ComputerEmergencyResponseTeam(US-CERT)issuedtechnicalalertbulletinsdes - PDF document

ComputerEmergencyResponseTeam(US-CERT)issuedtechnicalalertbulletinsdescribingtargeted,socially-engineeredemailsdroppingtrojanstoexltratesensitiveinformation.Theseintrusionswereoverasignicantperiodoftime,evadedconventionalrewallandanti-viruscapabilities,andenabledadversariestoharvestsensitiveinformation(UK-NISCC,2005;US-CERT,2005).EpsteinandElgin(2008)ofBusinessWeekdescribednumerousintrusionsintoNASAandothergovernmentnetworkswhereAPTactorswereundetectedandsuccessfulinremovingsensitivehigh-performancerocketdesigninformation.InFebruary2010,iSecPartnersnotedthatcurrentapproachessuchasanti-virusandpatchingarenotsucient,endusersaredirectlytargeted,andthreatactorsareaftersensitiveintellectualproperty(Stamos,2010).BeforetheU.S.HouseArmedServicesCommitteeSubcommitteeonTerrorism,UnconventionalThreatsandCapabilities,JamesAndrewLewisoftheCenterforStrategicandInternationalStudiestestiedthatintrusionsoccurredatvariousgovernmentagenciesin2007,includingtheDepartmentofDefense,StateDepartmentandCommerceDepartment,withtheintentionofinformationcollection(Lewis,2008).WithspecicityaboutthenatureofcomputernetworkoperationsreportedlyemanatingfromChina,the2008and2009reportstoCongressoftheU.S.-ChinaEconomicandSecurityReviewCommissionsummarizedreportingoftargetedintrusionsagainstU.S.military,governmentandcontractorsystems.Again,adversariesweremotivatedbyadesiretocollectsensitiveinformation(U.S.-ChinaEconomicandSecurityReviewCommission,2008,2009).Finally,areportpreparedfortheU.S.-ChinaEconomicandSecurityReviewCommission,Krekel(2009)prolesanadvancedintrusionwithextensivedetaildemonstratingthepatienceandcalculatednatureofAPT.Advancesininfrastructuremanagementtoolshaveenabledbestpracticesofenterprise-widepatchingandhardening,reducingthemosteasilyaccessiblevulnerabilitiesinnetworkedservices.YetAPTactorscontinuallydemonstratethecapabilitytocompromisesystemsbyusingadvancedtools,customizedmalware,and\zero-day"exploitsthatanti-virusandpatchingcannotdetectormitigate.ResponsestoAPTintrusionsrequireanevolutioninanalysis,process,andtechnology;itispossibletoanticipateandmitigatefutureintrusionsbasedonknowledgeofthethreat.Thispaperdescribesanintelligence-driven,threat-focusedapproachtostudyintrusionsfromtheadversaries'perspective.Eachdiscretephaseoftheintrusionismappedtocoursesofactionfordetection,mitigationandresponse.Thephrase\killchain"describesthestructureoftheintrusion,andthecorrespondingmodelguidesanalysistoinformactionablesecurityintelligence.Throughthismodel,defenderscandevelopresilientmitigationsagainstintrudersandintelligentlyprioritizeinvestmentsinnewtechnologyorprocesses.Killchainanalysisillustratesthattheadversarymustprogresssuccessfullythrougheachstageofthechainbeforeitcanachieveitsdesiredobjective;justonemitigationdisruptsthechainandtheadversary.Throughintelligence-drivenresponse,thedefendercanachieveanadvantageovertheaggressorforAPTcaliberadversaries.Thispaperisorganizedasfollows:sectiontwoofthispaperdocumentsrelatedworkonphasebasedmodelsofdefenseandcountermeasurestrategy.Sectionthreeintroducesanintelligence-drivencomputernetworkdefensemodel(CND)thatincorporatesthreat-specicintrusionanalysisanddefensivemitigations.Sectionfourpresentsanapplicationofthisnewmodeltoarealcasestudy,andsectionvesummarizesthepaperandpresentssomethoughtsonfuturestudy.2RelatedWorkWhilethemodelingofAPTsandcorrespondingresponseusingkillchainsisunique,otherphasebasedmodelstodefensiveandcountermeasurestrategiesexist.AUnitedStatesDepartmentofDefenseJointStapublicationdescribesakillchainwithstagesnd,x,track,target,engage,andassess(U.S.DepartmentofDefense,2007).TheUnitedStatesAirForce(USAF)hasusedthisframeworktoidentifygapsinIntelligence,SurveillanceandReconnaissance(ISR)capabilityandtoprioritizethedevelopmentofneededsystems(Tirpak,2000).ThreatchainshavealsobeenusedtomodelImprovisedExplosiveDevice(IED)attacks(NationalResearchCouncil,2007).TheIEDdeliverychainmodelseverythingfromadversaryfundingtoattackexecution.CoordinatedintelligenceanddefensiveeortsfocusedoneachstageoftheIEDthreatchainastheidealwaytocountertheseattacks.Thisapproachalsoprovidesamodelforidenticationofbasicresearchneedsbymappingexistingcapabilitytothechain.Phasebasedmodelshavealsobeenusedforantiterrorismplanning.TheUnitedStatesArmydescribestheterroristoperationalplanningcycleasasevenstepprocessthatservesasabaselinetoassesstheintentandcapabilityofterroristorganizations(UnitedStatesArmyTraining2 