The Kill Chain…the Real Horror Story

Halloween happens to be one of my favorite holidays.  As a kid, I loved to dress up in costumes, collect candy from the neighbors on Halloween night, carve pumpkins, and most of all go to haunted houses.  For the most part I still enjoy all of these things, just in different ways.  I am sure that there are psychological reasons why I enjoy getting scared at haunted houses.  It may seem strange to people who know me, because I am not a risk taker.  I do not like surprises, and I am certainly not one to put myself in a situation where the outcome is unpredictable.  But for the 31 days in October, I like to be scared.  Haunted houses got me thinking…an advanced threat is a lot like a haunted house.  Your business, or rather your network, becomes the haunted house.  And the costumes that these threats wear are masks that make them look like good traffic.  It is the Stepford Wives of horror stories for businesses, and these haunted houses happen year-round and often last longer than 31 days…on average they last 192 days before anyone even discovers that they are scary.

In our recently posted webinar titled What Happens Next: Detecting and Understanding Lateral Movement, we take a look at Stage 4 of the Kill Chain (Lateral Movement), and discuss why traditional approaches such as SIEM and log management take too long to detect advanced threats.  (The stage numbering is the webinar's own; in the Lockheed Martin seven-step model, lateral movement falls under the final Actions on Objectives step, after exploitation, installation and command and control.)  We also walk through what can happen during the window between the delivery and installation of the attack in your environment and the moment the threat begins to infiltrate other hosts within the network…scary!

At this stage of the game, you have two significant problems.  First, you have to determine where your security posture failed and allowed the threat to exploit your network and install the attack.  Second, you now have to locate the threat and follow its actions to see where it has gone and what it has done.  Traditional technologies actually make these steps more difficult, because the evidence is scattered across separate logs and alerts that someone has to stitch together by hand, and that takes more time than the business can afford.

This webinar walks you through the steps organizations take when monitoring, detecting and mitigating an advanced threat attack.  It also shows you how a breach can move within your environment, and how traditional technologies work, or rather do not work well enough.  Advanced threat technologies differ from point products and "next generation" solutions: they are not limited to one slice of the problem, nor do they try to do a handful of unrelated things at once.  Advanced threat technologies are about analysis and precision.  They give you an opportunity to look for threats before massive harm occurs, should show you clearly what activities these threats carried out during the lateral movement stage of a kill chain, and help you answer the following questions quickly:

  • Was the recon stage part of a larger concerted effort?
  • Did it identify a service?
  • Was there a compromise?
  • Was this compromise used by others?
  • What backchannels have been established or C&C used?
  • Was there lateral movement?
  • Can we track all activities resulting from lateral movement?

By having answers to these questions, you are better able to understand the impact of the compromise.  This visibility shortens the time to resolve the attack, minimizes the risk of a full-on breach, and helps you determine the root cause so you can put security controls in place that prevent similar threats.
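To make the last three questions above concrete, here is an added example (not code from the webinar or its vendor) that reconstructs a lateral-movement chain from a handful of constructed events.  It assumes flattened records of the form (timestamp, kind, source host, destination host, user), where "logon" stands in for a Windows network logon (event 4624, logon type 3) and "conn" for an outbound connection.  Starting from a known patient-zero host and compromise time, it follows outbound logons to mark each host reached, walks the chain back for any host, lists every event a compromised host produced after its compromise, and flags outbound connections that recur at a steady interval as a likely command-and-control beacon.  Host names, addresses, thresholds and the event layout are all assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real logs). Tuples are
# (timestamp_seconds, kind, src_host, dst_host, user); "logon" approximates
# a Windows 4624 type-3 network logon, "conn" an outbound connection record.
EVENTS = [
    (50,  "logon", "WS-12", "PRN-02", "jdoe"),          # before compromise: benign
    (100, "logon", "WS-12", "FS-01", "jdoe"),           # first hop off patient zero
    (130, "conn",  "WS-12", "203.0.113.7", ""),         # four evenly spaced
    (190, "conn",  "WS-12", "203.0.113.7", ""),         # outbound hits: a beacon
    (250, "conn",  "WS-12", "203.0.113.7", ""),
    (310, "conn",  "WS-12", "203.0.113.7", ""),
    (400, "logon", "FS-01", "DC-01", "svc_backup"),     # pivot from the file server
    (450, "logon", "WS-07", "FS-01", "asmith"),         # inbound to FS-01, not outbound from it
    (500, "logon", "DC-01", "WS-33", "Administrator"),  # DC used to reach a workstation
    (520, "conn",  "WS-07", "198.51.100.9", ""),        # unrelated host, single hit
]


def trace_lateral_movement(events, patient_zero, compromise_time):
    """Follow logons outward from patient zero.

    A host is marked compromised the first time an already-compromised host
    logs on to it at or after that source's own compromise time. Returns
    {host: (time, via_host, user)}; patient zero maps to (time, None, None).
    Direction matters: a logon *into* a compromised host does not taint its source.
    """
    compromised = {patient_zero: (compromise_time, None, None)}
    for ts, kind, src, dst, user in sorted(events):
        if kind != "logon" or src not in compromised or dst in compromised:
            continue
        if ts >= compromised[src][0]:
            compromised[dst] = (ts, src, user)
    return compromised


def movement_path(chain, host):
    """Walk the via-links back to patient zero, e.g. ['WS-12', 'FS-01', 'DC-01']."""
    path = []
    while host is not None:
        path.append(host)
        host = chain[host][1]
    return list(reversed(path))


def attributable_activity(events, chain):
    """Every event a compromised host produced at or after its compromise time."""
    return [e for e in sorted(events)
            if e[2] in chain and e[0] >= chain[e[2]][0]]


def detect_beacons(events, min_hits=4, max_jitter=0.2):
    """Flag (src, dst) pairs whose outbound connections recur at a steady
    interval: at least min_hits records whose inter-arrival spread stays within
    max_jitter of the mean interval. Returns [(src, dst, mean_interval)]."""
    times = defaultdict(list)
    for ts, kind, src, dst, _ in events:
        if kind == "conn":
            times[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        if pstdev(deltas) <= max_jitter * avg:
            beacons.append((src, dst, avg))
    return beacons


if __name__ == "__main__":
    chain = trace_lateral_movement(EVENTS, "WS-12", 60)
    for host in chain:
        print(host, "reached via", " -> ".join(movement_path(chain, host)))
    print("beacons:", detect_beacons(EVENTS))
    print("attributable events:", len(attributable_activity(EVENTS, chain)))
```

On the constructed data, WS-12 reaches FS-01, FS-01 pivots to DC-01, and DC-01 reaches WS-33; WS-07 stays clean because its only logon is inbound to a compromised host, and the WS-12 logon at 50 seconds predates the compromise.  Real telemetry is noisier (shared service accounts, jittered beacons, logons from jump hosts), so the thresholds are starting points to tune, not detections to trust blindly.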

An advanced threat solution can turn a haunted house back into just a house.  It helps you keep your fears in check at the office, SOC or NOC, and lets you enjoy the holidays to come…Trick or Treat!