[ISN] How Lockheed Martin’s ‘Kill Chain’ Stopped SecurID Attack

http://www.darkreading.com/authentication/167901072/security/attacks-breaches/240148399/how-lockheed-martin-s-kill-chain-stopped-securid-attack.html By Kelly Jackson Higgins Dark Reading Feb 12, 2013 A few months after RSA had rocked the security world with news that it had been breached and its SecurID database exposed in a sophisticated attack, defense contractor Lockheed Martin discovered an intruder in its network using legitimate credentials. “We almost missed it,” says Steve Adegbite, director of cybersecurity for Lockheed Martin, of the intrusion sometime around May or early June 2011. “We thought at first it was a new person in the department … but then it became really interesting.” The poser was using valid credentials of one of Lockheed’s business partners, including the user’s SecurID token. Adegbite says it soon became obvious that this user wasn’t performing his or her normal operations. “They tripped a lot of alarms,” he says. “They were trying to pull data in stages,” and the attacker was going after data unrelated to the user’s work he or she was impersonating, he says. So Lockheed launched its homegrown Cyber Kill Chain framework, a process that basically tracks an intruder’s movements and throws barriers in the way of each attempt to siphon data out of the network. Adegbite detailed this multimillion-dollar framework for stopping advanced persistent threat (APT) attackers last week at the Kaspersky Security Analyst Summit in San Juan, Puerto Rico. The Kill Chain aims to stop the attackers who get inside from taking anything with them on the way out. […] ______________________________________________ Visit the InfoSec News Security Bookstore Best Selling Security Books and More! http://www.shopinfosecnews.org