Stalking the Kill Chain: Position Before Submission

Categories: Advanced Security, FirstWatch

By Alex Cox, Sr. Researcher, RSA Advanced Threat Intelligence Research Group

In Brazilian Jiu Jitsu (BJJ), a modern martial art focused on ground fighting, a common theme among practitioners is the concept of “position before submission”. In other words, the fighter seeks to establish physical and positional dominance before ending the fight with an attack resulting in submission. Embracing the concept allows the fighter to increase his chances of winning the confrontation by making sure he is in control of the situation prior to attempting a fight-ending attack. BJJ’s philosophical approach has direct relevance to cyber security as the same approach can be taken to establish a more proactive defense based on threat intelligence and network-wide visibility. The notion of establishing an “active defense” can be approached using the following guiding principles:

- Know your enemy
- Know your network
- Know your people

Know Your Enemy
Advanced Persistent Threats (APTs) have been spoken of over the past few years both as a descriptive term for a class of attacker and as an industry buzzword used to describe the effectiveness of a particular product (“Our insert device here stops APTs!”). While the term is most commonly applied to nation-states, the idea of an “Advanced Threat” applies almost across the board in today’s threat landscape. Whether they are nation-state attackers, cybercriminals, or hacktivists, all use similar tactics to penetrate a target organization.

Advanced – All modern threats use advanced, blended attacks. This may include targeting specific individuals or organizations with directed email attacks (spear phishing), hacking websites to serve malware from a “known good” or at least “not known bad” location, or using newly discovered zero-day attacks to increase the chances of a successful exploitation. Once entrenched, the attacker may then use encryption or other obfuscation techniques to further mask their presence and intentions.

Persistent – Threat actors understand that repeated and coordinated attacks are likely to achieve a penetration eventually. In the nation-state example, this may mean repeatedly attacking a “target list” with spear-phishing until someone “takes the bait”, but it can also mean watching for defender activity during a penetration operation and changing tactics as defenders respond, allowing a continuous presence in the network. On the cybercrime side, this extends to large-scale, persistent modification of infrastructure, malware and domain names to allow continued operation through the ebb and flow of defender activity.

Threat – Ultimately, for an event to be considered a “threat” it must meet a set of criteria.

Intent + Opportunity + Capability = Threat

Lacking any one of these criteria negates the threat, for example:

Attacker A wants to attack organization B with a PDF-based spear-phishing attack against an HR manager. The attacker is using a known and reliable PDF exploit in Adobe Reader, has a “builder” that builds an attack PDF in a way that makes it undetectable by antivirus, and has the name of an HR manager that is responsible for hiring database developers. Organization B has a patching policy for Adobe Reader, and all organizational workstations are up to the current patch level.

In this scenario, the attacker has the intent to attack, the capability with his attack PDF to compromise a workstation, and a target for the attack via the HR manager. He doesn’t, however, have the opportunity in this case, because the target workstation is patched and non-vulnerable to his attack. In this case, there is no threat because of the lack of opportunity provided by the patched PDF reader.

While real-life scenarios are seldom this simple, this one illustrates the kinds of things you will want to know about how common attackers operate in order to defend your network intelligently.

- What are the common threat vectors (e.g., spear-phishing)?
- What exploits are commonly used? (Exploit kits target A, B and C vulnerabilities, spear-phishing attacks are often launched using PDF and Microsoft Office exploits)

Attacker groups, especially in the nation-state arena, commonly attack organizations by industry vertical. It might be a good opportunity to establish relationships that may help you identify tactics, techniques and procedures of groups targeting your vertical, including:

- Threat Research groups and vendors
- Threat teams from competitors (the enemy of my enemy is my friend).
- Industry Working Groups – Is there an ISAC that supports your vertical?

Know Your Network
When an RSA NetWitness system engineer gets a new NetWitness deployment up and running at a customer location, a common reaction when network traffic is first observed is the customer being overwhelmed by the volume of data now readily available for analysis. The complexities and idiosyncrasies of a large network are very hard for a human being to visualize without additional framing, and NetWitness NextGen typically becomes that frame among customers. This framing typically leads to a number of “I don’t expect to see that, why is it there?” events over the next few weeks as the customer becomes more intimately acquainted with their network.

The ability to pervasively know what your network looks like on a day-to-day basis is CRITICAL in helping to identify advanced attacks.

If you’ve ever known a hunter who hunts the same tract of land time and again, year after year, you will have an understanding of how this concept works. The hunter can typically look across a large field into a tree line, maybe even farther than he can really “see”, and pick out a deer at a glance. That same deer may be invisible to you and me at that distance, because the hunter is accustomed to his land, knows what it looks like on a “normal” day, and can quickly pick out the variance – the deer.

The network hunter is similar. If I know what my network looks like on a day-to-day basis, I can better pick out the anomalies. In NetWitness training courses, we modify the “needle in the haystack” analogy and refer to this concept as “removing hay until only needles remain”.

This information may include:

- How is my network laid out? What are my allowed paths out of the network?
- Where are my likely weak points, either from a lack of visibility or business needs that require a more relaxed security posture?
- Where is my data? If I have intellectual property, where is it stored and who has access to it?
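The “removing hay until only needles remain” idea from the section above, as an added example that is not from the original post or from NetWitness: a constructed set of connection records stands in for a “normal” window of traffic, the allowed paths out of the network are assumed to be a single web proxy and a single DNS resolver, and anything in a new window that either leaves the network by another route or uses a path never seen in the baseline is what survives as a needle.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: the internal address space and the only
# hosts policy allows to talk to the outside (a web proxy and a DNS resolver).
INTERNAL = ip_network("10.0.0.0/8")
EGRESS_HOSTS = {"10.0.0.5", "10.0.0.9"}

# Constructed connection records: (source, destination, destination port).
# BASELINE_WINDOW stands in for a period of observed "normal" traffic.
BASELINE_WINDOW = [
    ("10.1.2.3", "10.0.0.5", 443),       # workstation -> proxy
    ("10.1.2.3", "10.0.0.9", 53),        # workstation -> resolver
    ("10.1.2.4", "10.0.0.5", 443),
    ("10.1.2.4", "10.0.0.9", 53),
    ("10.1.2.4", "10.5.5.10", 445),      # workstation -> file server
    ("10.0.0.5", "198.51.100.2", 443),   # proxy -> internet
]
NEW_WINDOW = [
    ("10.1.2.3", "10.0.0.5", 443),       # seen before: hay
    ("10.0.0.5", "198.51.100.9", 443),   # proxy going out: allowed path, hay
    ("10.1.2.3", "203.0.113.7", 443),    # workstation straight to the internet
    ("10.1.2.4", "10.5.5.20", 3389),     # RDP to a host never contacted before
    ("10.1.2.4", "10.5.5.10", 445),      # seen before: hay
]

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def build_baseline(records):
    """The set of (src, dst, port) paths that make up 'normal'."""
    return set(records)

def find_needles(records, baseline):
    """Remove the hay: drop anything that matches the baseline or an allowed
    egress path, and return what is left, tagged with why it survived."""
    needles = []
    for src, dst, port in records:
        if src in EGRESS_HOSTS and not is_internal(dst):
            continue  # the proxy/resolver talking out is the allowed path
        if is_internal(src) and not is_internal(dst):
            needles.append((src, dst, port, "egress bypassing allowed paths"))
        elif (src, dst, port) not in baseline:
            needles.append((src, dst, port, "internal path not in baseline"))
    return needles

if __name__ == "__main__":
    for needle in find_needles(NEW_WINDOW, build_baseline(BASELINE_WINDOW)):
        print(needle)
```

In practice the baseline window would be built from days or weeks of real flow data rather than a handful of records, and a new path is a prompt for the “why is it there?” question, not proof of compromise.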

Know Your People
Ultimately, the success of a modern attack often depends on the activities of the carbon-based unit between the keyboard and the chair, that is, the human being operating the computer and going about their daily business. While it is easy to get lost in technical minutiae, the human operator is decisively the weakest point and, as a result, the initial target of most attacks. The strategic objective may be financial data related to the person, information the person has access to, or maybe even just a tactical compromise of the computer that belongs to the person.

With this in mind, it’s important to understand a few concepts in the paradigm of your environment.

- Who in your environment has “enhanced access”, be it to critical information or intellectual property, or critical systems or pivotal locations on the network?
- Does your enterprise have a security policy that addresses common attack methodology? It could be as simple as an information security policy that is reviewed yearly, to as complex as common ideas on how to identify a spear-phishing attack. Policy is often looked at as a simple “box-check” for compliance reasons, but the ability to educate the end-user is one more layer in a defensive strategy.
- Who are my likely targets? Do I have employees who are commonly in the press, speak at conferences, or have a job that routinely entails receiving “cold” electronic correspondence from third parties (e.g., HR, Marketing, Admin, etc.)? If I search for “” on Google, whose email addresses show up? How about LinkedIn?
- Am I continuously tracking employees who have been targeted or compromised in the past? Repeat attacks are common, and risky employee behavior is likely to recur.

Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with RSA’s Advanced Threat Intelligence Research group. Alex has worked more than a decade in IT with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.

Alex Cox

As a Senior Manager of RSA FirstWatch, Alex Cox is responsible for the leadership and direction of a team of threat analysts and malware researchers focused on advanced and emergent threat tracking. Mr. Cox is an experienced technical security researcher with a background in network forensics and the study of criminal and nation-state malicious infrastructure. His personal research interest lies in botnet technology and infrastructure and he is a published author and frequent press contributor on these subjects. Prior to joining RSA, Mr. Cox was a Vice President and lead researcher on the emerging threats analysis and solution development team at the Wachovia Corporation and was responsible for forensics analysis and incident response for security events. He is a former Army Officer in the U.S. Army Military Police Corps, and a former Police Officer. Mr. Cox has a B.S in Administration of Justice from Virginia Commonwealth University, and an M.S in Information Assurance from Norwich University.