Servaas Verbiest (SV): Welcome to IT Availability Now, the show that tells stories of business resilience from the people who keep the digital world available.
I’m your host Servaas Verbiest and today, I’m joined by Shannon Davis, Global Director of Partner Readiness at Alert Logic and we're going to be discussing the cyber kill chain.
Thank you for joining us on the show today, Shannon.
Shannon Davis (SD): Thank you so much for having me, Servaas. I always enjoy hanging out with you.
(SV): Yeah, I like to take advantage of every opportunity I can get. And this is an interesting topic because, you know, unlike most times, this is something I wasn't really familiar with until it was brought to my attention. Given that the cyber kill chain is one of the latest security buzzwords, it shows up in a lot of great reports. One that jumps out to mind is Verizon's 2022 Data Breach Investigations Report, which a lot of industry experts and customers like to reference, and it specifically points out that ransomware has increased 13% year over year. And that's the largest jump we've seen in, I think, five years. And in that same report, another great statistic that jumps out and really plays into what we're going to discuss today is that 25% of the total breaches were associated with social engineering attacks, which is an interesting thing to account for because social engineering doesn't always incorporate technology. A lot of it is people just looking at general conversations like we're having today and exploiting the human element of security posture to get what they want.
So, Shannon, I assume the cyber kill chain comes up quite frequently in your interactions with customers. But let's go back to the beginning because it was new to me, I'm sure it's new to some folks out there. Where did that term come from? How did it get its name?
(SD): Servaas, great question, and yes, the cyber kill chain comes up every single day. It's a buzzword. It's been around for a while. People are asking about it, wondering about the origins. So where it really started is as a military term, the term kill chain. And basically, what it refers to is the identification of your target. You want to dispatch your forces to the target, initiate an attack on that target and then just have the ultimate destruction of that target. That's the kill chain. Our goal on the defense side is to break that chain of events that the cybercriminals are going down.
So in 2011, there was a group of computer scientists at Lockheed Martin. They took their military background and they kind of applied that framework to information security. And when you look at the technology kill chain or what we talk about today in cybersecurity, it's really broken down into more steps. You have reconnaissance: that's where the bad guys, for lack of a better term - you can say state-sponsored foreign actors, you can say cyber criminals, hackers - they're doing research to determine what's the best way to get into this company and extract value. Then after reconnaissance, they do weaponization. It could be emails, it could be RDP exploits, it could be - and this still happens today - putting some malware on a thumb drive and dropping it in the parking lot and knowing that somebody's going to pick it up and plug it in. Then they deliver. Delivery is the next step where they're actually acting on that intelligence that they have and deploying that weaponized malware or ransomware, you name it.
Then there's the actual exploit. So once it's been delivered, that's the boom, or the breach, or the exploit or whatever you want to call it. And basically, the code gets triggered and it starts its process. 20 years ago, cybercriminals were writing their own code. It was very manual. There was like a code of honor to it. Today, it's mostly bot-driven. So once that exploit happens, it's only a matter of minutes before systems get compromised because there are thousands of bots at work here. So that's all pre-breach.
After the exploit, there's three more steps. There's the installation, and that's where they're installing some sort of a backdoor on your system so that they can get persistent access and get back in.
They want to take command and control. They want to bypass your security systems, any endpoint protection you may have, basically give themselves hands-on keyboard access, maybe escalate some privileges, and then, actions on objectives.
And that's the last step. And when you look at actions on objectives, in the case of ransomware, they want to encrypt your systems, lock them down, and then you'll see a notice that says “give us three Bitcoin by this date at this address, and we'll give you access back to your systems.” That's ultimately what happens with ransomware. Ultimately, that's the kill chain as adapted from the military for cybercrime.
(SV): And it's funny how in IT you see these parallels to the armed forces in terminology and execution. When we really kind of take a step back - just so I can make sure I can refine what we've covered - all the kill chain is, is the process in which a bad actor executes what they're going to do to get what they want.
Now, knowing that's correct, if we kind of look at it from that high level perspective, why must organizations be aware of the kill chain? And really, I don't want to make too many assumptions, but what makes it such a vital part of their security posture?
