Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/12/2013
01:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack

A rare inside look at how the defense contractor repelled an attack using its homegrown 'Cyber Kill Chain' framework

A few months after RSA had rocked the security world with news that it had been breached and its SecurID database exposed in a sophisticated attack, defense contractor Lockheed Martin discovered an intruder in its network using legitimate credentials.

"We almost missed it," says Steve Adegbite, director of cybersecurity for Lockheed Martin, of the intrusion sometime around May or early June 2011. "We thought at first it was a new person in the department ... but then it became really interesting."

The poser was using valid credentials of one of Lockheed's business partners, including the user's SecurID token. Adegbite says it soon became obvious that this user wasn't performing his or her normal operations. "They tripped a lot of alarms," he says. "They were trying to pull data in stages," and the attacker was going after data unrelated to the user's work he or she was impersonating, he says.

So Lockheed launched its homegrown Cyber Kill Chain framework, a process that basically tracks an intruder's movements and throws barriers in the way of each attempt to siphon data out of the network. Adegbite detailed this multimillion-dollar framework for stopping advanced persistent threat (APT) attackers last week at the Kaspersky Security Analyst Summit in San Juan, Puerto Rico. The Kill Chain aims to stop the attackers who get inside from taking anything with them on the way out.

Adegbite says the bad guys came up empty-handed in this post-RSA SecurID attack. "No information was lost. If not for this framework [Kill Chain], we would have had issues," Adegbite says. Lockheed's data leakage prevention system, which is one layer of the Kill Chain, also denies even authenticated users access to information if they don't have a valid reason to access it, he notes.

[Worries still linger of future attacks, but experts hope the event shook industry out of black-and-white security mentality. See Gauging The Long-Term Effects Of RSA's Breach. ]

The key to the Kill Chain framework is intelligence-driven defense. "We look at what they are trying to do and focus on whatever their objectives are ... and cut off their objectives," he says. "I can still defend the doors, but I'm not going to sit there and put all my efforts there."

Lockheed's network is huge: There are more than 3 million IP addresses and 123,000 employees across 570 locations in 60 countries, and it's obviously a juicy target for cyberespionage attacks. "We have had a lot of adversaries showing up at our door with a lot of resources. So we had to go from a SOC [security operations center] to become a security intelligence center," he says.

"It can be a canary in a coal mine when things are going wrong in the network," Adegbite says. "Or you can use it to justify investments in the network."

It's a battle of wits: Lockheed uses tools, analytics, and manpower to think like the attacker and to observe his movements. "An attacker only has one time to be right to get that information out of the network," Adegbite says.

These attackers typically operate in a half-dozen steps: reconnaissance, weaponization, delivery, exploitation, installation of malware, and command and control of the infected machine or machines, he says. "The goal of the Kill Chain is to make sure they don't get to step 7 and exfiltrate," he says.

Most of these targeted attacks are not isolated, of course: They are typically waged in campaigns, he says. "If you see them all in a comprehensive way, that helps," Adegbite says. "These guys are human: They take off holidays. You can use that information -- that human intelligence" in the Kill Chain, as well, he says. Certain groups operate during certain times of year, for instance, so Lockheed can plan its defense resources accordingly, based on that type of intelligence.

And Lockheed flexed its procurement muscle to get security vendors on board to enhance their products for the Kill Chain requirements, according to Adegbite.

But the Cyber Kill Chain framework isn't for everyone. "We have a multimillion-dollar investment in this technology. It's only if you have the profile for an APT" type attack, he says.

Lockheed suffered at least one other attempted attack around the same time, in the wake of the big RSA hack. Some security experts attributed that one to the fallout from RSA's SecurID breach. RSA later offered replacement SecurID tokens to its customers as a precaution, but Lockheed never confirmed that it was a result of the RSA breach, according to Adegbite.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SLovellSecureGuy
50%
50%
SLovellSecureGuy,
User Rank: Apprentice
9/26/2013 | 6:57:01 PM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
Verdasys Managed Service for Cyber Kill Chain Model : https://www.verdasys.com/solut...
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
2/14/2013 | 5:09:46 AM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
I'm curious about whether other organizations can make use of the Kill Chain concept. How big/deep-pocketed do you have to be to make this work?
--Tim Wilson, editor, Dark Reading
mikk0j
50%
50%
mikk0j,
User Rank: Apprentice
2/13/2013 | 1:17:46 PM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
Well, the only reason why Lockheed-Martin succeed on the task among its one of the primary contractor for USG is that they knew their tactical depth well enough. They knew what should be in place and what should not be, they had adequate amount of resources (human) to work with the incident and most of all - whilst there is outsourcing companions, LMCO maneuvered their security REALLY by themselves.

However, the story lack a few details. The adversary whom was on the move to obtain data - was not really making counterin movements against LMCOs tasks to blockade their effort. The adversary part kept doing the business as normal and moved along the their pre-selected path. Mistake.

Why did not adversary burned a house to verify what countermeasures are against them? Why did they sacrifice the pear tree, instead of rotten plum tree and then pushed dormant mode on?

Time and speed are equally important, not the same.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5118
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
CVE-2019-12422
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2012-4441
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2019-10764
PUBLISHED: 2019-11-18
In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which m...
CVE-2019-19117
PUBLISHED: 2019-11-18
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.