Another Sunday Funday come and gone and I am now only 35 blog posts away from my year! This week I am happy to reveal our winning answer as I believe the answer really presents the itself in a well organized fashion that will help many people get a handle on the killchain as it is.
Explain the 'Kill Chain' we specific DFIR examples of artifacts you
would look for and remediation steps for each part of the process.
The
cyber kill chain was first coined by Lockheed Martin’s Eric Hutchins,
Michael Cloppert, and Rohan Amin in 2011. Their paper,
“Intelligence-Drive
Computer Network Defense Informed by Analysis of Adversary Campaigns and
Intrusion Kill Chains” has a wonderfully long title, and is an
informative look into cyber threats. More information on this paper can
be found in the ‘Further Information’ section, located
at the bottom of this submission.
When
examining where digital forensics and the cyber kill chain intersect,
it’s important to understand each step of the kill chain and the
forensic
artifacts that may be applicable. Let’s take a walk through the kill
chain, some relevant DFIR artifacts, and potential
remediation/prevention steps:
1) Reconnaissance
a. Step
Overview
The
first step of the cyber kill chain highlights the research that an
adversary may perform either to identify a potential target, or on a
specific, pre-selected
target. In either matter, reconnaissance may involve profiling an
organization’s web presence, searching for employees and pertinent
details, and/or gaining insight into other technologies an organization
may use.
b. DFIR
Artifacts
· Network
logs
would be artifacts of interest here, including firewall and web logs.
Other outward-facing (aka DMZ) device logs would be useful as well. Data
analytics can assist analysts
in identifying suspicious traffic, such as scanning activity or
connections from questionable locations. Correlations over time can help
determine what is the “hum of the Internet” vs what may be repeated
attempts to profile a network.
· The
identification
of reconnaissance is also going to depend on the attacker’s objectives
or capabilities. If employees are too open about their personal details
on LinkedIn/Facebook/Twitter/FourSquare, an adversary may be able to
profile an entire C-Suite without
ever pinging an organization’s IP block.
c. Remediation/Prevention
Steps
· Firewall
ACLs can be utilized to block traffic from unwanted locations, or reaching sensitive areas.
· To
address reconnaissance using social networking sites, employee training can go a long
way to help preventing too much information being released.
2) Weaponize
a. Step
Overview
The
second step of the cyber kill chain is an action of the attacker to
take a payload, such as a Trojan or backdoor, and craft it into “weapon
form”. By weapon form, the
attacker needs a method with which to deliver the payload. These methods
may include malicious document files, such as PDFs or MS Office
documents, or malicious web sites set to execute code upon page loads.
b. DFIR
Artifacts
· Artifacts
of interest from step 2 would be the weaponized payloads
that may be left on a compromised
host. Artifacts of this type may include malicious PDFs, Office
documents, compressed files, or actual executables delivered via step
3’s mechanism. Granted, Step 3 will be required to get these artifacts
on the machine, but once on there, may provide a wealth
of information. These artifacts will be utilized in subsequent steps as
well.
c. Remediation/Prevention
Steps
· As
step
2 covers the weaponizing of a payload, remediation would be best
efforts to prevent the execution of said weapon. This is more in line
with step 4.
· In
an effort to catch weaponized malware, NIDS or NIPS tools may be used.
3) Deliver
a. Step
Overview: While
step 2 focused on the weaponization of a payload, step 3 is the actual
delivery of said weapon. Methods of delivery may include an email with
an attachment
from step 2, a maliciously crafted website, or a strategically placed
USB drive.
b. DFIR
Artifacts
· The
artifacts
an analyst might be interested in from Step 3 will be dependent on the
method of delivery. For a spear phishing email, analysts will want to
analyze the email messages, including headers, attachments, source, etc.
For malicious websites, collecting
internet history artifacts, including cached HTML files, scripts,
cookies, etc. will be important. If the delivery mechanism is something
physical, such as a USB drive with AutoRun malware, then forensically
preserving the drive becomes an artifact itself.
c. Remediation/Prevention
Steps
· Employee
training is
a valuable step in preventing delivery of malware. While this is a pipe
dream for some organizations, educating employees to be cautious of
emails containing
suspicious attachments or originating from unknown sources. Users should
also be cautious when browsing the web, although sometimes even
mainstream sites can be hit with vulnerabilities
· Depending
on the delivery vector, there are a multitude of technologies that can help. Endpoint USB protection
can help prevent executables from running, and/or disabling Windows features such as AutoRun.
