The CISO’s Guide to Advanced Attackers: Breaking the Kill Chain

By Mike Rothman

In our last post in the CISO’s Guide to Advanced Attacks, you verified the alert, so it’s time to spring into action. This is what you get paid for – and to be candid your longevity in the CISO role directly correlates to your ability to contain the damage and recover from the attacks as quickly and efficiently as possible. But no pressure, right? So let’s work through the steps involved in breaking the kill chain, disrupting the attackers, taking countermeasures, and/or getting law enforcement involved.

Incident response needs to be a structured and conditioned response. Work to avoid setting policies during firefights, even though it’s not possible to model every potential threat or gain consensus on every possible countermeasure. But try to define the most likely scenarios and get everyone on board with appropriate tactics for containment and remediation. Those scenarios provide a basis for making decisions in scenarios that don’t quite match your models. Then at least you can spin why you made certain decisions in the heat of battle.

Contain the Damage

As we described in Incident Response Fundamentals, containment can be challenging because you don’t exactly know what’s going on but you need to intervene as quickly as practical. The first requirement is very clear: do not make things worse. Make sure you provide the best opportunity for your investigators (both internal and external) to isolate and study the incident. Be careful not to destroy data by turning off and/or unplugging machines without first taking appropriate forensic images.

Keeping the discussion high-level, containment typically involves two main parts:

  1. Quarantine the device: Isolate the device quickly so it doesn’t continue to perform reconnaissance, move laterally within your network, infect other devices, or progress toward completing its mission and stealing your data. You may monitor the device as you figure out exactly what you are doing but make sure it doesn’t cause any more harm.
  2. Protect critical data: One reason to quarantine the device is to ensure that it cannot continue to mine your network and possibly exfiltrate data. But you also can’t assume the compromised device you identified is the only one. So go back to the potential targets you outlined when you sized up the adversary, and take extra care to protect the critical data most interesting to your adversary.

One thing we know about advanced attackers is that they generally have multiple paths to accomplish their mission. You may have discovered one (the compromised device), but there are likely more. So be extra diligent in monitoring data access and egress points, to help disrupt the kill chain in case of multiple compromises.

Investigate and Mitigate

Your next step is to identify the attack vectors and determine appropriate remediation paths. As mentioned above you want to be sure to gather just as much information as you need to mitigate the problem (stop the bad guys) and collect it in a way that doesn’t preclude subsequent legal (or other) action at some point. For more details on malware investigation techniques, we point you again to Malware Analysis Quant for a very granular attack investigation process.

When it comes to mitigation you will set a series of discrete, achievable goals and assign resources to handle them. Just like any other project, right? But when dealing with advanced attackers you have a few remediation paths to consider:

  1. Clean: People also call this the Big Bang approach because you need to do it quickly and completely. If you leave the attacker with any foothold in your environment you will start all over again sooner rather than later. Most organizations opt for this approach – the sooner you clean your environment the better.
  2. Observe: In certain instances, such as when you are dealing with an inside job or law enforcement is involved, you may be asked not to clean all the compromised machines. But as described above, you need to take extra care to ensure you don’t suffer further losses while observing the attackers. That involves deep monitoring (likely network full packet capture and memory forensics) on traffic in and out of critical data stores – as well as tightening controls on egress filters and/or DLP gateways.
  3. Disinformation: Another less common alternative is to actively provide disinformation to adversaries. That might involve dummy bids, incorrect schematics, or files with tracking data which might help identify the attacker. This is a very advanced tactic, generally performed with the guidance of law enforcement or a very select third-party incident response firm.

Executing the Big Bang

To get rid of an advanced attacker you need to find all compromised devices. We have been talking about how to do that by searching for indicators of compromise but you cannot assume you have seen and profiled all the malware in use. Those pesky advanced attackers may be throwing 0-day attacks at you. This, again, is where threat intelligence comes in to look for patterns others have seen (though not likely your specific files). Once you have identified all the affected devices (and we mean all of them), they need to go dark at the same time. You cannot leave the adversary with an opportunity to compromise other devices or execute a contingency plan to retain a foothold while you work through your machines during cleanup. This probably entails wiping the machines down to bare metal – even if that means losing data. Given the capabilities of advanced attackers, you cannot be sure of totally eliminating the device compromise any other way.

When the affected devices are wiped and rebuilt you need to monitor them and capture egress traffic during a burn-in period to make sure you didn’t miss anything. That means scrutinizing all configuration changes for indications that the attacker is breaking back in or finding new victims, as well as looking for command and control indicators. The moment the adversary is blown out they will start working double-time to get back in. You are never done. So you need to ensure your defenses have evolved to deal with these kinds of attacks. And no – you won’t be perfect. At some point an advanced adversary will get back in – your job is to make sure they have to work for it.
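The burn-in review described above can be sketched as a small triage script. This is an added example, not code from the original post: the host names, addresses, indicator list, baseline allowlist, and the 14-day window are all constructed assumptions, and the regular-interval beacon check is one simple heuristic for spotting command and control traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# All values below are constructed for illustration; none come from the post.
BURN_IN = timedelta(days=14)  # assumed burn-in length
REBUILT = {"ws-017": datetime(2024, 3, 1, 8), "ws-042": datetime(2024, 3, 1, 8)}
C2_INDICATORS = {"203.0.113.66", "update-cdn.example.net"}  # from the investigation
BASELINE = {"wsus.corp.example", "proxy.corp.example"}  # expected for a fresh build

def is_beacon(times, min_hits=4, max_jitter=0.1):
    """True when connections recur at near-constant intervals (call-home pattern)."""
    if len(times) < min_hits:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter

def review_burn_in(flows, rebuilt=REBUILT, c2=C2_INDICATORS, baseline=BASELINE):
    """Return sorted (host, dest, reason) findings for hosts inside their burn-in window."""
    seen = defaultdict(list)
    for ts, host, dest in flows:
        start = rebuilt.get(host)
        if start is not None and start <= ts <= start + BURN_IN:
            seen[(host, dest)].append(ts)
    findings = []
    for (host, dest), times in seen.items():
        if dest in c2:
            findings.append((host, dest, "known-c2"))
        elif dest not in baseline:
            reason = "beacon" if is_beacon(times) else "new-destination"
            findings.append((host, dest, reason))
    return sorted(findings)

def sample_flows():
    """Constructed egress records: (timestamp, rebuilt host, destination)."""
    t0 = datetime(2024, 3, 2, 9)
    flows = [(t0, "ws-017", "wsus.corp.example"),
             (t0 + timedelta(minutes=5), "ws-017", "203.0.113.66"),
             (t0 + timedelta(hours=1), "ws-042", "files.example.org"),
             (t0, "srv-db1", "198.51.100.9")]  # host not in REBUILT, so ignored
    # ws-042 reaching one unknown address every 10 minutes
    flows += [(t0 + timedelta(minutes=10 * i), "ws-042", "198.51.100.23") for i in range(6)]
    return flows

if __name__ == "__main__":
    for finding in review_burn_in(sample_flows()):
        print(finding)
```

A "known-c2" finding on a rebuilt host means the cleanup missed something or the attacker is already back in; "beacon" and "new-destination" findings are leads to investigate, not verdicts.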

Advanced Attacker Complications

Incident response is hard enough. But when you factor in the reality of a well-funded, capable, and advanced attacker, things get a bit more complicated. The first realization is that many decisions relating to mitigation, remediation, and potential prosecution of perpetrators are not security’s decision. These are executive decisions – the impact could ripple throughout the organization and might involve disclosure. This is why having a team approach, involving all the important stakeholders, is so important.

But that doesn’t mean you shouldn’t offer recommendations and build a case to support your line of thinking. When deciding between cleaning the affected devices or observing the attackers, factor in the cost and probability of complete and total cleanup. Many organizations (and senior executives) prefer to clean up, but keep in mind that it is very difficult to keep an advanced attacker out forever, so you will likely be doing the same dance again sooner rather than later. If you do push for cleanup make sure you have details about what is involved, know which business operations might be disrupted, and have a realistic timeline for eradication.

Another area that is complicated by advanced attackers is disclosure. If sensitive data was lost you will likely need to make a best-effort full cleanup. It is hard to explain a decision to let attackers remain in your environment after they have stolen sensitive data. As with most security situations, the involvement of PII (Personally Identifiable Information) changes everything.

So the key issues in Breaking the Kill Chain involve figuring out how to most effectively disrupt the attackers, and then getting everyone on board with your plan. We will wrap up in the next post, by talking about how to build all these distinct functions into a repeatable program to ensure you are ready to deal with advanced attackers.