(SD): That's a great question. And if you really break that kill chain down, there are three steps - the reconnaissance, weaponization and delivery - that are all pre-breach. You'll hear me call it left of boom. The boom, or the exploit or the breach, is there in the middle, and then to the right of that you would have install, command and control and actions on objectives. So those would be the post-breach, or the right of boom.
A lot of companies have folks in an IT capacity that they tap on the shoulder and say, “by the way, you're now responsible for security as well.” There's just a security talent shortage worldwide, but specifically in the United States, there are millions of jobs open. So you have folks that might not have the strongest security background, but they do have a strong IT background, and they focus very, very heavily on those first three items to the left of boom: the reconnaissance, the weaponization and the delivery. If we can prevent them from getting in, we don't have to worry about the attack. That's just the old school mindset. The reason it's so important that we talk about the entire kill chain is yes, prevention is amazing. We should all be doing it, we should all be trying to prevent attacks. But in this day and age, you're constantly under attack. If you're connected to the Internet, you are under attack. So the odds of you being breached are extremely high. I wouldn't be surprised if every single company or person is breached at some point.
So today, we look at that right side of the kill chain and the post breach and we need to focus there as well. So that yes, we're minimizing, but if you do get breached, how do you rapidly identify that you've been breached so that you can minimize the impacts of a successful attack?
With ransomware, they're not going to be in your environment for 200 days poking around. They quickly want to lock your system down so that they can get that ransom payment. This is a business for them. So you have to be able to detect within minutes that your system has been compromised so you can basically detect, deny, disrupt, and get them out of your environment before they're able to do any serious damage. And, you know, if you look at the types of customers that are out there, that we talk to - it could be the financial industry, it could be manufacturing, it could be health care - if they had a downtime event, it could really impact a lot of people in a very negative way.
(SV): Well it's good that you talk about the impacts, but let's take a step back for a minute.
Knowing this is such an important concept for security and that organizations can use it to formulate a plan around how they're going to handle not just pre-breach but post-breach, what are some ways that organizations can detect a bad actor at each one of these stages? Are there any examples that you can give to help us understand a little deeper what they can do?
(SD): Absolutely, absolutely.
If you break down the kill chain - another reason it's so important - you might see indicators that somebody's trying to gain entry into your environment. And anybody out there that's managing network traffic, we're all seeing brute force login attempts every single day by the thousands. I mean, there's just tons of activity. I'm sure that everybody listening right now has received phishing emails or spear phishing attempts via email. For all the IT folks that are worried about VPN exploitation, there are all these ways that bad actors try to gain entry. So while you're handling that, that alone may not be that bad. Even if they were to gain entry, it's not the end of the world, it's not that bad. But you're monitoring the entire kill chain because maybe you see indicators of some lateral movement later on, where they have command and control and they're spreading across the environment. And that alone is bad, but when you correlate those two pieces of information together, you realize it's a more sophisticated attack.
So we need to monitor the entire kill chain. And some examples of that might be the pre-breach, when you're monitoring how they're trying to gain entry. One of the big things I say is RDP exploitation and VPN exploitation. That's a great way in for the bad guys. So we need to monitor our logs - our firewall logs, our VPN logs, any Windows logs, IDS logs - and run analytics on them to see any indicators of compromise or inconsistency while they're gaining entry.
If they have gained entry, like I said, not the end of the world, that can happen. But next step, they're going to try to install that code. It could be a variety of different things, but let's just say that it was ransomware. So in that case, your intrusion detection system: if you're monitoring network traffic, or host-based traffic, you should be able to detect that. If you have file integrity monitoring in place, that's another way where you can see that they're writing to the registry or your file systems. If you have endpoint protection or EDR in place, it's another great way to detect that there's activity that's either being blocked, or that should be blocked, while they're gaining that access to your environment.
Once they've installed the payload, typically what they're going to do next is try to escalate their privileges. So if they compromise somebody's account and get their credentials, they might try to elevate them or create some new admin-type credentials. The way you're going to detect that is user behavior analytics and looking at your logs. Windows logs are a great opportunity to do that, where if you see somebody - let's just say hypothetically: Shannon is the Director of Partner Readiness, so he should be interacting with sales folks, partners, engineering folks, technical folks. Shannon should never be looking at the CFO’s database of payments and vendors that we're sending payments to. It's just not something I would do. If I'm spotted doing that, we would hope there's a system in place to trigger an alert, whether that's log analytics, user behavior, things like that.
So as you move down that kill chain, there's so many ways to detect and disrupt the bad actors along the way. But really, you have to focus on both sides, not just that pre-breach, but also the post-breach and you have to do it constantly because the name of the game is speed. You want to quickly identify that you've been breached if you have so that you can minimize that attack window. It only takes minutes to hours for ransomware to really gain a foothold in your environment. So plenty to dive into there. But what are your thoughts on that?
(SV): No, no, it's really interesting that you covered all that because sometimes people will say, “hey, it's all about fundamentals of ASICs.” Things are being deployed like hardened appliances, cloud native deployments, advanced technologies that are a bit more stateless and ethereal in how they execute. They only get called when they're needed, right? That's obviously something that you've got to factor in when you look at legacy approaches and understanding - I guess you would say - an evolving kill chain, right?
(SD): Yeah, absolutely.
You know, there's no silver bullet or one size fits all. It's going to be due diligence and training of your employees. It's going to be patch management, making sure that your security and operating system patches are up to date and installed, that you're scanning for vulnerabilities and managing those on a regular basis. And then monitoring your network traffic, reviewing your logs, doing user anomalous behavior detection, doing file integrity monitoring. You do all these things so that if any of them have indicators of compromise, you can then dive in across the kill chain and across all your detection techniques to determine if something larger is at play here. And the faster it can be identified, the faster you can put a stop to it. I hate to say this, but you know there's that old joke about what you do if you're being chased by a bear? You don't have to be fast, you just have to be faster than your friend. If you're too difficult to penetrate, maybe that lower-level cybercriminal just moves on down and tries to find a less sophisticated target. So the more structure that you put around this and the more systems and controls that you put in place, the safer you're going to be across the board.
(SV): Almost like just going for the low-hanging fruit.
(SV): I mean, that's what it comes down to. People want, or cybercriminals in this case want, the easiest and largest payout they can get, and it's not really about maintaining the most advanced security. I know what I'm about to say is going to be dangerous, it might give you agita. But it's about maintaining a level of security that puts you in the upper mid-market, where it's irritating enough and there's enough that they have to go through that they can't exploit you as easily as they'd like compared to other organizations who maybe lack, or are simply unaware of, the posture they need to maintain based on the threat landscape.
(SD): Exactly. And you know, if you look at cybercrime, it has evolved so much. How are you staying up to date? And how are your systems and tools keeping up with the new threats as they evolve? So when you combine that with the lack of cybersecurity talent that exists and the problems we're all having with hiring around cybersecurity analysts and folks in that space, it's a real recipe for ulcers and heartburn.
But you know, there is help out there. I know at Sungard, you have folks that specialize in having this conversation every single day. And I think that's a very important thing to understand: you don't have to have a perfect security posture today. But for anybody that's listening, that's panicking, thinking “well, I don't know if we're safe,” well, the first step is awareness. Understand where you're at and where the deficiencies might be. Get an awareness of what the bad guys are doing and where your company would fit on the risk matrix there, and then put together an action plan. It might be a three-year plan, it might be a five-year plan. Take steps towards having a secure posture and revisit them regularly. That would be my recommendation. Don't panic. Start taking steps today.
(SV): And that's great advice that you've provided there. You know, I think that people can take a lot away from this episode because we've talked about the origin of the term kill chain, and really why businesses and organizations should be focused on it when they think about their security posture. You've given some great examples of how you break the chain and also talked through how kill chains have evolved as new exploits and new technology gets introduced into these organizations as they try to match the pace the market is looking for.
So Shannon, I really appreciate you taking the time to be with us today.
(SD): Servaas, thanks for having me. It is always a pleasure. Love the podcast, love being a part of it.
(SV): Awesome, and we love having you. Shannon Davis is the Global Director of Partner Readiness at Alert Logic.
You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow.
Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they’re available.
IT Availability Now is a production of Sungard Availability Services.
I’m your host, Servaas Verbiest, and until next time, stay available.