· Email
traffic monitoring,
either via inline malware detection or endpoint detection, may help to
find malicious files within emails. Also, these tools may be used to
· Utilizing
web proxies may help prevent users from visiting malicious sites. Proxies that ingest
data sources like trusted sites and blacklisted IPs are a step closer to prevention.
4) Exploit
a. Step
Overview: Steps
2 and 3 weaponized and delivered malicious code: Step 4 is the
exploitation that allows the malicious code to run. If the delivery
mechanism was a PDF, the
exploitation may be a vulnerability that allows for JavaScript files to
be run and subsequently download a Trojan.
b. DFIR
Artifacts
· Artifacts
of
forensic interest for step 4 are going to be similar to step 2 and 3,
and will involve the actual weaponized payload itself. Whether it’s a
Java, Windows, Internet Explorer, Office, or Adobe exploit (to name some
amongst many,
many others), performing analysis on the malware may help determine information about the specific exploit(s) used.
· Step
4 is also where an analyst may want to begin looking at system artifacts. While step 4 does not yet cover a full installation
of the malware, system artifacts may yield information such as time of
infection or steps that the user took to get infected (unknowingly, we
hope). A timeline using a wide range of Windows artifacts (MFT,
registry, internet histories, etc.) would be able to
identify the time when the email arrived or USB drive was plugged in,
and actions that occurred within the seconds (or milliseconds)
afterwards.
· Specific
browser artifacts, including pages visited and/or downloads, may also yield information
about the exploit.
· The
Windows registry hives (system, sam, software, security, ntuser, and usrclass files) may
also provide unique information, such as data on removable drives, recent executables/files.
· Link
(lnk) and prefetch files may provide more information about executables around the time of exploit.
· A
forensic analyst may also, at this point, find themselves accessing logs on various servers
– again, dependent on the method of delivery. Web-based exploits would
have valuable information in web logs, proxy logs, and/or firewall logs.
If the delivery method was email, the analyst may want to pull email
information from the central mail server(s)
to trace the source of the delivery.
c. Remediation/Prevention
Steps
· A
myriad of steps can help prevent against weapons successfully exploiting
on a target host. Keeping software up to date, for example, is
important given the number of vulnerabilities that exist in third-party
software tools or document…readers.
· Utilizing
host-based
intrusion detection and prevention tools, such as HIDS, HIPS, and/or
anti-virus can help to protect against exploitation. These tools will
also help remediate Step 5, which is the installation of the malware.
Note that keeping these endpoint solutions
up to date is also extremely important – anti-virus is only as useful as
the signatures it knows!
5) Install
a. Step
Overview: Step 5 focuses on the installation of the weapon from Step 2 via the exploit in Step 4.
b. DFIR
Artifacts
· Now
that
the weaponized payload has been installed on the host, the file(s)
discussed in steps 2-4 will now certainly be of importance. The analyst
should try to capture any remnants
of the malware, including executables and other dropped files. Sandboxing or reversing the malware can help analysts determine other artifacts to look for, as well as begin
crafting countermeasures for Step 6.
· More
so than step 4, system- and disk-level artifacts are going to be valuable at this point in time.
o The
MFT can help paint when the malware was installed, and other artifacts that may have
been Modified/Accessed/Changed/Born. The USN journal will also yield information about
changes made to the volume.
o Windows
Event Logs may provide information about the install, and any Windows events that may have been triggered.
o The
components of the Windows registry are going to provide information about application
install, keys created/changed/deleted, and persistence mechanisms. UserAssist, ShimCache, and MRU
may also be valuable here, although not all will be affected by every malware.
o Similar
to Step 4, link and prefetch files may yield information about the executable(s) run
to support the installation.
o File
(file://) entries in the index.dat will also provide local and remote file access.
