The Centripetal Blog

Zero Days and Cyber Threat Intelligence

Posted by Jess Parnell on April 11, 2016

While there is no silver bullet for zero day detection, threat intelligence can help in reducing the opportunities for exposure. The RuleGate® appliance using Cyber Threat Intelligence can detect/block the exploit from reaching the client, as well as detect/block its command and control communication if the exploit is installed. During the life cycle of Lockheed Martin's 'Cyber Kill Chain' the RuleGate can detect/block at four of the seven stages, namely 4, 5, 6 and 7.

Cyber Kill Chain

4: Exploitation: Here traditional hardening measures add resiliency, but custom capabilities are necessary to stop zero-day exploits at this stage.

EG: Block compromised domains with The Media Trust threat intelligence

5: Installation: Endpoint instrumentation to detect and log installation activity. Analyze installation phase during malware analysis to create new endpoint mitigations.

EG: Block the transmittal of malware from its source with Symantec Malware Sources.

6: Command and Control: The defender’s last best chance to block the operation: by blocking the C2 channel. If adversaries cannot issue commands, defenders can prevent impact.

EG: Block C2 communication with Proofpoint ET CNC Indicators.

7: Actions on Objectives: The longer an adversary has CKC7 access, the greater the impact. Defenders must detect this stage as quickly as possible by using forensic evidence – including network packet captures, for damage assessment.

EG: Apply CrowdStrike Threat Intelligence to the Network.

Summary: Although RuleGate cannot detect the zero day exploit itself in stage 4, RuleGate can protect users in the following ways:

  1. From getting the exploit from the site that serves up the exploit.
  2. Preventing the exploits transmission to the host.
  3. Detecting/blocking the exploits communication to Command and Control.
  4. Detect existing infiltrations with new intelligence.

Threat Intelligence can be applied at multiple stages in the cyber kill chain to protect against zero days exploits.

Reference: http://cyber.lockheedmartin.com/solutions/cyber-kill-chain

For more information, MITRE provides an excellent summary on the Cyber Kill Chain and Threat-based Defense http://www.mitre.org/capabilities/cybersecurity/threat-based-defense

 

Tags: Best Practice