Introduction

In Part 1 we looked at cyber attack models and discussed some of the pros and cons of different variants.  This time we’ll walk through a fictitious attack as it traverses the middle phases that most attack models have in common: Delivery, Exploitation, Installation, and Command & Control (C2 or CnC).  Along the way, we’ll look at ways your network architecture can help make life more difficult for attackers, what types of monitoring controls you might wish to consider for these phases, and finally examine some indicators that you may not have considered. Before we begin, let’s discuss two subjects: indicators and how network architecture can aid in cyber defense.

(more…)

Cyber Attack Models: What are they?

Attack models describe the structure of an attack in phases.   They provide a means to conceptualize the different aspects of an attack.  However, it is important to understand that not all attacks must complete all phases to be successful.  In fact, many attacks iterate recursively through the phases of an attack model.  Kill Chain is a military term used to describe the structure (or phases) of an attack.  In a military context, the process is described as find, fix, track, target, engage, assess (F2T2EA): find adversary targets suitable for engagement; fix their location; track and observe; target with suitable weapon or asset to create desired effects; engage adversary; assess effects.  Scientists at Lockheed Martin used this concept to develop the Cyber Kill Chain.   It was described in a paper presented in 2011 at the 6th Annual International Conference on Information Warfare and Security (Intelligence-Driven Computer Network Defense…).  Some people love it — others, not so much.  Regardless, it has become an almost standard framework which others have altered or extended in different ways.  Let’s do a high-level fly-over, examine some of the criticisms, and then take a look at a couple of variants! (more…)

When organizations consider outsourcing applications or processes to cloud providers, there are many areas to evaluate carefully. Security is always at, or near, the top of the list.  Of the many facets of security to evaluate when selecting cloud providers, asking for disclosure of relationships to other cloud providers or third parties of interest is one not to forget.  Let’s examine a simple scenario where this could impact your ability to meet compliance and/or regulatory requirements. (more…)

The time has arrived!  Malware Monday, as some have labeled it.  The FBI has shut off the DNS servers it maintained to allow those infected with the malware to continue to operate and to provide additional time for cleanup.  The malware re-directed web site requests to sites where its authors could make money off of advertising — so-called “click hijacking.”  And make money they did — supposedly about $14 million USD. (more…)

With millions of passwords stolen from LinkedIn, eHarmony and Lastfm.com in the past few weeks, it is a good idea to re-think your password strategy.  It should certainly make it clear that re-using one or even several passwords across many web sites can be dangerous.  But creating and remembering individual passwords for the ever-growing collection of web sites that comprise our digital lives can be daunting.  What should you do? (more…)

Networks, like the enterprises they support, evolve over time.  It is extremely rare that one has the opportunity to re-evaluate the underlying assumptions behind a logical network design and the IP address schema and, with the advantage of hindsight, make course corrections that can provide flexibility and accommodate the security controls needed now and into the future.  Such an opportunity may only come along once a decade or more.  Most corporate enterprises did not connect to the Internet until the late 1990s or early 2000s, and their experience with TCP/IP was limited, but many are still living with the choices made long ago.  If you could re-design your enterprise network IP address space today, what would you change?  The example that follows provides one such way for a large private network.  Of course, you have to have a driver for undertaking such a project, and the creation of security zones is a good one! (more…)

Establishing isolated security zones within an enterprise network is an effective strategy for reducing many types of risk, and this is especially obvious when one considers how permeable networks are today.  The old perimeter defense model is no longer sufficient.  Some would argue it is no longer necessary — that de-perimeterization is inevitable, we should prepare for a future of blended networks without clear boundaries and security should be moved inward.  Ultimately, all security is about protecting a valuable asset – data – but that protection involves a defense-in-depth strategy that includes all layers. (more…)
