In reading the reports on the Lockheed Martin cyber kill chain framework, I was wondering what you recommend putting in place from a network perspective to stop data exfiltration versus stopping an intrusion altogether? Do you think this is a more intelligent way to protect sensitive data?
I'm a big admirer of Lockheed Martin's layered defense approach. Briefly, the cyber kill chain framework is unleashed once an intruder is detected within a given network. Algorithms are put in place that track what a user attempts to do and where a user attempts to go within the network. If anomalies are detected, alarms are triggered and the kill chain goes into action by placing obstacles at every step the intruder attempts to take.
In a sense, Lockheed doesn't put all of its eggs in one cyber basket, and to answer your question, I do think this is a more intelligent way to go than trying to thwart every network intrusion. For years, the overarching security paradigm was to prevent intrusion altogether, but little was done in the way of mitigation once an intrusion took place. But it's become clear that network intrusions now happen so frequently that it's virtually impossible to stop them all. Instead, I recommend a strategy that emphasizes data exfiltration prevention, combining SSL decryption (which is growing in popularity) with a properly configured firewall. Not all traffic is encrypted, so in this case, SSL decryption wouldn't provide you any additional value.
Referring back to the Lockheed Martin Cyber Kill Chain framework, my understanding is that Lockheed Martin has implemented a heuristic mechanism that allows for an intelligent defense of the network, and this goes hand in hand with some of the latest intrusion detection technology that has been released recently. Charting tendencies, recording statistical anomalies and taking a more comprehensive approach to network intrusions seem to be gaining in popularity.
In short, I recommend Lockheed's strategy. To adapt it for use in your organization, I would find a firewall device that has the ability to learn what is and is not normal network traffic, and augment this with an actual human being who can quickly and accurately perform log analysis. Furthermore, configure the firewall to conduct deep packet inspection on all data leaving your network. This part is crucial if you accept my earlier premise that completely stopping intrusions is virtually impossible. Assume that your network boundary has been breached, and carefully examine what is exiting your network.
This was first published in August 2013
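The answer above recommends a device that learns what normal outbound traffic looks like and then scrutinizes everything leaving the network. The following block is an added illustration of that idea and is not code from the expert, from Lockheed Martin, or from any firewall product. It assumes a constructed, simplified flow-log format (`<hour> <src_ip> <dst_ip> <dst_port> <bytes_out>`), learns a per-host baseline of hourly egress volume and known destinations from a training window, and then flags three kinds of egress anomaly in a later window: a host whose hourly outbound volume is far above its own baseline, a host contacting a destination/port it never used during training, and a host that has no baseline at all. The sample flow lines are constructed for the example.

```python
"""Baseline-and-deviation check over outbound flow records (added example).

Not the expert's or Lockheed Martin's code. The flow-log format and all
addresses and byte counts below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window: hours 0-5 for two internal hosts.
BASELINE_LINES = """\
0 10.0.0.5 93.184.216.34 443 120000
1 10.0.0.5 93.184.216.34 443 110000
2 10.0.0.5 93.184.216.34 443 130000
3 10.0.0.5 93.184.216.34 443 115000
4 10.0.0.5 93.184.216.34 443 125000
5 10.0.0.5 93.184.216.34 443 118000
0 10.0.0.9 93.184.216.34 443 50000
1 10.0.0.9 93.184.216.34 443 52000
2 10.0.0.9 93.184.216.34 443 48000
3 10.0.0.9 93.184.216.34 443 51000
4 10.0.0.9 93.184.216.34 443 49000
5 10.0.0.9 93.184.216.34 443 50500
"""

# Constructed detection window: hour 6. 10.0.0.9 pushes 900 kB to a never-seen
# destination, and 10.0.0.23 appears with no baseline at all.
TODAY_LINES = """\
6 10.0.0.5 93.184.216.34 443 122000
6 10.0.0.9 93.184.216.34 443 51000
6 10.0.0.9 198.51.100.77 443 900000
6 10.0.0.23 203.0.113.5 22 4000
"""


def parse_flows(text):
    """Parse flow-log lines into (hour, src, dst, dport, bytes) tuples.
    Malformed lines are skipped so one bad record cannot stop the analysis."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        hour, src, dst, dport, nbytes = parts
        try:
            flows.append((int(hour), src, dst, int(dport), int(nbytes)))
        except ValueError:
            continue
    return flows


def hourly_totals(flows):
    """Sum outbound bytes per (source host, hour)."""
    totals = defaultdict(int)
    for hour, src, _dst, _dport, nbytes in flows:
        totals[(src, hour)] += nbytes
    return totals


def build_baseline(flows):
    """Per internal host: mean and population stdev of hourly egress bytes,
    plus the set of (dst, port) pairs seen during the learning window."""
    samples = defaultdict(list)
    for (src, _hour), total in hourly_totals(flows).items():
        samples[src].append(total)
    dests = defaultdict(set)
    for _hour, src, dst, dport, _nbytes in flows:
        dests[src].add((dst, dport))
    return {
        src: {
            "mean": mean(vals),
            # A single sample has no spread; the floor in detect() handles it.
            "stdev": pstdev(vals) if len(vals) > 1 else 0.0,
            "dests": dests[src],
        }
        for src, vals in samples.items()
    }


def detect(baseline, flows, k=3.0, min_rel_stdev=0.1):
    """Return alerts for the given window. The stdev is floored at
    min_rel_stdev * mean so a nearly constant (or single-sample) baseline
    does not turn ordinary jitter into a volume alert."""
    alerts = []
    for (src, hour), total in sorted(hourly_totals(flows).items()):
        if src not in baseline:
            alerts.append({"host": src, "hour": hour, "kind": "unknown_host", "bytes": total})
            continue
        b = baseline[src]
        sigma = max(b["stdev"], min_rel_stdev * b["mean"])
        threshold = b["mean"] + k * sigma
        if total > threshold:
            alerts.append({"host": src, "hour": hour, "kind": "volume",
                           "bytes": total, "threshold": round(threshold)})
    reported = set()
    for hour, src, dst, dport, nbytes in flows:
        if src in baseline and (dst, dport) not in baseline[src]["dests"]:
            if (src, dst, dport) not in reported:
                reported.add((src, dst, dport))
                alerts.append({"host": src, "hour": hour, "kind": "new_destination",
                               "dest": f"{dst}:{dport}", "bytes": nbytes})
    return alerts


def run_example():
    """Learn from the constructed baseline and score the constructed 'today'."""
    baseline = build_baseline(parse_flows(BASELINE_LINES))
    return detect(baseline, parse_flows(TODAY_LINES))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The volume threshold is deliberately per host rather than network-wide: a spike that is trivial for a busy file server is a strong signal for a workstation that normally sends a few tens of kilobytes an hour. In practice the baseline would be rebuilt on a rolling window and the alerts would feed the human log analyst the answer calls for, together with whatever the firewall's deep packet inspection reports for the flagged flows.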