What are we trying to protect?
In the previous post "The Best Offense is a Good Defense", we discussed how a defense-in-depth security posture protects our company at every level of a potential attack. The more controls we have in place at each level, the stronger the building blocks of protection within our company against data theft. The focus of this post will be on securing compute resources through network and virtual machine controls. First, we should understand more about our attackers by reviewing the cyber-attack kill chain.
What is the cyber-attack kill chain?
There are many ways that an attacker attempts to access resources within the company. How they gain this access and what they attempt to accomplish once they have it is the foundation of a cyber-attack. We refer to these stages, and how we protect against each of them, as the cyber-attack kill chain. Figure 1 shows the stages of a cyber-attack in a linear format.
In many cases, an attacker is attempting to enter and do some level of damage at one of these stages. Sophisticated attackers may go through every one of these stages in order to gain full access to resources and increase the amount of damage they can do to a company. Let's define each of these stages for further understanding.
1. Reconnaissance - this is the planning stage of the attack. The attacker gathers whatever information they can find about the company, or companies, they will be targeting. This may be through social media, websites, phishing, or social engineering of personnel within the company. Another aspect of this stage is port scanning of known management ports, such as RDP port 3389 or SSH port 22. The goal at this stage is to find ways to access systems.
2. Intrusion - once reconnaissance is successful, the attacker has found a way to access a system or systems within the company network. Now they use that knowledge to get into those systems. One type of intrusion is a brute-force attack.
3. Exploitation - the attacker has gained access to a system on the company network and now wants to exploit it. This is where the attacker begins to show malicious intent. They will begin to use this access to deliver malware across the network.
4. Privilege escalation - once the attacker has gained access to a system, they will want to gain administrator-level access to the current resource as well as to additional resources on the network. If they have gained access to a virtual machine on the network, they could have administrative login privileges to other virtual machines and resources on the network.
5. Lateral movement - companies that reuse the same administrator username and password across systems could allow the attacker to gain access to other systems across the network. This lateral movement could lead the attacker from a system without sensitive information to one that holds extremely sensitive information.
6. Obfuscation/Anti-forensics - as is the case with any attack or crime, the person, or people, involved do not want to be found or traced. Therefore, they attempt to keep their access anonymous. If they have gained access through the credentials of someone within the company, this can decrease their traceability.
7. Denial of Service - when an attacker cuts off access to resources, this is a denial of service. This may be through an attack such as a SYN flood, where they send a large number of requests to a company's public IP address that cannot be processed fast enough. This flood of requests blocks legitimate requests from reaching resources.
8. Exfiltration - the final aspect of the cyber-attack is exfiltration. This is where the attacker has gained access to sensitive information and is able to remove that information to do harm in some way. This could be banking information, personnel or customer personally identifiable information (PII), and other valuable data.
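The first two stages above leave traces a defender can look for: a port scan shows up as one source touching many ports (including the management ports 22 and 3389 named above), and a brute-force intrusion shows up as repeated failed logins from one source. The following is an added example, not code from the original post, that runs simple detections over constructed firewall and SSH log lines; the log formats, IP addresses and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

MGMT_PORTS = {22, 3389}  # SSH and RDP, the management ports named in the post
# Constructed sample log lines (not from the post or any real system).
FIREWALL_LOG = [
    "2024-01-05T10:00:01 src=203.0.113.7 dst=10.0.0.5 dport=22 action=deny",
    "2024-01-05T10:00:02 src=203.0.113.7 dst=10.0.0.5 dport=3389 action=deny",
    "2024-01-05T10:00:03 src=203.0.113.7 dst=10.0.0.5 dport=445 action=deny",
    "2024-01-05T10:00:04 src=203.0.113.7 dst=10.0.0.5 dport=8080 action=deny",
    "2024-01-05T10:00:05 src=198.51.100.2 dst=10.0.0.5 dport=443 action=allow",
]
AUTH_LOG = [
    "2024-01-05T10:05:01 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-05T10:05:02 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-05T10:05:03 sshd: Failed password for root from 203.0.113.7",
    "2024-01-05T10:05:04 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-05T10:05:05 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-05T10:05:09 sshd: Accepted password for alice from 198.51.100.2",
    "2024-01-05T10:05:10 sshd: Failed password for alice from 198.51.100.2",
]

FW_RE = re.compile(r"src=(\S+) dst=\S+ dport=(\d+)")
AUTH_RE = re.compile(r"Failed password for (\S+) from (\S+)")

def find_port_scans(lines, min_ports=3):
    """Reconnaissance signal: one source probing several distinct ports.
    Returns {src: {"ports": [...], "touched_mgmt": bool}} for sources that
    reached min_ports; touched_mgmt is True if port 22 or 3389 was probed."""
    ports = defaultdict(set)
    for line in lines:
        m = FW_RE.search(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return {src: {"ports": sorted(p), "touched_mgmt": bool(p & MGMT_PORTS)}
            for src, p in ports.items() if len(p) >= min_ports}

def find_brute_force(lines, max_failures=5):
    """Intrusion signal: repeated failed logins from one source.
    Returns {src: failure_count} for sources reaching max_failures."""
    failures = defaultdict(int)
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    return {src: n for src, n in failures.items() if n >= max_failures}

if __name__ == "__main__":
    print("port scans:", find_port_scans(FIREWALL_LOG))
    print("brute force:", find_brute_force(AUTH_LOG))
```

A single failed login from a legitimate user stays below the threshold, while the scanning source is flagged in both detections, which is the kind of correlation that lets a defender act before the exploitation stage.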
The ability to protect against each of these stages of the cyber-attack is our kill chain. Having a strong defense-in-depth security posture addresses every area of the kill chain.