Breaking Kill Chains A “How To” Guide for SecurityCenter
Breaking Kill Chains
The “cyber kill chain®” framework was originally created by Lockheed Martin to describe how information systems are exploited
o Based on the military concept of a “kill chain,” the model details each step of an attacker’s operation: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and ultimately actions on objectives
o If a link in the chain can be eliminated, the path is destroyed

Identifying Weakest Links
To simplify the work of isolating and stopping kill chains, an organization must first track metrics that identify the most vulnerable points, the weakest links, in its chains
o Armed with this data, the organization can identify the weakest exploitable links and prioritize the critical vulnerabilities to be plugged, patched, and mitigated
o Breaking just one link in the chain kills the attack!

Identifying Weakest Links
As Ron Gula explains in his blog post, “Identifying the Weakest Links in Cyber Kill Chains®”, there are three metrics that are important to monitor to simplify breaking kill chains:
1. Identify exploitable Internet-facing systems
2. Identify systems that access the Internet with exploitable web clients (vulnerable or unsupported browsers, etc.)
3. Identify exploitable systems that have internal trusted connections to other systems on the network

Identifying Weakest Links
Tenable’s SecurityCenter Research Team has created three new dashboards, one per metric, to assist organizations in monitoring these three metrics:
1. Internet Facing Exploits
2. Breaking Kill Chains Clients
3. Exploiting Internal Trust
These new dashboards make use of assets; the purpose of this presentation is to describe how to set up these assets and dashboards

Adding an Asset
To add an asset from the SecurityCenter app store feed, within SecurityCenter select Support > Assets
o Click the “Add” button
o Select the desired asset and click “Add It Now”; repeat to add more assets
o Click the “Finished” button

Add Assets
Add the following dynamic assets:
o Internet Facing Assets
o Internet Browsing Systems
o Exploitable (Generic)
Add the following Device Behavior dynamic assets:
o Hosts with Internal Connections FROM Other Hosts
o Hosts with Internal Connections TO Other Hosts
o Social Network Activity
o YouTube Access

Add Assets
Add the following Client Applications dynamic assets:
o Client FTP
o Client HTTP
o Client IMAP
o Client IRC
o Client P2P
o Chrome Web Browsers
o Firefox Web Browsers
o Internet Explorer
o Opera Web Browsers
o Safari Web Browsers
o Skype

Combination Assets
Combination assets (assets of assets) are used to locate systems that belong to both one group AND another group, or that belong to one group OR another group
o For example, the “Internet Browsing Systems” asset could be combined (AND) with the “Hosts with Internal Connections TO Other Hosts” asset to find systems that both browse the Internet and also connect to other internal hosts
o Combination assets are evaluated from their member assets, so new vulnerabilities or network changes are reflected as soon as the underlying scan and PVS data that feeds the member assets is updated

Create Combination Assets
To create a Combination Asset, within SecurityCenter select Support > Assets
o Click the “Add” button
o Click “Create Custom Asset”
o Set Type to “Combination”
o Add existing assets combined using logical operators in Combination Parameters…

Create Combination Assets: Attacker Entry Points
Create the Attacker Entry Points combination asset:
o All systems that connect to the Internet, have exploitable vulnerabilities, and connect to other systems, i.e. Internet Browsing Systems AND Exploitable (Generic) AND Hosts with Internal Connections TO Other Hosts

Create Combination Assets: Exploitable Servers
Create the Exploitable Servers combination asset:
o All systems that have exploitable vulnerabilities and that other systems connect to, i.e. Exploitable (Generic) AND Hosts with Internal Connections FROM Other Hosts

Create Combination Assets: Breaking Kill Chains Clients
Create the Breaking Kill Chains Clients combination asset:
o All systems that have web client applications, i.e. the web browser assets added earlier (Chrome, Firefox, Internet Explorer, Opera, Safari) combined with OR

Consider DMZ Systems Assets
Consider also creating static asset(s) that enumerate those systems on the network known to interact with the Internet or to be Internet-facing, such as systems in the DMZ
o This enables identification of outward-facing systems even if PVS (the Passive Vulnerability Scanner) is not available to observe them
o Add these asset(s) to the created combination assets (combined with OR, so a host is in scope if either source lists it)

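The following is an added example, not part of the original slides and not Tenable code: an offline model of how the combination assets on the preceding slides resolve to host sets, and of how the three metrics from the “Identifying Weakest Links” slide fall out of them. The host addresses and asset memberships are constructed sample data; in SecurityCenter the dynamic assets are populated from Nessus and PVS results and combination assets are built in the UI. The AND/OR/NOT expression syntax is this example’s own, and the asset names are the ones the slides list.

```python
# Added example (not Tenable code, not the SecurityCenter API): an offline
# model of combination-asset logic. Hosts and memberships are constructed.

# host -> set of dynamic assets the host currently belongs to (constructed)
HOST_ASSETS = {
    "10.0.1.10": {"Internet Facing Assets", "Exploitable (Generic)",
                  "Hosts with Internal Connections FROM Other Hosts"},
    "10.0.2.21": {"Internet Browsing Systems", "Exploitable (Generic)",
                  "Firefox Web Browsers",
                  "Hosts with Internal Connections TO Other Hosts"},
    "10.0.2.22": {"Internet Browsing Systems", "Chrome Web Browsers",
                  "Hosts with Internal Connections TO Other Hosts"},
    "10.0.3.5":  {"Exploitable (Generic)",
                  "Hosts with Internal Connections FROM Other Hosts"},
    "10.0.3.6":  {"Hosts with Internal Connections FROM Other Hosts"},
    "10.0.9.99": {"Exploitable (Generic)"},  # exploitable, but talks to nobody
}

# Static asset from the "Consider DMZ Systems Assets" slide: a hand-maintained
# list of known Internet-facing hosts, for when PVS cannot observe them.
DMZ_SYSTEMS = frozenset({"10.0.1.10", "10.0.3.6"})


def members(asset_name):
    """Hosts currently in a dynamic asset. Re-evaluated on every call, which
    is what lets combination assets track scan and network changes."""
    return {host for host, assets in HOST_ASSETS.items() if asset_name in assets}


def resolve(expr):
    """Evaluate a combination-asset expression to a set of hosts.

    A leaf is a dynamic asset name (str) or a static asset (set of hosts).
    Nodes are tuples: ("and", a, b), ("or", a, b), ("not", a).
    "not" is taken relative to every host we know about.
    """
    if isinstance(expr, str):
        return members(expr)
    if isinstance(expr, (set, frozenset)):
        return set(expr)
    op, *args = expr
    if op == "and":
        return resolve(args[0]) & resolve(args[1])
    if op == "or":
        return resolve(args[0]) | resolve(args[1])
    if op == "not":
        return set(HOST_ASSETS) - resolve(args[0])
    raise ValueError(f"unknown operator {op!r}")


# The three combination assets the slides define, written as expressions.
ATTACKER_ENTRY_POINTS = (
    "and", "Internet Browsing Systems",
    ("and", "Exploitable (Generic)",
     "Hosts with Internal Connections TO Other Hosts"))

EXPLOITABLE_SERVERS = (
    "and", "Exploitable (Generic)",
    "Hosts with Internal Connections FROM Other Hosts")

BREAKING_KILL_CHAINS_CLIENTS = (
    "or", "Chrome Web Browsers",
    ("or", "Firefox Web Browsers",
     ("or", "Internet Explorer",
      ("or", "Opera Web Browsers", "Safari Web Browsers"))))

# Dynamic Internet-facing asset OR the static DMZ list (as the DMZ slide
# suggests), then restricted to exploitable hosts: the scope of metric 1.
INTERNET_FACING_EXPLOITABLE = (
    "and", ("or", "Internet Facing Assets", DMZ_SYSTEMS), "Exploitable (Generic)")


def weakest_links():
    """The three metrics from the slides, plus the exploitable hosts that sit
    in no observed chain (still worth patching, but a lower priority)."""
    in_a_chain = ("or", INTERNET_FACING_EXPLOITABLE,
                  ("or", ATTACKER_ENTRY_POINTS, EXPLOITABLE_SERVERS))
    return {
        "internet_facing_exploitable": sorted(resolve(INTERNET_FACING_EXPLOITABLE)),
        "attacker_entry_points": sorted(resolve(ATTACKER_ENTRY_POINTS)),
        "exploitable_servers": sorted(resolve(EXPLOITABLE_SERVERS)),
        "kill_chain_clients": sorted(resolve(BREAKING_KILL_CHAINS_CLIENTS)),
        "exploitable_not_in_chain": sorted(
            resolve(("and", "Exploitable (Generic)", ("not", in_a_chain)))),
    }


if __name__ == "__main__":
    for metric, hosts in weakest_links().items():
        print(f"{metric:28s} {', '.join(hosts) or '-'}")
```

With the constructed data, 10.0.2.21 is the only attacker entry point (10.0.2.22 browses and connects internally but has no exploitable finding), 10.0.1.10 and 10.0.3.5 are the exploitable servers, and 10.0.9.99 is exploitable but a link in no observed chain, which is exactly the prioritization the slides argue for: fix the hosts that break a chain first. Note that the OR with the static DMZ list is what makes 10.0.3.6 count as Internet-facing even though no dynamic asset placed it there.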
Internet Facing Exploits Dashboard
The Internet Facing Exploits dashboard is located in the SecurityCenter feed under Security Industry Trends
o Click “Add It Now”
o “Add It Now” will change to “Configure Now” for about 10 seconds before the dashboard is added
o Click “Configure Now”…

Internet Facing Exploits Dashboard
o …and select the asset Internet Facing Assets
o Click the “Save” button
o Click the “Finished” button to add the dashboard
o The asset will be added to all the dashboard components

Internet Facing Exploits Dashboard
Note that this dashboard uses a pre-defined dynamic asset, not a created combination asset
o Therefore, if using a static DMZ Systems asset as described earlier is desired, a combination asset combining “Internet Facing Assets” OR the DMZ Systems asset(s) will need to be created and applied to this dashboard

Internet Facing Exploits Dashboard
Note: By default, dashboard components update daily; to achieve more continuous monitoring, consider setting them to update every few hours or even hourly
o Edit each component by clicking the drop-down menu arrow on the top right of the component and selecting “Edit Component”
o Set the “Update Frequency”
o Click the “Submit” button to finish editing the component

Internet Facing Exploits Dashboard
o For matrix components, the update frequency is set in each column of the matrix
Note: If desired, the update frequency can be adjusted for the components in the following dashboards as well

Breaking Kill Chains Clients Dashboard
The Breaking Kill Chains Clients dashboard is located in the SecurityCenter feed under Security Industry Trends
o Click “Add It Now”
o “Add It Now” will change to “Configure Now” for about 10 seconds before the dashboard is added
o Click “Configure Now”…

Breaking Kill Chains Clients Dashboard
o …and select the asset Breaking Kill Chains Clients (the combination asset created earlier)
o Click the “Save” button
o Click the “Finished” button to add the dashboard
o The asset will be added to all the dashboard components

Exploiting Internal Trust Dashboard
The Exploiting Internal Trust dashboard is located in the SecurityCenter feed under Security Industry Trends
o Click “Add It Now”
Note: This dashboard uses two different assets, so it cannot be configured using “Configure Now” as done previously; each dashboard component will need to be configured individually

Exploiting Internal Trust Dashboard
The four dashboard components on the left require the Attacker Entry Points asset:
o Attacker Entry Points
o Attacker Entry Points with Most Connections to Other Hosts
o Top Remediations for Attacker Entry Points
o Attacker Entry Point Vulnerabilities by Asset Group
The four dashboard components on the right require the Exploitable Servers asset:
o Exploitable Servers
o Exploitable Servers with Most Connections from Other Hosts
o Top Remediations for Exploitable Servers
o Exploitable Server Vulnerabilities by Asset Group

Exploiting Internal Trust Dashboard
o Edit each component by clicking the drop-down menu arrow on the top right of the component and selecting “Edit Component”
o Click the “Edit Filters” button
o Under Target Filters, select the proper asset
o Click the “Apply Filters” button
o Click the “Submit” button to finish editing the component

Conclusion
Now that these assets and dashboards have been properly set up, they can be used to continuously monitor for the weakest links and to prioritize the critical vulnerabilities to be mitigated
o Breaking just one link in the chain kills the attack!

For Questions
Contact the Tenable Customer Support Portal