Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites.
Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. For avoidance of any doubts and to make it easier, you may consider any links to external websites as sponsored links. Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

System State Intelligence and the Intrusion Kill Chain

Dwayne Melancon, Chief Technical Officer, Tripwire

Dwayne-MelanconSynopsis: In kill chain analysis, an attacker has to progress through stages before they achieve their objective, and it takes just one successful mitigation effort to thwart the attacker. SSI can increase the timeliness and accuracy of security incident detection efforts and increase the overall effectiveness of all network security tools.

The time has come to examine how System State Intelligence (SSI) relates to the “kill chain” – also known as the “intrusion kill chain,” or the “cyber kill chain”. Why? Because in most enterprises there is a bias toward the network-centric and event-centric elements of intrusion detection, and there needs to be better integration of the state-centric security elements in order to ultimately improve security effectiveness.

What is the Intrusion Kill Chain?
The kill chain concept is based on work conducted by Lockheed Martin’s Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, Ph.D which is detailed in a paper titled, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.” In a nutshell, the intrusion kill chain is a model that describes the order of events during an attack, and provides a method to segment, analyze, and mitigate the offensive.

The Lockheed paper defines a kill chain as “the structure of the intrusion, and the corresponding model [which] guides analysis to inform actionable security intelligence.” In other words, rather than trying to look at network security events in isolation as a separate population of data, they should be integrated by grouping them according to the attack vectors.

The intrusion kill chain can be thought of as “supply chain management” for cyber attacks, and the end game is to produce an objective model for dealing with attacks as early in the process chain as possible by aligning responses to the stage and severity level of an attack.

A core assumption in any kill chain analysis is that an attacker has to progress through each stage of the chain before they achieve their objective, and it takes just one successful mitigation effort to disrupt this progress and thwart the attacker.

System State Intelligence (SSI)
System State Intelligence (SSI) is an approach to security that is designed to identify the leading indicators of any security compromise, to reduce the number of false positives, and in the end increase the accuracy of network incident detection.

Effective SSI requires the presence of several key capabilities.First of all, it must provide full awareness of the state of your network systems, including how they are configured and whether that configuration corresponds to policies. This level of awareness anchors system states to a recognizable baseline –a “known and trusted state.”

Secondly, SSI must include continuous monitoring of those systems for any changes or deviations from the baseline or the configuration policies, and must use this awareness to detect any unwarranted events in order to foster security-based context and prioritizations. SSI lets you continuously know what the state of your systems was, what it should be, and how it’s changing in real time.

How Does System State Intelligence Strengthen the Intrusion Kill Chain?

SSI contributes to the intrusion kill chain in most of the phases of an attack. The following table provides some examples:

This is not a comprehensive list, but should provide some food for thought about how SSI is involved in the intrusion kill chain.

SSI Can Improve the Effectiveness of Other Security Tools and Processes

In addition to the examples in the table above, SSI can also increase the timeliness and accuracy of security incident detection efforts, as well as increase the overall effectiveness of other network security tools. For example, it can reduce false positives because suspicious changes to the system state are really good initial indications of attack, and SSI alerts are typically free of false positives.

SSI can also find evidence of a compromise faster, because once SSI has identified a suspicious change to a group of systems that knowledge enables a more targeted investigation to ensue.

If you typically perform full-packet captures of data on your network, you end up with an overwhelming amount of data, which can be an obstacle when you are conducting an incident investigation. With SSI, you can begin the investigation by looking for something specific, such as the traffic that interacted with specific (compromised) systems at a certain time and which are associated with specific user accounts.

The Bottom Line
In short, using SSI to determine your starting points enables a more efficient, focused investigation, which enhances the value of your full-packet capture systems and increases the effectiveness of your Security staff. We are just barely scratching the surface here, but hopefully you can see that System State Intelligence is a core capability that will serve to strengthen your intrusion kill chain.

Tripwire is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk