Attacks/Breaches
2/12/2013
01:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack

A rare inside look at how the defense contractor repelled an attack using its homegrown 'Cyber Kill Chain' framework

A few months after RSA had rocked the security world with news that it had been breached and its SecurID database exposed in a sophisticated attack, defense contractor Lockheed Martin discovered an intruder in its network using legitimate credentials.

"We almost missed it," says Steve Adegbite, director of cybersecurity for Lockheed Martin, of the intrusion sometime around May or early June 2011. "We thought at first it was a new person in the department ... but then it became really interesting."

The poser was using valid credentials of one of Lockheed's business partners, including the user's SecurID token. Adegbite says it soon became obvious that this user wasn't performing his or her normal operations. "They tripped a lot of alarms," he says. "They were trying to pull data in stages," and the attacker was going after data unrelated to the user's work he or she was impersonating, he says.

So Lockheed launched its homegrown Cyber Kill Chain framework, a process that basically tracks an intruder's movements and throws barriers in the way of each attempt to siphon data out of the network. Adegbite detailed this multimillion-dollar framework for stopping advanced persistent threat (APT) attackers last week at the Kaspersky Security Analyst Summit in San Juan, Puerto Rico. The Kill Chain aims to stop the attackers who get inside from taking anything with them on the way out.

Adegbite says the bad guys came up empty-handed in this post-RSA SecurID attack. "No information was lost. If not for this framework [Kill Chain], we would have had issues," Adegbite says. Lockheed's data leakage prevention system, which is one layer of the Kill Chain, also denies even authenticated users access to information if they don't have a valid reason to access it, he notes.

[Worries still linger of future attacks, but experts hope the event shook industry out of black-and-white security mentality. See Gauging The Long-Term Effects Of RSA's Breach. ]

The key to the Kill Chain framework is intelligence-driven defense. "We look at what they are trying to do and focus on whatever their objectives are ... and cut off their objectives," he says. "I can still defend the doors, but I'm not going to sit there and put all my efforts there."

Lockheed's network is huge: There are more than 3 million IP addresses and 123,000 employees across 570 locations in 60 countries, and it's obviously a juicy target for cyberespionage attacks. "We have had a lot of adversaries showing up at our door with a lot of resources. So we had to go from a SOC [security operations center] to become a security intelligence center," he says.

"It can be a canary in a coal mine when things are going wrong in the network," Adegbite says. "Or you can use it to justify investments in the network."

It's a battle of wits: Lockheed uses tools, analytics, and manpower to think like the attacker and to observe his movements. "An attacker only has one time to be right to get that information out of the network," Adegbite says.

These attackers typically operate in a half-dozen steps: reconnaissance, weaponization, delivery, exploitation, installation of malware, and command and control of the infected machine or machines, he says. "The goal of the Kill Chain is to make sure they don't get to step 7 and exfiltrate," he says.

Most of these targeted attacks are not isolated, of course: They are typically waged in campaigns, he says. "If you see them all in a comprehensive way, that helps," Adegbite says. "These guys are human: They take off holidays. You can use that information -- that human intelligence" in the Kill Chain, as well, he says. Certain groups operate during certain times of year, for instance, so Lockheed can plan its defense resources accordingly, based on that type of intelligence.

And Lockheed flexed its procurement muscle to get security vendors on board to enhance their products for the Kill Chain requirements, according to Adegbite.

But the Cyber Kill Chain framework isn't for everyone. "We have a multimillion-dollar investment in this technology. It's only if you have the profile for an APT" type attack, he says.

Lockheed suffered at least one other attempted attack around the same time, in the wake of the big RSA hack. Some security experts attributed that one to the fallout from RSA's SecurID breach. RSA later offered replacement SecurID tokens to its customers as a precaution, but Lockheed never confirmed that it was a result of the RSA breach, according to Adegbite.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SLovellSecureGuy
50%
50%
SLovellSecureGuy,
User Rank: Apprentice
9/26/2013 | 6:57:01 PM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
Verdasys Managed Service for Cyber Kill Chain Model : https://www.verdasys.com/solut...
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
2/14/2013 | 5:09:46 AM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
I'm curious about whether other organizations can make use of the Kill Chain concept. How big/deep-pocketed do you have to be to make this work?
--Tim Wilson, editor, Dark Reading
mikk0j
50%
50%
mikk0j,
User Rank: Apprentice
2/13/2013 | 1:17:46 PM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
Well, the only reason why Lockheed-Martin succeed on the task among its one of the primary contractor for USG is that they knew their tactical depth well enough. They knew what should be in place and what should not be, they had adequate amount of resources (human) to work with the incident and most of all - whilst there is outsourcing companions, LMCO maneuvered their security REALLY by themselves.

However, the story lack a few details. The adversary whom was on the move to obtain data - was not really making counterin movements against LMCOs tasks to blockade their effort. The adversary part kept doing the business as normal and moved along the their pre-selected path. Mistake.

Why did not adversary burned a house to verify what countermeasures are against them? Why did they sacrifice the pear tree, instead of rotten plum tree and then pushed dormant mode on?

Time and speed are equally important, not the same.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant