The Network Kill Chain: A New Foundation for Network Security Strategy - Network Kill Chain: Chinese Use of Same to Defeat Cyber Adversaries
2012-3-08 11:28 Source: Sohu.com
The network kill chain: a new foundation for network security strategy
In network security, the traditional view in some quarters is that the defenders of extremely important IT assets are locked in an asymmetric war in which the enemy enjoys unlimited advantage and the defender is in a very unfavourable position. For every "shield" (protective measure or facility) the defender deploys, the opponent can invent hundreds or even thousands of new weapons or cracking techniques to break through it. Of the rival's millions of offensive attempts, only one needs to succeed to penetrate the defensive "shield", while the defender, facing an unpredictable situation, cannot prevent every kind of attack.
Such situations are very common, but the traditional view is fundamentally somewhat exaggerated. From the enemy's point of view this form of fighting is indeed asymmetric, but the attacker does not always hold the advantage unless we allow him to act recklessly. Every wise commander knows that controlling the battlefield (choosing the place, time and method of combat) is the most basic requirement for securing strategic advantage and ultimately defeating the enemy. Enemies in cyberspace have so far had plenty of freedom to choose how they fight. Now is the time to change that. Given the value of network assets in the United States, not only in defence but in critical infrastructure such as energy and the information technology services behind health care, a network security concept that leaves the initiative with the adversary is inappropriate, and the stakes are high. Purely preventive programs likewise leave this advantage with the enemy. But if defenders change their perspective on the problem, the advantage is not fixed. We can win, which means we can stop intruders from achieving their purpose, but to do so we must understand how opponents operate and adjust our precautions to their offensive methods. Our industry has many tools and procedures for detecting and blocking network intruders, and we are training our staff and developing new technologies and procedures to fill the remaining gaps. The network security community as a whole has not yet come together on this, but we still have considerable opportunity to use and share our understanding of the enemy's ever-changing tactics to develop new operational concepts.
To understand the opponent, one must first recognise that different threats call for different strategies, and classify the most insidious group of attackers as advanced persistent threats (APT). Second, based on analysis of current attack patterns, we must treat APT intrusions differently. Each round is not a chance event but one stage of a premeditated operation. In every intrusion, the intruder must pass through a sequence of steps before reaching the final objective.
Viewing attacks as a kill chain in this way yields a new security strategy roadmap. The defender needs to interrupt the intrusion at only one step to defeat it, whereas the attacker must succeed at every step. The defender can gain further strategic advantage by slowing the enemy at every step of the kill chain; the enemy must then change methods step by step in order to succeed. Finally, no tool or procedure today accomplishes this level of intelligence analysis; such a strategy succeeds only when skilled analysts cooperate with others and share their experience of (suppressing) intrusions. This is not rocket science: the leaps possible in today's network security and counter-threat work depend on more brainstorming, step-by-step implementation, and support through improved training, practices and ideas.
The extreme importance of network security can be summed up in two words: mission resilience. The most important systems and assets, whether sensitive data, defence systems, or public and private infrastructure, must remain operational under all conditions, even while under interference. On the battlefield, mission resilience depends on quick and easy access, anytime and anywhere, to the trusted information needed to give the commander correct situational awareness and the freedom to execute the battle plan, even inside the enemy's decision cycle. As everyone knows, the execution of major tasks across the defence, government and industrial sectors generally relies on information technology, so winning the network war is as important as winning on land, at sea, in the air and in space.
Our performance of a diverse range of tasks is increasingly dependent on information technology, so our opponents have also begun to attack our networks. Understanding the nature of these attacks and the intent of those manipulating them behind the scenes is the basis for designing an effective network security strategy.
What commands attention is the exponential growth of attacks. Symantec, a leading security software developer, reported in Volume 15 of its Global Internet Security Threat Report that around 3 million new malicious code signatures appeared in 2009, more than the total of the previous 15 years. These figures show that unknown threats now outnumber known ones, while many of today's network security solutions lean towards blocking known threats without ever establishing the root cause.
Generic detection nonetheless remains an indispensable part of defence. Dick Schaeffer, the retired director of information assurance at the National Security Agency, has said that with industry best practices, properly implemented, we can successfully withstand about 80% of the network attacks arriving at network access points. This is because most attackers, even though they keep up with the times and grow ever more cunning, remain essentially opportunists whose aim is to damage a network and leave, or to steal personal data. They rely on large numbers of probes in the hope of getting into unprotected or inadequately protected systems. Once best practices are implemented and defences approach an integrated whole, organisations can counter most such attacks. Solutions and procedures that manage the current situation are already in use at many forward-looking organisations; each organisation must find the best way to use them for itself. What about the attacks beyond that 80%? That is the formidable challenge facing the network security community. Unknown threats and APTs theoretically fall into the remaining 20%, and we believe we are capable of predicting and countering them.
Advanced persistent threats (APT). Because today's IT assets are so valuable, our adversaries' intentions have changed, and so have their strategies. The opponents we face today, including organised crime, terrorists and nation states searching for economic, political or military secrets, are more threatening and more capable. These highly purposeful, well-funded organisations and individuals are stealthier, more patient and more persistent. Their intention is not to "smash and grab" but to establish a deep presence in the target network so that they can move in and out of the "data" battlefield at will, without alerting the victim, and keep doing so over the long term. They can be called the spy moles of the network.
Such APTs cannot be stopped by the traditional method of deploying larger and more numerous defensive shields. The adversary frequently uses social engineering strategies aimed at specific individuals as entry points, a practice known as "spear phishing", and has the resources to develop customised malware and "zero-days" that evade patches and anti-virus detection or reduce the chance of exposure. In short, these phenomena will persist. Once their "barrage" against the external defences succeeds, they plant a "spear" (a probing scanner) inside the network itself and keep probing for weaknesses so that they can act freely from the inside, while the defences, seen from outside, are no longer effective. APT interference is therefore not an isolated or discrete event but a stealthy campaign that can span several years. The persistent threat adapts to the defender; after achieving its aim it reassesses and chooses whether to disperse its activity or end the campaign.
Moreover, APTs do not only target well-placed networks and systems directly; they may also exploit the supply chain. Once installed in the target environment, malicious code or other threat "carriers" inserted into (controlled) hardware can establish a command and control channel. We must implement visibility and audit mechanisms for electronic systems manufacturing, and where we cannot control the physical devices, consider applying anti-tampering technology.
Before defenders can win the battle against APTs, they must understand how the opponent operates. At Lockheed Martin we analysed APT infections and identified the seven steps of this process and the characteristics of each step; borrowing a term from defence academia, we call it the "kill chain". We use this method every day to defend our corporate network. For defenders, the most important lesson of the kill chain is to understand in detail how the enemy proceeds successfully from each step to the next before reaching the desired objective; a single countermeasure is enough to break the chain and defeat the adversary. The more countermeasures a defender has across the whole chain, the more resilient the defensive system becomes. The parts of the kill chain are as follows:
1. Reconnaissance. Targets are identified and selected, usually by searching the Internet for technology-specific information such as web sites and e-mail addresses.
2. Weaponization. Usually a privately developed automated tool couples a remote access Trojan with a deliverable payload. Increasingly, data files such as Microsoft Office documents or Adobe PDF files serve as the "weapon" delivery "device".
3. Delivery. The "weapon" is transmitted to the target (network or system). The most common delivery vectors for "weapon carriers" are e-mail, web sites and USB removable media.
4. Exploitation. The attacker's code is triggered. The most common method is to exploit an application or operating system vulnerability. Simpler exploitation persuades the user to open an executable attachment delivered by e-mail, or takes advantage of operating system features that execute code automatically.
5. Installation. A remote access Trojan or backdoor is installed on the infected system, allowing the attacker to affect all users of the system and to persist across reboots.
6. Command and control (C2). Most commonly, the C2 channel is established through an external device connected to an Internet server. This connection provides manual "hands-on keyboard" access, which most APT malware is bound to provide.
7. Actions on objectives. Only after the preceding steps have succeeded can this final step begin. The most common goal is data theft: collecting, encrypting and exfiltrating information from the compromised system. The attacker may also try to destroy data integrity and availability. Other purposes may include moving laterally from the victim's IT environment to launch a new kill chain against a subsequent target.
Attack synthesis. Comprehensively reconstructing proven intrusions from the enemy's perspective, understanding the kill chain process and analysing the attacker's intent gives quite valuable guidance for detecting their intrusions. Detection usually exposes only a limited view of the characteristics of a single step of an attack, but further analysis can reveal many other features and offers a variety of options for preventing such activity. In addition, examining an intrusion at one step allows defenders to trace the course of the attack and identify steps that were executed successfully but not detected earlier. The early steps of an intrusion can be analysed to gather information that helps cut off the kill chain of subsequent attacks in advance.
Tracing an intrusion from where it began through the steps that went undetected can be just as conclusive as analysing a fully successful one. Through comprehensive analysis of what has happened, the defender can identify the methods the attacker planned to deploy in the follow-up steps, such as installing backdoors.
For example, the enemy sends a spear-phishing e-mail to someone in an organisation carrying a "zero-day" (zero day, a well-known network-snooping group) style probe. This probe is not detected by anti-virus software at the gateway or on the workstation, but the e-mail delivery matches well-known indicators associated with an APT campaign, so the intrusion is blocked at the delivery step. After debugging, the malicious code is identified as a "zero-day" probe and that information is shared within the defence industry. The enemy now has a new probing method but has not changed the delivery mechanism; if they did change it, the command and control (C2) channel would most likely remain the same as the one they have always used, and the intrusion could be caught there instead. This approach lets defenders develop resilient countermeasures more effectively and apply them preventively, rather than chasing after intrusions, and prioritise investment in new technologies and procedures.
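The delivery-step example above, as an added illustration that is not code from the article or from Lockheed Martin: a small Python model of the seven phases with per-phase indicators, showing that a later attempt which reuses a known sender, subject line and C2 host is stopped at delivery even though its exploit is unknown, and which indicators analysts should extract and share afterwards. All indicator values and the two intrusion records are constructed placeholders.

```python
from dataclasses import dataclass

# The seven kill-chain phases, in the order the article lists them.
PHASES = (
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
)

@dataclass
class Intrusion:
    """One analysed intrusion: phase name -> set of indicator strings."""
    name: str
    indicators: dict

# Indicator store from an earlier, fully analysed campaign.
# Every value is a constructed placeholder, not a real indicator.
KNOWN_CAMPAIGN = Intrusion(
    "campaign-A",
    {
        "delivery": {"mail-from:hr-update@sender.example",
                     "subject:Benefits enrollment"},
        "exploitation": {"exploit:pdf-bug-placeholder-1"},
        "installation": {"file:svc_update.exe"},
        "command_and_control": {"c2:c2host.example:443"},
    },
)

# A later attempt (constructed): same sender, subject and C2 host, but a
# new, never-seen exploit in the attachment, as in the article's example.
NEW_ATTEMPT = Intrusion(
    "attempt-B",
    {
        "delivery": {"mail-from:hr-update@sender.example",
                     "subject:Benefits enrollment"},
        "exploitation": {"exploit:unknown-zero-day"},
        "command_and_control": {"c2:c2host.example:443"},
    },
)

def match_phases(attempt, known):
    """Phase -> indicators of `attempt` already in `known`, in chain order."""
    matches = {}
    for phase in PHASES:
        shared = attempt.indicators.get(phase, set()) & known.indicators.get(phase, set())
        if shared:
            matches[phase] = shared
    return matches

def earliest_break(attempt, known):
    """First phase where a known indicator lets the defender block the attempt.
    Stopping any one phase defeats the chain; None means nothing known was reused."""
    matched = match_phases(attempt, known)
    return next((p for p in PHASES if p in matched), None)

def novel_indicators(attempt, known):
    """Phase -> indicators not yet in the store: what analysts should extract
    from the blocked attempt and share so later attempts match more phases."""
    novel = {}
    for phase in PHASES:
        new = attempt.indicators.get(phase, set()) - known.indicators.get(phase, set())
        if new:
            novel[phase] = new
    return novel

def merge(known, attempt):
    """Fold an analysed attempt into the store (the article's synthesis step)."""
    merged = {p: known.indicators.get(p, set()) | attempt.indicators.get(p, set())
              for p in PHASES}
    return Intrusion(known.name, {p: s for p, s in merged.items() if s})
```

Running `earliest_break(NEW_ATTEMPT, KNOWN_CAMPAIGN)` returns "delivery", and `novel_indicators` reports only the unknown exploit, which is exactly what the article says should be debugged and shared.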
Enterprise network defence. Armed with knowledge of our enemy's strategy, how do we use it to build a strong defensive system that copes with ever-changing interference and ensures mission resilience? The answer is to reconfigure network defence programs: staff trained in mature procedures, equipped with advanced tools, dealing with the highest-priority threats. Working closely with partners to share more information also allows the network security community to offset the attacker's advantage. The essence of this program is a method that controls network security as a whole, rather than the fragmented set of functions of traditional practice, a narrow view that runs from network access control and data leak prevention to system audit and forensic analysis. This new approach is built on three pillars: integrated solutions, active initiatives, and resilient systems.
Integrated solutions. The backbone is usually a set of excellent commercial products deployed separately by scattered IT organisations with little coordination. A point solution can effectively deliver the specific capability it has, but by itself it is not a comprehensive defence. These solutions need to be integrated seamlessly within a security organisation spanning all of the enterprise's hardware and software. Other technologies, such as end-to-end systems across multiple systems, likewise show that analysts cannot merely be experts in a single tool or technology; they must be multidisciplinary experts who link data in new ways to solve pressing challenges. Another important aspect of an integrated solution is performance metrics. For example, traditional metrics such as attacks detected and attacks repelled say almost nothing about escaping the embarrassment of an actual network data breach. Measuring how bad things are, which provides only a negative sense of security, must be replaced with a more mature set of metrics. Recently, government and industry network defence experts proposed 20 network controls, called the Consensus Audit Guidelines (CAG), to help organisations of all kinds recognise more effectively what they need to guard against and how to do so. The CAG document identifies the attacks that each control offsets, lists best-practice methods for automating the controls, and defines tests for verifying that each control is implemented effectively. As part of an integrated solution, the CAG can serve as a baseline for continuously measuring network security and ensuring audits are passed, and can indeed address the 80% of network attacks.
With an appropriate integration scheme in place, the second pillar of the enterprise approach, active initiatives, can provide technical solutions and plans for addressing known and unknown threats. Developing and integrating the best IT security products is a team sport, pursued through public/private partnerships and cooperation with R&D laboratories, universities and the defence sector. If we are going to get ahead of the enemy, this teamwork is essential.
We (the U.S. military) have joined forces with industry to form a network security technology alliance. Participants include Cisco, Intel, McAfee, Microsoft, Symantec, Juniper Networks, EMC, RSA, VMware, NetApp, CA Technologies, Dell, HP and APC. These partners have each submitted their latest solutions, backed by their own experts, to our Next-Gen Cyber Innovation and Technology Center. They are testing realistic, simulated customer solutions across a high-speed interconnected global network. These solutions provide a secure end-to-end foundation that effectively protects (systems) against known and unknown threats, and build an environment for understanding the enemy's offensive strategy, which in turn teaches us (how) to defend ourselves across the global network. The alliance uses the test environment for repeated advanced exercises in which current intrusion techniques let defenders accelerate their learning in responding to complex attacks.
At the same time, alliance partners, national laboratories and major universities cooperate in R&D on solutions that address known serious challenges and weaken unknown threats. Once tested and integrated into the customer's environment, these solutions can be relied on to be effective.
The purpose of this research and experimentation is to identify dangers as far in advance as possible and eliminate the unpredictable part. Before the enemy achieves its purpose, the volume of data it generates gives indicative and cautionary visibility into the potential danger of an intrusion. Analysis of attacker behaviour patterns can help predict serious incidents and allow preventive measures before a real intrusion, serving as the defender's indicator and alarm bell. The third pillar of the enterprise approach, resilient systems, addresses whatever may happen to the system: however good its precautions, every system has some vulnerability and may be compromised at some point. Given this reality, integrated and tested solutions should be regarded as a solid foundation, but against lasting, complex and ever-changing threats they may not achieve perfect prevention. To reach the next level of effectiveness (full recovery of the system, described below), the program must ensure mission resilience, even during and after an intrusion.
Manual skills and methods are inadequate against this serious type of threat. Speed of recovery matters greatly, and this becomes apparent when we perform time-consuming operations. This means implementing automated recovery: machine-to-machine interaction that can respond rapidly to a threat while the intrusion is still in progress. Assimilating libraries of data (collected and stored data of all kinds, not databases in the professional sense of tabular storage; assimilation here means sorting and classifying existing data so that it conforms to a standard and is easy to manage), fusing multi-source intelligence with network operations data, selecting courses of action and executing operations across the global network all require a more advanced automated command and control network than exists today. One approach to automated recovery is self-healing systems, in which software and hardware repair themselves or restore themselves to a trusted state while continuing to run under attack.
The challenges intensify. Achieving the 80% security program is not revolutionary; the techniques and methods for it already exist today. Realising them effectively, however, requires cultural change, which has proven hard to achieve. Our enemies are not smarter or more experienced than we are, but to beat them we must adopt a new method for how, when and where we deploy our resources against them. Friend and foe share the space of the global network; we cannot dig a wide moat to keep the enemy from our gates. But we can stop the enemy from achieving their goal, that is, prevent the theft of our data and the destruction of our systems. Victory in the battle against the complex advanced persistent threats in the remaining 20% is in sight. We have observed a national laboratory R&D team demonstrate a modern disaster recovery system. We have outlined the kill chain process for reversing asymmetric warfare in the defender's favour. If industry can take advantage of partnerships, coupled with better information sharing and cooperation, the defenders will win (the network war).
To this end, defenders must implement integrated solutions with powerful tools and systems to overcome the obstacles of fragmented organisation. We must also recognise that network defence is a crisis-management challenge for the entire organisation. Defending cyberspace is a great mission of the organisation as a whole, and decisions about deploying network defence resources reflect that (grim) reality. Commanders must lead this revolution. This is equally important for mission commanders: What is the most important mission? What is our most valuable information? Where is it stored? How long does it keep its value? And for how long must it be protected?
To combat the latest generation of network enemies effectively, we must expand our vision of the battlefield. We must make use of intrusion models such as the kill chain to realise new, intelligence-driven strategies. We must develop and deploy new technologies with a higher degree of integration, so that skilled analysts master proven methods. Finally, we must be able to act according to circumstances, adapting to the changing threat environment, in order to achieve and maintain the upper hand.
If we and our highly trained professionals pursue this enterprise-class vision with the same perseverance as our enemies, we will be able to win the cyber war.