Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/12/2013
01:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack

A rare inside look at how the defense contractor repelled an attack using its homegrown 'Cyber Kill Chain' framework

A few months after RSA had rocked the security world with news that it had been breached and its SecurID database exposed in a sophisticated attack, defense contractor Lockheed Martin discovered an intruder in its network using legitimate credentials.

"We almost missed it," says Steve Adegbite, director of cybersecurity for Lockheed Martin, of the intrusion sometime around May or early June 2011. "We thought at first it was a new person in the department ... but then it became really interesting."

The poser was using valid credentials of one of Lockheed's business partners, including the user's SecurID token. Adegbite says it soon became obvious that this user wasn't performing his or her normal operations. "They tripped a lot of alarms," he says. "They were trying to pull data in stages," and the attacker was going after data unrelated to the user's work he or she was impersonating, he says.

So Lockheed launched its homegrown Cyber Kill Chain framework, a process that basically tracks an intruder's movements and throws barriers in the way of each attempt to siphon data out of the network. Adegbite detailed this multimillion-dollar framework for stopping advanced persistent threat (APT) attackers last week at the Kaspersky Security Analyst Summit in San Juan, Puerto Rico. The Kill Chain aims to stop the attackers who get inside from taking anything with them on the way out.

Adegbite says the bad guys came up empty-handed in this post-RSA SecurID attack. "No information was lost. If not for this framework [Kill Chain], we would have had issues," Adegbite says. Lockheed's data leakage prevention system, which is one layer of the Kill Chain, also denies even authenticated users access to information if they don't have a valid reason to access it, he notes.

[Worries still linger of future attacks, but experts hope the event shook industry out of black-and-white security mentality. See Gauging The Long-Term Effects Of RSA's Breach. ]

The key to the Kill Chain framework is intelligence-driven defense. "We look at what they are trying to do and focus on whatever their objectives are ... and cut off their objectives," he says. "I can still defend the doors, but I'm not going to sit there and put all my efforts there."

Lockheed's network is huge: There are more than 3 million IP addresses and 123,000 employees across 570 locations in 60 countries, and it's obviously a juicy target for cyberespionage attacks. "We have had a lot of adversaries showing up at our door with a lot of resources. So we had to go from a SOC [security operations center] to become a security intelligence center," he says.

"It can be a canary in a coal mine when things are going wrong in the network," Adegbite says. "Or you can use it to justify investments in the network."

It's a battle of wits: Lockheed uses tools, analytics, and manpower to think like the attacker and to observe his movements. "An attacker only has one time to be right to get that information out of the network," Adegbite says.

These attackers typically operate in a half-dozen steps: reconnaissance, weaponization, delivery, exploitation, installation of malware, and command and control of the infected machine or machines, he says. "The goal of the Kill Chain is to make sure they don't get to step 7 and exfiltrate," he says.

Most of these targeted attacks are not isolated, of course: They are typically waged in campaigns, he says. "If you see them all in a comprehensive way, that helps," Adegbite says. "These guys are human: They take off holidays. You can use that information -- that human intelligence" in the Kill Chain, as well, he says. Certain groups operate during certain times of year, for instance, so Lockheed can plan its defense resources accordingly, based on that type of intelligence.

And Lockheed flexed its procurement muscle to get security vendors on board to enhance their products for the Kill Chain requirements, according to Adegbite.

But the Cyber Kill Chain framework isn't for everyone. "We have a multimillion-dollar investment in this technology. It's only if you have the profile for an APT" type attack, he says.

Lockheed suffered at least one other attempted attack around the same time, in the wake of the big RSA hack. Some security experts attributed that one to the fallout from RSA's SecurID breach. RSA later offered replacement SecurID tokens to its customers as a precaution, but Lockheed never confirmed that it was a result of the RSA breach, according to Adegbite.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SLovellSecureGuy
50%
50%
SLovellSecureGuy,
User Rank: Apprentice
9/26/2013 | 6:57:01 PM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
Verdasys Managed Service for Cyber Kill Chain Model : https://www.verdasys.com/solut...
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
2/14/2013 | 5:09:46 AM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
I'm curious about whether other organizations can make use of the Kill Chain concept. How big/deep-pocketed do you have to be to make this work?
--Tim Wilson, editor, Dark Reading
mikk0j
50%
50%
mikk0j,
User Rank: Apprentice
2/13/2013 | 1:17:46 PM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
Well, the only reason why Lockheed-Martin succeed on the task among its one of the primary contractor for USG is that they knew their tactical depth well enough. They knew what should be in place and what should not be, they had adequate amount of resources (human) to work with the incident and most of all - whilst there is outsourcing companions, LMCO maneuvered their security REALLY by themselves.

However, the story lack a few details. The adversary whom was on the move to obtain data - was not really making counterin movements against LMCOs tasks to blockade their effort. The adversary part kept doing the business as normal and moved along the their pre-selected path. Mistake.

Why did not adversary burned a house to verify what countermeasures are against them? Why did they sacrifice the pear tree, instead of rotten plum tree and then pushed dormant mode on?

Time and speed are equally important, not the same.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10287
PUBLISHED: 2020-07-15
The IRC5 family with UAS service enabled comes by default with credentials that can be found on publicly available manuals. ABB considers this a well documented functionality that helps customer set up however, out of our research, we found multiple production systems running these exact default cre...
CVE-2020-10288
PUBLISHED: 2020-07-15
IRC5 exposes an ftp server (port 21). Upon attempting to gain access you are challenged with a request of username and password, however you can input whatever you like. As long as the field isn't empty it will be accepted.
CVE-2020-15780
PUBLISHED: 2020-07-15
An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.
CVE-2019-17639
PUBLISHED: 2020-07-15
In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially crafted code patterns, cause the current method to return prematurely with an undefined return value. This...
CVE-2019-20908
PUBLISHED: 2020-07-15
An issue was discovered in drivers/firmware/efi/efi.c in the Linux kernel before 5.4. Incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032.