Cybersecurity threat vectors are paths that malefactors use to gain access to computing assets, such as devices or networks of devices, in order to acquire command and control of such assets and thereby advance nefarious objectives. Threat vectors, for instance, exploit misconfigured firewalls, unsecured wireless routers, wired modems, infected laptops located elsewhere that can access the network behind the firewall, infected USB keys, or known or unknown vulnerabilities in software running on computing assets.
Often there are a number of vulnerabilities in computing asset defenses. Given a set of vulnerabilities associated with a computing asset, a threat vector can be conceptualized as being drawn through some subset of the vulnerabilities, with the threat vector exploiting each of the vulnerabilities in the subset in a sequential ordered process. For instance, a first such vulnerability of the computing asset may be exploited to deliver a weapon. Then, a second such vulnerability may be exploited to install the weapon on the computing asset. A third such vulnerability of the computing asset may then be exploited to obtain command and control over the computing asset in order to achieve a nefarious objective. In this example, the threat vector encompasses the three vulnerabilities of the computing asset and exploits them in a sequential ordered process.
In some instances, multiple different threat vectors are applied against a computing asset in a brute force attack. That is, system vulnerabilities are discovered and exploited rapidly in a brute force manner. In other instances, a single threat vector, from among all the theoretically possible threat vectors, is implemented over a long period of time in order to obviate discovery of the breach in security of the computing asset. In any event, in modern computing assets, it is typically the case that the security of the computing asset is breached by the execution of a chain of events, and this chain of events is termed a threat vector.
In some situations, vulnerabilities that may form the basis for a threat vector are discovered through reconnaissance. Attempts are then made to exploit each of the vulnerabilities, often by firing off automated exploit attempts to see which of the vulnerabilities can be successfully exploited in order to compromise the computing asset defenses and gain access to an interior environment of the computing asset. Once access to an interior environment is reached, attempts are made to use the interior environment as a jump point, thereby creating several different chains of attack, known as fish bones. That is, the jump points are used to find more vulnerabilities deeper in the interior of the computing asset until enough of the computing asset is compromised to achieve the attacker's objective (e.g., obtain command and control of the computing asset in order to shut a process down, implement a foreign process, alter a process, destroy computer code, steal data or computer code, etc.). The successive exploitation of vulnerabilities within the computer defenses constitutes a threat vector. Associated with the threat vector are the velocity with which the attack can be carried out, the velocity with which data or computer code can be taken out (in instances where the threat vector is designed to acquire data or computer code), and the route that it takes.
To protect computing assets against threat vectors, threat vector analysis is done. Such an analysis starts by evaluating each of the possible vulnerabilities of a computing asset. For instance, in the case where the computing asset is a networked system, all the exterior systems of the networked system are evaluated, all the ports on such exterior systems are evaluated, and so forth. Then, for specific threat vectors, very specific preventive actions, known as kill chain actions, are developed. Kill chains implement specific controls or methods that break the chain of a corresponding threat vector in as many places as possible. The more places at which the chain of vulnerabilities that constitutes a threat vector is blocked, the more effective the kill chain. For higher value computing assets, kill chains are designed that break every link in the chain of vulnerabilities that constitutes a corresponding threat vector. For instance, a kill chain may put some control in place to make sure that certain events can't happen.
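The following is an added illustration, not part of the original text, of the model described above: a threat vector as an ordered chain of vulnerabilities and a kill chain as a set of controls, each blocking some of those vulnerabilities. The vulnerability identifiers, stage names and control names are constructed for the example; the function reports at how many links the chain is broken, which links no control covers, and how far an attacker would get before the first broken link.

```python
from dataclasses import dataclass

# Constructed model: a threat vector is an ordered list of Links, a kill
# chain is a list of Controls. All ids and names below are hypothetical.

@dataclass(frozen=True)
class Link:
    vuln_id: str   # hypothetical identifier of the exploited vulnerability
    stage: str     # step of the ordered process, e.g. "deliver", "install"

@dataclass(frozen=True)
class Control:
    name: str
    blocks: frozenset  # vuln_ids this control prevents from being exploited

def evaluate_kill_chain(threat_vector, controls):
    """Return (broken_links, unbroken_links, first_break_index).

    broken_links: list of (Link, [control names]) for links at least one
    control blocks; unbroken_links: links no control covers (coverage gaps);
    first_break_index: chain position where the attack is first stopped,
    or None when no control breaks the chain at all.
    """
    broken, unbroken, first_break = [], [], None
    for idx, link in enumerate(threat_vector):
        covering = [c.name for c in controls if link.vuln_id in c.blocks]
        if covering:
            broken.append((link, covering))
            if first_break is None:
                first_break = idx
        else:
            unbroken.append(link)
    return broken, unbroken, first_break

def chain_is_broken(threat_vector, controls):
    """True when at least one link of the threat vector is blocked."""
    _, _, first = evaluate_kill_chain(threat_vector, controls)
    return first is not None

def stages_reached(threat_vector, controls):
    """Stages the attacker completes before the first broken link
    (all stages when the chain is never broken)."""
    _, _, first = evaluate_kill_chain(threat_vector, controls)
    links = threat_vector if first is None else threat_vector[:first]
    return [link.stage for link in links]

# Constructed sample: the three-link threat vector from the text's example.
THREAT_VECTOR = [
    Link("VULN-A", "deliver"),
    Link("VULN-B", "install"),
    Link("VULN-C", "command-and-control"),
]

# Constructed sample kill chain: two controls, leaving the middle link open.
CONTROLS = [
    Control("network filter", frozenset({"VULN-A"})),
    Control("host IPS", frozenset({"VULN-C"})),
]

if __name__ == "__main__":
    broken, unbroken, first = evaluate_kill_chain(THREAT_VECTOR, CONTROLS)
    print(f"chain broken at {len(broken)} of {len(THREAT_VECTOR)} links; "
          f"first break at index {first}")
    for link in unbroken:
        print(f"  gap: {link.vuln_id} ({link.stage}) has no control")
```

The gap report is the part a defender acts on: for a high-value asset the goal in the text is an empty `unbroken` list, i.e. every link broken, so that no single missing or failed control leaves the chain intact.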
In the art, kill chains are preemptive. That is, they implement a safeguard strategy that prevents certain events from happening on protected computing assets. There are many types of preemptive kill chain tools. For instance, network filters can be used to filter out illegitimate traffic, such as traffic to TCP port 445 in instances where such traffic is undesirable. Network intrusion prevention systems can be used to scan embedded data of legitimate network traffic for signatures of known attacks. Network connections or packets containing recognized attacks can be dropped and only clean data delivered to the computing assets. If an attack is not recognized and stopped by the network filters or the network intrusion prevention systems and thus reaches an application running on the computing asset, then a host intrusion prevention system can be used to proactively detect attempts to exploit vulnerabilities in code to execute guarded system calls. Examples of such vulnerabilities, of which there are many, include vulnerability CVE-2009-0658 in the Adobe Acrobat Portable Document Format (PDF), documented by ADOBE on Feb. 19, 2009 and patched Mar. 10, 2009, and CVE-2009-0556 in MICROSOFT POWERPOINT, which was discovered Mar. 23, 2009 and patched on May 12, 2009. See Hutchins et al., 2011, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” Leading Issues in Information Warfare and Security Research 1, ed. Julie Ryan, Good New Digital Books, which is hereby incorporated by reference.
Further still, if the above-identified preemptive defenses are not successful, then behavior blocking can be enacted to prevent various types of threat vectors by detecting dangerous anomalies in application behavior, such as launching unrelated external executable files, tampering with the content of executable files, or discovering processes that are commanding excessive computer resources. Products that have incorporated multiple such preemptive defenses have been marketed, and include Kerio ServerFirewall, Kerio Technologies, 2005.
However, what is lacking in the art is a satisfactory method for enacting automated kill chains that include countermeasures. While the above-described safeguards are general safeguard measures to apply in order to protect against threat vectors, countermeasures specifically counter specific threats. That is, a countermeasure breaks the chain of vulnerabilities exploited by a threat vector in real time or near real time upon detection of an explicit threat associated with the threat vector. As such, countermeasures are more effective against threat vectors than safeguards. Countermeasures are not found in automated kill chains because system administrators are averse to the collateral damage often associated with automated countermeasures. For instance, consider a computing asset that is a web service used by customers. If there is an automated countermeasure system or an intrusion-prevention system in place, an intelligent attacker can actually leverage that countermeasure automation against the computing asset. For instance, the hacker can find out who all the best customers are and craft an attack that causes the countermeasure to block all the best customers from getting to the web service. This would force the system administrator to unwind the countermeasure and, in all likelihood, cause a significant loss in revenue. This example provides a simple demonstration of why defenses that fire automated countermeasures against detected threat vectors have been found to be unsatisfactory to system administrators.
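The collateral-damage problem described above can be bounded before an automated block is fired. The following is an added example, not part of the original text, of a countermeasure decision step that parses detection alerts and refuses to auto-block when the block would hit a protected client or more sources than a configured blast radius, escalating to manual review instead. The alert log lines, the protected-client list (RFC 5737 documentation addresses) and the signature name are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed alert lines in a hypothetical IDS log format.
SAMPLE_LOG = """\
ids[1]: ALERT sig=hypothetical-exploit-attempt src=198.51.100.7
ids[1]: ALERT sig=hypothetical-exploit-attempt src=198.51.100.8
ids[1]: ALERT sig=hypothetical-exploit-attempt src=203.0.113.10
ids[1]: INFO heartbeat
"""

# Hypothetical allow-list of clients the service must never block
# automatically (the "best customers" of the text's example).
PROTECTED_CLIENTS = frozenset({"203.0.113.10", "203.0.113.11"})

ALERT_RE = re.compile(r"ALERT sig=(?P<sig>\S+) src=(?P<src>\S+)")

@dataclass(frozen=True)
class Alert:
    src_ip: str
    signature: str

@dataclass(frozen=True)
class Decision:
    action: str        # "block", "review" or "none"
    targets: frozenset # source addresses the countermeasure would affect
    reason: str

def parse_alerts(log_text):
    """Extract Alert records from the constructed log format; non-alert
    lines are ignored."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(m.group("src"), m.group("sig")))
    return alerts

def decide_countermeasure(alerts, protected=PROTECTED_CLIENTS, max_blast_radius=5):
    """Decide whether an automated block is within safety bounds.

    The block is downgraded to a 'review' decision when it would hit a
    protected client or when the number of distinct sources exceeds
    max_blast_radius, so an attacker cannot turn the automation into a
    denial of service against legitimate users.
    """
    sources = frozenset(a.src_ip for a in alerts)
    if not sources:
        return Decision("none", frozenset(), "no alerts")
    hits = sources & protected
    if hits:
        return Decision("review", sources,
                        f"would block protected clients: {sorted(hits)}")
    if len(sources) > max_blast_radius:
        return Decision("review", sources,
                        f"blast radius {len(sources)} exceeds {max_blast_radius}")
    return Decision("block", sources, "automatic block within safety bounds")

def decide_from_log(log_text, **kwargs):
    """Convenience wrapper: parse the log, then decide."""
    return decide_countermeasure(parse_alerts(log_text), **kwargs)

if __name__ == "__main__":
    d = decide_from_log(SAMPLE_LOG)
    print(d.action, "->", d.reason)
```

The protected list and blast-radius threshold are the knobs an administrator tunes; the point is that the automated path only ever executes the narrow, low-collateral case, and everything else lands in the queue a human would have had to handle anyway.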
Thus, given the above background, what is needed in the art are satisfactory kill chain procedures that can launch automated kill chains that include countermeasures in response to specific threats.