- This is the third in a series of blogs that examine how Software Defined Perimeters (SDPs) can significantly improve security and reduce risk associated with the Cyber Kill Chain (or seven phases of attack). This week we will look at the impact of an SDP on “Delivery, Exploitation and Installation” the third, fourth, and fifth phases of an attack.
Before going further, check out part 1 here to ensure context for Part 3.
Delivery, Exploitation and Installation
In Part 2 we looked at how the SDP provides countermeasures to “Weaponization” (stage 2 of the Cyber Kill Chain) which refers to how the intruder creates remote access malware weapons, such as a virus or worm, tailored to one or more vulnerabilities. In this case, SDP prevents weaponization with the automation of action that blocks all connections from this bad actor to any other areas of the infrastructure to spread malware payloads.
Today we will look at phases 3, 4, and 5 — Delivery, Exploitation and Installation — which refers to how the intruder 1) enables transmission (or delivery) of a weapon to target, 2) how the weapon’s code is triggered to exploit vulnerabilities, and 3) how the intruder installs a backdoor on the target’s system allowing persistent access.
In these three phases, SDP prevents Delivery with the automation of action that blocks all connections from the bad actor to any other areas of the infrastructure to spread malware payloads. If an organization is using SDP, Delivery cannot occur and any Exploitation and Installation phases would have to be enacted by an internal bad actor.
To thwart this internal threat, SDP provides countermeasures by providing rapid discovery and intervention based on the fact that every connection – from whom, from where, and to what, is known. Any others are not authenticated, unwanted, and rapidly disallowed as they are considered an attack..
In addition to stopping exploitation and installation from an internal threat actor, SDP’s rapid discovery capabilities allows you to quickly identify where the threat originated internally. And this extends to future network-based exploitation and delivery mechanisms are also protected based on the rapid discovery capabilities of SDP
The coming impact of Software Defined Perimeters and a paradigm shift in cyber security cannot be understated. Currently, organizations are faced with manual analysis of network logs that takes time for incident detection and can allow malware can get in undetected. The organizations are spending too much time trying understand who the bad actors are and who the authorized users are. SDP automates this analysis to instantly identify authorized users since all the bad packets are dropped and not able to make additional connections – thereby making incident detection and response less log management-specific. Because each connection is understood and verified, automated action such as dropping connections to thwart weaponization of attacks is possible.
Over-focus on the Cyber Kill Chain can actually be detrimental to network security. The Cyber Kill Chain, as cool as it sounds, reinforces old-school, perimeter-focused, malware-prevention thinking. And the fact is that intrusion prevention solutions cannot provide 100% protection. A persistent, highly determined, and highly skilled attacker will always find a way in. And once the attacker is past your perimeter, traditional Cyber Kill Chain-style prevention solutions like firewalls, sandboxes, and antivirus can’t help. Once they’ve bypassed these solutions, attackers are free to operate in your network unobstructed. With SDP, they cannot see, and therefore cannot know where to go, no matter how determined they might be.
Check back next week when we examine the relationship between step 6 of the Cyber Kill Chain — Command & Control – how and outside server communicates with a weapon inside the target system.