The Insider Threat Kill Chain – Obfuscation
In cybersecurity, the kill chain refers to the sequence of steps an adversary must complete for an attack to succeed. Breaking the chain at any one of those steps blocks the loss of sensitive information, so a defender does not have to stop every step, only one of them.
In this series of posts we have covered reconnaissance, circumvention, and aggregation. Once a malicious insider has located the data they want, tested the organization's defensive measures, and collected the data, the next step is to disguise that activity to avoid detection – obfuscation.
Few malicious insiders want the organization to know it has been breached. Persistent insider threats want to keep their access and continue their activity, while disgruntled employees and flight risks know that the organization has legal remedies once it learns of the theft. Concealing the activity is therefore a critical step in a successful attack.
Malicious intent is often easier to distinguish in the obfuscation phase, because many of the activities involved have no legitimate business purpose. They can include:
- Changing file extensions – renaming a spreadsheet, database, or document so that it appears to be an image file bypasses filters that look only at the extension rather than at the file's contents (the file's magic bytes still reveal its real type, so content-aware inspection catches this)
- Off-network activity and circumventing the organizational VPN to hide web browsing; this can include clearing cookies and browser history, clearing Event Viewer logs, or unusual use of browser "stealth" settings such as Incognito mode
- Unusually high rates of file renaming, especially when the new name is not simply a version-number change
- Use of steganography applications, identified by application name, product, or vendor ID – including browser-based tools – as well as steganography performed from the command line
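As an added example, not part of the original post or of any product it describes, the following Python script implements detection logic for two of the indicators above: an extension/content mismatch check using file magic bytes, and a sliding-window rename-rate check over audit log lines that ignores plain version-number bumps. The log format, the short signature table, the usernames, the sample log lines and the window/threshold values are all constructed assumptions for illustration; a production detector would use a full signature library such as libmagic and tune the thresholds to the environment.

```python
"""Detection helpers for two obfuscation indicators: files whose contents do not
match their extension, and users renaming files at an abnormal rate."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a small illustrative signature table, not a complete one.
MAGIC = {
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"%PDF-": {"pdf"},
    b"SQLite format 3\x00": {"db", "sqlite", "sqlite3"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {"doc", "xls", "ppt"},
}


def detect_type(header: bytes):
    """Return the set of extensions consistent with the file's magic bytes, or None."""
    for signature, extensions in MAGIC.items():
        if header.startswith(signature):
            return extensions
    return None


def extension_mismatch(filename: str, header: bytes) -> bool:
    """True when the real content type is known and disagrees with the claimed extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    real = detect_type(header)
    if real is None:
        return False  # unknown content: nothing to compare against
    return ext not in real


# Assumption: a simple key=value rename event format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=rename src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
# Trailing version markers such as "_v2", "-3", " version7".
VERSION_SUFFIX = re.compile(r"[ _\-]?(?:v|ver|version)?\d+$", re.IGNORECASE)


def split_name(name: str):
    """Split 'report_v1.xlsx' into ('report_v1', 'xlsx')."""
    base, dot, ext = name.rpartition(".")
    return (name, "") if not dot else (base, ext.lower())


def is_version_bump(src: str, dst: str) -> bool:
    """A rename is a benign version bump if only the trailing number changed."""
    src_base, src_ext = split_name(src)
    dst_base, dst_ext = split_name(dst)
    return (
        src_ext == dst_ext
        and src_base != dst_base
        and VERSION_SUFFIX.sub("", src_base) == VERSION_SUFFIX.sub("", dst_base)
    )


def suspicious_renamers(log_lines, window=timedelta(minutes=10), threshold=5):
    """Map user -> peak count of non-version renames inside any sliding window."""
    events = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or is_version_bump(m["src"], m["dst"]):
            continue
        events[m["user"]].append(datetime.fromisoformat(m["ts"]))
    flagged = {}
    for user, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


# Constructed sample audit log: alice does routine version bumps, bob renames six
# sensitive files to look like camera images within two minutes.
SAMPLE_LOG = """\
2024-05-06T09:00:01 user=alice op=rename src=Q1_report_v1.xlsx dst=Q1_report_v2.xlsx
2024-05-06T09:02:10 user=alice op=rename src=budget_v3.docx dst=budget_v4.docx
2024-05-06T09:03:00 user=alice op=rename src=draft.docx dst=final.docx
2024-05-06T10:15:00 user=bob op=rename src=customers.xlsx dst=IMG_0001.jpg
2024-05-06T10:15:20 user=bob op=rename src=contracts.db dst=IMG_0002.jpg
2024-05-06T10:15:41 user=bob op=rename src=pricing.docx dst=IMG_0003.jpg
2024-05-06T10:16:02 user=bob op=rename src=roadmap.pptx dst=IMG_0004.jpg
2024-05-06T10:16:30 user=bob op=rename src=salaries.xlsx dst=IMG_0005.jpg
2024-05-06T10:17:05 user=bob op=rename src=source.zip dst=IMG_0006.jpg
2024-05-06T11:00:00 user=carol op=rename src=a.txt dst=b.txt
2024-05-06T13:00:00 user=carol op=rename src=c.txt dst=d.txt
""".splitlines()

if __name__ == "__main__":
    print("extension mismatch:", extension_mismatch("vacation.png", b"PK\x03\x04\x14\x00"))
    print("suspicious renamers:", suspicious_renamers(SAMPLE_LOG))
```

The two checks are complementary: the magic-byte comparison catches a single disguised file at rest or in transit, while the rename-rate check catches the bulk relabelling that usually precedes exfiltration even when the new extensions are not inspected. Both produce events that can be tied back to the user and timestamp in the audit trail.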
Detecting obfuscation is an important part of combating insider threats. Paired with an evidence-grade audit trail, it is also a critical step in proving malicious intent, since an employee who renames a customer database to look like a photo has little innocent explanation to offer.