· A
memory capture of an infected host may yield more information about the malware. Of
course, it’s difficult to trigger a memory capture as soon as malware is installed on
a host, however there is valuable data in the memory of an infected host.
c. Remediation/Prevention
Steps
· By
this
point in time, the malware has successfully been executed on a host and
has successfully “passed through” the intended exploit. HIDS/HIPS
may be useful in prevention/detection, allowing the malware to get as
far as attempting to install on the disk or make registry changes before
it’s blocked.
· If
the malware is known, anti-virus software
may succeed in stopping the infection at this
point. It’s also possible that the malware went undetected up to this
point, but a dropped executable or DLL file triggered a Quarantine.
· Application
whitelisting may also be useful at this level, preventing untrusted executables from running.
6) Command
and Control (C2)
a. Step
Overview:
Perhaps the sign that many DFIR analysts are familiar with, Step 6
focuses on the beaconing of a compromised host to a C2 server. Once
Steps 1-5 have been executed,
the host is now likely compromised, and relays back to its C2
infrastructure for next steps.
b. DFIR
Artifacts
· Artifacts
from
Step 5 are still going to be useful in this stage, especially if a host
is actively beaconing the source of that beaconing has yet to be
identified. Finding what is causing
the beaconing should be a top priority.
· If
identified,
the source of the beaconing should be captured and analyzed. Malware
may have multiple C2 servers embedded and MD5 hash values may allude to
other intel.
c. Remediation/Prevention
Steps
· As
with other steps, NIDS/NIPS solutions
installed in an environment may be able to alert
and detect or prevent against suspicious traffic. Other steps in the
kill chain may have been successful thus far, however NIDS/NIPS may
prevent C2 communications from reaching outbound.
· If
intel is gathered about C2 domains/IPs, firewall ACLs can be put into place to prevent
outbound or inbound communication.
7) Act
on Objectives
a. Step
Overview
The
final step of the cyber kill chain identifies that once an attacker has
gained a foothold into an organization, their true objectives come to
light. If an attacker compromised
the laptop of a CFO, and the original target was next quarter’s
financials, then this step represents the exfiltration of said data.
Another type of objective may have been to infiltrate an entry point,
and then move laterally throughout a network.
b. DFIR
Artifacts
· Step
7
is not a fun place to be in the cyber kill chain, however from a
forensic analyst’s point of view, it is sometimes the most fruitful. It
may also be the most common. A large majority of artifacts discussed in
previous steps can be useful at this step. Of
course, understanding the motives of the attackers will denote how
useful each one will be.
· If
the attacker was hoping to compromise an initial host and move throughout an environment, lateral movement artifacts will
be useful at this step. This may include:
o Remote
Desktop Protocol (RDP) history
o Windows
Event Logs to identify failed/successful logins, logon types (remote, local, etc.), and other events
o Windows
Registry Hives to check for new Windows user accounts, user activity. Shellbags may
also highlight lateral movement.
· If
the
attacker was seeking to exfiltrate data, then a forensic analyst will
want to look for evidence of files being removed from the system, or
creation of new compressed files.
o Newly-created,
and oddly named compressed files such as RARs or ZIPs may differ from user behavior and resemble attacker exfiltration.
o MFT
entries may show new compressed files created
o Prefetch
and/or LNK files may show compression tools being utilized
· An
analyst
will also want to again consult network logs available to detect
outbound information. Network device logs may allude to exfiltration
IPs/hosts, or even provide bytes out to determine how much data left the
environment.
c. Remediation/Prevention
Steps
· Again,
remediation/prevention
is going to depend on the attacker’s objectives. An unprotected system
in a poorly-maintained environment is going to leak data without
detection. That being said, maintaining proper network intrusion
prevention/detection, host-based
intrusion prevention/detection, anti-virus, and a responsive DFIR team
will be useful.
· More
specifically, to block outbound communications, firewall ACLs can again be utilized
to block communication.
· User
access controls and permissions can be useful in preventing damaging lateral movement.
Note that the preceding is, by no means,
an exhaustive list. To pretend that infosec is the same as it was five
minutes ago is a dream, and analysts should be prepared to be nimble.
There is no single “do it all” tool that offers “push button” forensics
and information security. But the right tools,
when combined in the right environment, and with the right people, can
go a long way in helping an organization keep its data where it should
be.
Further Information:
Posts
