How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack - sp332
http://www.darkreading.com/authentication/167901072/security/attacks-breaches/240148399/how-lockheed-martin-s-kill-chain-stopped-securid-attack.html

======
ceautery
That article was one big euphemism, and I am no closer to knowing what a "Kill
Chain" is or how it could stop an attack than I was 30 minutes ago.

~~~
MichaelGG
Yeah, it's obviously a fluff piece. At the same time, what kind of details would
you expect? As with any anti-fraud it's going to contain a lot of heuristics
and stuff that needs to stay secret in order to be effective. So they could
probably provide details about how all access is audited, but the real neat
parts of what makes it work wouldn't be disclosed anyway.

It's also not clear how Kill Chain helped at all. If they discovered the user,
then they could have deactivated his credentials, right? Or are they alluding
to that they use live user activity as a sorta honeypot to see if there are
other compromised users?

This quote was pretty funny: "An attacker only has one time to be right to get
that information out of the network" -- really? Cause I thought usually we
think of it the other way around: the defenders have to only mess up once to
lose.

~~~
peterwwillis
The way they described it, they used user auditing to track what the user was
doing on the network and where, and compared it against the user's role.

There's lots of commercial software that will help you do this. First you have
network appliances throughout your network that monitor traffic. Then you
create rules and policies on the device that tracks the user, its defined
role, what it should have access to, and what it is attempting to access. Then
you define actions (logging, dropping the packet, ignoring it, etc) based on
the rules/policies.

You can do this using open source software, too, but it takes a bit more glue
code usually. A long set of iptables rules (along with free tools like Snort)
could tag traffic based on the user, layer 7 protocol, and network access, and
alerts could be mailed to the admins when a user over-reaches in their access.

------
xm1994
I've been out of the security space for a while but what I would love to see
(and perhaps it already exists) is a threat "counter" for every authenticated
user on my network. Data could be fed from various sources IDS and audit logs
and actions like simultaneous logins, port scans or attempts to access files
and apps that the user doesn't have access to would increase their threat
counter. You could add weight to events, e.g. someone from marketing trying to
access a SQL server, router, or RDP to an accounting server, etc.
Unauthenticated hits could be associated with an anonymous user. Once the
entity has reached a certain threshold an analyst is alerted to investigate.
You could even tie this to the support center - "Hello Mr. Rogers, I see
you're having trouble logging on to the reporting site, would you like us to
reset your password?"
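Here is a small, runnable sketch of the two ideas raised in this thread: peterwwillis's rule that compares what an authenticated account actually touches against what its role is entitled to, and the weighted per-user "threat counter" with an anonymous bucket and an analyst threshold described just above. This is an added example, not code from the article, from Lockheed Martin, or from any commenter; the role table, asset inventory, event weights, threshold, and log lines are all constructed for illustration. One design note: the alert goes to an analyst, not back to the user, which sidesteps the concern about the help-desk callback being abused.

```python
"""Per-identity threat counter driven by role-vs-access policy and IDS-style
events. Everything here (roles, inventory, weights, log format) is invented
for the example."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical policy: which asset classes each role is entitled to touch.
ROLE_ACCESS = {
    "marketing": {"web", "crm"},
    "accounting": {"web", "crm", "finance-db"},
    "sysadmin": {"web", "crm", "finance-db", "router", "rdp", "share"},
}
# Hypothetical inventory: destination -> asset class. Unknown targets are "unknown",
# which no role is entitled to, so reaching one always scores.
ASSET_CLASS = {
    "10.0.1.10:443": "web",
    "10.0.2.20:1433": "finance-db",
    "10.0.3.30:22": "router",
    "10.0.4.40:3389": "rdp",
    "10.0.5.50:445": "share",
}
USERS = {"alice": "marketing", "bob": "accounting"}  # constructed directory
# Invented weights: cost of each event type, and the score that pages an analyst.
WEIGHTS = {"auth_fail": 1, "port_scan": 5, "simul_login": 3, "unentitled_access": 8}
ALERT_THRESHOLD = 10

# Constructed audit/IDS feed: "<timestamp> <user|-> <src> <dest> <action>".
# "-" means the hit was unauthenticated and is pooled under "anonymous".
SAMPLE_LOG = """\
2013-02-12T08:00:01 alice 192.168.1.10 10.0.1.10:443 connect
2013-02-12T08:00:05 alice 192.168.1.10 10.0.2.20:1433 connect
2013-02-12T08:00:09 alice 192.168.1.10 10.0.3.30:22 connect
2013-02-12T08:00:12 alice 192.168.1.10 10.0.4.40:3389 connect
2013-02-12T08:01:00 - 203.0.113.7 10.0.1.10:443 auth_fail
2013-02-12T08:01:02 - 203.0.113.7 10.0.1.10:443 auth_fail
2013-02-12T08:01:05 - 203.0.113.7 10.0.2.20:1433 port_scan
2013-02-12T08:02:00 bob 192.168.1.11 10.0.2.20:1433 connect
2013-02-12T08:02:00 bob 10.99.0.5 10.0.2.20:1433 connect
2013-02-12T08:03:30 bob 192.168.1.11 10.0.5.50:445 connect
"""


@dataclass
class Counter:
    score: int = 0
    events: list = field(default_factory=list)
    last_seen: Optional[tuple] = None  # (timestamp, src) for the simultaneous-login check

    def add(self, kind: str, detail: str) -> None:
        self.score += WEIGHTS[kind]
        self.events.append((kind, detail))


def score_events(log_text: str, users=USERS, window=timedelta(seconds=60)) -> dict:
    """Walk the feed once and return {identity: Counter}."""
    counters = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dest, action = line.split()
        when = datetime.fromisoformat(ts)
        identity = "anonymous" if user == "-" else user
        c = counters[identity]
        # Same account active from a second source inside the window.
        if identity != "anonymous":
            if c.last_seen and c.last_seen[1] != src and when - c.last_seen[0] <= window:
                c.add("simul_login", f"{src} while active from {c.last_seen[1]}")
            c.last_seen = (when, src)
        if action in ("auth_fail", "port_scan"):
            c.add(action, f"{src}->{dest}")
        elif action == "connect":
            # The role check: is this asset class inside what the role may touch?
            allowed = ROLE_ACCESS.get(users.get(identity), set())
            asset = ASSET_CLASS.get(dest, "unknown")
            if asset not in allowed:
                c.add("unentitled_access", f"{identity}->{dest} ({asset})")
    return counters


def alerts(counters: dict, threshold: int = ALERT_THRESHOLD) -> list:
    """Identities whose counter crossed the threshold, for an analyst to review."""
    return sorted(name for name, c in counters.items() if c.score >= threshold)


if __name__ == "__main__":
    result = score_events(SAMPLE_LOG)
    for name, c in sorted(result.items()):
        print(f"{name:10} score={c.score:3}  " + "; ".join(k for k, _ in c.events))
    print("alert:", alerts(result))
```

On the sample feed, alice (marketing) reaches the finance database, a router and an RDP host, and bob shows up from two sources at once and then on a file share, so both cross the threshold; the anonymous failed logins and port scan stay below it on their own but remain in the counter for correlation later.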

~~~
knowaveragejoe
I forget the term, but there is a similar value assigned to users for
marketing purposes which is sourced from a variety of systems. The higher the
value, the more likely the person would be interested in converting/making a
purchase. Something similar surely exists for security purposes. With that
said, the last thing you mentioned must be used with great caution, as it
could easily be exploited.

~~~
mkmk
'Lead Score'?

~~~
knowaveragejoe
Yep, that's it.

------
chayesfss
It's too bad that RSA was hacked but what was inexcusable was how they
responded. Basically they wouldn't tell anyone what happened unless you signed
some NDA or something. Then they said they'd replace your current ones with
new free ones. Yeah, the keys to the kingdom were stolen, let me get some more
of that please!

------
swalberg
It reminds me of a high tech version of "The Cuckoo's Egg" by Clifford Stoll.
In his case, he shorted out wires to cause transmission errors and made up
fake data for the cracker to download.

------
DigitalSea
This article barely explains anything about the "Kill Chain" which to me
sounds like part firewall, part network monitoring software and part credit
card fraud detection algorithm. From what I know and took from the article,
the "Kill Chain" is nothing more than a software perhaps even hardware layer
that can detect suspicious activity and throw up restrictions without actually
alerting the user they're detected but rather make them leave out of
frustration once they work out they're not getting anything.

One part of the article in which they reveal that the system can detect
attackers using legitimate authentication details basically only when they are
trying to access data that they're not entitled to makes me wonder if an
attacker were to get the credentials of someone higher up with more access to
a wider set of data than a regular employee, would they be able to detect
that? Seems like the chink in the armour if you ask me.

Interesting, but I would have loved a bit more detail and explanation about
this heavily over-glorified firewall and humanised monitoring network.

------
superuser2
Using an IPS to identify users accessing information inconsistent with their
role in the organization is better than doing nothing, I guess, but why did
those credentials access network shares or databases the intended user wasn't
supposed to access in the first place?

If their detection system is useful at all, then the principle of least
privilege is definitely not being followed.

------
victoknight
There was very little "How" in that article.

~~~
sp332
Instead of trying to fix the key system, or implement extra methods of
authentication, they decided to distrust _authenticated_ users if their
accounts were acting suspiciously.

------
rocky1138
Who was the adversary that broke into their network?

------
kbar13
why is this article pulled to the left

