Exploit Mitigation Kill Chain

28 Apr 2013

tl;dr: Click on the diagram below to see the defenses involved in a content exploit.

The Lockheed Martin Cyber Kill Chain paper ("Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains") is often referenced in the cyber (i.e. US gov infosec) community, and its main purpose is to advocate sharing IOCs (Indicators of Compromise) through a continuous feedback loop that makes life more difficult for attackers by outing their TTPs (Tactics, Techniques, and Procedures). The concept is that it is very costly to completely recreate every aspect of an operation, so some parts will always be re-used in new attacks. These may be the IPs, exploits, malware, or some aspect of the malware (packer, mutexes, etc.). If you can detect various aspects of an attack, then detecting only one aspect of a new attack in the future allows you to deny that new attack in its entirety. This motivates the idea of moving the asymmetry in cyber from the attacker (usually viewed as only needing to win once) to the defender, who only needs to detect one aspect of an attack to win.
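To make the feedback-loop argument concrete, here is a small added illustration (my own example, not from the original post or the Lockheed Martin paper). It harvests indicators from one confirmed intrusion, then screens later activity: a campaign is flagged as soon as any single indicator matches, even if every other aspect was refreshed. The events, IPs, hashes, mutex and domain names are all constructed sample data.

```python
"""IOC feedback loop sketch: indicators from a confirmed intrusion are fed
back into detection so that reuse of any one of them in a later campaign
flags that whole campaign. Added illustration; all data is constructed."""

from dataclasses import dataclass, field

# Indicator types an event can carry. The kill-chain argument is that an
# attacker rarely refreshes all of these at once between campaigns.
IOC_FIELDS = ("src_ip", "sha256", "mutex", "domain")


@dataclass
class IocFeed:
    known: dict = field(default_factory=lambda: {f: set() for f in IOC_FIELDS})

    def learn(self, events):
        """Harvest every indicator seen in a confirmed intrusion into the feed."""
        for e in events:
            for f in IOC_FIELDS:
                v = e.get(f)
                if v:
                    self.known[f].add(v.lower())

    def match(self, event):
        """Return the (field, value) pairs of this event that hit the feed."""
        return [
            (f, event[f].lower())
            for f in IOC_FIELDS
            if event.get(f) and event[f].lower() in self.known[f]
        ]


def triage(feed, events):
    """Group events by campaign; a single IOC hit condemns the whole campaign.

    Returns {campaign_id: [(event_id, field, value), ...]}; an empty list
    means no known indicator was reused.
    """
    campaigns = {}
    for e in events:
        campaigns.setdefault(e["campaign"], []).append(e)
    return {
        cid: [(e["id"], f, v) for e in evs for f, v in feed.match(e)]
        for cid, evs in campaigns.items()
    }


def campaigns_to_block(verdict):
    """Campaign ids with at least one indicator hit, sorted for stable output."""
    return sorted(cid for cid, hits in verdict.items() if hits)


# Constructed sample data: campaign A is a confirmed intrusion. Campaign B
# later reuses only the mutex name (new IP, new domain, new binary hash);
# campaign C shares nothing with A.
CONFIRMED_INTRUSION = [
    {"id": 1, "campaign": "A", "src_ip": "198.51.100.7", "domain": "update-check.example"},
    {"id": 2, "campaign": "A", "sha256": "a" * 64, "mutex": "Global\\svcmon_2013"},
]

NEW_TRAFFIC = [
    {"id": 10, "campaign": "B", "src_ip": "203.0.113.44", "domain": "cdn-assets.example"},
    {"id": 11, "campaign": "B", "sha256": "b" * 64, "mutex": "Global\\svcmon_2013"},
    {"id": 20, "campaign": "C", "src_ip": "192.0.2.9", "sha256": "c" * 64},
]


def demo():
    feed = IocFeed()
    feed.learn(CONFIRMED_INTRUSION)
    return triage(feed, NEW_TRAFFIC)


if __name__ == "__main__":
    verdict = demo()
    for cid, hits in verdict.items():
        print(cid, "BLOCK" if hits else "allow", hits)
    print("blocked campaigns:", campaigns_to_block(verdict))
```

The interesting part is campaign B: three of its four indicators are fresh, but the one reused mutex name is enough to deny it. In practice the feed would be populated from shared IOC reports rather than a hard-coded list, and the matching would run over proxy, DNS and endpoint telemetry, but the logic is the same.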

Although I will not be discussing IOCs here, I would like to discuss the "kill chain" of content exploits, which are the exploits contained within PDF files, web pages, and Office documents. Many defenses exist to deny and disrupt the various phases of such an attack, and I've tried to diagram them. This is a lot to cover, and there are exceptions depending on the type of software used in the defense, the exploit, and other variables. I also sacrificed some clarity for brevity. Sorry.

My attack scenario involves convincing a Windows user to open a content file (.pdf, .doc) or browse to a site (Java, Flash, or browser exploit) such that Adobe Reader, Microsoft Office, Google Chrome, Mozilla Firefox, or Microsoft Internet Explorer is exploited. All of these (with the exception of Firefox) now run within a sandbox implemented using Windows integrity levels.

Trying to understand where in the kill chain a security product sits can be confusing. Although defense in depth is important, you probably don't need two products that protect at the same level. Most security vendors should be able to point to a place near the top or bottom of the chain where their product sits: either denying the malicious content from reaching the user in the first place (the top), or denying what the attack is able to accomplish once it obtains code execution (the bottom). This is only one attack scenario, so some security products are more focused on other types of attacks.

Red circles are actions the attacker can take, blue are "accomplishments" he has achieved, and green are the defenses that may exist. The attack moves from top to bottom.

PDF version: exploit_mitigation_kill_chain.pdf

For a copy of the Visio file or for corrections, enhancements, etc. contact me at 0xdabbad00 on gmail and twitter.