Add Assets - Tenable Discussions Forum


Breaking Kill Chains

A “How To” Guide for SecurityCenter

Breaking Kill Chains

• The “cyber kill chain®” framework was originally created by Lockheed Martin to describe the process of exploiting information systems
   o Based on the military concept of a “kill chain,” the model details each step of a cybercriminal’s operation, from reconnaissance through delivery to command and control and ultimately action
   o If a link in the chain can be eliminated, the path is destroyed

Identifying Weakest Links

• To simplify the work of isolating and stopping kill chains, an organization must first track metrics that identify the most vulnerable points—the weakest links—in the chains
   o Armed with this data, the organization can identify the weakest exploitable links and prioritize the critical vulnerabilities to be plugged, patched, and mitigated
   o Breaking just one link in the chain kills the attack!

Identifying Weakest Links

• As Ron Gula explains in his blog post, “Identifying the Weakest Links in Cyber Kill Chains®”, there are three metrics that are important to monitor to simplify breaking kill chains:
   1. Identify exploitable Internet-facing systems
   2. Identify systems that access the Internet with exploitable web clients (vulnerable or unsupported browsers, etc.)
   3. Identify exploitable systems that have internal trusted connections to other systems on the network

Identifying Weakest Links

• Tenable’s SecurityCenter Research Team has created three new dashboards to assist organizations in monitoring these three metrics:
   1. Internet Facing Exploits
   2. Breaking Kill Chains Clients
   3. Exploiting Internal Trust
• These new dashboards make use of assets; the purpose of this presentation is to describe how to set up these assets and dashboards

Add Assets

Adding an Asset

• To add an asset from the SecurityCenter app store feed, within SecurityCenter select Support > Assets
• Click the “Add” button
• Select the desired asset and click “Add It Now”; repeat to add more assets
• Click the “Finished” button

Add Assets

• Add the following dynamic assets:
   o Internet Facing Assets
   o Internet Browsing Systems
   o Exploitable (Generic)
• Add the following Device Behavior dynamic assets:
   o Hosts with Internal Connections FROM Other Hosts
   o Hosts with Internal Connections TO Other Hosts
   o Social Network Activity
   o YouTube Access

Add Assets

• Add the following Client Applications dynamic assets:
   o Client FTP
   o Client HTTP
   o Client IMAP
   o Client IRC
   o Client P2P
   o Chrome Web Browsers
   o Firefox Web Browsers
   o Internet Explorer
   o Opera Web Browsers
   o Safari Web Browsers
   o Skype

Combination Assets

• Combination assets (assets of assets) are used to locate systems that belong to both one group AND another group, or that belong to one group OR another group
   o For example, the “Internet Browsing Systems” asset could be combined with the “Hosts with Internal Connections TO Other Hosts” asset to find systems that both browse the Internet and also connect to other internal hosts
• Combination assets are dynamically updated, so any new vulnerabilities or network changes will be immediately reflected

Create Combination Assets

• To create a Combination Asset, within SecurityCenter select Support > Assets
• Click the “Add” button
• Click “Create Custom Asset”
• Set Type to “Combination”
• Add existing assets combined using logical operators in Combination Parameters…

Create Combination Assets

• Create the Attacker Entry Points combination asset:
   o All systems that connect to the Internet, have exploitable vulnerabilities, and connect to other systems

Create Combination Assets

• Create the Exploitable Servers combination asset:
   o All systems that have exploitable vulnerabilities and that other systems connect to

Create Combination Assets

• Create the Breaking Kill Chains Clients combination asset:
   o All systems that have web client applications

Consider DMZ Systems Assets

• Consider also creating static asset(s) that enumerate those systems on the network known to interact with the Internet or be Internet-facing, such as systems in the DMZ
   o This enables identification of outward-facing systems even if PVS is not available to scan for such systems
   o Add these asset(s) to the created combination assets
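As an added example (not code from the deck or from Tenable), the following Python models the three combination assets defined on the preceding slides, plus the static DMZ union suggested on this one, over constructed asset memberships; the hostnames and the AND/OR expression syntax are assumptions for illustration, not SecurityCenter's own combination-parameter syntax.

```python
import re

# Constructed sample membership for the dynamic assets named in the deck;
# hostnames are made up (SecurityCenter fills these from scan and PVS data).
ASSETS = {
    "Internet Browsing Systems": {"ws-01", "ws-02", "ws-03", "srv-web-01"},
    "Exploitable (Generic)": {"ws-02", "ws-03", "srv-web-01", "srv-db-01"},
    "Hosts with Internal Connections TO Other Hosts": {"ws-02", "srv-web-01", "jump-01"},
    "Hosts with Internal Connections FROM Other Hosts": {"srv-web-01", "srv-db-01", "srv-file-01"},
    "Chrome Web Browsers": {"ws-01", "ws-02"},
    "Firefox Web Browsers": {"ws-03"},
    "Internet Facing Assets": {"srv-web-01"},
    "DMZ Systems": {"srv-web-01", "srv-mail-01"},  # the static asset the deck suggests
}

# Expression syntax used here (quoted asset names joined by AND/OR, with AND
# binding tighter than OR) is an assumption for this example, not
# SecurityCenter's own combination-parameter syntax.
def evaluate(expr, assets):
    """Return the hosts matched by a combination expression."""
    result = set()
    for group in re.split(r"\s+OR\s+", expr.strip()):      # union of AND-groups
        hosts = None
        for name in re.split(r"\s+AND\s+", group):          # intersection within a group
            if not (name.startswith('"') and name.endswith('"')):
                raise ValueError("quoted asset name expected, got: " + name)
            members = set(assets[name[1:-1]])               # KeyError: asset never added
            hosts = members if hosts is None else hosts & members
        result |= hosts
    return result

# The three combination assets the deck asks for, plus the static DMZ union
# it suggests for dashboards that only accept a single asset.
COMBINATIONS = {
    "Attacker Entry Points": '"Internet Browsing Systems" AND "Exploitable (Generic)" '
                             'AND "Hosts with Internal Connections TO Other Hosts"',
    "Exploitable Servers": '"Exploitable (Generic)" AND "Hosts with Internal Connections FROM Other Hosts"',
    "Breaking Kill Chains Clients": '"Chrome Web Browsers" OR "Firefox Web Browsers"',
    "Internet Facing or DMZ": '"Internet Facing Assets" OR "DMZ Systems"',
}

def build_combination_assets(assets=ASSETS, combos=COMBINATIONS):
    """Materialise every combination asset; re-run whenever dynamic assets change."""
    return {name: evaluate(expr, assets) for name, expr in combos.items()}

if __name__ == "__main__":
    for name, hosts in build_combination_assets().items():
        print(f"{name}: {sorted(hosts)}")
```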

Add and Configure Dashboards

Internet Facing Exploits Dashboard

• The Internet Facing Exploits dashboard is located in the SecurityCenter feed under Security Industry Trends
• Click “Add It Now”
• “Add It Now” will change to “Configure Now” for about 10 seconds before the dashboard is added
• Click “Configure Now”…

Internet Facing Exploits Dashboard

• …and select the asset Internet Facing Assets
• Click the “Save” button
• Click the “Finished” button to add the dashboard
• The asset will be added to all the dashboard components

Internet Facing Exploits Dashboard

• Note that this dashboard uses a pre-defined dynamic asset, not a created combination asset
• Therefore, if using a static DMZ Systems asset as described earlier is desired, a combination asset combining “Internet Facing Systems” and the DMZ Systems asset(s) will need to be created and applied to this dashboard

Internet Facing Exploits Dashboard

• Note: By default, dashboard components update daily; to achieve more continuous monitoring, consider setting them to update every few hours or even hourly
• Edit each component by clicking the drop-down menu arrow on the top right of the component and selecting “Edit Component”
• Set the “Update Frequency”
• Click the “Submit” button to finish editing the component

Internet Facing Exploits Dashboard

• For matrix components, the update frequency is set in each column of the matrix
• Note: If desired, the update frequency can be adjusted for the components in the following dashboards as well

Breaking Kill Chains Clients Dashboard

• The Breaking Kill Chains Clients dashboard is located in the SecurityCenter feed under Security Industry Trends
• Click “Add It Now”
• “Add It Now” will change to “Configure Now” for about 10 seconds before the dashboard is added
• Click “Configure Now”…

Breaking Kill Chains Clients Dashboard

• …and select the asset Breaking Kill Chains Clients
• Click the “Save” button
• Click the “Finished” button to add the dashboard
• The asset will be added to all the dashboard components

Exploiting Internal Trust Dashboard

• The Exploiting Internal Trust dashboard is located in the SecurityCenter feed under Security Industry Trends
• Click “Add It Now”
• Note: This dashboard uses two different assets, so it cannot be configured using “Configure Now” as done previously; each dashboard component will need to be configured individually

Exploiting Internal Trust Dashboard

• The four dashboard components on the left require the Attacker Entry Points asset:
   o Attacker Entry Points
   o Attacker Entry Points with Most Connections to Other Hosts
   o Top Remediations for Attacker Entry Points
   o Attacker Entry Point Vulnerabilities by Asset Group
• The four dashboard components on the right require the Exploitable Servers asset:
   o Exploitable Servers
   o Exploitable Servers with Most Connections from Other Hosts
   o Top Remediations for Exploitable Servers
   o Exploitable Server Vulnerabilities by Asset Group

Exploiting Internal Trust Dashboard

• Edit each component by clicking the drop-down menu arrow on the top right of the component and selecting “Edit Component”
• Click the “Edit Filters” button
• Under Target Filters, select the proper asset
• Click the “Apply Filters” button
• Click the “Submit” button to finish editing the component

Conclusion

• Now that these assets and dashboards have been properly set up, they can be used to continuously monitor for the weakest links and prioritize the critical vulnerabilities to be mitigated
• Breaking just one link in the chain kills the attack!

For Questions Contact

Tenable Customer Support Portal
