Strengthening the intrusion kill chain
A few months ago, I wrote about intrusion detection and the “kill chain” (also known as the “intrusion kill chain,” or the “cyber kill chain”). Last week, Cindy wrote about our work around “Supercharging Incident Detection,” and a paper we published talking about System State Intelligence and Enterprise Security Intelligence.
This week, I would like to expand more on how System State Intelligence (SSI) relates to the intrusion kill chain. Why? Because in my work with many enterprises, I find a bias toward network- and event-centric elements of intrusion detection, and I would like to see stronger incorporation of state-centric security elements as a way to improve security effectiveness.
What’s an intrusion kill chain?
For a deeper description and a pointer to some third-party research on this topic, I suggest you refer to my original post about the intrusion kill chain. The short version? The intrusion kill chain is a model that describes the progression of a cyber attack as a sequence of stages, and gives you a way to segment, analyze, and mitigate an attack stage by stage.
A primary assumption in kill chain analysis is that an adversary must progress successfully through each stage of the chain before they can achieve the desired objective. Another premise is that just one successful mitigation disrupts the chain and thwarts the attacker.
I liken the intrusion kill chain to “supply chain management for cyber attacks”: its goal is to give you an objective model for dealing with an attack as early in its progression as possible, so that you can align your response with how far the attack has advanced and how severe it is, and break the chain before the adversary reaches the objective.
What is System State Intelligence (SSI)?
System State Intelligence, or SSI, is a security approach designed to increase the security of systems, identify leading indicators of security compromise, reduce false positives, and increase the accuracy of security incident detection.
SSI requires two key capabilities. First, full awareness of the state of your systems – how they are configured, and whether that configuration matches your policy. That awareness lets you anchor each system to a baseline, a “known and trusted state.”
Second, continuous monitoring of those systems for changes and deviations from the baseline or from policy, using that monitoring both to detect suspicious events and to add context and priority to alerts from other tools. SSI tells you the security state of your systems – what the state was, what it should be, and how it is changing – continuously and in real time.
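The two capabilities above, shown as an added example rather than code from the original post or from any product: a minimal baseline-and-drift loop in Python. It snapshots the state of a watched set of files (content hash, permission bits, owner), keeps the first snapshot as the known and trusted baseline, evaluates a snapshot against a simple policy, and diffs a later snapshot against the baseline to report what deviated. The file names, file contents, policy format and the tampering scenario in `demo()` are all constructed for the example.

```python
"""Added example, not code from the original post: a minimal System State
Intelligence loop. It snapshots the state of a watched set of files (content
hash, permission bits, owner), keeps the first snapshot as the known and
trusted baseline, checks a snapshot against a simple policy, and diffs a
later snapshot against the baseline to report deviations. The file names,
contents and policy format below are constructed for the example."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def snapshot(paths):
    """Record, per path: sha256 of content, permission bits, owner uid.
    A missing path is recorded as None so that removals show up as deviations."""
    state = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            state[p] = None
            continue
        h = hashlib.sha256()
        if stat.S_ISREG(st.st_mode):
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
        state[p] = {"sha256": h.hexdigest(),
                    "mode": stat.S_IMODE(st.st_mode),
                    "uid": st.st_uid}
    return state


def check_policy(state, policy):
    """Policy is a constructed format: path -> {"max_mode": bits[, "uid": n]}.
    Returns (path, reason) pairs for every rule the state violates."""
    violations = []
    for p, rule in policy.items():
        entry = state.get(p)
        if entry is None:
            violations.append((p, "missing"))
            continue
        if entry["mode"] & ~rule["max_mode"]:
            violations.append((p, f"mode {entry['mode']:o} exceeds policy {rule['max_mode']:o}"))
        if "uid" in rule and entry["uid"] != rule["uid"]:
            violations.append((p, f"owner uid {entry['uid']} is not {rule['uid']}"))
    return violations


def diff_states(baseline, current):
    """Return path -> list of what changed relative to the baseline."""
    deviations = {}
    for p in sorted(set(baseline) | set(current)):
        b, c = baseline.get(p), current.get(p)
        if b == c:
            continue
        if b is None:
            deviations[p] = ["created"]
        elif c is None:
            deviations[p] = ["removed"]
        else:
            deviations[p] = [k for k in ("sha256", "mode", "uid") if b[k] != c[k]]
    return deviations


def demo():
    """Constructed scenario: baseline two SSH-related files, then simulate an
    attacker enabling root login, adding a key and loosening permissions."""
    root = tempfile.mkdtemp()
    sshd = os.path.join(root, "sshd_config")
    keys = os.path.join(root, "authorized_keys")
    with open(sshd, "w") as f:
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")
    with open(keys, "w") as f:
        f.write("ssh-ed25519 AAAAC3example admin@example.test\n")
    for p in (sshd, keys):
        os.chmod(p, 0o644)              # pin the mode so the baseline is deterministic
    watched = [sshd, keys]
    policy = {sshd: {"max_mode": 0o644}, keys: {"max_mode": 0o644}}

    baseline = snapshot(watched)        # the known and trusted state
    assert check_policy(baseline, policy) == []

    # Simulated tampering after the baseline was taken.
    with open(sshd, "w") as f:
        f.write("PermitRootLogin yes\n")
    os.chmod(sshd, 0o666)
    with open(keys, "a") as f:
        f.write("ssh-ed25519 AAAAC3attacker nobody@example.test\n")

    current = snapshot(watched)
    result = {
        "deviations": {os.path.basename(p): v for p, v in diff_states(baseline, current).items()},
        "violations": [(os.path.basename(p), r) for p, r in check_policy(current, policy)],
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of keeping `diff_states` and `check_policy` separate is the distinction the text draws: a deviation from baseline tells you something changed (the `authorized_keys` edit is not a policy violation, but it is exactly the kind of state change you want to hear about), while a policy check tells you whether the current state is acceptable regardless of history. A real deployment would persist the baseline off-host and sign it, and would extend `snapshot` to registry keys, package lists, listening ports and local accounts, not just files.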
How does System State Intelligence strengthen the intrusion kill chain?
SSI contributes to the intrusion kill chain in most of the phases of an attack. The table below provides some examples:
This is not a comprehensive list, but should provide some food for thought about how SSI is involved in the intrusion kill chain.
SSI Improves The Effectiveness of Other Security Tools and Processes
In addition to the examples in the table above, SSI helps increase the timeliness and accuracy of security incident detection, as well as increasing the effectiveness of other security tools. For example:
- Reduce false positives: A common complaint among security professionals is the volume of data and false positives produced by traditional security monitoring and alerting. An unexpected change to the state of a system is a high-fidelity early indication of attack, so SSI alerts carry far fewer false positives than signature- or traffic-based alerts, provided that authorized changes (patch windows, configuration-management runs) are reconciled against the baseline so they do not trigger alerts of their own.
- Find evidence of compromise faster: Once SSI has identified a suspicious change to a group of systems, that knowledge enables a much more targeted investigation.
  - If you perform full-packet capture on your network, the result is an enormous amount of data (I think of it as DVR-ing every channel on your cable system). That volume is overwhelming when you are under the gun in an incident investigation – you know the relevant facts are in there somewhere, but where do you start?
  - With SSI, you can start the investigation from something specific, such as: “I want to see the traffic that touched these specific (compromised) systems at this time, plus or minus one hour, and associated with these user accounts.”
  - As you can imagine, using SSI to supply your starting points yields a more efficient, focused investigation – which increases the value of your full-packet capture system, and increases the efficiency and effectiveness of your security staff.
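The pivot described in the list above, as an added example in Python that is not code from the original post or from any product. It takes constructed SSI change alerts (which hosts changed and when) and a constructed authentication log, computes the plus/minus one hour window, the accounts active on the changed hosts in that window, and the addresses those accounts connected from; it then emits a BPF filter string for reading a capture and reduces a set of constructed NetFlow-style records to the ones in scope. It goes slightly beyond the text's three criteria by also following login source addresses, so that a second hop from the same attacker origin to an unchanged host is pulled into scope. Every alert, login, address and flow record here is constructed for the example.

```python
"""Added example, not code from the original post: turning an SSI change
alert into a scoped starting point for a packet-capture or flow-record
investigation. From the hosts that changed, when they changed and which
accounts logged in around that time, it computes the plus/minus one hour
window, the set of addresses worth pulling traffic for, a BPF filter string
for tcpdump/Wireshark, and the subset of flow records that fall in scope.
Every alert, login and flow record below is constructed for the example."""
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed SSI output: which systems deviated from baseline, and when.
SSI_ALERTS = [
    {"host": "web-01", "ip": "10.0.1.11", "when": "2024-03-04T02:17:40Z",
     "change": "/etc/ssh/sshd_config: sha256, mode"},
    {"host": "web-02", "ip": "10.0.1.12", "when": "2024-03-04T02:19:05Z",
     "change": "/root/.ssh/authorized_keys: sha256"},
]

# Constructed authentication log: who logged in to those hosts, from where.
AUTH_EVENTS = [
    {"host": "web-01", "user": "deploy", "from": "203.0.113.7", "when": "2024-03-04T02:16:05Z"},
    {"host": "web-02", "user": "deploy", "from": "10.0.1.11", "when": "2024-03-04T02:18:30Z"},
    {"host": "web-01", "user": "alice", "from": "10.0.9.9", "when": "2024-03-03T14:00:00Z"},
]

# Constructed NetFlow-style records.
FLOWS = [
    {"id": 1, "ts": "2024-03-04T01:30:00Z", "src": "10.0.1.11", "dst": "10.0.5.5", "dport": 443},
    {"id": 2, "ts": "2024-03-04T02:16:00Z", "src": "203.0.113.7", "dst": "10.0.1.11", "dport": 22},
    {"id": 3, "ts": "2024-03-04T02:20:00Z", "src": "10.0.1.11", "dst": "10.0.1.12", "dport": 22},
    {"id": 4, "ts": "2024-03-04T04:00:00Z", "src": "10.0.1.11", "dst": "10.0.5.5", "dport": 443},
    {"id": 5, "ts": "2024-03-04T02:30:00Z", "src": "10.0.2.20", "dst": "10.0.5.5", "dport": 443},
    {"id": 6, "ts": "2024-03-04T02:40:00Z", "src": "203.0.113.7", "dst": "10.0.1.30", "dport": 22},
]


def scope_from_alerts(alerts, auth_events, pad=timedelta(hours=1)):
    """Build the investigation scope: time window around the earliest and
    latest change, the changed hosts, the accounts active on them in that
    window, and the addresses those accounts connected from (pivot points)."""
    times = [parse_ts(a["when"]) for a in alerts]
    start, end = min(times) - pad, max(times) + pad
    hosts = {a["host"] for a in alerts}
    in_window = [e for e in auth_events
                 if e["host"] in hosts and start <= parse_ts(e["when"]) <= end]
    return {
        "start": start, "end": end,
        "hosts": sorted(hosts),
        "ips": sorted({a["ip"] for a in alerts}),
        "users": sorted({e["user"] for e in in_window}),
        "peer_ips": sorted({e["from"] for e in in_window}),
    }


def bpf_filter(scope):
    """Capture filter covering changed hosts and their login sources. BPF has
    no time predicate: pick the capture files by the window, then apply this."""
    addrs = sorted(set(scope["ips"]) | set(scope["peer_ips"]))
    return " or ".join(f"host {a}" for a in addrs)


def select_flows(flows, scope):
    """Keep flows inside the window that touch a changed host or a pivot address."""
    addrs = set(scope["ips"]) | set(scope["peer_ips"])
    return [f for f in flows
            if scope["start"] <= parse_ts(f["ts"]) <= scope["end"]
            and (f["src"] in addrs or f["dst"] in addrs)]


if __name__ == "__main__":
    scope = scope_from_alerts(SSI_ALERTS, AUTH_EVENTS)
    print("window:", scope["start"].isoformat(), "to", scope["end"].isoformat())
    print("accounts:", scope["users"], "pivot addresses:", scope["peer_ips"])
    print("tcpdump -r capture.pcap", repr(bpf_filter(scope)))
    for f in select_flows(FLOWS, scope):
        print(f)
```

On the constructed data this reduces six flow records to four: the changed hosts' own traffic in the window, the inbound SSH from the login source, the hop from web-01 to web-02, and the same source's later connection to a third host that SSI never flagged. That last record is the one a host-only filter would miss, and it is why the scope carries the login source addresses as well as the changed hosts.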
The bottom line
I’m just scratching the surface here, but hopefully you can see that System State Intelligence (SSI) is a core capability that will help you strengthen your intrusion kill chain. I’ll be talking more in the future regarding this important topic – for example, even the kill chain may provide more incident data than your team can handle, so how do you prioritize your response? Stay tuned.