
Page 1: Foiling the “Cyber Kill Chain” – Mitigation Strategies for Cyber Defense

marcumtechnology.com

September 22, 2020

Page 2

Marcum Technology has prepared these materials as part of an educational program. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual, entity or case.

While every effort has been made to offer current and accurate information, errors can occur. Furthermore, laws and regulations referred to in this program may change over time and should be interpreted only in light of particular circumstances.

The information presented here should not be construed as legal, tax, accounting or valuation advice. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Page 3: Today’s Speakers

► Jeff Bernstein, Director, Cybersecurity and Data Privacy

► Jaike Hornreich, Director, Cybersecurity and Data Privacy

► Peter Campbell, Senior Strategic Consultant

► Kevin Baker, Director, Digital Forensics

► Fred Johnson, Vice President, Cybersecurity and Digital Forensics

► Chad Hudson, Director, Cybersecurity and Data Privacy

Page 4: Today’s Agenda

► Introduction and Presenters

► What is a Kill Chain?

► What Have We Seen

► Compromise Costs

► Mitigating the Threat with an Effective Security Program

► Training

► Response

► Assurance

► Compliance

► Filling the Gaps with Specialized Staff Augmentation

► Other Considerations and Best Practice

► Marcum Technology

► Q&A

Page 5: What is a Kill Chain?

Page 6: Kill Chain

► The term kill chain was originally used as a military concept related to the structure of an attack, consisting of:

  ► Target identification

  ► Force dispatch to target

  ► Decision and order to attack the target

  ► Destruction or compromise of the target

► The idea of "breaking" an opponent's kill chain is a method of defense or preemptive action. More recently, Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network.

► The cyber kill chain model has seen some adoption in the information security community. It should be noted that acceptance of the concept is not universal, with critics pointing to what they believe are fundamental flaws in the model.

SOURCE: Wikipedia

Lockheed Martin's version breaks an intrusion into seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The Assurance section of this deck maps penetration-testing activities to those phases.

Page 7: Type of Attacks

► Website defacements

► Anonymous disparagement of key personnel on the Internet

► Theft of funds and leakage of data (client, personnel, IP and research)

► Malware outbreaks

► Ransomware attacks

► Stealing algorithms

► Wiping and/or corrupting data and crippling trade processes

► Extortion and ransomware cases

► Denial of Service (DoS) attacks

► Malicious insider attacks and IP exfiltration

► Various instances of fraud

► Crypto mining schemes

► Mobile application compromises

► Third-party partner compromises and exposures

► Physical attacks resulting in compromise

Social engineering still dominates, and the tools available to attackers are remarkably easy to use.

Page 8: Cost of a Cyber Compromise

► Data Breach Risk Claims

SOURCE: Risk Strategies

Page 9: Breaking the Kill Chain – TRAC (Training, Response, Assurance, Compliance)

Page 10: Training

Consequences of Human Error

Page 11: Training – Education

► Influence good user behavior and digital hygiene

► Training

  ► General audience

  ► C-suite

  ► Role-based

  ► Regulatory

  ► Development

  ► Customize for your unique situation

► Table-top gaming exercises

  ► Incident and event response

  ► BC/DR

  ► Test staff

Page 12: Training

Page 13: Response

► Breaking the cyber kill chain requires a quick response

► On average, companies take 197 days to detect a breach and 69 days to contain it*

* 2020 Cost of a Data Breach Report (https://www.ibm.com/security/data-breach)

► Early detection and response prevents:

  ► Lateral movement

  ► Privilege escalation

  ► Persistent access

  ► Data exfiltration

  ► Destruction of evidence

► Attacks are routinely multifaceted and develop over time

Page 14: Response – Incident Response Steps

Identify / Collect / Analyze

NIST (SP 800-61):

1. Preparation

2. Detection and Analysis

3. Containment, Eradication, and Recovery

4. Post-Incident Activity

SANS:

1. Preparation

2. Identification

3. Containment

4. Eradication

5. Recovery

6. Lessons Learned

Page 15: Response – Digital Forensics

► Identification

  ► Interviews

  ► System logs

  ► Alerts

  ► Analysis

► Data preservation

  ► Device imaging (servers, desktops, laptops, cell phones)

  ► Log file collection and extraction

  ► Online data collection (Microsoft 365, G Suite/Gmail, AWS, Azure)

  ► Forensically sound handling (write-blocked acquisition, cryptographic hashes of every artifact, a documented chain of custody) ensures admissibility
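The preservation step above rests on being able to prove that an artifact is byte-for-byte what was acquired. The following is an added example written for this page, not code from the presentation: it hashes every file in an evidence directory in streaming fashion, records the digests together with who acquired them and when, and re-verifies the directory so that a post-acquisition change (here, a log file wiped after imaging) is caught. The file names, case ID and examiner label are constructed for the demonstration.

```python
"""Added example: hash-based evidence preservation for a forensic acquisition.

Illustrative code written for this page, not Marcum's tooling. The "disk image"
and log file are constructed in memory so the example runs offline.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# SHA-256 for integrity; SHA-1 recorded as well because older imaging tools still report it.
HASH_ALGOS = ("sha256", "sha1")


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so multi-gigabyte images never have to fit in RAM."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(evidence_dir: Path, examiner: str, case_id: str) -> dict:
    """Record each artifact's size and digests plus who acquired it and when (chain of custody)."""
    items = []
    for path in sorted(evidence_dir.iterdir()):
        if path.is_file():
            items.append({"name": path.name, "size": path.stat().st_size, "hashes": hash_file(path)})
    return {
        "case_id": case_id,
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return names of artifacts whose current digests differ from the manifest, or that are missing."""
    bad = []
    for item in manifest["items"]:
        path = evidence_dir / item["name"]
        if not path.is_file() or hash_file(path) != item["hashes"]:
            bad.append(item["name"])
    return bad


def demo() -> tuple:
    """Acquire, verify, tamper, verify again. Returns (clean_result, tampered_result, manifest_json)."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        # Constructed sample artifacts standing in for a disk image and a collected log.
        (evidence / "laptop-42.dd").write_bytes(b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4096)
        (evidence / "auth.log").write_text("Sep 22 10:01:02 host sshd[1]: Accepted password for admin\n")

        manifest = build_manifest(evidence, examiner="examiner-1 (placeholder)", case_id="CASE-0000")
        clean = verify_manifest(evidence, manifest)      # nothing changed yet

        # Simulate someone "cleaning up" the log after acquisition.
        (evidence / "auth.log").write_text("")
        tampered = verify_manifest(evidence, manifest)   # the wiped log no longer matches
        return clean, tampered, json.dumps(manifest, indent=2)


if __name__ == "__main__":
    clean, tampered, manifest_json = demo()
    print(manifest_json)
    print("clean verification:", clean)
    print("after tampering:", tampered)
```

In practice the manifest is produced at acquisition time, signed or stored separately from the evidence, and re-run before analysis and again before anything is handed to counsel, insurers or law enforcement.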

Page 16: Response – Digital Forensics

► Analysis

  ► Timeline

  ► Root cause/source

  ► Impacted data

  ► Target identification

  ► Exploit identification

► Reporting

  ► Provides stakeholders a plain-English understanding of the incident

  ► Actionable items and recommendations

  ► Often required by insurance companies

  ► Basis for referral to law enforcement and for expert testimony

Page 17: Assurance – Penetration Testing (Offensive Security Exercises)

► Network security

  ► External

  ► Internal

  ► Wireless

  ► Segmentation validation

► Application security

  ► Web application / front end

  ► API/REST services / back end

  ► GraphQL

  ► Mobile applications (iOS/Android)

► Human security

  ► Social engineering (phishing, vishing, smishing)

  ► USB drops, USPS delivery, piggybacking

  ► Trusted relationships

  ► Fraudulent domains

  ► Dumpster diving

Page 18: Assurance – Penetration Testing (Offensive Security Exercises)

► Reconnaissance/Weaponization – Identify sensitive data in the public domain and map the attack plan

  ► Search engines, DNS, WHOIS, social media, news/blogs, file metadata, vulnerability scanning, surveying

  ► Helps to sanitize the external footprint of the organization

► Delivery – Determine the effectiveness of human and border defenses

  ► Phishing, web application flaws, vulnerable network services, account brute force, piggybacking, wardriving

  ► Identify areas for retraining, remediation, patching, and hardening
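The "file metadata" item under reconnaissance is worth making concrete. Office documents are ZIP containers whose docProps/core.xml and docProps/app.xml parts carry the author, last editor, creation time, company name and application version; a public PDF-to-Word leak or a report on the corporate website hands an attacker usernames and domain naming conventions for free. The following is an added example written for this page, not a tool from the presentation: it builds a minimal .docx in memory (constructed sample, not a real file), extracts the leaky fields, and shows the sanitizing counterpart that blanks them before publication. The field names and XML namespaces are the real OOXML ones; the user, company and timestamps in the sample are made up.

```python
"""Added example: find and scrub author/organization leakage in Office documents.

Written for this page as an illustration of the "file metadata" recon item; not from
the presentation. A minimal document is constructed in memory so it runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespaces used by docProps/core.xml and docProps/app.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Fields that identify people, internal naming conventions or software versions.
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified")
APP_FIELDS = ("ep:Company", "ep:Application", "ep:AppVersion")


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return the leaky fields present in an OOXML document; missing parts are skipped."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS)):
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for field in fields:
                el = root.find(field, NS)
                if el is not None and el.text:
                    found[field] = el.text.strip()
    return found


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Return a copy of the document with both property parts replaced by empty property sets."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == "docProps/core.xml":
                data = f'<cp:coreProperties xmlns:cp="{NS["cp"]}"/>'
            elif info.filename == "docProps/app.xml":
                data = f'<Properties xmlns="{NS["ep"]}"/>'
            else:
                data = src.read(info.filename)
            dst.writestr(info.filename, data)
    return out.getvalue()


def build_sample_docx() -> bytes:
    """Constructed sample: the skeleton of a .docx with the metadata a desktop Word install writes."""
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}">
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>
  <dcterms:created>2020-09-01T14:03:00Z</dcterms:created>
</cp:coreProperties>"""
    app = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{NS['ep']}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp Finance</Company>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("leaked:", extract_metadata(doc))
    print("after scrub:", extract_metadata(scrub_metadata(doc)))
```

Running extract_metadata over every document an organization has published is a cheap recon step for both the red team and the defender; the scrub step (or the equivalent "Inspect Document" feature in Office) belongs in the publishing workflow, not in a one-off cleanup.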

Page 19: Assurance – Penetration Testing (Offensive Security Exercises)

► Exploitation – Determine the effectiveness of endpoint protections and security controls

  ► Execution of malicious payloads, SQL injection, cross-site scripting, physical network patching, USB data exfiltration, or rogue access point creation

  ► Identify solutions to detect and mitigate attacks through the use of tools and implementation of operational controls

► Installation/Command & Control – Can the attacker gain persistence?

  ► Establish a network agent, create user accounts, modify boot records

  ► Identify solutions to limit administrative access, spot abnormal behavior or traffic, reduce the impact of an attacker, and prevent data exfiltration
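Two of the techniques the tester exercises in the Delivery and Installation phases above (account brute force, then persistence via a newly created account) leave a recognizable trail in the Windows Security log: 4625 (failed logon), 4624 (successful logon), 4720 (user account created) and 4732 (member added to a security-enabled local group). The following is an added example written for this page, not detection content from the presentation or any product: it runs two simple rules over constructed sample events in that shape and returns the findings as a chronologically ordered timeline, the first artifact an analyst builds in the Analysis step. The host names, user names, IP addresses, the five-failure threshold and the ten-minute window are assumptions to be tuned per environment.

```python
"""Added example: detecting a brute-force logon and a new-admin persistence step.

Illustrative detection logic written for this page. Event IDs are the real Windows
Security log IDs; the events themselves are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5            # failed logons from one source inside WINDOW (assumed)
WINDOW = timedelta(minutes=10)       # correlation window (assumed)
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

# Constructed sample events; field layout mirrors the relevant Windows event fields.
# The list is deliberately not in time order: real collections rarely are.
EVENTS = [
    {"time": "2020-09-22T01:16:02", "id": 4732, "host": "FS01", "user": "jsmith", "group": "Administrators", "member": "svc_backup"},
    {"time": "2020-09-22T01:12:00", "id": 4625, "host": "FS01", "user": "jsmith", "src": "10.9.8.7"},
    {"time": "2020-09-22T01:12:04", "id": 4625, "host": "FS01", "user": "jsmith", "src": "10.9.8.7"},
    {"time": "2020-09-22T01:12:09", "id": 4625, "host": "FS01", "user": "jsmith", "src": "10.9.8.7"},
    {"time": "2020-09-22T01:12:13", "id": 4625, "host": "FS01", "user": "jsmith", "src": "10.9.8.7"},
    {"time": "2020-09-22T01:12:18", "id": 4625, "host": "FS01", "user": "jsmith", "src": "10.9.8.7"},
    {"time": "2020-09-22T01:12:22", "id": 4624, "host": "FS01", "user": "jsmith", "src": "10.9.8.7"},
    {"time": "2020-09-22T01:15:40", "id": 4720, "host": "FS01", "user": "jsmith", "target": "svc_backup"},
    # Benign noise: one mistyped password, and an onboarding account that gets no privilege grant.
    {"time": "2020-09-22T08:30:11", "id": 4625, "host": "FS01", "user": "mlee", "src": "10.1.2.3"},
    {"time": "2020-09-22T08:30:20", "id": 4624, "host": "FS01", "user": "mlee", "src": "10.1.2.3"},
    {"time": "2020-09-22T09:05:00", "id": 4720, "host": "DC01", "user": "hr_admin", "target": "newhire07"},
]


def load(events):
    """Parse timestamps and return events in time order; every rule below assumes ordering."""
    parsed = [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]
    return sorted(parsed, key=lambda e: e["time"])


def detect_brute_force(events):
    """Flag sources with >= THRESHOLD failed logons inside WINDOW and note whether a success followed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]].append(e["time"])
        elif e["id"] == 4624:
            successes[e["src"]].append((e["time"], e["user"]))
    findings = []
    for src, times in failures.items():
        for i in range(len(times)):                      # sliding window over ordered failures
            j = i + BRUTE_FORCE_THRESHOLD - 1
            if j < len(times) and times[j] - times[i] <= WINDOW:
                burst_end = times[j]
                followed = [u for t, u in successes[src] if burst_end <= t <= burst_end + WINDOW]
                findings.append({
                    "time": times[i], "phase": "Delivery", "src": src,
                    "rule": "password brute force" + (" followed by successful logon" if followed else ""),
                    "compromised_user": followed[0] if followed else None,
                })
                break                                    # one finding per source is enough
    return findings


def detect_persistence(events):
    """Flag an account that is created and then added to a privileged group inside WINDOW."""
    created, findings = {}, []                           # new account -> (time, actor)
    for e in events:
        if e["id"] == 4720:
            created[e["target"]] = (e["time"], e["user"])
        elif e["id"] == 4732 and e["group"] in PRIVILEGED_GROUPS and e["member"] in created:
            t_created, actor = created[e["member"]]
            if e["time"] - t_created <= WINDOW:
                findings.append({
                    "time": e["time"], "phase": "Installation", "host": e["host"],
                    "rule": "new account added to privileged group",
                    "actor": actor, "account": e["member"], "group": e["group"],
                })
    return findings


def run(events=EVENTS):
    """Return all findings in chronological order: a first-pass incident timeline."""
    ordered = load(events)
    return sorted(detect_brute_force(ordered) + detect_persistence(ordered), key=lambda f: f["time"])


if __name__ == "__main__":
    for f in run():
        print(f["time"].isoformat(), f["phase"], f["rule"], {k: v for k, v in f.items() if k not in ("time", "phase", "rule")})
```

The two findings chain naturally: the account that survived the brute force is the actor that created svc_backup and promoted it, which is exactly the "spot abnormal behavior" and "limit administrative access" outcome the slide asks a penetration test to validate. A single mistyped password and a normal HR onboarding produce nothing.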

Page 20: Assurance – Penetration Testing (Offensive Security Exercises)

► Action on Objectives – Understand the severity of a compromise and operational weaknesses

  ► Controlled attack simulation to abuse or bypass network/access controls: escalate privileges, inappropriately access or exfiltrate data, attempt to move laterally and pivot into secured environments

  ► Identify opportunities to implement stricter access control/segmentation of data, solutions to secure key services/systems, and processes for securely backing up and storing data

Page 21: Compliance

Key to foiling the kill chain is anticipating the attacks. Compliance frameworks offer a well-rounded approach to securing every facet of your operation.

► Attackers often look for the easy targets. If they quickly determine that you have a comprehensive security plan, they might move on and find someone easier to hack.

► Adopting a framework is the first step. Frameworks describe the controls that should be in place to keep you protected.

► Institutionalizing the compliance, so that security awareness and oversight is a facet of organizational culture, is the ultimate goal.

Page 22: Compliance

► There are many frameworks, some of which you are required to implement, depending on your business, such as:

  ► Sarbanes-Oxley (corporate, financial)

  ► ISO 27001 (corporate, banking)

  ► HIPAA (health information)

  ► PCI DSS (credit card and payments)

  ► NIST, FISMA (government)

  ► GDPR (and similar privacy regulations)

► And some that you can voluntarily adopt, such as Microsoft’s framework

► Most frameworks cover similar territory and overlap, so picking a base framework and addressing any specific additional regulatory requirements keeps you covered

Page 23: Compliance

► Compliance frameworks address threats by identifying all areas where risk must be mitigated (the list below is the fourteen control families of NIST SP 800-171):

  ► Access Control

  ► Awareness and Training

  ► Audit and Accountability

  ► Configuration Management

  ► Identification and Authentication

  ► Incident Response

  ► Maintenance

  ► Media Protection

  ► Personnel Security

  ► Physical Protection

  ► Risk Assessment

  ► Security Assessment

  ► System and Communications Protection

  ► System and Information Integrity

► Maintaining a comprehensive security plan and regularly evaluating your protective measures against it, while staying informed about the latest threats and best practices, stops the chain in its tracks

Page 24: Specialized Staff Augmentation

► Diverse backgrounds and capabilities

► Ability to integrate efficiently and offer immediate value

► Project-based and long-term offerings

  ► Security administration: readiness assessments for various frameworks, system configuration, testing and patching

  ► Security operations: environment monitoring, looking for and responding to anomalies

  ► Security architecture: identity and access management, endpoint security software, firewall design

  ► Malware analysis and remediation

  ► Security leadership: virtual CISO services, board and executive guidance, program development and strategy

► Internal resource training and development

► Reduced administrative overhead

► Custom-tailored program for your organization

Page 25: Partnering with Marcum to Break the Kill Chain

► Training and Education

► Response

► Assurance

► Compliance

► Staff Augmentation

► Security Technology Solutions

► Managed Services

Page 26: Questions?

► Jeff Bernstein, Director, Cybersecurity and Data Privacy – [email protected]

► Peter Campbell, Senior Strategic Consultant – [email protected]

► Kevin Baker, Director, Digital Forensics – [email protected]

► Chad Hudson, Director, Cybersecurity and Data Privacy – [email protected]

► Jaike Hornreich, Director, Cybersecurity and Data Privacy – [email protected]

► Fred Johnson, Vice President, Cybersecurity and Digital Forensics – [email protected]