The Insider Kill Chain – Part 1
The “Kill Chain” is a military term for the process of finding, targeting and destroying enemy forces in a way that makes it hardest for the enemy to keep fighting. In information security, the term (popularized by Lockheed Martin’s Cyber Kill Chain) refers to the sequential steps an adversary must complete to carry out a successful attack.
Long gone are the days when organizations could expect to keep every attacker from gaining a foothold. Whether through credentials stolen in a phishing attack or a known vulnerability in common software, security professionals now expect attackers to breach their outermost defenses. The value of the model is that the attacker has to complete every step: stopping the adversary at any point in the kill chain prevents the attack from completing.
When thinking about external threats, the kill chain consists of seven steps:
- Reconnaissance – Gather information about the target: infrastructure, key employees and their interests, email address formats, social gatherings, etc.
- Weaponization – Craft the attack, for example a phishing email designed to steal credentials or trick an employee into opening a malicious payload.
- Delivery – Send the email, plant an infected USB stick, lure the target to a malicious website, etc.
- Exploitation – Execute the payload or log in using the stolen credentials.
- Installation – Install malware or a backdoor so the attacker keeps access (persistence) after the initial exploit.
- Command and control – Establish communication between the compromised systems and the attacker.
- Actions on objectives – With control of the system, the attacker collects and exfiltrates the desired information or otherwise accomplishes the goal.
Against this chain, organizations deploy anti-malware systems that scan inbound email for malicious payloads (delivery), SIEM systems that correlate network and endpoint logs across the stages, IPS devices that inspect inbound and outbound traffic (exploitation and command and control), and SOC analysts who investigate anomalous behavior.
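To make the “correlate logs across the stages” idea concrete, here is an added example (not code from the original post or any product it mentions): a minimal SIEM-style correlator that tags each event with the kill-chain stage it evidences, links events by the affected user, and raises an alert once a sequence has progressed through two or more stages within a time window. The log lines, users, hostnames, domains, detection rules and thresholds are all constructed for illustration.

```python
"""Kill-chain stage correlation over constructed log events.

Added example, not from the original post. Every event, rule and threshold
below is an assumption made for illustration; a real SIEM would join on
both user and host and carry far richer detection content.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain stages in order; recon and weaponization leave few logs on the
# defender's side, so only the observable stages are modelled.
STAGES = ["delivery", "exploitation", "installation",
          "command_and_control", "actions_on_objectives"]

# Constructed sample events: (timestamp, log source, user, detail).
EVENTS = [
    ("2024-03-04T09:01:10", "mail_gw", "alice", "attachment=invoice.docm verdict=suspicious"),
    ("2024-03-04T09:04:32", "edr", "alice", "parent=WINWORD.EXE child=powershell.exe"),
    ("2024-03-04T09:05:01", "edr", "alice", "persistence=run_key path=C:\\Users\\alice\\AppData\\upd.exe"),
    ("2024-03-04T09:05:40", "proxy", "alice", "dst=update-cdn.example.net beacon_interval=60s"),
    ("2024-03-04T13:30:00", "mail_gw", "bob", "attachment=newsletter.pdf verdict=clean"),
    ("2024-03-04T13:31:15", "proxy", "bob", "dst=www.example.com"),
]


def classify(source, detail):
    """Map one event to the kill-chain stage it evidences, or None if benign.

    The rules are deliberately simple stand-ins for real detection content.
    """
    if source == "mail_gw" and "verdict=suspicious" in detail:
        return "delivery"                       # malicious attachment reached a mailbox
    if source == "edr" and "parent=WINWORD.EXE" in detail and "child=powershell.exe" in detail:
        return "exploitation"                   # Office spawning a shell: payload executed
    if source == "edr" and "persistence=" in detail:
        return "installation"                   # foothold made persistent
    if source == "proxy" and "beacon_interval=" in detail:
        return "command_and_control"            # periodic outbound beacon
    return None


def correlate(events, window=timedelta(hours=1)):
    """Return {user: [stage, ...]} for users with staged events.

    Events are processed in time order; only forward progress through the
    chain is recorded, and only within `window` of the user's first staged
    event, so unrelated noise hours later does not extend the chain.
    """
    by_user = defaultdict(list)
    for ts, source, user, detail in sorted(events):
        stage = classify(source, detail)
        if stage is not None:
            by_user[user].append((datetime.fromisoformat(ts), stage))

    chains = {}
    for user, staged in by_user.items():
        start = staged[0][0]
        chain = []
        for ts, stage in staged:
            if ts - start > window:
                break
            if not chain or STAGES.index(stage) > STAGES.index(chain[-1]):
                chain.append(stage)
        chains[user] = chain
    return chains


def alerts(events, min_stages=2):
    """Return (user, furthest_stage) for chains that advanced min_stages or more.

    The furthest stage tells the responder where the chain can still be cut:
    a chain stopped at installation has not yet reached command and control.
    """
    return [(user, chain[-1])
            for user, chain in correlate(events).items()
            if len(chain) >= min_stages]


if __name__ == "__main__":
    for user, stage in alerts(EVENTS):
        print(f"ALERT user={user} furthest_stage={stage}")
```

Run stand-alone it reports one alert for `alice`, whose events progress from delivery to command and control inside five minutes, while `bob`’s clean attachment and ordinary web traffic never map to a stage. The interesting design choice is the window: tying progression to time is what separates a live intrusion from four unrelated low-severity events on the same user spread over a month.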
This works well for outsider threats. When the threat is a malicious insider, however, the kill chain and the required defenses are quite different: a malicious insider may already have legitimate access to the targeted asset, so there is no perimeter to breach and no payload for the mail scanner to catch. Security teams instead need to anticipate attacks by looking for indicators of an insider’s suspicious activity.
Insider threats also need to be monitored without alerting the individual. The first reason is that you want sufficient evidence before taking disciplinary and/or legal action, and an insider who knows they are being watched can change behavior or cover their tracks. Just as importantly, organizations need to balance security monitoring with employee trust: a “surveillance state” atmosphere can quickly harm employee morale and trust in the organization.
In subsequent posts we will discuss the steps in the Insider Threat Kill Chain and how organizations can balance security with respect for their employees.