See All Posts

Credential Dumping

Attack Paths and Kill Chains – AttackIQ Contributions to the Verizon 2019 DBIR Report

Published June 17, 2019

AttackIQ Contributions “The Verizon Data Breach Investigations Report (DBIR) provides you with crucial perspectives on threats that organizations like yours face. The 12th DBIR is built on real-world data from 41,686 security incidents and 2,013 data breaches provided by 73 data sources, both public and private entities, spanning 86… Read More

AttackIQ Contributions

“The Verizon Data Breach Investigations Report (DBIR) provides you with crucial perspectives on threats that organizations like yours face. The 12th DBIR is built on real-world data from 41,686 security incidents and 2,013 data breaches provided by 73 data sources, both public and private entities, spanning 86 countries worldwide.” – Source: Verizon 2019 Data Breach Investigations Report

AttackIQ is proud to be a continued contributor and supporter of this year’s report. The DBIR report is based on a data-driven methodology of data collection from 41,686 security incidents — of which 2,013 were confirmed data breaches — as well as industry experts like AttackIQ to deduct commonalities and classification patterns so that organizations can use this intelligence to drive a more strategic, resilient security program.

For the second year in a row, AttackIQ’s observations and analytics have provided the Verizon DBIR team a redacted dataset from our cloud analytics to help find common patterns and observations from emulated attack behavior. Last year, we contributed to a section of the Verizon 2018 Data Breach Investigations Report called “Beaten paths,” where we provided redacted data on what phase in the attack chain most security controls stop the attacker. This year our contributions were again related to attacker paths, but this year the section is called “Unbroken chains,” related to observations of attack paths and event chaining. This is a relatively new section in the DBIR report, and new support has been added to the Verizon VERIS schema that now helps describe this behavior. For those of you not familiar with Verizon VERIS: The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner.

Observations and Commentary

1. Verizon 2019 Data Breach Investigations Report Observation:

Decide where you want to focus your kill shots within the kill chain and attack path: start, middle or end. (Discussed on Pages 20 and 21, Figures 29 and 30)

AttackIQ Commentary: The most efficient and effective security program is the one where the security budget balances the risk to the business. Business risk is tied directly to the assets you are trying to protect from attackers. To best mitigate the impact of an attacker, pick where in the kill chain you want to focus your security investments to meet the attacker within the attack path. Decide if it is more beneficial to mitigate the first actions, the ending actions, or something in the middle.  All that matters, in the end, is minimizing the impact, and that the overall attack path fails.

2. Verizon 2019 Data Breach Investigations Report Observation:

Make the attack path for an attacker long and expensive (Discussed on Pages 16-22, Figures 29 and 34)

AttackIQ Commentary: The discussion of increasing the attacker cost both from a monetary perspective as well as time perspective has been talked about for decades e.g. Dr. Dobbs Journal – Attack Trees, Bruce Schneier. Longer attack paths are less appealing to the attacker and more likely to fail. If you can make the attacker take more actions (even if they have a moderate or good chance of succeeding), you strengthen the probability of your defenses succeeding. This is true of your ability to prevent, detect, or respond to an alert and/or remediate an incident. As you look at building out your security program, whether you look at the Cyber Kill Chain® or the MITRE ATT&CK Framework, the more effective defenses you have for each phase of an attack from Persistence to Impact (MITRE ATT&CK), the more steps an attacker has to go through to reach their intended goal, the more mistakes they can make, and the more likely your defenses will thwart their efforts. Remember, sophisticated attackers run like a business and have deadlines, where the inability to meet deadlines can cause stress and mistakes. As a defender, exploit that fact.

3. Verizon 2019 Data Breach Investigations Report Observation:

Use what you already know, to determine attack phases you should expect. (Discussed on Page 22, Figures 31 to 33)

AttackIQ Commentary: Within your security program, you have your known threats and your unknown threats. For known threats, you have hopefully put in the appropriate and relevant controls, but what do you do about your unknown threats? How can you forecast what those might be? Part of that answer comes from deducting what phases of an attack you have seen and looking at the probability of phases that are related to those phases. As an example, if you have credential dumping malware on a corporate user’s system, there is a high probability that the malware in question originating from a successful phishing attack. Phishing rarely ends an attack.  You can then discuss with your team the probability that the attack started with phishing, then led to the downloading of malware that dumped credentials. Referencing either the Lockheed Martin Cyber Kill Chain® or the MITRE ATT&CK Framework, you can start to predict the probability of other actions you aren’t seeing in your environment that are most likely occurring or have occurred and put in controls that cover those specific phases. There is a great presentation by Andy Applebaum from MITRE, titled “Finding Related ATT&CK Techniques” that I highly recommend checking out for more on this subject.

Conclusion

The data we contributed to the Verizon DBIR team and Verizon 2019 Data Breach Investigations Report resulted in three main observations:

  1. Decide where you want to focus your kill shots within the kill chain and attack path: start, middle or end. (All that matters, in the end, is that the attack path fails.)
  2. Make the attack path for an attacker long and expensive.
  3. Use what you already know, to determine attack phases you should expect.

We hope our contributions, Verizon’s observations, and our commentary helps you review your security investments and capabilities with the goal being to build a more resilient cyber defense and mature security program. If you have any questions, please feel to reach out to our team at [email protected].

Additional thank you to AttackIQ team members who helped provide input: Albert Lopez, Keith Wilson, and Andrea Swaney.

TAGS:

Collection , Credential Dumping , Google , Impact , Persistence , Security Controls

About the Author

  • Stephan Chenette
    Stephan Chenette
    Stephan Chenette, Co-Founder & CTO, AttackIQ, is a 20 year veteran of information security, servicing clients ranging from startups to multinational corporations as a pentester, security and risk consultant, solutions architect and head of research and development. He has presented at numerous conferences including RSA, Blackhat, ToorCon, BSides, CanSecWest, RECon, AusCERT, SecTor, SOURCE and PacSec. Learn More