SecureWorks CTO Jon Ramsey described this process as starting with "reconnaissance" on who to attack through study of factors such as the target's family, the technology used, and the target's browser history to build a profile.
The next steps involve: identifying the target's weak underbelly (vulnerability) in order to create the most appropriate distribution and delivery mechanism for the attack (the right email phishing pitch, for example); exploitation, or execution of the attack package when it arrives on the target machine; the installation of code to maintain control and attack adjacent systems; communications to maintain command and control of compromised targets; "action" based on the threat agent's objectives (to steal information, intellectual property or money); and finally, exfiltration of the data, code or personal information into the arms of the adversary.
The security industry, Ramsey argued, focuses on "indicators of compromise" - the last four steps in the Kill Chain process (steps 5-8); however, the point is to intercept the threat before it reaches the stage of compromise.
"What we do in the Threat Intelligence Service," Ramsey explained, "is we look for 'threat indicators' that you can use any time to detect what a threat actor is doing in any one of these steps in the process." The SecureWorks counter threat team can provide, Ramsey claimed, "all the information you need to defend yourself at each step in the Kill Chain in your environment" - and as a result, initiate a shift from remediation to preventative action.
Jon Ramsey, CTO, Dell SecureWorks
According to Ramsey, threats at each of these stages are difficult to detect, especially for the typical client organization, and it is in threat identification that the team dons the real cloak and dagger.
For example, to identify 'reconnaissance' threats, the team essentially assumes the role of the threat actor, carrying out this activity through "executive and brand surveillance" in order to build reports on the likely target and attack mode, or researchers troll the underground to identify and build relationships with malware brokers in order to understand vulnerabilities and weaponization.
At each stage in the Kill Chain process, SecureWorks researchers employ different intelligence gathering techniques, assembling a threat profile that often takes advantage of link analysis of various threat indicators.
As it is virtually impossible to know with certainty who and how many 'bad guys' are out there - or indeed what the latest techniques are - SecureWorks, like other security vendors, relies heavily on the application of heuristics and analytics to organizational, hacker or even individual employee behaviours.
"We have made huge investments in machine learning," Ramsey said. "The problem essentially is that the whole security industry approach until now assumes that you can know how many bad guys are out there and what their malware is. But when you don't know, you simply infer, based on behaviour in the history of the organization. You look for anomalies, put in a probability inference engine and can find some things with some degree of confidence that are malicious based on prior knowledge of the tactics, techniques and procedures of the threat actors." Or at least SecureWorks can: "We have been working on this problem for a really long time, and we're getting pretty good at it," Ramsey said.
Armed with this intelligence on tactics and threat procedures, the client, in theory at least, can take appropriate measures to defend their systems - including contracting for managed security services with SecureWorks' Security Operations Command, which is provided with the same threat information.
For its part, SecureWorks is looking to focus on the creation and integration of this type of approach in other solution categories.
In its recently announced Advanced End Point Threat Detection Services, for example, SecureWorks is relying on developing intelligence on end point systems.
Ramsey explained: "What's happening from a threat perspective is that as we study the tools, techniques and procedures we see that the threat actor assumes you're going to have an IDS system or a next generation firewall.