Monday, October 31, 2016

The Cyber Kill Chain Has Killed Your Defensive Strategy

From the latest ActiveDefense report, which gets its own post later today. :)

So much writing from defensive strategists focuses on these sorts of abstraction levels and includes some version of this exact picture. This is because if you do not run operations or penetration testing teams, you need something to grasp onto to start modeling the kinds of problems you are having. This multi-stage approach seems to work, mentally, so you go with that.

Then you end up with "Breaking the cyber kill chain" and various other things.

Just to critique this one particular chart: What is "Malware Weaponization"? Also, is this chart deliminating types of access, or an attacker's progression through time. Because I may not create malware until I have done decent internal reconnaissance of a target network. In fact, I may never establish command and control at all. I may do these things in different orders, or skip a bunch of them, or have it all automated so it all is basically one step, or any number of things.

What I'm saying is this: Like in OverWatch, there is a meta-game. If you build your strategy statically, assuming attackers haven't built theirs specifically to defeat you, I'm not sure how you think you can succeed.

Or in practical terms: We are all building Crowdstrike/Mandiant/Cylance/Endgame agent spoofers right now, right? The meta-game in hacking is quite simply "What we choose to build next".

Policy people quiz: WHO IS THIS FAMOUS HACKER? :)

Doing signature checks on all traffic at ISS in RealSecure? Here's ADMMutate Polymorphic shellcode generation, and so on forever. (Learning the meta-game requires you to invest in learning the technology though. Staying up to speed on the meta-game of hacking is a huge factor in the burn-out that results in most people leaving the technical aspect of security for management. :( )

That "Active Defense" paper deserves a real analysis, and it will get one in the next post.


No comments:

Post a Comment