Battling APTs with the Kill Chain Method

Recently I had the privilege of presenting to a monthly meeting of the Raleigh, NC chapter of the ISSA. My presentation focused on educating the audience of security professionals on advanced persistent threats (APTs) and how they can use the kill chain method to battle them. I’d like to share some of the key points and highlights here in an effort to help readers better defend themselves against motivated attackers.

There are 3 main points about APTs that must be established before we dive into the kill chain method itself, namely:

1)    Unlike automated, technology-driven attacks of years past, APTs are driven by a combination of people, processes, and technology. APTs are therefore goal-oriented (financial, political, etc.), human-directed, coordinated, and dynamic. This largely explains the consistent success APTs have against their victims.

2)    In the past, security professionals have tried to combat threats with a heavy emphasis on technology-driven solutions: firewalls, AV/antimalware, IDS/IPS, etc. To combat modern APTs, security organizations need to focus not only on technology, but also on people and process. This includes analyzing all relevant data within its environmental and behavioral context, relying on rapid learning loops, leveraging threat intelligence and indicators of compromise, and working together in a coordinated and collaborative fashion.

3)    It is very effective to visualize attacks associated with APTs as multi-stage, 2-way transactions, just like placing an order through an online merchant. The attack, like the online transaction, is initiated by human activity, must travel through a chain or pipeline of interdependent steps, and results in the attacker/initiator receiving something back.

So now that we’ve established that, let’s define the kill chain. The basic idea is that the round trip transaction of the attack follows a certain pattern. An attacker generally has to complete each of these steps in order for the attack to be successful. Defenders can therefore understand the full scope of the attack by looking across the layers of the kill chain, and also more effectively defend and break off the attack with a more complete understanding of its pieces.

Imagine that an attacker looks for ways to get into your corporate website by looking for weaknesses in your environment. They search (sometimes called reconnaissance) and find a vulnerable extranet server that stores corporate documents in various forms, including PDF files. The attacker downloads a PDF file and, using a discovered vulnerability, embeds malware in it (of course ensuring that the malware is undetectable to most AVs). This step is often called weaponizing the attack. The attacker then uses his knowledge of the organization – gained by experimenting with emails to the company, professional affiliation or social engineering – to spear phish a few internal users with the infected document attached to an official-looking email. An employee who opens the infected attachment will unpack the malware, which then overwrites normal programs such as calc.exe and spawns innocuous-looking processes like svchost.exe. The “normal looking” processes establish communications with the attacker, who then controls the system, downloads additional tools to establish persistence (say, a rootkit), and explores the victim’s network from the inside. From there it’s a small leap to discover the target data (e.g. state secrets, financial data, or sensitive customer records) and exfiltrate it through encrypted channels.

APT Transaction


So what can you do about it and how can Splunk help? Splunk, when fed sufficient data from security and IT devices within the environment – firewalls, IDS/IPS, network devices, servers, proxies, antimalware tools, application logs, etc. – provides security professionals with the ability to hunt for APTs. You’ll notice that “hunt” is a very active word. Rigid, rules-based SIEM tools can’t provide the flexibility of Splunk for discovering evidence of a sophisticated attack, nor the ability to chase it through the various stages of the attack transaction.

To continue with our example above, imagine that you use Splunk (via proxy logs and threat lists) to discover that one of your systems had encrypted communications to an IP address that was later discovered to be part of a command and control network. You could then look at endpoint security tools to see what processes made those connections, and which processes spawned or created those processes. By following it back to the original infected PDF, you could trace it through your mail server logs to discover the source of the phishing messages. You could also see who downloaded that PDF from your website by analyzing web server logs, and so understand the reconnaissance that initiated the attack. You will then have discovered quite a bit of information about the attacker, and be well equipped to stop this particular attack and future attacks.
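The backward pivot described above, as an added example that is not code from the original post or from Splunk: a small Python model of the same hunt over constructed log records, walking from the threat-list hit in the proxy log back through the endpoint process tree, the mail log and the web server log. The field names, hosts, addresses and hashes are all constructed assumptions for illustration.

```python
# Added example, not code from the original post. Every host, IP address,
# mail address and hash below is a constructed sample value (documentation
# ranges), not a real indicator of compromise.
THREAT_LIST = {"203.0.113.7"}  # constructed C2 address taken from a threat feed
LURE_HASH = "sha256:constructed-0001"  # constructed hash of the weaponized PDF

PROXY_LOG = [  # proxy records: client host, destination, encrypted session or not
    {"host": "wks-017", "dest_ip": "198.51.100.20", "tls": True},
    {"host": "wks-017", "dest_ip": "203.0.113.7", "tls": True},
]
ENDPOINT_LOG = [  # process events: pid, parent pid, image, outbound destination, opened file
    {"host": "wks-017", "pid": 400, "ppid": 1, "image": "explorer.exe", "dest": None},
    {"host": "wks-017", "pid": 412, "ppid": 400, "image": "acrobat.exe", "dest": None, "file": "report.pdf", "file_hash": LURE_HASH},
    {"host": "wks-017", "pid": 433, "ppid": 412, "image": "svchost.exe", "dest": "203.0.113.7"},
]
MAIL_LOG = [  # mail records: sender, recipient, attachment name and hash
    {"from": "hr@corp.example", "to": "bob@corp.example", "attachment": "report.pdf", "hash": "sha256:constructed-clean"},
    {"from": "hr@corp-example.test", "to": "bob@corp.example", "attachment": "report.pdf", "hash": LURE_HASH},
]
WEB_LOG = [  # extranet web server records: client IP and requested path
    {"client": "203.0.113.50", "path": "/docs/report.pdf"},
    {"client": "192.0.2.9", "path": "/index.html"},
]

def c2_hits(proxy, threat_ips):
    """Stage 1: encrypted sessions whose destination is on the threat list."""
    return [r for r in proxy if r["tls"] and r["dest_ip"] in threat_ips]

def process_chain(endpoint, host, dest_ip):
    """Stage 2: start at the process that made the connection and walk up its parents."""
    by_pid = {e["pid"]: e for e in endpoint if e["host"] == host}
    cur = next((e for e in by_pid.values() if e["dest"] == dest_ip), None)
    chain = []
    while cur is not None:
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])  # parent outside the log (pid 1) ends the walk
    return chain

def hunt(proxy=PROXY_LOG, endpoint=ENDPOINT_LOG, mail=MAIL_LOG, web=WEB_LOG):
    """Run the pivot end to end for the first C2 hit; returns None when nothing matched."""
    hits = c2_hits(proxy, THREAT_LIST)
    if not hits:
        return None
    hit = hits[0]
    chain = process_chain(endpoint, hit["host"], hit["dest_ip"])
    lure = next((p for p in chain if "file_hash" in p), None)  # Stage 3: the document that was opened
    senders = sorted({m["from"] for m in mail if lure and m["hash"] == lure["file_hash"]})  # Stage 4: matched by hash, not name
    recon = sorted({w["client"] for w in web if lure and w["path"].endswith(lure["file"])})  # Stage 5: who fetched the original
    return {"host": hit["host"], "c2": hit["dest_ip"], "chain": [p["image"] for p in chain],
            "lure": lure["file"] if lure else None, "senders": senders, "recon": recon}
```

Matching the mail log on the attachment hash rather than the file name is what separates the spear-phishing message from the legitimate copy of the same document.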

While this just scratches the surface of how security professionals can use Splunk to hunt and destroy APTs up and down the kill chain, I hope it begins to open your mind to the possibilities. Happy hunting!

Posted by Andrew Dauria