Websense’s ‘kill chain’ model outlines seven stages of an attack to help organizations protect themselves
Hackers and cybercriminals are becoming savvier, with the bulk of their attacks now aimed at specific targets, according to a new report from security solutions provider Websense Inc.
Instead of launching Hail Mary-esque attacks and trying to snare people with pleas for help from Nigerian princes, many attackers are now reacting to organizations’ defenses and finding ways around them by using exploit kits or command and control servers.
Using Websense’s Threat Intelligence Cloud, researchers found about 85 per cent of malicious links in web or email attacks actually came from legitimate websites that had been compromised.
Hackers are also gearing their attacks towards specific populations by geographic region or political boundary, or going after people in specific groups or with particular business functions. And sometimes, they target just one person, going after him or her for that individual’s strategic value. All of this says hackers are becoming wiser about who they attack.
For this year’s report, Websense came up with a threat model called “the kill chain,” which outlines seven stages of an attack: recon, lure, redirect, exploit kit, dropper file, call home, and ultimately, data theft.
The goal of the model is to help organizations understand they can defend themselves at every stage.
The key is to tap into the psychology of a cybercriminal, says Charles Renert, vice-president of research and technology.
“The most important aspect of defeating threats is understanding how they are made, how they are achieving the attacker’s end, and therefore how to stop them based on those motivations,” says Renert, who co-authored the report.
“The kill chain views, from start to finish, not just the techniques that are used, but why they are used. And it is that understanding that future-proofs an organization against the next attack.”
For example, the first stage of the kill chain is recon, where hackers look for “lures” and try to infiltrate an organization’s network to get data, the whole campaign essentially serving as a reconnaissance exercise. One common way to trap victims is to send a phishing lure over social media. Later, hackers may stage further campaigns to gather more personal or corporate data.
To stop an attack at this first stage, organizations need to ensure their employees are educated and are aware that hackers may be targeting them.
“The secret to fighting the later, more dangerous stages of the attack model is to catch the early warning signs that recon can reveal at the apparatus level. Paying attention to all security events and performing due diligence can expose the true intent of even the most seemingly basic events,” the researchers wrote in their report.
“Recognizing that attackers will achieve some level of success at every stage, aggressively monitoring such early-stage activity can help you determine whether a multi-stage attack might be forming.”
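What “aggressively monitoring early-stage activity” to spot a forming multi-stage attack can look like in code, as an added example that is not part of the Websense report: individual sensor events are mapped to the seven kill-chain stages, outbound requests that recur on a regular schedule are treated as the “call home” stage, and a host is flagged only when several stages line up in order. The sensor types, event fields, thresholds and hostnames are all assumptions, and the log events are constructed.

```python
"""Kill-chain stage correlator over constructed log events (added example).

Maps single events to the seven stages named in the report and flags a host
only when several stages appear in chain order. Sensor shapes, thresholds and
hostnames are assumptions, not anything from the report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

STAGES = ["recon", "lure", "redirect", "exploit kit",
          "dropper file", "call home", "data theft"]

# Payload types exploit kits commonly served through the browser (assumption).
EXPLOIT_PAYLOAD_TYPES = {"application/java-archive",
                         "application/x-shockwave-flash", "application/pdf"}

# Constructed sample events: (timestamp, host, sensor, fields). One host walks
# the whole chain; the other only follows an ordinary HTTP redirect.
EVENTS = [
    ("2014-03-03T09:00:00", "ws-17", "mail",
     {"action": "link_clicked", "sender_domain": "social-notify.example"}),
    ("2014-03-03T09:00:04", "ws-17", "proxy",
     {"dest": "social-notify.example", "status": 302, "method": "GET", "bytes_out": 410}),
    ("2014-03-03T09:00:06", "ws-17", "proxy",
     {"dest": "cdn-landing.example", "status": 200, "method": "GET",
      "bytes_out": 520, "content_type": "application/java-archive"}),
    ("2014-03-03T09:00:20", "ws-17", "edr",
     {"action": "file_written", "parent": "java.exe",
      "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"}),
    ("2014-03-03T09:15:00", "ws-17", "proxy",
     {"dest": "c2-relay.example", "status": 200, "method": "GET", "bytes_out": 96}),
    ("2014-03-03T09:20:00", "ws-17", "proxy",
     {"dest": "c2-relay.example", "status": 200, "method": "GET", "bytes_out": 98}),
    ("2014-03-03T09:25:00", "ws-17", "proxy",
     {"dest": "c2-relay.example", "status": 200, "method": "GET", "bytes_out": 96}),
    ("2014-03-03T09:30:00", "ws-17", "proxy",
     {"dest": "c2-relay.example", "status": 200, "method": "GET", "bytes_out": 97}),
    ("2014-03-03T09:31:00", "ws-17", "proxy",
     {"dest": "drop.example", "status": 200, "method": "POST", "bytes_out": 52_000_000}),
    ("2014-03-03T10:00:00", "ws-02", "proxy",
     {"dest": "news.example", "status": 302, "method": "GET", "bytes_out": 300}),
    ("2014-03-03T10:00:01", "ws-02", "proxy",
     {"dest": "news.example", "status": 200, "method": "GET",
      "bytes_out": 310, "content_type": "text/html"}),
]


def classify(sensor, f):
    """Map one event to a kill-chain stage, or None when it looks routine.
    Recon is not scored here: these constructed sensors do not observe it."""
    if sensor == "mail" and f.get("action") == "link_clicked":
        return "lure"
    if sensor == "proxy":
        if f.get("method") == "POST" and f.get("bytes_out", 0) >= 10_000_000:
            return "data theft"          # large outbound upload (threshold assumed)
        if f.get("status") in (301, 302):
            return "redirect"            # common on its own; only matters in sequence
        if f.get("content_type") in EXPLOIT_PAYLOAD_TYPES:
            return "exploit kit"
    if (sensor == "edr" and f.get("action") == "file_written"
            and f.get("image", "").lower().endswith(".exe")
            and f.get("parent") in ("java.exe", "iexplore.exe", "firefox.exe")):
        return "dropper file"            # browser/plugin process wrote an executable
    return None


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Return the (host, dest) pairs whose proxy hits recur at near-regular
    intervals: the 'call home' pattern that no single request reveals."""
    hits = defaultdict(list)
    for ts, host, sensor, f in events:
        if sensor == "proxy":
            hits[(host, f["dest"])].append(datetime.fromisoformat(ts))
    beacons = set()
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and max(abs(g - avg) for g in gaps) <= max_jitter * avg:
            beacons.add(key)
    return beacons


def correlate(events, min_stages=3):
    """Per host: stages in first-seen order, whether they follow chain order,
    and whether the host should be flagged as a forming multi-stage attack."""
    beacons = find_beacons(events)
    first_seen = defaultdict(dict)            # host -> {stage: first timestamp}
    for ts, host, sensor, f in sorted(events, key=lambda e: e[0]):
        stage = classify(sensor, f)
        if stage is None and sensor == "proxy" and (host, f["dest"]) in beacons:
            stage = "call home"
        if stage is not None:
            first_seen[host].setdefault(stage, ts)
    report = {}
    for host, stages in first_seen.items():
        ordered = sorted(stages, key=stages.get)
        ranks = [STAGES.index(s) for s in ordered]
        in_order = ranks == sorted(ranks)
        report[host] = {"stages": ordered, "in_chain_order": in_order,
                        "flagged": in_order and len(ordered) >= min_stages}
    return report


if __name__ == "__main__":
    for host, r in correlate(EVENTS).items():
        print(host, "FLAGGED" if r["flagged"] else "ok", " -> ".join(r["stages"]))
```

The design point is the one the report makes: a lone redirect or a single small outbound request is unremarkable (ws-02 stays unflagged), but the same low-level events on ws-17 become an alert once they form a sequence that follows the chain, and the beacon check adds the outbound view that inbound-only scanning would miss.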
However, there are still stages where attackers are very hard to block – for example, the fourth stage focuses on exploit kits. Once users click on links to compromised websites, hackers use exploit kits like Black Hole, Magnitude, or Neutrino to scan users’ systems for known and zero-day vulnerabilities. Once they find one, hackers can install malware, like key-logging software, making it easier for them to pick up even more valuable data.
There’s also stage five, “dropper file,” where cybercriminals install command and control software to bypass the traditional defenses created by security solutions providers. For example, they might evade defenses by building in time delays, so scanners don’t notice them until later, when they’ve already exhibited malicious behaviour. Or they might check for human interaction or for clues that they are running in a virtual environment, giving them more information about whether they’ve actually managed to get into an organization’s network.
Traditional security solutions providers also don’t monitor enough of organizations’ outbound communications over Secure Sockets Layer (SSL), Renert says. Instead, most of them only scan inbound communications – which isn’t enough given today’s advanced persistent threats (APTs).
“Security is always a move and response phenomenon. When attackers try a technique, the security industry responds with a way to defeat it, which then promotes a new technique from the attackers,” Renert says. For example, he adds, the security industry used to focus on signature-based approaches to stop attackers.
While that might have worked at one point, nowadays, it’s not enough to prevent APTs, he says. In fact, more than 90 per cent of the attacks Websense has detected are using other methods besides signature-based approaches.
It’s not easy to defend against hackers in the fifth and sixth stages of the kill chain, but organizations need to try to intercept them every chance they get, Renert says.
“At any point along the progression of an attack, it’s a moment to protect,” he says. “You need protection across all of the stages.”