In the military, the term “attack chain” or “kill chain” is used to describe how an attack is structured and executed, from identification of a target to selection of an appropriate weapon to the use of that weapon on the target. Reconnaissance operations are employed throughout the chain to monitor the movement and defense capabilities of the target and evaluate the impact of the attack.
It’s called a “chain” because the disruption of any step in the process can disrupt the entire process. Thus, the preemptive “breaking” of an attack chain is an effective form of defense.
These concepts have been embraced by the cybersecurity community. A typical cyberattack chain involvesphishing or social engineering to obtain user credentials, lateral movement through the network, privilege escalation to obtain domain admin credentials, and execution of the mission to steal data, destroy systems or cause other harm. In many cases, hackers are able to remain undetected for weeks or even months in an advanced persistent attack.
Breaking the cyberattack chain is clearly preferable to cleaning up after a security breach. However, many organizations are unprepared to defend against today’s attack methods, which are constantly evolving and multiplying. Traditional signature-based defenses are still needed, but no longer provide adequate protection.
User and entity behavior analytics (UEBA) can detect threats that elude traditional security tools. UEBA analyzes the behavior of users and devices to establish a baseline of normal activity so that suspicious behavior can be identified. Instead of simply blocking outsiders attempting to access the network, UEBA identifies insider threats and compromised user credentials by looking at the servers, files and other resources that a user or device accesses.
Microsoft Advanced Threat Analytics (ATA) is a UEBA tool that not only learns user and entity behavior but automatically adjusts to changes in the enterprise and the rapidly evolving threat environment. It lists suspicious activities as soon as they are detected, creating an attack timeline with specific recommendations for each alert. ATA’s Organizational Security Graph puts these activities in context by mapping interactions among users, devices and IT resources. ATA also integrates seamlessly with security information and event management (SIEM) systems to weave security data from across the enterprise into the attack timeline.
ATA works in concert with other Microsoft security tools to break the attack chain:
- Windows Defender Advanced Threat Protection is an agentless tool built into the Windows 10 operating system. Using behavior analytics and machine learning, it detects and responds to attacks, including zero-day exploits, by quickly deploying new defenses and orchestrating remediation.
- Office 365 Advanced Threat Protection is an email security service that detects suspicious links and attachments and moves them to a sandbox for further analysis. If a user clicks on a suspicious link, the URL is analyzed in real time and blocked if it’s found to be malicious. This add-on service is available under certain Office 365 and Exchange Online plans for $2 per user per month.
- Office 365 Threat Intelligence uses billions of data points from across the Microsoft ecosystem to gain actionable insight on cyberattack trends. It provides a set of interactive tools for analyzing the severity of threats by correlating this data in near real time.
Breaking the cyberattack chain requires more than signature-based defenses. Let’s discuss how behavioral analytics, threat intelligence, threat detection and sandboxing can improve your security posture and prevent a costly and disruptive breach.
Written and composed by one of our Senior Managing Partner, Michael Oda