time-consumingandproblematicifsucienttrackingisn'tinplace,thusitisimperativethatindicatorssubjecttotheseprocessesarevalidandapplicabletotheproblemsetinquestion.Ifattentionisnotpaidtothispoint,analystsmayndthemselvesapplyingthesetechniquestothreatactorsforwhichtheywerenotdesigned,ortobenignactivityaltogether. Figure1:Indicatorlifecyclestatesandtransitions3.2IntrusionKillChainAkillchainisasystematicprocesstotargetandengageanadversarytocreatedesiredeects.U.S.militarytargetingdoctrinedenesthestepsofthisprocessasnd,x,track,target,engage,assess(F2T2EA):ndadversarytargetssuitableforengagement;xtheirlocation;trackandobserve;targetwithsuitableweaponorassettocreatedesiredeects;engageadversary;assesseects(U.S.DepartmentofDefense,2007).Thisisanintegrated,end-to-endprocessdescribedasa\chain"becauseanyonedeciencywillinterrupttheentireprocess.Expandingonthisconcept,thispaperpresentsanewkillchainmodel,onespecicallyforintrusions.Theessenceofanintrusionisthattheaggressormustdevelopapayloadtobreachatrustedboundary,establishapresenceinsideatrustedenvironment,andfromthatpresence,takeactionstowardstheirobjectives,betheymovinglaterallyinsidetheenvironmentorviolatingthecondentiality,integrity,oravailabilityofasystemintheenvironment.Theintrusionkillchainisdenedasreconnaissance,weaponization,delivery,exploitation,installation,commandandcontrol(C2),andactionsonobjectives.Withrespecttocomputernetworkattack(CNA)orcomputernetworkespionage(CNE),thedenitionsforthesekillchainphasesareasfollows:1.Reconnaissance-Research,identicationandselectionoftargets,oftenrepresentedascrawlingInternetwebsitessuchasconferenceproceedingsandmailinglistsforemailaddresses,socialrelationships,orinformationonspecictechnologies.2.Weaponization-Couplingaremoteaccesstrojanwithanexploitintoadeliverablepayload,typicallybymeansofanautomatedtool(weaponizer).Increasingly,clientapplicationdatalessuchasAdobePortableDocumentFormat(PDF)orMicrosoftOcedocumentsserveastheweaponizeddeliverable.3.Delivery-Transmissionoftheweapontothetargetedenvironment.ThethreemostprevalentdeliveryvectorsforweaponizedpayloadsbyAPTactors,asobservedbytheLockheedMartinComputerIncidentResponseTeam(LM-CIRT)fortheyears2004-2010,areemailattachments,websites,andUSBremovablemedia.4.Exploitation-Aftertheweaponisdeliveredtovictimhost,exploitationtriggersintruders'code.Mostoften,exploitationtargetsanapplicationoroperatingsystemvulnerability,butitcouldalsomoresimplyexploittheusersthemselvesorleverageanoperatingsystemfeaturethatauto-executescode.4 Table2:IntrusionAttempt1Indicators 4.2IntrusionAttempt2Onedaylater,anotherTMEintrusionattemptwasexecuted.Analystswouldidentifysubstantiallysimilarcharacteristicsandlinkthisandthepreviousday'sattempttoacommoncampaign,butanalystsalsonotedanumberofdierences.Therepeatedcharacteristicsenableddefenderstoblockthisactivity,whilethenewcharacteristicsprovidedanalystsadditionalintelligencetobuildresiliencywithfurtherdetectionandmitigationcoursesofaction.Received:(qmail97721invokedbyuid60001);4Mar200914:35:22-0000Message-ID:唦 .9;版&#x.qm@;&#xweb5;㐑&#x.mai;&#xl.re;.ya;&#xhoo.;om0;Received:from[216.abc.xyz.76]byweb53411.mail.re2.yahoo.comviaHTTP;Wed,04Mar200906:35:20PSTX-Mailer:YahooMailWebService/0.7.289.1Date:Wed,4Mar200906:35:20-0800(PST)From:AnneE... n..;&#x.ett;&#xo@ya;&#xhoo.;om0;Reply-To:dn...etto@yahoo.comSubject:7thAnnualU.S.MissileDefenseConferenceTo:[REDACTED]MIME-Version:1.0Content-Type:multipart/mixed;boundary="0-760892832-1236177320=:97248"Welcometothe7thAnnualU.S.MissileDefenseConferenceThesendingemailaddresswascommontoboththeMarch3andMarch4activity,butthesubjectmatter,recipientlist,attachmentname,andmostimportantly,thedownstreamIPaddress(216.abc.xyz.76)dif-fered.AnalysisoftheattachedPDF,MDA_Prelim_2.pdf,revealedanidenticalweaponizationencryptionalgorithmandkey,aswellasidenticalshellcodetoexploitthesamevulnerability.ThePEinstallerinthePDFwasidenticaltothatusedthepreviousday,andthebenignPDFwasonceagainanidenticalcopyofaleonAIAA'swebsite(http://www.aiaa.org/events/missiledefense/MDA_Prelim_09.pdf).Theadversarynevertookactionstowardsitsobjectives,thereforethatphaseisagainmarked"N/A."AsummaryofindicatorsfromthersttwointrusionattemptsisprovidedinTable3.10 U.S.-ChinaEconomicandSecurityReviewCommission.2009ReporttoCongressoftheU.S.-ChinaEconomicandSecurityReviewCommission,November2009.URLhttp://www.uscc.gov/annual_report/2009/annual_report_full_09.pdf.U.S.DepartmentofDefense.JointPublication3-13InformationOperations,February2006.URLhttp://www.dtic.mil/doctrine/new_pubs/jp3_13.pdf.U.S.DepartmentofDefense.JointPublication3-60JointTargeting,April2007.URLhttp://www.dtic.mil/doctrine/new_pubs/jp3_60.pdf.RobertWillisonandMikkoSiponen.Overcomingtheinsider:reducingemployeecomputercrimethroughSituationalCrimePrevention.CommunicationsoftheACM,52(9):133{137,2009.doi:http://doi.acm.org/10.1145/1562164.1562198.14