Disrupting the Cyber Kill Chain with Microsoft Solutions

By Todd Bey| September 11, 2017

The Cyber Kill Chain framework was developed by Lockheed Martin Corporation in 2011. Since then, organizations of all sizes have referenced this model to manage their information security. The framework focuses on protecting against Advanced Persistent Threats (APTs): a class of adversaries using advanced tools and techniques designed to defeat most conventional computer network defense mechanisms such as anti-virus and firewalls.

The Microsoft Global Incident Response and Recovery (GIRR) Team and Microsoft’s managed cyber threat detection service known as Enterprise Threat Detection Service identify and respond to thousands of targeted attacks per year. Based on Microsoft’s experience, the image below illustrates how most targeted cyber intrusions occur today.

[Image: Disrupting Cyber Kill Chain]

How Most Targeted Cyber Intrusions Occur

  • Compromised Machine: 91% of cyberattacks start with a phishing email, according to a study done by phishing defense company PhishMe in 2016. Targeted phishing attacks are crafted after hours of external recon of public information on the Internet. Phishing links can leverage vulnerabilities in unpatched browsers to gain remote access to a company’s internal computers.
  • Internal Recon: From there, an Advanced Persistent Threat begins its internal recon and attempts to pivot around the network while leveraging privilege escalation. An APT lives in an environment an average of 200 days before being discovered.
  • Domain Dominance: Gaining local admin and then domain admin rights is the last step before reaching the Holy Grail (sensitive information valuable on the black market). With these rights an attacker can usually recon the entire environment looking for sensitive assets and data, unless those are isolated. Remote Code Execution (RCE) is trivial with Domain Admin privileges. An APT may stay in the environment indefinitely until caught.

Microsoft Secure and Productive Enterprise

The Microsoft Secure and Productive Enterprise is a suite of product offerings that has been purpose-built to disrupt this cyber attack kill chain while still ensuring an organization’s employees remain productive. Each of the technologies included in the solution is described below:

  • Office 365 Advanced Threat Protection: This technology is designed to disrupt the “initial compromise” stage and raise the cost of successfully using phishing attacks. Sandboxing is used to detonate attachments and URLs to prevent phishing emails and viruses from reaching users’ mailboxes.
  • Windows 10: This technology disrupts the compromised machine and lateral movement stages by raising the difficulty of successfully compromising and retaining control of a user’s PC. It also protects the accounts and credentials stored and used locally. For example, Windows Device Guard ensures that only trusted programs are loaded and run, preventing the execution of malicious programs.
  • Microsoft Advanced Threat Analytics: This technology disrupts the lateral movement phase by detecting lateral movement attack techniques early, allowing for rapid response. It is on-premises software that leverages the existing domain controllers and user-based analytics to detect and alert on anomalous user account activity. Microsoft ATA can detect internal recon attempts such as DNS enumeration, use of compromised credentials (for example, access attempts during abnormal times), lateral movement (Pass-the-Ticket, Pass-the-Hash, etc.), privilege escalation (forged PAC), and domain dominance activities (skeleton key malware, golden tickets, remote execution). It is included in the Enterprise Mobility + Security (EMS) E3 licensing suite.
  • Azure Security Center: While Microsoft ATA detects cyberattacks occurring within an organization’s data centers, Azure Security Center extends this level of protection into the cloud.
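To make the “user-based analytics” idea in the ATA bullet concrete, here is an added example (not Microsoft’s code, and not how ATA is actually implemented) that builds a per-user baseline of logon hours and source hosts from constructed domain-controller events, then flags post-baseline logons that break the baseline and hosts that resolve an unusually large number of distinct internal names, the recon pattern the post describes. All event data, user and host names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): (timestamp, user, source host, kind, detail).
# Week one establishes alice's normal pattern; the 2017-09-11 entries model internal
# recon: an off-hours logon from a new workstation, then DNS lookups for many hosts.
EVENTS = [
    ("2017-09-04 09:05", "alice", "WS01", "logon", ""),
    ("2017-09-05 08:55", "alice", "WS01", "logon", ""),
    ("2017-09-07 10:02", "alice", "WS01", "dns", "mail.corp.example"),
    ("2017-09-11 03:12", "alice", "WS17", "logon", ""),
] + [("2017-09-11 03:%02d" % (13 + i // 2), "alice", "WS17", "dns", "srv%02d.corp.example" % i)
     for i in range(25)]
BASELINE_END = datetime(2017, 9, 8)  # events before this are treated as known good

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def build_baseline(events, cutoff=BASELINE_END):
    """Per user: logon hours and source hosts seen during the baseline period."""
    hours, hosts = defaultdict(set), defaultdict(set)
    for ts, user, host, kind, _ in events:
        if kind == "logon" and _parse(ts) < cutoff:
            hours[user].add(_parse(ts).hour)
            hosts[user].add(host)
    return hours, hosts

def abnormal_logons(events, cutoff=BASELINE_END):
    """Post-baseline logons at an hour, or from a host, never seen for that user."""
    hours, hosts = build_baseline(events, cutoff)
    alerts = []
    for ts, user, host, kind, _ in events:
        if kind != "logon" or _parse(ts) < cutoff:
            continue
        reasons = []
        if _parse(ts).hour not in hours[user]:
            reasons.append("unusual hour")
        if host not in hosts[user]:
            reasons.append("new host")
        if reasons:
            alerts.append((ts, user, host, ", ".join(reasons)))
    return alerts

def dns_enumeration(events, threshold=20):
    """Hosts that resolved at least `threshold` distinct names: a recon-style burst."""
    names = defaultdict(set)
    for _, _, host, kind, detail in events:
        if kind == "dns":
            names[host].add(detail)
    return {h: len(n) for h, n in names.items() if len(n) >= threshold}
```

Running `abnormal_logons(EVENTS)` flags the 03:12 logon from WS17 for both an unusual hour and a new host, and `dns_enumeration(EVENTS)` reports WS17 with 25 distinct names while WS01’s single lookup stays below the threshold.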

The technologies listed above are designed to work seamlessly together and give security teams visibility across the entire kill chain, as shown in Microsoft’s image below.

[Image: Microsoft ATP]

In addition to leveraging advanced security technology, proper governance and security best practices must be in place to further reduce the chance of the cyber kill chain running to completion in your environment.

Contact BDO Digital today to discuss how Microsoft solutions can help improve your security posture.