Attacks/Breaches
2/12/2013
01:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack

A rare inside look at how the defense contractor repelled an attack using its homegrown 'Cyber Kill Chain' framework

A few months after RSA had rocked the security world with news that it had been breached and its SecurID database exposed in a sophisticated attack, defense contractor Lockheed Martin discovered an intruder in its network using legitimate credentials.

"We almost missed it," says Steve Adegbite, director of cybersecurity for Lockheed Martin, of the intrusion sometime around May or early June 2011. "We thought at first it was a new person in the department ... but then it became really interesting."

The poser was using valid credentials of one of Lockheed's business partners, including the user's SecurID token. Adegbite says it soon became obvious that this user wasn't performing his or her normal operations. "They tripped a lot of alarms," he says. "They were trying to pull data in stages," and the attacker was going after data unrelated to the user's work he or she was impersonating, he says.

So Lockheed launched its homegrown Cyber Kill Chain framework, a process that basically tracks an intruder's movements and throws barriers in the way of each attempt to siphon data out of the network. Adegbite detailed this multimillion-dollar framework for stopping advanced persistent threat (APT) attackers last week at the Kaspersky Security Analyst Summit in San Juan, Puerto Rico. The Kill Chain aims to stop the attackers who get inside from taking anything with them on the way out.

Adegbite says the bad guys came up empty-handed in this post-RSA SecurID attack. "No information was lost. If not for this framework [Kill Chain], we would have had issues," Adegbite says. Lockheed's data leakage prevention system, which is one layer of the Kill Chain, also denies even authenticated users access to information if they don't have a valid reason to access it, he notes.

[Worries still linger of future attacks, but experts hope the event shook industry out of black-and-white security mentality. See Gauging The Long-Term Effects Of RSA's Breach. ]

The key to the Kill Chain framework is intelligence-driven defense. "We look at what they are trying to do and focus on whatever their objectives are ... and cut off their objectives," he says. "I can still defend the doors, but I'm not going to sit there and put all my efforts there."

Lockheed's network is huge: There are more than 3 million IP addresses and 123,000 employees across 570 locations in 60 countries, and it's obviously a juicy target for cyberespionage attacks. "We have had a lot of adversaries showing up at our door with a lot of resources. So we had to go from a SOC [security operations center] to become a security intelligence center," he says.

"It can be a canary in a coal mine when things are going wrong in the network," Adegbite says. "Or you can use it to justify investments in the network."

It's a battle of wits: Lockheed uses tools, analytics, and manpower to think like the attacker and to observe his movements. "An attacker only has one time to be right to get that information out of the network," Adegbite says.

These attackers typically operate in a half-dozen steps: reconnaissance, weaponization, delivery, exploitation, installation of malware, and command and control of the infected machine or machines, he says. "The goal of the Kill Chain is to make sure they don't get to step 7 and exfiltrate," he says.

Most of these targeted attacks are not isolated, of course: They are typically waged in campaigns, he says. "If you see them all in a comprehensive way, that helps," Adegbite says. "These guys are human: They take off holidays. You can use that information -- that human intelligence" in the Kill Chain, as well, he says. Certain groups operate during certain times of year, for instance, so Lockheed can plan its defense resources accordingly, based on that type of intelligence.

And Lockheed flexed its procurement muscle to get security vendors on board to enhance their products for the Kill Chain requirements, according to Adegbite.

But the Cyber Kill Chain framework isn't for everyone. "We have a multimillion-dollar investment in this technology. It's only if you have the profile for an APT" type attack, he says.

Lockheed suffered at least one other attempted attack around the same time, in the wake of the big RSA hack. Some security experts attributed that one to the fallout from RSA's SecurID breach. RSA later offered replacement SecurID tokens to its customers as a precaution, but Lockheed never confirmed that it was a result of the RSA breach, according to Adegbite.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SLovellSecureGuy
50%
50%
SLovellSecureGuy,
User Rank: Apprentice
9/26/2013 | 6:57:01 PM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
Verdasys Managed Service for Cyber Kill Chain Model : https://www.verdasys.com/solut...
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
2/14/2013 | 5:09:46 AM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
I'm curious about whether other organizations can make use of the Kill Chain concept. How big/deep-pocketed do you have to be to make this work?
--Tim Wilson, editor, Dark Reading
mikk0j
50%
50%
mikk0j,
User Rank: Apprentice
2/13/2013 | 1:17:46 PM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
Well, the only reason why Lockheed-Martin succeed on the task among its one of the primary contractor for USG is that they knew their tactical depth well enough. They knew what should be in place and what should not be, they had adequate amount of resources (human) to work with the incident and most of all - whilst there is outsourcing companions, LMCO maneuvered their security REALLY by themselves.

However, the story lack a few details. The adversary whom was on the move to obtain data - was not really making counterin movements against LMCOs tasks to blockade their effort. The adversary part kept doing the business as normal and moved along the their pre-selected path. Mistake.

Why did not adversary burned a house to verify what countermeasures are against them? Why did they sacrifice the pear tree, instead of rotten plum tree and then pushed dormant mode on?

Time and speed are equally important, not the same.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web