
Featuring research from Gartner

Defending against Advanced Threats: Addressing the Cyber Kill Chain

“We have known for a considerable period of time that the perimeter-centric security approach is not a panacea for all ills, but organizations should not move away from these controls because they provide a solid foundation. However, in order to allocate and prioritize resources, they should be extended with methods based on an understanding of the CKC.”

- Gartner Addressing the Cyber Kill Chain, Craig Lawson, 15 August 2014

The latest data breach reports on the daily news remind us of the rapidly changing state of enterprise security. No longer can the focus remain solely on a strong perimeter and end point protection; a new model and approach is required inclusive of the above but extending to deeper analysis and data protection as well. “The current prevention, prevention, prevention approach to dealing with the threat landscape has failed to address advanced and targeted attacks with enough efficacy.”[1] More is required including updated thinking, a new course to address the challenge and next generation protection solutions.

A traditional “castle moat and keep” defense mindset persists today as enterprises invest heavily in perimeter and endpoint protection solutions. While previously successful in protecting companies, these investments are no longer showing the same return. Attackers have innovated and exploited channels through these traditional defenses.

In this report:

• From the Gartner Files: Addressing the Cyber Kill Chain

• About Proofpoint, Inc.

Changing the conversation and focus to the mechanics of an advanced or targeted attack is key to disrupting malicious actions.


In 2011, researchers at Lockheed Martin developed the Kill Chain modeled on evidence from network attacks.[2] The Kill Chain is widely known, understood and quoted in security circles. However, it is not generally applied to companies’ security infrastructure investments. Gartner research recommends organizations: “Understand the flow of the kill chain to better understand your adversaries and therefore adjust your defensive tactics to improve your security posture.”[3] Align your defenses with reality. Augment existing defenses with best of breed solutions which deploy innovative techniques to detect, block and disrupt the attack before it occurs, shorten the response time and ultimately protect enterprise assets and data.

Proofpoint Aligned to the Cyber Kill Chain Model

A suite of products which maps to the reality of the kill chain is optimum. A large collection is listed in Table 1 of the attached Gartner report. Our focus is a subset. Proofpoint’s solution set maps to the Cyber Kill Chain model as detailed in the diagram below.

About Proofpoint’s Superior Advanced Threat Protection

Block, Detect, Respond, and Harden are the key pillars of the Proofpoint solution set. Proofpoint’s portfolio of industry-leading security solutions for blocking email-borne attacks, detecting new advanced threats, automating incident response, and reducing the impact of potential breaches addresses the reality of today’s advanced attacks and aligns security infrastructure with the Kill Chain.

Email, which continues to be a critical business service, is the top route for attackers. The Proofpoint security suite detects and manages advanced email-borne threats, provides security for sensitive data, and accelerates the identification and containment of new threats.

• Stopping more advanced threats: Delivered through the cloud-based Proofpoint Enterprise Protection Suite, organizations of all sizes have access to industry-leading inbound and outbound email security. This suite accurately classifies and blocks threats, while leveraging phishing detection, anti-spam and antivirus technologies.

• Detecting advanced threats faster with actionable intelligence: Proofpoint Targeted Attack Protection detects phishing and web compromise attacks and provides organizations with actionable intelligence to quickly respond. Backed by continuous big data analysis of billions of data points, Proofpoint provides detailed information around campaign type, targeted users and potentially infected systems. Armed with this information, organizations can identify and manage new threats before they lead to data breaches and destructive compromises.

[1] Addressing the Cyber Kill Chain (Gartner), p. 1
[2] http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html
[3] Ibid. 1

[Diagram: Proofpoint solution pillars mapped to the Cyber Kill Chain]

• Block Known Threats: Enterprise Protection

• Detect Unknown Threats: Targeted Attack Protection

• Respond to Incidents: Threat Response

• Harden Against Loss: Regulatory Compliance, Encryption, Content Control

Stages shown: Recon, Weaponise, Deliver, Exploit, Install, C2, Action, Harden


• Automating incident response, accelerating threat remediation: Proofpoint Threat Response provides users with an open, extensible platform that automates incident response and the incident management lifecycle. Reducing security alert response time from hours to seconds, Proofpoint Threat Response delivers consistent information to users and streamlines collaboration and workflow. Alerts are automatically integrated across multiple security solutions such as those from Proofpoint, FireEye, Palo Alto Networks and Splunk. This solution enables users to investigate, verify, prioritize and contain today’s advanced threats.

• Reducing the impact of data breaches caused by advanced threats: The easy-to-deploy, user-friendly Proofpoint Content Control solution delivers enhanced visibility and control over sensitive content. Through contextual data intelligence, privacy and security teams can effectively identify and manage information with PCI, HIPAA and FINRA regulated content and other high value information. Violations can be quarantined, copied or deleted to reduce the attack surface and potential impact of a data breach.

Proofpoint’s security solutions align with the new security strategy required to address the cyber kill chain. For more information on Proofpoint security suite solutions, please visit www.proofpoint.com/us/solutions and read Gartner’s research on Addressing the Cyber Kill Chain, available on the following pages.

Source: Proofpoint


From the Gartner Files:

Addressing the Cyber Kill Chain

The Cyber Kill Chain model describes how attackers use the cycle of compromise, persistence and exfiltration against an organization. Once the kill chain is understood, CISOs can make pragmatic decisions to improve their security posture.

Key Challenges

• The current prevention, prevention, prevention approach to dealing with the threat landscape has failed to address advanced and targeted attacks with enough efficacy.

• IT security organizations have historical investments in a protection model that is out of balance with today’s threat landscape.

• IT security organizations have largely not taken into account the kill chain life cycle approach to thinking about adversaries; this is a reason why attackers are continuing to be so successful.

• While the kill chain is easy to comprehend, resourcing to address it in the face of competitive business realities and innovation from adversaries is a key challenge.

• Common security architectures and compliance regimes are not prioritizing methods to address the kill chain.

Recommendations

• Understand the flow of the kill chain to better understand your adversaries and therefore adjust your defensive tactics to improve your security posture.

• Move to an architecture and develop supporting processes that address the postbreach and exfiltration stages of the kill chain.

• Augment existing prevention methods with methods to detect, deny, disrupt and recover from the activity of threat actors.

• Implement methods that detect and deny threats at each stage of the kill chain. This will significantly increase the defensibility of your environment, since attackers need to execute all phases of the kill chain to be considered successful.

Strategic Planning Assumption

By 2017, security strategies of lean forward organizations will routinely include a mapping of their security architecture and/or their processes to the kill chain life cycle.

Introduction

Targeted attacks have escalated in scale and frequency, and the potential for financial and reputational damage resulting from a breach has increased as a consequence. The ease with which traditional security defenses were bypassed in some incidents has left many organizations feeling powerless to defend themselves against these types of threats. This issue has become a concern at the executive boardroom level.

The leading operational archetype in information security practiced by a majority of organizations has a focus on the perimeter, organized according to defense-in-depth principles. While this gives the appearance of concentrating resources on the most exposed assets and attack vectors, it provides a false sense of security and represents a misallocation of resources. This model means an adversary needs to be successful only once out of an unlimited number of attempts. Defenders, conversely, must be right every time.

This has led to a perception that, because there has been a successful malware infection or SQL injection attack against your organization, the adversary has won. The kill chain highlights that this is clearly not the case, because the adversary is victorious only when all phases of the Cyber Kill Chain (CKC) have been executed successfully. Rather than thinking that someone wins when an organization is compromised, you need to move to a mindset of: “Did they achieve their goal of exfiltrating data?”


The CKC is a reference model representing the stages of an attack, mapped distinctively to activities that encompass current attack methodologies. It breaks an attack into seven distinct stages or phases, each allowing a breach to be prevented, discovered or successfully mitigated.

The CKC reference model can show how your organization can detect, deny, disrupt and recover at each phase. By aligning enterprise defenses to the same success criteria as that of adversaries, you can right size the prevention centric approach that has dominated enterprise thinking and spending on IT security to date.

Analysis

The Phases of the Cyber Kill Chain

The CKC is historically a well-understood concept in military circles that is now being applied to cyber security. Originally developed by Lockheed Martin[1] in 2011 as an intelligence-driven network defense process, it describes the phases that an adversary will take when targeting your environment, exfiltrating data and maintaining persistence in an organization. It is also similar to a majority of penetration testing methodologies and is often described as an attack chain. The two are closely related and can often be used interchangeably.

This research will show that the adversary is only successful when all phases of the kill chain have been executed. So rather than thinking that if adversaries compromise an organization they win, organizations need to move away from this mindset to ask: “Did they achieve their goal of exfiltrating data?” Our version of defeat is often described and measured in terms that are different than the way adversaries define victory. The CKC has seven stages:

1. Reconnaissance — This is anything that can be defined as identification, target selection, organization details, industry-vertical-legislative requirements, information on technology choices, social network activity or mailing lists. The adversary is essentially looking to answer the questions: “How many methods do we assume will work with the highest degree of success?” and of those, “Which are the easiest to execute in terms of our investment of resources?”

2. Weaponization or Packaging — This takes many forms: Web application exploitation, off-the-shelf or custom malware, compound document vulnerabilities (PDF, Office) or watering hole attacks. These are prepared with general, opportunistic or very specific intelligence on a target.

3. Delivery — Transmission of the payload is either target-initiated (users browse to a malicious Web presence, leading to the dropping of malware, or they open a malicious PDF file) or attacker-initiated (SQL injection or network service exploitation).

4. Exploitation — After delivery to the user or server, the malicious payload will gain a foothold in the environment by compromising it, usually by exploiting a known vulnerability for which a patch has often been available for months or years. While zero-day exploitation does occur, in a majority of cases, it is often not necessary.

5. Installation — This often takes the form of a remote-access trojan (RAT). The application is usually stealthy in its operation, allowing persistence or “dwell time” to be achieved. The adversary can then control this without alerting the organization — a common outcome.

6. Command and Control — In this phase, adversaries have control of assets within your organization through methods of control such as DNS, Internet Control Message Protocol (ICMP), websites and social networks or other methods of command and control. This channel is how the adversary tells the controlled “asset” what to do next and what information to gather. The methods used to gather data under command include screen captures, keystroke monitoring, password cracking, gathering of sensitive content and documents, and network monitoring for credentials. Often a staging host is identified to which all internal data is copied, and then compressed and/or encrypted and made ready for exfiltration.

7. Actions on Targets — This final phase covers how the adversary exfiltrates data and maintains dwell time in an organization and then takes measures to identify more targets, expand their footprint within an organization and — most critical of all — exfiltrate data.

Why Attackers Are So Successful

Adversaries will continue to achieve their objective of successfully completing the CKC unless defenders implement an approach that takes into consideration how an attack is executed. This is difficult to achieve because most software has not been developed using a security development life cycle (SDL), applications have increased in complexity and people remain a weak link.

We have known for a considerable period of time that the perimeter-centric security approach is not a panacea for all ills, but organizations should not move away from these controls because they provide a solid foundation. However, in order to allocate and prioritize resources, they should be extended with methods based on an understanding of the CKC. Whether adversaries are motivated by geopolitical, activist or financial motives, they seek to fulfill specific goals of obtaining an organization’s data. Although we tend to think of IT security in terms of network security, host security and identity security, an “adversary-centric” model is a better-suited and more effective approach in today’s threat landscape.

How Organizations Should Address the Cyber Kill Chain

Instead of continuing to invest primarily in defending an organization’s perimeter, a more pragmatic approach focuses on detecting, denying, disrupting and recovering as it allows for identification capabilities after a breach. This places the focus on protecting enterprise data, instead of looking at this as a collection of technology point solutions.

A success rate of 100% for prevention against all steps of the attack chain is not attainable. This is also not necessary, as attackers must complete all phases to achieve their goals. Therefore planning for the prevention of privilege escalation, detecting postcompromise activity, stopping exfiltration of sensitive data and denying the attacker persistence are key.

At a high level, you must take the seven phases of the kill chain that are illustrated in Table 1 and then identify how you can detect, deny, disrupt and recover at each phase.

Figure 2. Diagram of the Cyber Kill Chain

Source: Gartner (August 2014)


| Phase | Detect | Deny or Contain | Disrupt, Eradicate or Deceive | Recover |
| --- | --- | --- | --- | --- |
| Reconnaissance | Web analytics, Internet scanning activity reports, vulnerability scanning, external penetration testing, SIEM, DAST/SAST, threat intelligence, TIP | firewall ACL, system and service hardening, network obfuscation, logical segmentation | honeypot | SAST/DAST |
| Weaponization | sentiment analysis, vulnerability announcements, VA | NIPS, NGFW, patch management, configuration hardening, application remediation | SEG, SWG | |
| Delivery | user training, security analytics, network behavioral analysis, threat intelligence, NIPS, NGFW, WAF, DDoS, SSL inspection, TIP | SWG, NGIPS, ATD, TIP | EPP | backup or EPP cleanup |
| Exploitation | EPP, NIPS, SIEM, WAF | EPP, NGIPS, ATD, WAF | NIPS, NGFW, EPP, ATD | data restoration from backups |
| Installation | EPP, endpoint forensics or ETDR, sandboxing, FIM | EPP, MDM, IAM, endpoint containerization/app wrapping | EPP, HIPS, incident forensics tools | incident response, ETDR |
| Command and Control | NIPS, NBA, network forensics, SIEM, DNS security, TIP | IP/DNS reputation blocking, DLP, ATA | DNS redirect, threat intelligence on DNS, egress filtering, NIPS | incident response, system restore |
| Action on Targets | logging, SIEM, DLP, honeypot, TIP, DAP | egress filtering, SWG, trust zones, DLP | QoS, DNS, DLP, ATA | incident response |

Source: Gartner (August 2014)

Table 1. Technologies and Processes Applicable to Addressing the Kill Chain


The section below expands on the table above, giving specific examples and guidance that organizations can investigate. Adding more technology is often not required, but CISOs should take full advantage of improving the effectiveness of existing tools and processes already at their disposal.

Reconnaissance

This phase is often executed without knowledge of your organization. Approaches for this phase are:

• Perform regular external scanning and penetration testing to highlight what an adversary would find if and when your organization comes under scrutiny. This information can be used to remediate vulnerabilities, reducing the attack surface area.

• Use search engines to uncover cached content that can be used for exploits or that discloses information that would make it easier to target the environment.

• Utilize sentiment analysis, a newer method for monitoring both public and underground Internet sites, to look for activity that is specifically related to your organization.

• Ensure that perimeter controls and Internet-facing services are aggressively enforcing the principle of least privilege, including service hardening.

• Use analytics to detect indicators of unwanted activity against Internet-facing services like Web servers, DNS servers, email and VPN gateways.

• Use honeypots where adversary activity can be monitored for exploitation tactics.

• Use software application security testing (SAST) and security development life cycle (SDL) to make sure that applications aren’t leaking sensitive details and are processing untrusted input correctly.

Weaponization

This phase is often performed with no specific knowledge of the organization being targeted. Organizations need to take proactive steps:

• Keep abreast of newly disclosed vulnerabilities and have up-to-date data about which vulnerabilities have weaponized exploits available for them. With this information, prioritize patching them or implementing mitigating controls like virtual patching through intrusion prevention systems (IPSs).

• Investigate the use of threat intelligence providers that can add value with threat forecasting and advanced notification of impending activity against your organization. An example would be notification of a phishing template becoming available for sale that is designed to look identical to your organization’s.

• Investigate the use of threat intelligence platforms (TIPs) to add in threat and adversary tracking.

Delivery

An array of traditional controls can assist greatly in denying access to your environment:

• Firewall or next-generation firewall to control traffic at the perimeter

• Next-generation intrusion prevention to provide visibility and prevention of compromise attempts


• Email and Web gateway security to enforce multiple methods of content inspection for malicious and unwanted activity

• Distributed denial of service (DDoS) prevention to ensure the business can continue to transact under high volumes of traffic or other methods of application-specific DDoS activity

• Web application firewall (WAF) to prevent the exploitation of e-commerce infrastructure

• Network behavioral analysis (NBA) and security analytics, where network traffic patterns and content can be reviewed for indicators of compromise and suspicious activity

• Payload inspection technology that uses techniques like CPU emulation and sandboxing to provide a behavioral-centric method of malware detection

• DNS security to give visibility and protection against the resolution of unwanted or malicious hosts

Exploitation

An array of network, host and server technologies in conjunction with continuous monitoring can detect and deny access to the organization’s environment:

• Security information and event management (SIEM) to correlate the events and logs from multiple security, infrastructure and identity elements to provide better visibility of malicious behavior

• Prevention-focused security technologies like firewall, endpoint protection platform (EPP), network generation intrusion prevention system (NGIPS), email and Web security

• Advanced targeted attack (ATA) or advanced persistent threat (APT) technologies that can provide enhanced detecting against new threats or variants of existing threats

• Security analytics to review full session analysis detailing the exploitation and subsequent activity with a high level of details

• Threat intelligence usage in SIEM and network security technologies to provide additional detection and prevention opportunities

Installation

During this phase of the kill chain, host-specific methods are the primary method to detect the execution of malicious content:

• EPP can deliver multiple methods of malware prevention, browser security and application whitelisting.

• Mobile device management can control and deny unwanted applications to run on bring your own device (BYOD) devices. This can also deny user-installed applications from accessing corporate-sensitive data via methods like per-application authentication VPN and containerization.

• Identity and strong authentication methods can reduce the chance of installation and access to data.

Once identified, recover from the situation by being able to:

• Perform incident response

• Recover compromised data from backups

• Restore servers and end-user devices back to known good trusted states

• Potentially comply with law enforcement attempts to prosecute malicious actors

• Report on details of the breach and other compliance mandates (such as reports to financial regulators, on any further impact expected by the company)

Command and Control

With this phase of the CKC, look for methods that detect the adversary’s attempts to control assets that have been previously compromised. If there are infected devices with remote-access trojans or rootkits, use methods such as:

• IP and DNS reputation-filtering capabilities of network behavioral analysis (NBA) tools, network forensics tools, next-generation firewalls, intrusion prevention systems and security Web gateways

• DNS security, where internal DNS servers themselves have threat intelligence capabilities to deny name resolution of malicious hosts

• SIEMs with watchlists, threat intelligence and other policies configured to detect this type of out-of-character behavior

Action on Targets

During this phase, the adversary is trying to perform the most important part of its activity. This is to exfiltrate the data gathered in this and earlier phases of the kill chain. Methods to be addressed are:

• After a compromise, all subsequent attack activity is performed as internal or trusted users. A SIEM, data loss prevention (DLP) or database activity monitoring and protection (DAP) function performing continuous monitoring can assist with identifying trusted user access to data that is not specific to their role, access to data in volumes previously unseen, access to data at times of day that is out of character, and access to data from locations previously unseen.

• Network behavioral analysis can highlight devices that are moving data around that is not part of its role (traffic to hosts that stand out), an exceedingly high volume of DNS traffic to an external DNS server that is not defined for external host name resolution, traffic protocols being actively used that are against policy.

• Next-generation firewalls can identify a trusted user attempting clearly malicious activity such as an FTP session to an unexpected destination.
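The trusted-user access checks and the DNS volume check described in the bullets above can be expressed as detection logic. The following Python is an added example, not part of the Gartner or Proofpoint text; the record layouts, thresholds, role-to-data policy, host names and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (user, role, data_class, rows_read, ISO timestamp, location)
HISTORY = [
    ("alice", "finance", "ledger", 120, "2014-08-04T09:15:00", "HQ"),
    ("alice", "finance", "ledger", 200, "2014-08-05T14:40:00", "HQ"),
    ("alice", "finance", "ledger", 150, "2014-08-06T11:05:00", "HQ"),
    ("bob", "support", "tickets", 40, "2014-08-04T10:00:00", "Branch-1"),
    ("bob", "support", "tickets", 55, "2014-08-05T16:30:00", "Branch-1"),
]
NEW_EVENTS = [
    ("alice", "finance", "ledger", 180, "2014-08-07T10:20:00", "HQ"),
    ("alice", "finance", "ledger", 50000, "2014-08-08T03:10:00", "VPN-unknown"),
    ("bob", "support", "cardholder", 30, "2014-08-08T10:45:00", "Branch-1"),
]
# Assumed policy: the data classes each role legitimately needs.
ROLE_DATA = {"finance": {"ledger"}, "support": {"tickets"}}

# Constructed DNS flow summaries: (source host, resolver IP, query count)
DNS_FLOWS = [
    ("ws-101", "10.0.0.53", 900),
    ("ws-102", "10.0.0.53", 1100),
    ("ws-102", "203.0.113.77", 14000),
    ("ws-103", "203.0.113.77", 12),
]
# Assumed: the only resolver defined for external host name resolution.
APPROVED_RESOLVERS = {"10.0.0.53"}


def build_baseline(history):
    """Per-user profile: largest read seen, hours of day seen, locations seen."""
    base = defaultdict(lambda: {"max_rows": 0, "hours": set(), "locations": set()})
    for user, _role, _cls, rows, ts, loc in history:
        profile = base[user]
        profile["max_rows"] = max(profile["max_rows"], rows)
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["locations"].add(loc)
    return base


def score_access(event, baseline, role_data=ROLE_DATA, volume_factor=5, hour_slack=2):
    """Return the reasons an access event is out of character (empty list if none)."""
    user, role, cls, rows, ts, loc = event
    reasons = []
    # Access to data that is not specific to the user's role.
    if cls not in role_data.get(role, set()):
        reasons.append("data-not-in-role")
    profile = baseline.get(user)  # .get() does not create an entry for unknown users
    if profile is None:
        reasons.append("no-baseline")
        return reasons
    # Access in volumes previously unseen (assumed factor over the historical maximum).
    if rows > volume_factor * profile["max_rows"]:
        reasons.append("volume-unseen")
    # Access at a time of day far from every hour seen before (circular distance).
    hour = datetime.fromisoformat(ts).hour
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in profile["hours"]):
        reasons.append("time-out-of-character")
    # Access from a location previously unseen.
    if loc not in profile["locations"]:
        reasons.append("location-unseen")
    return reasons


def triage(events, baseline):
    """Keep only the events with at least one reason: (user, timestamp, reasons)."""
    return [(e[0], e[4], r) for e in events if (r := score_access(e, baseline))]


def unapproved_dns_talkers(flows, approved=APPROVED_RESOLVERS, min_queries=1000):
    """Hosts sending a high volume of DNS queries to resolvers outside the approved set."""
    totals = defaultdict(int)
    for host, resolver, count in flows:
        if resolver not in approved:
            totals[(host, resolver)] += count
    return sorted((h, r, n) for (h, r), n in totals.items() if n >= min_queries)


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for user, ts, reasons in triage(NEW_EVENTS, baseline):
        print(f"ALERT access  {user} {ts} {', '.join(reasons)}")
    for host, resolver, n in unapproved_dns_talkers(DNS_FLOWS):
        print(f"ALERT dns     {host} -> {resolver} queries={n}")
```

In a SIEM the same four conditions would normally be correlation rules over a rolling baseline window rather than a fixed history list.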


Acronym Key and Glossary Terms

ACL: access control list
ATD: advanced threat defense
DAP: database activity monitoring and protection
DAST: dynamic application security testing
DBSM: database security monitoring
DLP: data loss prevention
EPP: endpoint protection, including host-based features like firewall, anti-malware, whitelisting and disk encryption
ETDR: endpoint threat detection and response
FIM: file integrity monitoring
HIPS: host-based intrusion prevention system
IAM: identity and access management
MDM: master data management
NGFW: next-generation firewall
NGIPS: network generation intrusion prevention system
NIPS: network intrusion prevention system
QoS: quality of service
SEG: secure email gateway
SIEM: security information and event management
SSL: Secure Sockets Layer
SWG: secure Web gateway
TIP: threat intelligence platform
VA: vulnerability assessment

Evidence

“Mitre’s Cybersecurity Threat-Based Defense”

[1] “Lockheed Martin’s Cyber Kill Chain”

Source: Gartner Research, G00263765, Craig Lawson, 15 August 2014

About Proofpoint, Inc.

Proofpoint Inc. (NASDAQ:PFPT) is a leading next-generation security and compliance company that provides cloud-based solutions for comprehensive threat protection, incident response, secure communications, social media security, compliance, archiving and governance. Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system. Proofpoint protects against phishing, malware and spam, while safeguarding privacy, encrypting sensitive information, and archiving and governing messages and critical enterprise information. More information is available at www.proofpoint.com.

Defending against Advanced Threats: Addressing the Cyber Kill Chain is published by Proofpoint. Editorial content supplied by Proofpoint is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Proofpoint’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.