
NG-OPS Advanced Defense – Part 1: Identifying Defense Gaps & Improving Visibility


Today’s cyber security paradigm is a reactive cycle: when a threat is exposed, it is analyzed and a counter-solution is designed. The trouble is that attackers can easily reuse pieces of previous malware, modify them, and create a brand new threat, bypassing the newly updated security measures [1].

[Figure: NG-OPS Advanced Defense]

There are too many APT entry points in today’s virtual enterprise, too many individual endpoint security solutions triggering alerts, too much security threat intelligence to process in real-time. More importantly, there are too few trained personnel who can spot and respond to advanced threats. The pain points all cry out for a common holistic solution: NG-OPS Advanced Defense.

[Figure: APT Prevalent Dangerous]

The APT Conundrum and Challenges

Many organizations suffer from a lack of detection capability and precision, holistic situational awareness and behavioral anomaly detection, i.e., visibility. There is too broad an attack surface, gaps in defense and integration issues that together reduce the ability to detect, contain and respond to targeted attacks.

The typical challenges include the following:

  • Focus on prevention approach to address threat landscape
    • Fails to address increasing attack complexity and persistence with enough efficacy
  • Investments in protection model out of balance with today’s threat landscape
    • Technologies that don’t work together
  • Uncoordinated monitoring and compilation of security events & threats
    • Flood of unmanageable data = “Loss of visibility”
  • Organizations lack visibility into defense gaps, to enhance detection capability and precision
  • Organizations have not fully leveraged the kill chain life cycle approach
    • Reason why attackers are continuing to be so successful.
  • Common security architectures and compliance regimes are not prioritizing methods to address the kill chain

[Figure: Reallocate Security Spend – Re-allocate Budget to Advanced Security Capabilities]

The Changing Threat Environment

There is a growing need and urgency to evolve towards Advanced Security with a continually improving Detection, Containment and Response Capability. This is fundamentally due to cybercriminals doing their homework on organizations and waging a fierce, persistent campaign to find any possible way to get a foothold. Attackers have a fine-tuned malware development process that is increasing in efficiency.

  • Evolving Malware Development Process
    • Create Malicious Tool (x 1)
    • Obfuscate Malware, Create Permutations (x 10,000)
    • Test against Detection Engines (OK)
    • Deploy Un-Detected Samples
  • Availability of Malware Tools
    • Results in high degree of Attack Automation
    • From systematic identification of targets to fully automated exploitation
  • Leads to increase in opportunistic attacks
    • Attacker no longer needs expertise or special skills

[Figure: Malware Development – Malware Development Increases in Efficiency]

Detection is the Weakest Link

Common intrusion detection methods are lacking in their ability to detect multi-step blended and targeted attacks.

[Figure: Breach Detection Timespans]

The Signature of an APT

A targeted attack, also known as an advanced persistent threat (APT), is a targeted effort to obtain or change information by means that are difficult to discover, difficult to remove and difficult to attribute.

[Figure: APT Attack Kill Chain]

First – the bad guys get in. Always. It doesn’t matter if it’s social engineering, phishing, or some contractor that organizations didn’t watch closely enough. Sooner or later they find the weak spot and they exploit it – despite all of the best plans to keep them out. Target retail stores learned this the hard way. Who would have guessed that an HVAC system could be a point of weakness?

Case Study: The Target Attack Step-by-Step

In December 2013 Target announced that it had been breached by attackers who had gotten away with 70M customers’ Personally Identifiable Information (PII) and 40M credit cards. Financial damages currently stand at $148M and are estimated to reach $1B. A high-level summary of the steps taken, mapped to the kill chain, is:

[Figure: Target Kill Chain]

  • Install malware to steal credentials from Target’s HVAC vendor.
  • Connect using the stolen credentials, which enables access to Target’s application dedicated to vendors.
  • Exploit a web application vulnerability in Target’s web interface, which enables the attackers to execute code on the web application server.
  • Search for relevant targets for propagation by querying Active Directory over LDAP from the web application server.
  • Steal the access token of a previously connected Domain Admin from the memory of the application server.
  • Create a new Domain Admin account in AD using the stolen token.
  • Propagate to computers using the new Domain Admin credentials.
  • Steal 70M PII records. Credit cards are not found there; the data is extracted using SQL.
  • Steal 40M credit cards. The data is extracted by the Kaptoxa malware from the memory of the POS systems.
  • Send the stolen data to an FTP server in Target’s internal network.
  • Send the stolen data via FTP to an attacker-controlled FTP server.

Enabling Advanced Defense

Second – once they are in, organizations had better figure out how to spot them. Developing, tuning, optimizing and evolving situational awareness and behavioral analysis allows network anomalies to be used to detect the different stages of APTs using various indicators.

  • Factors associated with APT attacks include the following:
    • Sudden increases in network traffic, outbound transfers
    • Unusual patterns of activity, such as large transfers of data outside normal office hours or to unusual locations
    • Repeated queries to dynamic DNS names
    • Unusual searches of directories and files of interest to an attacker, e.g., searches of source code repositories
    • Unrecognized, large outbound files that have been compressed, encrypted or password-protected
    • Detection of communications to/from bogus IP addresses
    • External accesses that do not use local proxies or requests containing API calls
    • Unexplained changes in the configurations of platforms, routers or firewalls
    • Increased volume of IDS events/alerts
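Several of the factors above (sudden increases in outbound traffic, large transfers outside office hours, repeated contact with dynamic DNS names, and external access that bypasses the local proxy) can be checked mechanically once egress telemetry is available. The following script is an added example, not code from the original post: it runs those four checks over a handful of constructed egress log lines. The log format, host names, the `dyn-dns.example` suffix and every threshold are assumptions to be replaced with an organization’s own baseline.

```python
"""Flag APT network indicators over constructed egress log lines (added example)."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample egress records (no real hosts or domains).  Fields:
#   timestamp  src_host  destination  bytes_out  via_proxy(yes/no)
SAMPLE_LOG = """\
2014-01-14T09:00:00 srv-app-3 update.vendor.example 8192 yes
2014-01-14T10:02:11 ws-17 update.vendor.example 48211 yes
2014-01-14T10:05:40 ws-17 mail.example 12034 yes
2014-01-15T02:14:03 srv-app-3 host-23.dyn-dns.example 52428800 no
2014-01-15T02:16:20 srv-app-3 host-23.dyn-dns.example 31457280 no
2014-01-15T02:18:01 srv-app-3 host-23.dyn-dns.example 41943040 no
2014-01-15T09:30:00 ws-22 cdn.example 20480 yes
2014-01-15T11:12:44 ws-22 host-23.dyn-dns.example 1024 yes
"""

# Thresholds are assumptions; tune them against your own baseline.
OFFICE_HOURS = range(8, 19)                 # 08:00-18:59 local time
LARGE_TRANSFER_BYTES = 20 * 1024 * 1024     # 20 MiB in one connection
DYNDNS_SUFFIXES = ("dyn-dns.example",)      # placeholder dynamic-DNS suffix list
REPEAT_THRESHOLD = 3                        # connections to the same dynamic name
SPIKE_FACTOR = 10                           # daily egress vs the previous day


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    dst: str
    bytes_out: int
    via_proxy: bool


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes, proxy = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, dst, int(nbytes), proxy == "yes"))
    return events


def per_event_indicators(events):
    """Indicators visible from a single record: off-hours bulk transfer, proxy bypass."""
    alerts = []
    for e in events:
        if e.bytes_out >= LARGE_TRANSFER_BYTES and e.ts.hour not in OFFICE_HOURS:
            alerts.append(("large-transfer-off-hours", e.host,
                           f"{e.bytes_out} bytes to {e.dst} at {e.ts.isoformat()}"))
        if not e.via_proxy:
            alerts.append(("proxy-bypass", e.host, f"direct egress to {e.dst}"))
    return alerts


def repeated_dyndns(events):
    """Same host contacting the same dynamic-DNS name REPEAT_THRESHOLD times or more."""
    counts = Counter((e.host, e.dst) for e in events if e.dst.endswith(DYNDNS_SUFFIXES))
    return [("repeated-dyndns", host, f"{n} connections to {dst}")
            for (host, dst), n in counts.items() if n >= REPEAT_THRESHOLD]


def outbound_spikes(events):
    """Sudden increase: a host's daily egress jumps by SPIKE_FACTOR over the prior day."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        daily[e.host][e.ts.date()] += e.bytes_out
    alerts = []
    for host, days in daily.items():
        ordered = sorted(days)
        for prev, cur in zip(ordered, ordered[1:]):
            if days[prev] > 0 and days[cur] >= SPIKE_FACTOR * days[prev]:
                alerts.append(("outbound-spike", host,
                               f"{days[cur]} bytes on {cur} vs {days[prev]} on {prev}"))
    return alerts


def find_indicators(events):
    """All (rule, host, detail) alerts for the given events."""
    return per_event_indicators(events) + repeated_dyndns(events) + outbound_spikes(events)


if __name__ == "__main__":
    for rule, host, detail in find_indicators(parse_log(SAMPLE_LOG)):
        print(f"[{rule}] {host}: {detail}")
```

On the constructed sample every alert lands on the one server that moved tens of megabytes to a dynamic-DNS host at 02:00 without going through the proxy, while the workstation that touched the same name once during office hours stays quiet; the value is in the corroboration across rules, which is what a SOC analyst would escalate on, rather than in any single threshold.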

[Figure: Attacker Defender View – Proactive Defensive Measures to Address Unknown Threats]

Coming Soon

In NG-OPS Advanced Defense – Part 2 we will further develop the concept of developing and evolving an Advanced Defense security posture that identifies any gaps, improves detection capability and precision, enables proactive defensive measures to address unknown threats, and holistically integrates and operates continuous intelligence, detection and response.

NG-OPS Ecosystem

In order to help organizations reduce operational overhead the NG-OPS Strategy Series will also include the following blog articles (although topics will be added as the theme develops and evolves):

  • NG-OPS SOC Version 2.0: Build a Next Generation Security Operations Center to protect critical assets
  • NG-OPS Evolving a SOC Team: Building, Nurturing and Evolving Security Operations Staff
  • NG-OPS Operational Maturity: Migrating from Reactive to Dynamic Defense and Cyber Resilience
  • NG-OPS Automation & Orchestration: The Next Big Thing: Automation and Orchestration
  • NG-OPS Threat Modeling: Manage complex systems using a structured methodical framework
  • NG-OPS Risk Management 2.0: Shifting focus from technical assets to critical business processes
  • NG-OPS Smart Telemetry: Leveraging 3 levels of telemetry: End-point, Gateway and Infrastructure
  • NG-OPS Security DevOps: The critical convergence of security and IT operations with DevOps 

This new NG-OPS Strategy Guide builds upon and enhances the current APT Strategy Guide and Security Architecture Series Guide introducing a whole new set of topics into the framework.

Nige the Security Guy Bio


Nigel is a Chief Security Architect with 30 years of international experience in Security Operations, Management, Research, Development and Security Services. He started his career as an assembler programmer who was contracted by the US DoD to develop secure operating systems with multi-level security and preclude covert channels. Nigel is a passionate evangelist who loves working with organizations to share thought leadership and practical strategy to help defend against advanced targeted threats.


[1] Why cyber criminals are winning: The secret weapon of the black hats

[2] ISMG Advanced Persistent Threats Survey: New Strategies to Detect, Prevent, and Defend

Thanks for your interest!

Nige the Security Guy.



Defensible Security Posture – Part 1


The purveyors of Fear, Uncertainty and Doubt (FUD) assert that preventing today’s advanced threats is unrealistic and that internal compromise is inevitable, and that FUD factor is reinforced by more and more reports of malware and advanced attacks penetrating insufficient security controls. However, it’s not all doom and gloom. Although the experts concede that stopping 100% of attacks is a technical impossibility, there are ways for organizations to avoid becoming the next devastated victim.


Unfortunately ‘secure’ is still the target of many CISOs and company leadership. From painful experience, many security practitioners collectively know that ‘secure’ is a mythical goal that doesn’t actually exist. The leap in logic proposed by this blog is that we move to something that’s ‘defensible’.

The basic idea of a Defensible Security Posture is that you aren’t striving for an absolute, but rather for a position (or posture) that is able to be defended even when it’s infiltrated. The analogy that I like to use is the human immune system since security and advanced attacks are organic in nature and can come from various sources of infection. There are a few basic things we need to understand:

  1. Defensible does not mean secure
  2. There are more things to defend than there are resources to defend
  3. Sometimes your defenses can become your weakness
  4. Defensibility requires deep understanding of what critical assets you’re defending
  5. Defensibility focuses on what, why, how, when and from whom

Advanced Persistent Threats

The US National Institute of Standards and Technology (NIST) defines an APT as:

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.

Attacks from APTs are growing in scope, increasing in frequency and improving in effectiveness at establishing an insider base camp and covering tracks. Current strategies are not well-suited to mitigating prolonged and determined attackers leveraging a growing collection of stealthy techniques. The traditional perimeter and prevention response to threats is no longer realistic. Organizational resources need to shift the focus instead onto Detection, Containment, Eradication and Recovery.


There is no silver bullet or single solution. Most organizations continue to focus on defending against zero-day exploits by relying on commercial security products to block bad sites and software and by patching systems to correct vulnerabilities in installed software. While these approaches are effective against some threats, they fail to stop the advanced attacks and provide no knowledge of what an adversary does once the network is penetrated.

APT attackers continually demonstrate their capability to compromise systems by using social engineering techniques, customized malware, and zero-day exploits that intrusion detection, anti-virus and patching cannot always detect or mitigate. Responses to APT intrusions require an evolution in analysis, process, visibility and technology. This blog describes an intelligence-driven, threat-focused approach.

Intelligence-driven Network Defense

Organizations may use a number of active techniques to detect attacks that can circumvent passive defenses. One approach uses honeypots to attract adversaries and look for patterns of behavior. Organizations may employ a number of active defense techniques within their own enterprises to detect and track adversaries as they explore networks. If a honeypot is set up with a number of different types of documents, organizations can watch to see which documents the adversary chooses to try to exfiltrate.
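The decoy-document idea above turns a file share into a sensor: seed documents of several kinds, then record which ones get touched, by whom and when. The following is an added example, not code from the original post, showing how that telemetry can be reduced to a ranked picture of adversary interest from file-access audit records. The decoy paths, the `svc-backup` maintenance account and the audit lines are all constructed; the one edge case it handles is that a legitimate job which reads every file (backup, indexing) must be excluded, or every decoy fires nightly.

```python
"""Rank adversary interest in decoy documents from audit records (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Decoy documents seeded on a file share, keyed to the kind of data they
# pretend to hold.  Paths are constructed for this example.
DECOYS = {
    "/share/finance/2014-budget-draft.xlsx": "finance",
    "/share/eng/src/payment-gateway/README.md": "source code",
    "/share/hr/salary-review.docx": "HR",
    "/share/it/vpn-credentials.txt": "credentials",
}

# Principals allowed to touch decoys without alerting, e.g. the backup job
# that reads everything nightly.  Constructed account name.
MAINTENANCE_ACCOUNTS = {"svc-backup"}

# Constructed audit records.  Fields: timestamp user host action path
SAMPLE_AUDIT = """\
2014-01-14T23:00:01 svc-backup fs-01 READ /share/finance/2014-budget-draft.xlsx
2014-01-14T23:00:02 svc-backup fs-01 READ /share/it/vpn-credentials.txt
2014-01-15T02:20:15 jsmith srv-app-3 LIST /share/eng/src/payment-gateway
2014-01-15T02:20:40 jsmith srv-app-3 READ /share/eng/src/payment-gateway/README.md
2014-01-15T02:21:05 jsmith srv-app-3 READ /share/it/vpn-credentials.txt
2014-01-15T02:25:30 jsmith srv-app-3 READ /share/it/vpn-credentials.txt
2014-01-15T10:15:00 amiller ws-22 READ /share/finance/2014-budget-draft.xlsx
"""


@dataclass
class DecoyHit:
    path: str
    category: str
    count: int = 0
    first_seen: datetime | None = None
    accessors: set = field(default_factory=set)   # "user@host" principals


def parse_audit(text: str):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, host, action, path = line.split()
            records.append((datetime.fromisoformat(ts), user, host, action, path))
    return records


def decoy_hits(records, decoys=DECOYS, ignore=MAINTENANCE_ACCOUNTS):
    """Every access to a decoy path by a non-maintenance principal, aggregated per decoy."""
    hits = {}
    for ts, user, host, action, path in records:
        if path not in decoys or user in ignore:
            continue
        hit = hits.setdefault(path, DecoyHit(path, decoys[path]))
        hit.count += 1
        hit.accessors.add(f"{user}@{host}")
        if hit.first_seen is None or ts < hit.first_seen:
            hit.first_seen = ts
    return hits


def ranked_interest(hits):
    """Decoy categories ordered by how often they were chosen: what the intruder is after."""
    by_category = defaultdict(int)
    for hit in hits.values():
        by_category[hit.category] += hit.count
    return sorted(by_category.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = decoy_hits(parse_audit(SAMPLE_AUDIT))
    for hit in sorted(hits.values(), key=lambda h: h.first_seen):
        print(f"{hit.first_seen.isoformat()} {hit.category:12s} {hit.path} "
              f"x{hit.count} by {', '.join(sorted(hit.accessors))}")
    print("interest ranking:", ranked_interest(hits))
```

Because nobody has a legitimate reason to open a decoy, a single hit is already high-signal; the aggregation adds the context the post asks for (which document types the adversary prefers, and which principal touched them first), which is what feeds the investigation into the compromised account.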

Intelligence-driven Network Defense is a risk management strategy that addresses the threat component of risk, incorporating analysis of adversaries, their capabilities, objectives, doctrine and limitations. This is necessarily a continuous process, leveraging indicators to discover new activity. It requires a new understanding of the intrusions themselves, not as singular events, but rather as phased progression.

The benefit of Intelligence-driven Network Defense is a more resilient security posture. After all, APT attackers are persistent and attempt intrusion after intrusion, adjusting their operations based on the success or failure of each attempt. Once a compromise is achieved then the APT attacker deploys backdoors for contingency and covers any tracks.

The Signature of an APT

In any Advanced Persistent Threat (APT) attack there is typically a pre-defined set of phases that acts as a signature, as follows:

[Figure: APT Evolution]

The importance is not that this is a linear flow – some phases may occur in parallel, and the order of earlier phases can be interchanged – but rather how far along an adversary has progressed in his or her attack, the corresponding damage, and investigation that must be performed.

[Figure: APT Attack Kill Chain]

  • Reconnaissance – Research, identification and selection of targets, often represented as crawling Internet websites such as social networks, organizational conferences and mailing lists for email addresses, social relationships, or information on specific technologies.
  • Weaponization – Coupling a remote access trojan with an exploit into a deliverable payload. Increasingly, application data files such as PDFs or Microsoft Office documents serve as the weaponized deliverable.
  • Delivery – Transmission of the weapon to the targeted environment via, for example, email attachments, websites, and USB removable media.
  • Exploitation – After payload delivery to victim host, exploitation triggers intruders’ code. Exploitation targets an application or operating system vulnerability or leverages an operating system feature that auto-executes code.
  • Installation – Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
  • Command and Control – APT malware typically establishes remote command and control channels so that intruders have “hands on the keyboard” access inside the target environment.
  • Actions on Targets – Typically the prime objective is data exfiltration, which involves collecting, encrypting and extracting information from the victim environment. Intruders may only seek access to the victim box for use as a jump point to compromise additional systems and move laterally inside the network or attack other partner organizations.

Actionable Intelligence and the Intrusion Kill Chain

Cyber ‘kill chain’ methodology is the latest in a series of security strategies, targeted especially at APTs, that are based on more of a proactive and visible model of real-time network monitoring, analysis, and mitigation. The formal concept of cyber ‘kill chain’ methodology was first developed by a group of scientists at Lockheed Martin in a paper titled “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”.

The intrusion kill chain becomes a model for actionable intelligence where practitioners align organizational defensive capabilities to the specific processes an adversary undertakes to target that organization. The end goal of this is to analyze the data for patterns of attack methods, behaviors of distinct hostile actors, and other indicators which can inform the development of unique responses. Fundamentally, this approach is the essence of an Intelligence-driven Network Defense security posture: basing security decisions and measurements on a keen understanding of the adversary.

Defensible Actions Matrix

The following is an example of a table that depicts a course of action matrix using the actions of detect, deny, disrupt, degrade, deceive, and contain. Documenting the capabilities defenders can employ in this matrix enables the reader to assess their Defensible Security Posture as well as identify any gaps or needed compensating controls. The matrix includes traditional systems like network intrusion detection systems (NIDS) and firewall access control lists (ACLs), system hardening best practices like audit logging, but also vigilant users themselves who can detect suspicious activity.

[Figure: Kill Chain Actions]
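The course of action matrix is simple enough to keep as data, and doing so makes the gap analysis the post describes mechanical: for each action, list the phases where nothing provides it, and rank phases by how thinly they are covered to decide where the next investment goes. The following is an added example, not code from the original post or from the Lockheed Martin paper; the phases and actions are the ones listed above, while the controls filled into each cell are a constructed, illustrative inventory that an organization would replace with its own.

```python
"""Course-of-action matrix (kill chain phases x defender actions) with gap analysis.
Added example; the cell contents are constructed, not an organization's real inventory."""
from __future__ import annotations

PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Targets",
]
ACTIONS = ["detect", "deny", "disrupt", "degrade", "deceive", "contain"]

# Each cell lists the controls believed to give that action against that phase.
MATRIX = {
    "Reconnaissance":      {"detect": ["web analytics"], "deny": ["firewall ACL"]},
    "Weaponization":       {"detect": ["NIDS"]},
    "Delivery":            {"detect": ["vigilant users"], "deny": ["proxy filter"],
                            "disrupt": ["in-line AV"], "degrade": ["queuing"]},
    "Exploitation":        {"detect": ["HIDS"], "deny": ["patching"], "disrupt": ["DEP"]},
    "Installation":        {"detect": ["HIDS"], "deny": ["chroot jail"], "disrupt": ["AV"]},
    "Command and Control": {"detect": ["NIDS"], "deny": ["firewall ACL"], "disrupt": ["NIPS"],
                            "degrade": ["tarpit"], "deceive": ["DNS redirect"]},
    "Actions on Targets":  {"detect": ["audit logging"], "degrade": ["quality of service"],
                            "deceive": ["honeypot"], "contain": ["network segmentation"]},
}


def controls(matrix, phase, action):
    """Controls recorded for one cell (empty list when the cell is blank)."""
    return matrix.get(phase, {}).get(action, [])


def gaps(matrix, phases=PHASES, actions=ACTIONS):
    """For each action, the phases where no control provides it."""
    return {a: [p for p in phases if not controls(matrix, p, a)] for a in actions}


def coverage(matrix, phases=PHASES, actions=ACTIONS):
    """Number of distinct actions available against each phase."""
    return {p: sum(1 for a in actions if controls(matrix, p, a)) for p in phases}


def prioritize(matrix, phases=PHASES, actions=ACTIONS):
    """Phases ordered from least to most covered: where compensating controls go first."""
    cov = coverage(matrix, phases, actions)
    return sorted(phases, key=lambda p: (cov[p], phases.index(p)))


def render(matrix, phases=PHASES, actions=ACTIONS):
    """Plain-text table of the matrix, '-' marking an empty cell."""
    width = max(len(p) for p in phases)
    lines = ["phase".ljust(width) + " | " + " | ".join(a.ljust(14) for a in actions)]
    for p in phases:
        cells = [", ".join(controls(matrix, p, a)) or "-" for a in actions]
        lines.append(p.ljust(width) + " | " + " | ".join(c.ljust(14) for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(MATRIX))
    for action, missing in gaps(MATRIX).items():
        print(f"{action:8s} gap in: {', '.join(missing) or 'none'}")
    print("invest first in:", prioritize(MATRIX)[:2])
```

With the constructed inventory the report shows the pattern the post warns about: detection exists at every phase, but "contain" exists only at the final phase, so an intruder who is seen early can still not be boxed in until data is already being gathered; that single row is the gap a posture assessment should surface.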

Intelligence-driven Network Defense is a necessity in light of advanced persistent threats. As conventional, vulnerability-focused processes are insufficient, understanding the threat itself, its intent, capability, doctrine, and patterns of operation is required to establish resilience. The intrusion kill chain provides a structure to analyze intrusions, identify indicators and drive defensive courses of actions. This model prioritizes investment for capability gaps, and serves as a framework to measure the effectiveness of the defenders’ actions. When defenders consider the threat component of risk to build resilience against APTs, they can turn the persistence of these actors into a liability, decreasing the adversary’s likelihood of success with each intrusion attempt.

Evolving Towards a Defensive Posture

If your organization does not already have visibility with proactive monitoring built into your environment, this may seem like a major challenge. Implementing an Intelligence-driven Network Defense with a Cyber Kill Chain should be based initially on a prototype-then-iterate approach to evolve in capability and sophistication. Start with a basic framework that you can comfortably build and operate, then make progress from there.

[Figure: Cyber Kill Chain]

Perform a Security Health Check with a focus on the organization’s web presence and external perimeter to see what information it could give an attacker, or leverage a third-party professional. Implement layered security to decrease the possibility that threats will slip through unnoticed. Create a policy for dealing with malware events. Educate staff about what to do with unexpected, suspicious emails and attachments.

With each step taken, you’ll get more information about your environment. And the more information you have, the more likely you will be able to identify anomalous behavior.

Next Steps

In Defensible Security Posture – Part 2 we discuss a case study that leverages the Defensible Actions Matrix and provides some recommended APT-focused best-practices.

The Defensible Security Posture series using an Intelligence-driven Network Defense will be built upon in future blogs. In the APT Operational Maturity and APT Intelligent Operations blogs we will discuss the need for a continuously evolving next-generation SIEM, risk management processes and network behavior anomaly detection that enable organizations to take security operations and situational awareness to the next level, depending upon various factors including threat/risk profile.

The defensible architecture foundation uses Adaptive Zone Defense to segment critical assets from general-purpose infrastructure to enable containment, and includes an Application Architecture Taxonomy that discusses the analysis, placement, policy and controls for assets based upon classification and risk. There will also be a blog that takes a deeper dive into Risk Management Practices.

Thanks for your interest!

Nige the Security Guy.