



IT audits must consider the cyber kill chain and much more!

Sep 30, 2016 (6 min read)
Advanced Persistent Threats, Application Security, Botnets

IT Audits must mitigate real risk!


Many articles have been written regarding the cyber kill chain as it pertains to threat intelligence. By understanding the cyber kill chain we have the chance to take defensive action against an adversary.

But first we need a solid network that is 100 percent in compliance with its mandatory IT controls. We often perform IT audits on clients' enterprise networks and see less than 100 percent compliance achieved. So I want to discuss how IT controls give us the proper framework on which to build that threat intelligence.

Compliance is static and backward looking, while security is dynamic, intelligent and proactive. IT audits must always look to mitigate risk and provide as many security recommendations as possible, above and beyond pure compliance.

Notice in the cyber kill chain image below that the upper half holds the proactive (protection, detection) events of Recon, Weaponize and Deliver, while the lower half holds the reactive (response, recovery) events of Install, Command & Control and Act on Objectives.

Lockheed Martin’s Cyber Kill Chain.

Phase 1—Reconnaissance: Adversary identifies and selects a target(s).

Phase 2—Weaponize: Adversary packages an exploit into a payload designed to execute on the targeted computer/network.

Phase 3—Deliver: Adversary delivers the payload to the target system(s).

Exploit: Adversary code is executed on the target system(s).

Phase 4—Install: Adversary installs remote access software that provides a persistent presence within the targeted environment or system.

Phase 5—Command and Control: Adversary employs remote access mechanisms to establish a command and control channel with the compromised device.

Phase 6—Act on Objectives: Adversary pursues intended objectives (e.g., data exfiltration, lateral movement to other targets).

Protect and detect controls and technology

Let’s first look at Reconnaissance. To help deter recon success we need to make sure our web sites are not revealing too much about our company or its employees, and we can educate employees to limit how much they post on social media. We can also monitor IPS and firewall logs as well as sandboxing technology alerts. We might even subscribe to a domain reputation service to see if our domain names are being hijacked.

To help prevent the Weaponize phase we must have, at a minimum, the most up-to-date antivirus and dynamic threat intelligence to detect as many zero-day exploits as possible. Comodo has a product out that claims to detect a zero-day in 15 minutes to 3 hours. All the while you can view the file, but you just can’t modify or share it until it’s determined to be safe.

If we are lagging in any single area of the cyber kill chain, the exploits coming our way will likely slip through. To help mitigate a successful Delivery phase we need to have endpoint protection and educate users about the dangers of phishing email as well as of visiting unfamiliar sites and downloading multiple applications. If we fail on any of the above we will likely suffer an Exploit. But remember an Exploit is the midpoint in the chain; the attacker still needs to complete three more phases to succeed. So we get six chances to stop the exploit.

Response and recovery controls and technology

To help mitigate the Install phase we need to prevent the running of unknown files and turn off autorun; whitelisting is also a good solution here. Whitelisting says we only let approved software run, and any new executable needs to be approved before it is added to the whitelist. We have been using blacklisting for many years; this method says block all the bad stuff we know of and let everything else run. The problem is there is simply too much bad stuff in the wild, including zero-day exploits that we can’t always detect.

A response is necessary for the Command and Control phase; sandboxing technologies like FireEye and Fortinet can often detect botnet command-and-control callbacks leaving your network and automatically stop them.

To mitigate the Act on Objectives/Data Exfiltration phase we must have some means of responding to unauthorized data flows. This is easier said than done. Data loss prevention (DLP) technologies are maturing and can be helpful here. Many email appliances can even be configured to alert and quarantine email when Social Security numbers or credit card numbers are detected in plain, unencrypted emails.
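One way such a DLP email rule can work, shown here as an added example that is not from the article or from any vendor's product: a small Python scanner over constructed sample messages that flags SSN-formatted values and Luhn-valid card numbers in unencrypted mail and returns an allow/quarantine decision. The message dictionary layout and its `encrypted` flag are assumptions made for this example.

```python
import re

# Constructed sample messages (not from the original article). The
# 'encrypted' flag is an assumed gateway attribute for the example.
SAMPLE_EMAILS = [
    {"id": 1, "encrypted": False, "body": "Hi, my SSN is 123-45-6789 for the W-2."},
    {"id": 2, "encrypted": False, "body": "Card on file: 4111 1111 1111 1111, exp 12/28."},
    {"id": 3, "encrypted": False, "body": "Tracking number 4111 1111 1111 1112 shipped today."},
    {"id": 4, "encrypted": True,  "body": "Card on file: 4111 1111 1111 1111."},
    {"id": 5, "encrypted": False, "body": "Lunch at noon? Room 4512."},
]

# SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(body: str) -> list:
    """Return the kinds of sensitive values found in a message body."""
    hits = ["ssn" for _ in SSN_RE.finditer(body)]
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        # The Luhn check filters out tracking/order numbers that merely look like cards.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("card")
    return hits


def decide(msg: dict) -> str:
    """'quarantine' plaintext mail carrying an SSN or card number, else 'allow'."""
    if msg["encrypted"]:
        return "allow"
    return "quarantine" if find_sensitive(msg["body"]) else "allow"


if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        print(msg["id"], decide(msg), find_sensitive(msg["body"]))
```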

As for email or VPN encryption, if an attacker compromises your network they will use that encryption to hide their presence. Unfortunately, any technology we apply to combat attackers can often be used against us. Ransomware is an example: encryption is used by attackers to lock our own files away from us, and it’s the attacker that has the key, not us.

For other data types such as financials or other company confidential data, we need to look at the application and ensure it’s in a segmented network. This prevents lateral movement by attackers should they get on your network, provided the compromise is not of the financial network segment itself. This is another audit area that is often overlooked. You can’t protect data if you don’t know every place it resides, so we often ask for network diagrams and data flow diagrams as part of a good IT controls audit. Remember HIPAA is a law, not a compliance framework; you must rely on NIST to accomplish real HIPAA compliance.

Finally if something happens you need to have a solid and tested incident response plan and team in place. I was just at ISC2 security congress in Orlando and saw an excellent presentation on live incident response testing with dynamic and challenging scenarios that management and IT staff worked on.

These live test scenarios were much more real and revealing than the standard tabletop exercises; they were as close to the real thing as possible. They took lots of time to plan, but in the end the executive leadership favored them when they saw just how much everyone learned.

While an IT audit does not specifically address the cyber kill chain, a comprehensive IT audit done right looks at real-world threats, assets and vulnerabilities. It considers APTs, zero-day exploits and the cyber kill chain. Why do an IT audit in a silo, one that does not consider real-world consequences? In the end, if we are ever to win in securing our critical data from global hackers, we must score 100 percent on compliance audits, then add security and data analytics to reveal indicators of compromise. The cyber kill chain is just one more tool that helps us detect an adversary attempting to take advantage of our company and, in the end, our country!


A senior security and compliance specialist, George Grachis has over 25 years’ experience in the tech sector. Some of his experience includes over a decade supporting the Space Shuttle program for Computer Sciences Corporation & Grumman Aerospace, security management for CFE Federal Credit Union, IT auditing & consulting for Deloitte and serving as Chief Security Officer for Satcom Direct.

George holds both the CISSP and CISA certifications. George received the ISSA Fellow designation in 2016 and is currently an active senior board member of ISSA. George has been interviewed by WFTV ABC TV and Fortune Magazine. When not working he enjoys spending time with family & friends, Big Brothers Big Sisters, playing the drums, motorcycling, fitness, and writing articles for his blog, Virtual CISO.

The opinions expressed in this blog are those of George Grachis and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.