Cyberattacks are hitting the headlines around the world and there seems to be no end to the noise that these attacks are making. Worse than the noise is of course the damage these attacks are causing to the impacted organisations who evidently need to change some of their behaviours and strategies to help close the gap.
With that in mind, and to better understand what an organisation should do to stay breached, I’ve put together some thoughts:
- Focus on increasing your complex environments with new types of endpoints and cloud connections. Where does your network start? Where does it end? Who can connect to it? Bring your own device (BYOD)? Variety of devices. COVID-19. There are numerous entry points along with cloud and SaaS services where data is exchanged.
- More sophisticated hackers driven by monetary incentives from organised crime syndicates, political motivated hacktivism, nation state-sponsored intellectual property stealing. How do you protect against state-sponsored attackers with unlimited time and resources? They will get in!
- Low intensity, highly skilled attacks are notoriously hard to detect. Using different obscuring of the malware transport mechanism and source of attack makes it difficult to see the complete picture. Do you have a holistic view to your security posture?
- Trying to decipher malware in retrospect and attempting to learn new patterns of attacks is reactive. Even sandbox and log analytics require a known pattern and instructions of what to look for. We’ve seen groundbreaking new types of attacks like SolarWinds/SunBurst, Hafnium, Sodinikibi, stuxnet with a whole new approach, spanning on-prem, cloud and SaaS environments.
- Badly written/vulnerable code, undisclosed backdoors and stolen/cracked signing certificates. Root certificates have been stolen and used to sign malware as legit packages. Even Windows update has been corrupted.
Getting into the mind of an attacker
Consider this scenario: An attacker lands on a random endpoint in your organisation. What is their first objective? First, they’ll need to identify where they are in the organization and then scrape the endpoint for cached information. This could include:
- Credentials temporary stored in memory and saved in browser
- Connected file shares
- Connected domain controllers
- Browsing history to SharePoint resources (which may include saved credentials)
- Vulnerabilities to exploit in order to become local admin
Before they make their next move, they’ll of course need to avoid setting off antivirus or leaving any kind of trace.
Stealth is the name of the game, but where to next?
They need to establish multiple ways to stay inside the corporate network in order to move laterally. It’s also worth noting that attacking network and hybrid cloud infrastructures can be very effective to staying persistent. Once this has been established, it’s game on! They’ll be able to:
- Harvest credentials—especially administrative credentials
- Try and connect to services the user leverages
- Avoid scanning, especially between segments with firewalls
- Find accessible vulnerable services to exploit
- Use stolen credentials to move with regular IT tools—think remote desktop, SSH, PowerShell, etc. Brute force credentials offline and online such as Azure AD, etc.
Now, reconnaissance through watching and learning, but what are the main objectives for the attacker?
- Gain privileged access to the infrastructure, on-prem network, cloud and SaaS. This could provide opportunities to launch phishing or social engineering scams and even allow them to establish access to other employees or partners.
- Expand across the infrastructure, which could mean spreading malware, gaining elevated access and establishing further control of the compromised accounts.
- Execute on the objective and steal or destroy key assets. In addition to locating key assets, they’ll work to aggregate data, steal intellectual property, transfer funds or even disrupt the business continuity by launching DDoS or ransomware attacks. And, before they tunnel out of the network, they might even mine some Bitcoin if the opportunity allows.
I know, that’s a lot of damage in the final step. But the good news is that if we can detect and stop an attacker before this point, we have a really good chance that no actual damage will occur.
But, what if the attacker is undetected or has accomplished their goals?
Well, they can erase their evidence, backups, logs and malicious files. Keep in mind that ransomware is effective to divert attention and encrypt evidence. Not only that, but future access can also be sold on the dark web.
As we’ve all seen across the headlines, often it’s “too little too late” and all you’re left with are a lot of questions.
- What was the entry point?
- Were they out to steal, sabotage or extort?
- Who is attacking me, what resources do they have and what drives them?
- Can I improve my protections, detections, routines or user awareness to avoid this?
So, what do you need?
Security operations needs to start building the next generation security operations centre (SOC), or SOC v2.0 if you will. The rationale behind the SOC v2.0 concept, is that current measures—and how SecOps is built with a continuous churn of key resources, information overload and siloed technology tooling—is a security risk, even if some of the tooling is adequate.
Building a SOC v2.0 means an approach that is more affordable, less reliant on large numbers of people, detects attacks faster, introduces automation, new analytical techniques and is ready for the battle against the never-before-seen-attacks.
