Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/12/2013
01:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack

A rare inside look at how the defense contractor repelled an attack using its homegrown 'Cyber Kill Chain' framework

A few months after RSA had rocked the security world with news that it had been breached and its SecurID database exposed in a sophisticated attack, defense contractor Lockheed Martin discovered an intruder in its network using legitimate credentials.

"We almost missed it," says Steve Adegbite, director of cybersecurity for Lockheed Martin, of the intrusion sometime around May or early June 2011. "We thought at first it was a new person in the department ... but then it became really interesting."

The poser was using valid credentials of one of Lockheed's business partners, including the user's SecurID token. Adegbite says it soon became obvious that this user wasn't performing his or her normal operations. "They tripped a lot of alarms," he says. "They were trying to pull data in stages," and the attacker was going after data unrelated to the user's work he or she was impersonating, he says.

So Lockheed launched its homegrown Cyber Kill Chain framework, a process that basically tracks an intruder's movements and throws barriers in the way of each attempt to siphon data out of the network. Adegbite detailed this multimillion-dollar framework for stopping advanced persistent threat (APT) attackers last week at the Kaspersky Security Analyst Summit in San Juan, Puerto Rico. The Kill Chain aims to stop the attackers who get inside from taking anything with them on the way out.

Adegbite says the bad guys came up empty-handed in this post-RSA SecurID attack. "No information was lost. If not for this framework [Kill Chain], we would have had issues," Adegbite says. Lockheed's data leakage prevention system, which is one layer of the Kill Chain, also denies even authenticated users access to information if they don't have a valid reason to access it, he notes.

[Worries still linger of future attacks, but experts hope the event shook industry out of black-and-white security mentality. See Gauging The Long-Term Effects Of RSA's Breach. ]

The key to the Kill Chain framework is intelligence-driven defense. "We look at what they are trying to do and focus on whatever their objectives are ... and cut off their objectives," he says. "I can still defend the doors, but I'm not going to sit there and put all my efforts there."

Lockheed's network is huge: There are more than 3 million IP addresses and 123,000 employees across 570 locations in 60 countries, and it's obviously a juicy target for cyberespionage attacks. "We have had a lot of adversaries showing up at our door with a lot of resources. So we had to go from a SOC [security operations center] to become a security intelligence center," he says.

"It can be a canary in a coal mine when things are going wrong in the network," Adegbite says. "Or you can use it to justify investments in the network."

It's a battle of wits: Lockheed uses tools, analytics, and manpower to think like the attacker and to observe his movements. "An attacker only has one time to be right to get that information out of the network," Adegbite says.

These attackers typically operate in a half-dozen steps: reconnaissance, weaponization, delivery, exploitation, installation of malware, and command and control of the infected machine or machines, he says. "The goal of the Kill Chain is to make sure they don't get to step 7 and exfiltrate," he says.

Most of these targeted attacks are not isolated, of course: They are typically waged in campaigns, he says. "If you see them all in a comprehensive way, that helps," Adegbite says. "These guys are human: They take off holidays. You can use that information -- that human intelligence" in the Kill Chain, as well, he says. Certain groups operate during certain times of year, for instance, so Lockheed can plan its defense resources accordingly, based on that type of intelligence.

And Lockheed flexed its procurement muscle to get security vendors on board to enhance their products for the Kill Chain requirements, according to Adegbite.

But the Cyber Kill Chain framework isn't for everyone. "We have a multimillion-dollar investment in this technology. It's only if you have the profile for an APT" type attack, he says.

Lockheed suffered at least one other attempted attack around the same time, in the wake of the big RSA hack. Some security experts attributed that one to the fallout from RSA's SecurID breach. RSA later offered replacement SecurID tokens to its customers as a precaution, but Lockheed never confirmed that it was a result of the RSA breach, according to Adegbite.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SLovellSecureGuy
50%
50%
SLovellSecureGuy,
User Rank: Apprentice
9/26/2013 | 6:57:01 PM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
Verdasys Managed Service for Cyber Kill Chain Model : https://www.verdasys.com/solut...
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
2/14/2013 | 5:09:46 AM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
I'm curious about whether other organizations can make use of the Kill Chain concept. How big/deep-pocketed do you have to be to make this work?
--Tim Wilson, editor, Dark Reading
mikk0j
50%
50%
mikk0j,
User Rank: Apprentice
2/13/2013 | 1:17:46 PM
re: How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack
Well, the only reason why Lockheed-Martin succeed on the task among its one of the primary contractor for USG is that they knew their tactical depth well enough. They knew what should be in place and what should not be, they had adequate amount of resources (human) to work with the incident and most of all - whilst there is outsourcing companions, LMCO maneuvered their security REALLY by themselves.

However, the story lack a few details. The adversary whom was on the move to obtain data - was not really making counterin movements against LMCOs tasks to blockade their effort. The adversary part kept doing the business as normal and moved along the their pre-selected path. Mistake.

Why did not adversary burned a house to verify what countermeasures are against them? Why did they sacrifice the pear tree, instead of rotten plum tree and then pushed dormant mode on?

Time and speed are equally important, not the same.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.