YouTube is filled with videos of criminals who manage to break into a bank or jewelry store, but then find themselves locked inside and when it comes to cyber intruders sometimes stopping one from escaping from your system can be just as beneficial as stopping him at the gate.
The essence of an intrusion is that the aggressor must develop a payload to breach a trusted boundary, establish a presence inside a trusted environment, and from that presence, take actions towards their objectives, be they moving laterally inside the environment or violating the confidentiality, integrity, or availability of a system in the environment. The intrusion kill chain is defined as reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
A kill chain is a process for finding and taking action on a target. This integrated, end-to-end process described as a “Chain” because any one deficiency will interrupt the entire process. At each step, the malware must “phone home” for more instructions. If we interrupt any one communication, we win. Rather than focusing all cyber protection efforts at one point (i.e. the perimeter), network and information defenses must be designed to interrupt the “kill chain” at multiple layers in the system. This yields a much more robust security infrastructure than traditional methods
In the real world we have to face the fact that, despite our best efforts, we are not going to be able to defend against every attack all of the time. This does not mean that information security is ineffective. On the contrary, security managers are on the front line fighting against the world’s most sophisticated adversaries. But to succeed we need to stack the odds in our favor through better planning; defense strategies that frustrate attackers; and faster spotting, response, and recovery efforts. We can build the biggest castle with the largest moat to protect us but the sentry in the parapets is our most effective early warning system. We shouldn’t wait till the siege engine has brought down the walls to react. As General George S. Patton, famous World War II General most noted for his actions at the Battle of the Bulge, so eloquently said, “Nobody ever defended anything successfully.”
While we in industry can’t really go on the offensive, though the idea is interesting, we must realize that as a corporation we tend to be a somewhat large, static object. Nothing is easier to target than something that is not moving or in the case of industry, remains unchanging. We cannot rest on our laurels and must be constantly varying the target landscape that we present to the hackers. We need to be proactive in what we do and not reactive. Sort of like the Star Trek series where they adjust the shield modulation to thwart the enemies ability to penetrate their defensive perimeter around the star ship Enterprise. Also, another huge lesson from Star Trek is: Never be the landing party crewman in the red shirt – it means you will be the one to die. (Fashion tips for your next board meeting update)
George S. Patton also said that if everyone is thinking alike, then somebody isn’t thinking. To effectively counter the bad guys we need to think outside of the box. Using the same defense strategies and tools that every other corporation uses just makes the job easier for the bad guys. We need to be creative in our approaches. They know how we think, act and respond. We need to start thinking, acting and responding like them.
Gene Fredriksen is the Chief Information Security Officer for PSCU. In this role he is responsible for the development of information protection and technology risk programs for the company. Gene has over twenty-five years of Information Technology experience, with the last twenty focused specifically in the area of Information Security. In this capacity, he has been heavily involved with all areas of Audit and Security.