Cognitive Cybersecurity Approach
I think the writer has brought up some valid points. I do agree that Cybersecurity in comparison is still stuck in the stone ages. Cyber Kill Chain sounds like something from military (i.e. Lockheed Martin was developed by ex. military consulting companies, thus the term). My whole point is if we continue to go down this path, without making radical disruptive changes, then we will continue to be violated at every level.
This is what I propose (since the gentleman stated earlier in the posts that we should provide solutions).
→ Continue to use hardening tools on various compute, network, and disk systems and subsystems (hold the vendor to the fire if their systems do not meet a set of hardened policy rules or give the user the ability to do it themselves using internal tools)
→ Change the IPv4 to a pure IPv6 addressing scheme with the ability to convert IPv4 packets (IPv6 uses ESP/AH - Encapsulated Security Payloads/Authenticated Headers, found in the protocol using TRILL/SPB and IPv6 IPSec AES256 ESP/AH VPN connections (IPv6 address range - trillion addresses /64)). Companies have not totally moved to IPv6; they don't realize the security implications this protocol provides (go to the SANS Institute and look up "IPv6 Security Capabilities").
→ Replace the existing firewall with a next generation firewall that has the ability to take command responses from your SIEM device and other devices on the network like switches/routers (i.e. Intelligence gained from triggers captured on the network).
→ Introduce cognitive tools from various companies like IBM (Watson Cybersecurity) and Extreme Networks (Netsight Atlas). These tools give you the ability to process data at lightning speeds without human intervention (IPS - Intrusion Prevention System - helps admins to thwart/remediate attacks, but it is limited in its ability to determine if the attempt is valid or nefarious). The firewalls should also be able to block countries and limit the amount of traffic; if you don't do business with a certain part of the world and you are constantly being pinged, then enable that feature (e.g. Palo Alto, Sophos, even Snort provides that capability).
→ Introduce cognitive cyber-security tools from various companies like IBM (Watson Cybersecurity) and Extreme Networks (Netsight Atlas). These tools give you the ability to process data at lightning speeds without human intervention. There needs to be a way for the systems to learn and make decisions even if we are not present; I think that is lacking in our overall cyber defense scheme.
→ Design applications using a CMMI and ESDLC (Enterprise Software Development Lifecycle) development model. Take the application through a battery of tests before introducing it on the network. Look at the model Google is using; they have identified numerous holes in applications by following techniques to hack into the system after it has been set up and deployed (they will provide a workflow mechanism to test the application to see if there are any inherent flaws; please visit YouTube and look up "Google's Project Zero" or review their bug list - "Project Zero Buglist").
→ Separate job duties from a network, security, and server perspective (we have not abided by that notion in a long time, we have started mixing job roles to save money)
→ Windows - when applications are installed, they open ports; why not limit the number of ports that are opened from an application perspective? The vendor should give us that ability to limit the attack vector/surface (going back to the vendor sentiment above) by reducing the number of ports (the smaller the attack surface, the harder it is to determine which method of attack should be used; deep relationships with vendors are needed).
→ Linux - SELinux (heightened security levels), Fail2ban (dynamic ACL list), chkrootkit (rootkit) are some tools that can be used to really harden down an OS. The Chinese are working with their own government to create a hardened OS where that OS is being used by all vendors (i.e. cars, refrigerators, printers, etc). That gives the manufacturer the information they need to make changes and apply updates when they see a problem
→ Remove total dependence on the end-user, make suggestions and provide insight on the screen (help them to make the right decision) if they choose a lower security option (make them accountable for their actions) and if they are hacked, there is an immutable file that provides information about their selection, good or not
→ Storage Perspective - yes, we can encrypt the disks, encrypt the path to the disks (IPv6 IPSec tunnels) and encrypt the data on the other side. But once the data gets to the receiver, how do you determine if that person (not impersonating someone) is the right person who should receive that information? There is a thing in IPv6 called Authenticating Headers (AH); this provides the authentication and integrity that the user is looking for. I do recommend using AES 256 encryption on the storage device with rotating keys, but the source and endpoint have to be verified and identified through this "chain" of communication.
→ Employ the services of external third-party companies like "Akamai" to help thwart the attack before it turns into a DDoS attack. 1st, monitor your communication from a global perspective similar to this; 2nd, identify connections that are not part of your normal traffic, especially to known ports like 22, 23, 69, 3389 and remote ports, especially from outside the US (identify the attack and threat), and validate if the communication is indeed valid; 3rd, capture information from a historical perspective to help identify events that are perceived to be an anomaly (there should be a blacklist, for lack of a better word, where the DNS/IP addresses of those they identify as known hackers are captured and provided to companies).
→ Optional - we need to start looking at using Quantum computing in the cyber landscape, this is happening in the not so distant future, please go online and review "China's Net Quantum Satellite"
While there are interesting points about the "Cyber Kill Chain", I do agree that it is not comprehensive enough to address the areas needed such as identity management, application validation, IP obfuscation, multipath routing using r-bridges as a way to re-route traffic using internal routing policies, storage integration with authorized servers and encrypted storage systems, social attacks, etc.
I think he brought up some good points, because if we don't take heed of what he is saying, then we could be on the next page of a cyber attack (thank you for presenting this blog).
User Rank: Ninja
7/8/2019 | 6:49:09 PM
Besides, the Cyber Kill Chain (I think it is flawed), but that is part of another conversation.
CKC - Cyber Kill Chain
CKC Mapped to Attack
I have also included an application for your review; it is provided for free by MITRE (the mapping of Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration and Command & Control has been mapped to the elements of APTs/TTPs; each element is under subject headers, and you can see it work online using the application from MITRE, please see below):
Todd
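As an added illustration of the three-step monitoring idea in the "Akamai" item of the post above (watch traffic, flag connections to ports like 22, 23, 69 and 3389 from outside the US, compare against history), here is example detection code that is not part of Todd's post or any vendor product; the CIDR-to-country table, the flow-record format and the blocklist entry are constructed assumptions standing in for a real GeoIP feed and real logs.

```python
import ipaddress

# Constructed stand-in for a GeoIP feed (assumption): source CIDR -> country code.
GEO = {"203.0.113.0/24": "US", "198.51.100.0/24": "DE", "192.0.2.0/24": "RU"}
SENSITIVE_PORTS = {22, 23, 69, 3389}       # the "known ports" named in the post
ALLOWED_COUNTRIES = {"US"}                 # where the business expects traffic from
BLOCKLIST = {"192.0.2.77"}                 # constructed: a previously confirmed hostile source

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEO.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return "??"                            # unknown origin is itself worth noting

def parse(line):
    # Constructed flow-record format: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}

def build_baseline(history_lines):
    # Step 3 of the post: (source, destination port) pairs seen historically count as normal.
    return {(f["src"], f["port"]) for f in map(parse, history_lines)}

def classify(flow, baseline):
    # Step 2 of the post: reasons a flow deviates from expected traffic; empty means normal.
    reasons = []
    if flow["src"] in BLOCKLIST:
        reasons.append("blocklisted source")
    cc = country_of(flow["src"])
    if flow["port"] in SENSITIVE_PORTS and cc not in ALLOWED_COUNTRIES:
        reasons.append(f"sensitive port {flow['port']} from {cc}")
    if (flow["src"], flow["port"]) not in baseline:
        reasons.append("not in historical baseline")
    return reasons

def triage(history_lines, new_lines):
    baseline = build_baseline(history_lines)
    alerts = []
    for f in map(parse, new_lines):
        if reasons := classify(f, baseline):
            alerts.append((f["src"], f["port"], reasons))
    return alerts

HISTORY = ["2019-07-08T18:00:00Z 203.0.113.10 10.0.0.5 443 tcp",   # constructed sample
           "2019-07-08T18:01:00Z 203.0.113.10 10.0.0.5 22 tcp"]    # records, not real traffic
NEW = ["2019-07-08T18:40:00Z 203.0.113.10 10.0.0.5 443 tcp",       # seen before, US
       "2019-07-08T18:41:00Z 198.51.100.9 10.0.0.5 3389 tcp",      # RDP from DE, never seen
       "2019-07-08T18:42:00Z 192.0.2.77 10.0.0.5 23 tcp"]          # telnet from blocklisted host
print(triage(HISTORY, NEW))
```

Each alert carries every reason that fired, so an analyst can validate the connection (the post's "validate if the communication is indeed valid") rather than blocking on a single signal.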