Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
- An evolution in network protection is required to counteract a more advanced method of attack - APT.
- APT's (Adnvanced Persistent Threat) are conducted by highly skilled individuals over a long period of time with the tools to bypass conventional network defences in order to gain access to essential systems and sensitive data.
- Defence actors can utilise the long-winded process to evaluate incoming threat techniques, and enhance mitigating actions for better success in future attacks.
- The kill chain model can be used to follow the bread crumbs of attackers to build a big picture view of their objectives.
- Succesful ATP attacks on highly classified entities proved a necessity to create more robust defensive measures compared to traditional blockades on automated attacks.
- An intelligence-driven approach is needed to combat sophisticated ATP attacks.
- The kill chain model represents each phase an attacker must go through to complete their objective succesfully, and preventing them in any one of the steps can greatly alleviate the probablity of success.
- Phase based defensive models are a common tool in developing and assesing counter measures.
- The US military forces apply a kill chain model for situational scenarios, and the US Department of Defence classifies their kill chain phase based model to include the steps: find, fix, track, target, engage, and assess.
- Intelligence-driven CND requires understanding of the adversary along with following the overall goal if intrusion attempts rather than focusing on one-time attacks.
- APT's are essentially defended with the same or higher level persistance.
- Indicators are an essential part in locating intrusions and harnessing them to locate more.
- Indicators are divided into three types:
- Atomic - A basic form of data that retains its essence such as an IP address.
- Computed - Genterated types of data such as hash values.
- Behavioral - A combination of the two former types of data that an attacker utilises to further their objective.
- Indicators seem like a very small part of the defencive action, but they are a vital part in helping to build a adaptable strong defence in the long run.
- Keyword "Chain" aptly describes this phase based model as failure in any one link will cause the whole process to cease.
- The intrusion kill chain includes seven steps:
- Reconnaissance - Researching openly available infromation on target.
- Weaponization - Create deliverable malware.
- Delivery - Dispatch weapon to target with e.g. email attatchment.
- Exploitation - Code triggers in target system attacking vulnerabilities.
- Installation - Install means for remote access for steady control of in target system.
- Command & control (C2) - Gain hands on keyboard access through an establsihed server connection.
- Actions & Objectives - Fulfill original mission and extract data or move laterally within target system. -As mentioned in the lesson, the final part of the kill chain is also the first part as you must have an objective before starting any other steps.
- Having a perceptive understanding of the adversary and their objectives allows for effective targeted defencive action.
- Each phase of the intrusion kill chain has a correlating phase in the courses of action matrix designed to promote resiliant defence versus persistant attack, and force adverseries to sink more cost into their objective.
- Courses of action matrix consits of detect, deny, disrupt, degrade, deceive, and destroy.
- Full understanding and abilty to reproduce a succesfully mitigated attack is an integral part of building a proactive defencive strategy for future intrusions.
- Campaign analysis is about studying long-term attacks and connecting the dots between similarities to get better insight on the adversary's intents and capabilities.
- Ananlysis can provide information on existing campaigns or open the door for investigation to a new campaign.
- Three similar intrusion attempts were made in a two-week period where attackers sent a weaponized attachment to a limited amount of individuals via email. The sending address was disguised as a legitimate employee to invoke authenticity.
- The attacker's objective was to install a backdoor from the attachment, and open a connection to a C2 server.
- The first two had many commonalities which defenders leveraged to thwart the intrusion.
- The third intrusion attempt differed from the first two, but was found out due to small similarities in key indicators.
- This case study is a testament to how effective careful analysis of each indicator and step of the intrusion kill chain can prove fruitful for network defence.
I'm using a MacBook Air with an M1 processor, therefore I followed the instructions made by Teemu Laine https://github.com/HortTemppa/horttemppa.github.io/blob/main/h1.md
-
Instead of VirtualBox, I downloaded UTM virtualisation software here: https://mac.getutm.app/
-
After downloading and confirming installation, UTM opened to this screen:
- I selected "Browse UTM Gallery" which opened the gallery in my browser.
- I picked Debian 12, and selected "Open in UTM". UTM asked to confirm the choise and installed Debian 12.
- If expected time for installation is over 1h, I recommend in deleting and reinstalling UTM & Debian.
- Debin 12 was now visible on the left side where I right-clicked it to open the system preferences (Edit)
- In "System" I increased the RAM to 4GB pictured below.
- Resizing over 4GB resulted in the VM not working!
-
In "Network" I switched Network mode to "Bridged".
-
Under "Drives" -> "VirtIO" -> Resize -> Make sure size it at minimum 64GB.
-
Finally I clicked save and pressed play on the virtual machine.
-
Boot process was quite long, patience is needed.
-
After boot, I logged in with default username (debian) and password (debian).
- Logging in takes a while as well.
-
UTM uses a lot of CPU, but after a while it stabilizes and performance is better.
- Performance can dip every now and then, and sometimes the machine crashes.
- Try to avoid killing the VM to ensure progress and changes are saved.
-
I opened "Activities" -> "Settings" -> "Users", and changed username and password to my own.
- Username and password can also be changed in command line terminal, also found under "Activities".
- Note: Username stayed as 'debian' for me, but password change was succesful.
- I opened the terminal and used "sudo apt-get update" to update available software.
- This later succeeded completely when opening VM for the second time.