System State Intelligence and the Intrusion Kill Chain

Dwayne Melancon, Chief Technical Officer, Tripwire

Synopsis: In kill chain analysis, an attacker has to progress through stages before they achieve their objective, and it takes just one successful mitigation effort to thwart the attacker. SSI can increase the timeliness and accuracy of security incident detection efforts and increase the overall effectiveness of all network security tools.

The time has come to examine how System State Intelligence (SSI) relates to the “kill chain” – also known as the “intrusion kill chain,” or the “cyber kill chain”. Why? Because in most enterprises there is a bias toward the network-centric and event-centric elements of intrusion detection, and there needs to be better integration of the state-centric security elements in order to ultimately improve security effectiveness.

What is the Intrusion Kill Chain?
The kill chain concept is based on work conducted by Lockheed Martin’s Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, Ph.D which is detailed in a paper titled, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.” In a nutshell, the intrusion kill chain is a model that describes the order of events during an attack, and provides a method to segment, analyze, and mitigate the offensive.

The Lockheed paper defines a kill chain as “the structure of the intrusion, and the corresponding model [which] guides analysis to inform actionable security intelligence.” In other words, rather than trying to look at network security events in isolation as a separate population of data, they should be integrated by grouping them according to the attack vectors.

The intrusion kill chain can be thought of as “supply chain management” for cyber attacks, and the end game is to produce an objective model for dealing with attacks as early in the process chain as possible by aligning responses to the stage and severity level of an attack.

A core assumption in any kill chain analysis is that an attacker has to progress through each stage of the chain before they achieve their objective, and it takes just one successful mitigation effort to disrupt this progress and thwart the attacker.

System State Intelligence (SSI)
System State Intelligence (SSI) is an approach to security that is designed to identify the leading indicators of any security compromise, to reduce the number of false positives, and in the end increase the accuracy of network incident detection.

Effective SSI requires the presence of several key capabilities.First of all, it must provide full awareness of the state of your network systems, including how they are configured and whether that configuration corresponds to policies. This level of awareness anchors system states to a recognizable baseline –a “known and trusted state.”

Secondly, SSI must include continuous monitoring of those systems for any changes or deviations from the baseline or the configuration policies, and must use this awareness to detect any unwarranted events in order to foster security-based context and prioritizations. SSI lets you continuously know what the state of your systems was, what it should be, and how it’s changing in real time.

How Does System State Intelligence Strengthen the Intrusion Kill Chain?

SSI contributes to the intrusion kill chain in most of the phases of an attack. The following table provides some examples:

This is not a comprehensive list, but should provide some food for thought about how SSI is involved in the intrusion kill chain.

SSI Can Improve the Effectiveness of Other Security Tools and Processes

In addition to the examples in the table above, SSI can also increase the timeliness and accuracy of security incident detection efforts, as well as increase the overall effectiveness of other network security tools. For example, it can reduce false positives because suspicious changes to the system state are really good initial indications of attack, and SSI alerts are typically free of false positives.

SSI can also find evidence of a compromise faster, because once SSI has identified a suspicious change to a group of systems that knowledge enables a more targeted investigation to ensue.

If you typically perform full-packet captures of data on your network, you end up with an overwhelming amount of data, which can be an obstacle when you are conducting an incident investigation. With SSI, you can begin the investigation by looking for something specific, such as the traffic that interacted with specific (compromised) systems at a certain time and which are associated with specific user accounts.

The Bottom Line
In short, using SSI to determine your starting points enables a more efficient, focused investigation, which enhances the value of your full-packet capture systems and increases the effectiveness of your Security staff. We are just barely scratching the surface here, but hopefully you can see that System State Intelligence is a core capability that will serve to strengthen your intrusion kill chain.

Tripwire is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk