Identifying the Cyber Kill Chain

When a cyberattack takes place, the defending side detects very few indications, some of which are random. The difficulty is connecting these indications into a single, consistent context. A special interview with the VP of SecBI, a company established to solve this specific problem


One of the main challenges in today's cybersecurity market is identifying the cyber kill chain of an attack against the organization as quickly and as completely as possible. In many cases, when a cyberattack takes place, the defending side detects very few indications, some of which are random. The difficulty is connecting the individual indications into a single, consistent context. Such a context can provide a status picture that leads to the conclusion that the organization is actually under attack, or at the very least that the organization has sustained an attack. The founders of SecBI established the company in order to provide a solution to this specific need.

Originally, the founders of SecBI established the company to provide a support tool for analysts at SIEM/SOCs (Security Information & Event Management / Security Operations Centers). The tool the company developed groups alerts into clusters according to a common context. In this way, for each suspected attack, the analyst has one cluster that gathers all of the alerts associated with that attack or event. Such a solution shortens the investigation of an attack against the organization and enables the SIEM/SOC to operate effectively with a smaller workforce.

Identifying Reduced-Signature Attacks

"We take the information associated with the organizational sensors and work with or without a SIM, to assemble a complete picture of the attack at each and every stage. If we identified the attack, the information would be transferred to the analysts as well as to the response systems," explains Doron Davidson, SecBI's Co-Founder and VP Business Development. "In the event that the information already out is not enough to indicate an attack, we will provide the organization's people with an investigation system. The system searches for similar behavior patterns in events within the organization, based on information associated with the communication of the servers or the employees who communicate with external sources, or the various sensors deployed in the web. In the event that a context becomes available from external intelligence, we will be able to link the findings to a known attack and attach a set of possible responses to the results."

Davidson explains that some reduced-signature attacks cannot be identified in any other way. These are highly sophisticated attacks in which the compromised host sends very little traffic, only once every few days and at irregular intervals, to a command server on the internet that looks legitimate. In order to spot such attacks, the defending side should monitor for repetitive behavior patterns.
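To make the two ideas above concrete, grouping events into clusters by a shared context and then looking for repetitive, low-volume contact with a single outside server spread over several days, here is an added example in Python; it is not SecBI's code or code from the article, and the log format, sample lines, destination names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample of outbound connection log lines (not taken from the article):
# "<ISO timestamp> <source host> <destination> <bytes sent>"
SAMPLE_LOGS = """\
2019-03-01T09:12:05 ws-17 updates.example-cdn.test 48210
2019-03-01T09:13:40 ws-17 updates.example-cdn.test 51920
2019-03-01T22:41:17 ws-17 files.example-host.test 612
2019-03-02T10:05:33 ws-04 updates.example-cdn.test 47012
2019-03-04T03:18:50 ws-17 files.example-host.test 598
2019-03-06T17:55:02 ws-17 files.example-host.test 655
2019-03-09T01:27:44 ws-17 files.example-host.test 603
"""

def parse_logs(text):
    """Parse the constructed log format into (timestamp, host, destination, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return sorted(events)

def cluster_by_destination(events):
    """Group events by a shared context; here the external destination is the key."""
    clusters = defaultdict(list)
    for ev in events:
        clusters[ev[2]].append(ev)
    return dict(clusters)

def low_and_slow_clusters(clusters, min_days=3, max_per_day=1.0, max_avg_bytes=4096):
    """Flag destinations contacted on several distinct days, but rarely and with tiny payloads."""
    # Thresholds are illustrative assumptions, not values from the article.
    flagged = {}
    for dst, evs in clusters.items():
        days = {ev[0].date() for ev in evs}
        per_day = len(evs) / len(days)
        avg_bytes = mean(ev[3] for ev in evs)
        if len(days) >= min_days and per_day <= max_per_day and avg_bytes <= max_avg_bytes:
            # Gaps between contacts in days: irregular spacing is part of the described pattern
            gaps = [round((b[0] - a[0]).total_seconds() / 86400, 1) for a, b in zip(evs, evs[1:])]
            flagged[dst] = {"hosts": sorted({ev[1] for ev in evs}), "days": len(days),
                            "avg_bytes": round(avg_bytes), "gap_days": gaps}
    return flagged

if __name__ == "__main__":
    for dst, info in low_and_slow_clusters(cluster_by_destination(parse_logs(SAMPLE_LOGS))).items():
        print(dst, info)
```

The busy, high-volume CDN destination stays unflagged, while the destination touched once every two to three days with a few hundred bytes each time surfaces as one cluster with its hosts, active days and contact gaps, which is the kind of context an analyst would otherwise have to assemble by hand.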

"In addition to reduced-signature attacks, the system can provide an attack picture for attacks of which the organization is aware, but can only see a portion of the attack kill chain," explains Davidson. "This saves a significant amount of time for a novice analyst. Expert analysts with extensive experience may find the attacks faster, but in most cases, cyber SOCs do not have many such analysts. Another aspect of the system is automation. The system enables the execution of common tasks automatically, thereby minimizing the need to enter inquiries again and again."

Another question that arose during our interview with Davidson was whether EDR (Endpoint Detection & Response) systems, which provide a detection-response-investigation cycle, minimize the need for analytical solutions for cyber SOCs by providing automatic protection. According to Davidson, although these are, admittedly, cutting-edge systems, they can only perform a part of the analytical tasks. "We can perform network traffic analytics based on the logs of both directions, incoming and outgoing traffic. This information becomes a part of the information associated with the investigation of the event along with events from all of the organizational sensors. In this way, we can provide a picture that is broader than the picture an EDR system, operating on its own, can provide."

Cooperation with Palo Alto Networks

SecBI has recently announced a partnership with Palo Alto Networks around that company's app library, which makes it easier to provide Palo Alto clients with additional security capabilities promptly and efficiently. The app library extends the capabilities of Palo Alto's Security Operating Platform through a set of APIs (Application Programming Interfaces) that developers can use to connect new apps to the platform's data, threat information and enforcement points.

Davidson explains that a Palo Alto client can upload its logs to the Palo Alto cloud at the push of a button. A virtual machine (VM) is then started automatically and, subject to the client's authorization, SecBI's system analyzes the logs. "The process takes place within seconds. Identifying the time axis of the cyberattack depends on the wealth of information the client had uploaded to the Palo Alto cloud," explains Davidson.

A Primary Event Investigation Tool

Asked what SecBI plans for the future, Davidson said that one of the directions involves the integration of cloud and CASB (Cloud Access Security Broker) elements. "We want to provide the most complete picture possible of cyberattacks based on the wealth of information coming from the organizational sensors. In today's reality, an organization is online with a diversified range of sensors in several environments, not just in perimeter products," explains Davidson. "If we can provide the full picture of how the attack against the organization takes place – we made it. The objective is to establish our product as the primary tool for investigating cyberattacks against the organization.

"Another thought involves connecting the system to organizational response tools capable of carrying out the necessary repairs. Prompt loop closure is the name of the game. If we recommend cleaning of workstations and servers, the objective will be to have the repair carried out at the push of a button or through an automatic policy."