Our team has been actively involved in defending some of the most attacked organizations in the world. Having a front row seat in the fight against advanced persistent threats (APTs) has informed how I think about defense and intelligence. Last month I teamed up with our partners at Cybereason to discuss:
- The most pressing challenges your company faces when fighting APTs:
  - Excessive false positives
  - Lack of threat context
  - Poor endpoint visibility
- Four steps you can take to combat APTs in your organization, including automating threat detection and implementing behavioral analysis
- How to empower your security team in the fight against APTs by adopting automatic threat detection, eliminating alert fatigue and using endpoint data to reveal full attacks
Below are three questions posed by attendees that were not answered during the live broadcast. Here are my thoughts:
1. If an organization is relatively new to cybersecurity, would you recommend they go through an overview of the Cyber Kill Chain® before digging further into techniques and technologies?
First and foremost, I think it’s critical to have a solid, reliable foundation, and a framework can provide just that. There are a lot of cybersecurity frameworks, most notably NIST, NERC CIP, and some ISO frameworks. These provide guidance in establishing the critical controls, processes, and capabilities needed to establish a reasonable security posture. Once that framework is established – which is no small feat – an analytical framework such as the Cyber Kill Chain comes into play. The Cyber Kill Chain can be used to develop a better understanding of adversary activity, which directly drives the evolution of defensive capabilities. While the Cyber Kill Chain, as an analytical methodology, is always applicable, using it in the absence of solid, fundamental cybersecurity is extremely challenging and provides limited practical impact.
Rob M. Lee, SANS Certified Instructor and the course author of SANS ICS515: Active Defense and Incident Response, has written a white paper that looks at a very similar concept. His premise is that security consists of multiple points on a continuum which includes architectural security (designing secure networks), passive security (security as a result of deployed tools and solutions), and active security (security that is actively driven by analysis, threat hunting, threat intelligence). This is a very appropriate and useful frame of reference for understanding and establishing a cybersecurity program.
The Leidos cybersecurity team also offers a suite of services that includes cybersecurity program assessments, strategic roadmaps, and transformative consulting work. We engage with our clients as a cybersecurity partner to build, transform, integrate and execute proactive and measurable cybersecurity programs.
2. Is there a template or process for performing a Cyber Kill Chain analysis on a company’s controls? Is this a service offered?
This is a great question. We continually analyze process performance for ourselves and our clients. Using the Cyber Kill Chain as a framework to map and understand defenses in a holistic manner is really powerful. We use the Cyber Kill Chain to understand what we feel is true “defense in depth” – namely detecting and defending against a breach throughout the entire lifecycle of an attack.
There isn’t a specific template that we use, but we do work with clients to help them better understand this kind of “mapping.” In general terms, we consider how the control or capability in question can be used to detect or disrupt the attacker’s actions at each stage of the Cyber Kill Chain. That understanding can then be used to create a matrix of capabilities across the Cyber Kill Chain. This exercise can and should be approached from two angles: first from the viewpoint of the Cyber Kill Chain, determining the capabilities that apply to each step, and second from the viewpoint of your capabilities, identifying where each capability applies in the framework. This approach not only highlights where existing investments are underutilized but also provides a framework for evaluating potential future investments in new or improved capabilities.
To give a feel for a simplified version of the output from this type of exercise, below is a conceptual matrix. Note that this kind of matrix should be accompanied by a more thorough explanation of the capabilities and how they apply. In this example, we specify whether the capability provides “Detection” or “Protection” at each step of the Cyber Kill Chain.
The process of creating this type of matrix includes evaluating each capability to understand how it applies – or doesn’t apply – to each step. This same approach can be used to drive down to the level of individual incidents to understand how each capability was applied. This can provide further insights into strengths and needs of the overall defensive posture.
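The mapping exercise described in the two paragraphs above (capabilities marked as Detection or Protection at each kill-chain step, viewed both from the stage angle and from the capability angle, then drilled down to an individual incident) can be expressed as a small script. The following is an added example, not code from the original post or from Leidos; the seven stage names are Lockheed Martin's Cyber Kill Chain stages, while the capability inventory and the incident are constructed for illustration and do not describe any real organization.

```python
"""Cyber Kill Chain capability coverage matrix (added example, not the post's own code).

Stage names are the seven Cyber Kill Chain stages. The capability inventory
and the sample incident below are constructed for illustration only.
"""

# The seven stages of the Cyber Kill Chain, in attack order.
STAGES = (
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
)

# Constructed inventory: capability -> {stage: roles}, where a role is
# "D" (Detection) or "P" (Protection). A stage that is not listed for a
# capability means the capability does not apply at that step.
CAPABILITIES = {
    "Email gateway filtering":   {"Delivery": {"D", "P"}},
    "Endpoint detection (EDR)":  {"Exploitation": {"D"},
                                  "Installation": {"D", "P"},
                                  "Command and Control": {"D"},
                                  "Actions on Objectives": {"D"}},
    "Web proxy with reputation": {"Delivery": {"P"},
                                  "Command and Control": {"D", "P"}},
    "Patch management":          {"Exploitation": {"P"}},
    "Threat intel monitoring":   {"Reconnaissance": {"D"}},
}


def by_stage(caps=CAPABILITIES):
    """Kill-chain angle: for each stage, which capabilities apply and how ("D", "P" or "DP")."""
    view = {stage: {} for stage in STAGES}
    for cap, stages in caps.items():
        for stage, roles in stages.items():
            if stage not in view:
                raise ValueError(f"unknown stage {stage!r} for capability {cap!r}")
            view[stage][cap] = "".join(sorted(roles))
    return view


def by_capability(caps=CAPABILITIES):
    """Capability angle: for each capability, the stages it covers, in attack order."""
    return {cap: [s for s in STAGES if s in stages] for cap, stages in caps.items()}


def coverage_gaps(caps=CAPABILITIES):
    """Stages where no capability detects, and stages where no capability protects.
    These are the rows of the matrix that point at underutilized or missing investment."""
    view = by_stage(caps)
    no_detection = [s for s in STAGES if not any("D" in r for r in view[s].values())]
    no_protection = [s for s in STAGES if not any("P" in r for r in view[s].values())]
    return {"no_detection": no_detection, "no_protection": no_protection}


def incident_review(observed_stages, fired, caps=CAPABILITIES):
    """Incident angle: for each stage the adversary was observed reaching, which
    applicable capabilities actually fired (detected or blocked) and which stayed silent."""
    view = by_stage(caps)
    fired = set(fired)
    report = {}
    for stage in STAGES:
        if stage not in observed_stages:
            continue
        applicable = set(view[stage])
        report[stage] = {
            "fired": sorted(applicable & fired),
            "silent": sorted(applicable - fired),
        }
    return report


def render_matrix(caps=CAPABILITIES):
    """Plain-text matrix: rows are capabilities, columns are stages; cells hold
    D, P, DP, or '-' where the capability does not apply."""
    view = by_stage(caps)
    width = max(len(c) for c in caps)
    header = " " * width + " | " + " | ".join(s[:6].ljust(6) for s in STAGES)
    rows = [header]
    for cap in caps:
        cells = [view[s].get(cap, "-").center(6) for s in STAGES]
        rows.append(cap.ljust(width) + " | " + " | ".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_matrix())
    print("gaps:", coverage_gaps())
    # Constructed incident: adversary reached Delivery through Installation,
    # and only EDR produced an alert.
    print("incident:", incident_review(
        {"Delivery", "Exploitation", "Installation"}, {"Endpoint detection (EDR)"}))
```

The `coverage_gaps` output is the matrix's first-order finding (steps with no protection at Reconnaissance, Weaponization and Actions on Objectives in this constructed inventory), while `incident_review` is the drill-down to one incident: capabilities listed as "silent" at a stage the adversary demonstrably reached are the ones whose configuration or placement deserves a closer look.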
3. Is your company doing any research in the field of active defense?
I’m going to answer this question with the definition of “active defense” proposed by Rob M. Lee in his white paper. According to this definition, active defense is “the process of analysts monitoring for, responding to, learning from, and applying their knowledge to threats…” We believe that an intelligence-driven defense is key to success. Research into this methodology spans everything we do across our products and services. We’re continually looking to turn this research into an active opportunity to influence the domain by increasing an analyst's access to timely and accurate information and intelligence. In our experience, this kind of access empowers cybersecurity teams to build context, improve situational awareness and stay a step ahead of the adversaries. Our partnership with Cybereason supports our continued mission to deliver mature capabilities around threat hunting and active defense. This type of active defense approach and posture is critical in combating the threats facing companies today.
Watch the full on-demand broadcast:
[Note: Justin Lachesky is a Senior Cyber Analyst with Leidos Cyber Inc. Justin's presentation was recorded prior to a merger of Lockheed Martin IS&GS and Leidos. Leidos Cyber Inc. is a leading provider of cybersecurity products and services, and was acquired by Leidos through the merger of Lockheed Martin IS&GS and Leidos on August 16th, 2016. Leidos Cyber's products and services leverage heritage Lockheed Martin IS&GS intellectual property and processes, including services provided using Lockheed Martin's Cyber Kill Chain® framework and Intelligence Driven Defense® methodology. (Cyber Kill Chain® and Intelligence Driven Defense® are registered trademarks of Lockheed Martin).]