on its head and realize that perhaps the human behind the attack is the weakest link in the offense. What can you do to exploit the fact that the attack is being launched by a human? How can you confuse and divert that human to do things they don't want or that reveal their presence to you?
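The terrain-analysis idea above, worked through as an added example that is not part of the interview or the talk: a small network model whose hosts, zones and firewall rules are constructed assumptions. It enumerates every avenue of approach from a starting host to the key terrain (a domain controller, `dc01`), shows how a segmentation change removes the direct paths, and lists the ports on which the key terrain can still be reached, which is where a tripwire would go.

```python
# Added example: terrain analysis over a constructed network model.
# Host names, zones and firewall rules are assumptions made for
# illustration; they are not from the talk.

HOSTS = {
    "internet": "external",
    "web01": "dmz",
    "app01": "app",
    "ws-finance": "users",
    "jump01": "mgmt",
    "dc01": "core",        # the key terrain: the domain controller
}

# Firewall policy as (src_zone, dst_zone, dst_port) allow rules; any
# zone-to-zone flow not listed is denied.  The "before" policy lets the
# app tier and every user workstation talk straight to the DC.
POLICY_BEFORE = {
    ("external", "dmz", 443),
    ("dmz", "app", 8080),
    ("app", "core", 445),
    ("users", "dmz", 443),
    ("users", "core", 445),
    ("users", "core", 3389),
}

# The "after" policy removes the app-tier path to the DC and forces
# administrative access through a jump host in its own zone.
POLICY_AFTER = {
    ("external", "dmz", 443),
    ("dmz", "app", 8080),
    ("users", "dmz", 443),
    ("users", "mgmt", 22),
    ("mgmt", "core", 3389),
}


def avenues_of_approach(hosts, policy, start, target):
    """Enumerate every simple path from start to target along allowed flows.

    A path is a list of (host, port) hops; the first hop has port None.
    """
    paths = []

    def walk(current, visited, path):
        if current == target:
            paths.append(path)
            return
        for nxt, zone in hosts.items():
            if nxt in visited:
                continue
            for src_zone, dst_zone, port in sorted(policy):
                if src_zone == hosts[current] and dst_zone == zone:
                    walk(nxt, visited | {nxt}, path + [(nxt, port)])

    walk(start, {start}, [(start, None)])
    return paths


def exposure(hosts, policy, target):
    """Map each host to the number of distinct approaches it has to target."""
    return {
        h: len(avenues_of_approach(hosts, policy, h, target))
        for h in hosts if h != target
    }


def entry_ports(hosts, policy, target):
    """Ports on which target can be reached at all: where a tripwire belongs."""
    return sorted({
        port for src_zone, dst_zone, port in policy if dst_zone == hosts[target]
    })


if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, "exposure of dc01:", exposure(HOSTS, policy, "dc01"))
        for path in avenues_of_approach(HOSTS, policy, "internet", "dc01"):
            print("   internet ->", " -> ".join(f"{h}:{p}" for h, p in path[1:]))
```

With the "before" policy the Internet reaches the domain controller in three hops (web tier, app tier, SMB to the DC) and a finance workstation has three separate approaches; with the "after" policy the Internet has none and the workstation has exactly one, through the jump host. The model deliberately ignores intra-zone traffic and host-level controls; in practice the policy set would be exported from the firewalls rather than typed in.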
In terms of targeting the human element of an attack, how might that play out?
Cross: Often the next step [after breaking into a network] is to go after the authentication credentials. We see a lot of attacks that target Active Directory servers or LDAP servers as a second stage, because if you can get into those systems and start cracking password files, then you end up with people's legitimate access credentials for the network.
You know that the Active Directory server is a piece of key terrain that attackers are definitely going to target as they break into your network. What are the things you can do to make your Active Directory server deceptive? A lot of people administer Windows machines using Remote Desktop Protocol [RDP]. That is a service that lives on a particular port. Why not move that service to a different port and set an alarm if anyone ever tries to reach the Active Directory server on the normal RDP port? Any attacker that's poking around is likely to look if you have RDP running on your Active Directory server. That kind of setup would immediately identify them as suspicious.
Once you are aware of them and can see them, then you can analyze what they've gotten access to and eventually take action to kick them out. So a little tripwire like that can be an effective tool for tricking adversaries into revealing themselves.
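The RDP tripwire Cross describes, together with the decoy-host idea from earlier in the interview, as an added example that is not part of the interview or of any Lancope product. It runs detection logic over constructed flow records (timestamp, source, destination, ports, protocol) in which the real RDP listener on the domain controller has been moved to an assumed port 33389; any flow to the standard port 3389 on the DC, or to a decoy host with no legitimate users, raises an alert. Addresses, ports and log lines are all assumptions.

```python
# Added example: a tripwire detector over constructed flow records.
# The addresses, ports and log lines are assumptions made for
# illustration and are not from the talk or from any Lancope product.
import csv
from collections import Counter
from io import StringIO

DC_IP = "10.0.1.10"        # assumed domain controller
DECOY_IP = "10.0.2.99"     # assumed decoy host that no legitimate user touches

# Real RDP on the DC has been moved to 33389 (assumption); nothing
# legitimate should ever connect to 3389 on it, or to anything on the decoy.
TRIPWIRES = {
    (DC_IP, 3389): "standard RDP port on domain controller",
    (DECOY_IP, None): "decoy host",   # None matches any destination port
}

# Constructed flow records: timestamp,src_ip,src_port,dst_ip,dst_port,proto
SAMPLE_FLOWS = """\
2014-07-01T09:12:03Z,10.0.5.23,52211,10.0.1.10,33389,tcp
2014-07-01T09:13:41Z,10.0.5.77,49152,10.0.1.10,3389,tcp
2014-07-01T09:13:42Z,10.0.5.77,49153,10.0.1.10,445,tcp
2014-07-01T09:14:05Z,10.0.5.77,49154,10.0.2.99,445,tcp
this line is garbage and must be skipped
2014-07-01T09:20:00Z,10.0.5.23,52300,10.0.1.10,389,tcp
"""


def parse_flows(text):
    """Yield well-formed flow dicts; malformed lines are skipped, not fatal."""
    for row in csv.reader(StringIO(text)):
        if len(row) != 6:
            continue
        ts, src, sport, dst, dport, proto = row
        try:
            yield {"ts": ts, "src": src, "sport": int(sport),
                   "dst": dst, "dport": int(dport), "proto": proto}
        except ValueError:
            continue


def tripped(flow, tripwires=TRIPWIRES):
    """Return the description of the tripwire a flow hits, or None."""
    for (ip, port), why in tripwires.items():
        if flow["dst"] == ip and (port is None or flow["dport"] == port):
            return why
    return None


def detect(text, tripwires=TRIPWIRES):
    """Return (alerts, per-source alert count) for a batch of flow records."""
    alerts = []
    for flow in parse_flows(text):
        why = tripped(flow, tripwires)
        if why:
            alerts.append({"ts": flow["ts"], "src": flow["src"],
                           "dst": flow["dst"], "dport": flow["dport"],
                           "reason": why})
    by_source = Counter(a["src"] for a in alerts)
    return alerts, by_source


if __name__ == "__main__":
    alerts, by_source = detect(SAMPLE_FLOWS)
    for a in alerts:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']}  {a['reason']}")
    print("sources to investigate:", dict(by_source))
```

Only the admin's session on the moved port and the ordinary SMB and LDAP traffic pass; the probe of port 3389 and the touch of the decoy both fire, and both come from the same source, which is the signal to start analyzing what that host has reached. The value of moving the port is not concealment, since a port scan finds the new listener quickly; it is that legitimate users no longer generate traffic on the old port, so a single hit there is high-confidence and cheap to act on.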