A new article by Stan Engelbrecht, Director of D3’s Cyber Security Practice, is currently featured on SecurityWeek. Emerging technology is enabling incident response tools—including SOAR platforms like D3—to go beyond individual alerts and address complex attacks holistically. This welcome change requires security teams to take a “kill chain perspective” when analyzing alerts and security data, placing each data point in the context of a multi-stage timeline. In his new article, Stan explains why the kill chain is a key weapon in the fight against sophisticated adversaries.
In this excerpt, Stan uses the CARBANAK bank heists to illustrate how an advanced attack is likely to reflect the structure of a kill chain rather than a single discrete event:
For a great example of how a serious cyber attack is usually not a single event, but a series of steps towards a goal, we can take a quick detour to examine a prominent recent example of cyber crime: the bank heists by the FIN7 criminal organization using the CARBANAK backdoor.
This highly lucrative series of thefts were not simply a matter of gaining access to a bank’s network and extracting funds from ATMs. They were lengthy operations that sometimes lasted for multiple months. One 2018 attack against a European bank involved spear-phishing, vulnerability scanning, domain controller compromise, Cobalt Strike Beacon, host compromise, remote access, exfiltration to command servers, and more.
Throughout all these actions, the attackers expertly kept a low profile, making detection extremely difficult. They carried out most of their activities during business hours, so as to blend in with normal activity. But certain activities, such as data exfiltration, were done in the evenings and on weekends, and limited to short sessions to avoid traffic spikes that might be noticed by bank employees.
This article can be found in its entirety on SecurityWeek.
To learn more about how D3 has brought a kill chain perspective to its SOAR platform by embedding the entire MITRE ATT&CK matrix, read our whitepaper.