Lucas Zaichkowsky, Enterprise Defense Architect, Resolution1 Security, provides insights into attacks and addresses how to detect targeted attacks in progress and respond before major damage occurs.
With Christmas around the corner, the shopping frenzy will begin as consumers find good deals and retailers increase their sales revenues, but they’re not the only ones that benefit from the shopping craze. Financial criminals are well aware that this is the best time of the year to steal credit cards and maximise their own earnings. Now is the most critical time for retailers and online businesses to be vigilant. I’ll explain how and why advanced targeted attacks work.
Although news stories on large scale data breaches often focus on malware and how the attackers got in, what goes on behind the scenes is much more elaborate. There’s much that can be learned by studying the full attack lifecycle to identify an intrusion in progress and put a stop to it. Although there are well-established phases of an attack in the data forensics and incident response world, I’m going to focus on a simplified version with three: initial infiltration, lateral movement, and data exfiltration.
Initial infiltration is the point of entry where an attacker gains unauthorised access to your network. Most legacy security investments attempt to prevent any and all systems from being compromised. Although this may have worked 15 years ago when self-replicating viruses and worms were all the rage, those days are gone. Time has proven that preventative defences are barriers with limitations. Additionally, organisations can only secure what’s under their administrative control, which makes things tough in an age of BYOD, remote workers, contractors, third-party service providers, and connections to trusted partners. Initial infiltration can be anything from a backdoor delivered by spear phishing to a web application exploit to compromised user credentials.
Lateral movement is what an attacker does once they’ve accomplished initial infiltration. If security today is failing miserably, this is the stage where it’s happening. Attackers perform reconnaissance inside the network. They steal passwords for users, administrators, and service accounts. They create their own accounts. They access the network using VPN or another normal mode of access to blend in. They plant various backdoors on dozens or hundreds of systems to ensure persistent access. They snake their way to the data they’re after. Even in the most secure environments using two-factor authentication and tightly limited access, attackers will find overlooked paths, systems they can pivot from, and even modify network device configurations if they have to.
Meanwhile, companies secure and monitor the servers housing sensitive data. They tend to forget that regular workstations and non-critical servers are a paradise for hackers to work from while avoiding detection. The data that attackers are after is accessible through means other than compromising specific servers: data always flows to and from those servers through some access mechanism, and advanced attackers excel at uncovering and exploiting access to those flows. Sometimes they plant specialised software for RAM scraping, network sniffing, and keystroke recording. Other times, they modify production code to make copies of the data as it passes through. Sometimes they can simply connect to a server using stolen credentials and send the right commands to retrieve data.
Data exfiltration is what the attacker does to transport data from the point where it’s being stolen to a location outside the corporate environment. They’ll often move stolen data inside the network to a seemingly random system used as a staging ground, then upload it from there to a server on the Internet. This goes undetected because the data is obfuscated or encrypted and the upload blends in with normal web traffic. If the attacker has made it this far unnoticed, there’s a good chance they’ll continue to steal data unnoticed until you either get lucky and self-discover the compromise or until they start selling the stolen card data on the black market. Statistically, you’ve got about a 1 in 3 chance of self-discovering at best.
How to detect targeted attacks in progress and respond before major damage occurs
Kill chain, intelligence, and analytics are officially in fashion, hot on the heels of Advanced Persistent Threats (APTs). Bonus points if they’re in the cloud with the Internet of Things. Here’s how organisations can use them to proactively hunt for attacks on their networks.
Kill chain analysis and attacking the kill chain are a part of intelligence-driven defense, popularised by the smart people at Lockheed Martin. The kill chain is based on the core premise that attacks follow a lifecycle or sequence of progressive steps committed by the threat actor during an intrusion. By cataloging and studying the tactics, techniques, and procedures of threat actors, you can effectively prioritise preventative defences and detect an attack in progress. After all, attackers are human and predictable. They’ll reuse hacking tools and repeat what’s worked for them in the past. Even personal habits such as naming conventions tend to get repeated.
In the case of targeted financial crimes, initial entry is usually accomplished by exploiting a web application or compromising the credentials of a vendor that has access into your environment. Knowing that, you can focus system hardening and access control on those two points of entry while adding monitoring to watch for suspicious activity coming from those sources should they become compromised.
Threat intelligence feeds, reporting on cybercrime syndicates and industry resources provide up-to-date intelligence on APTs and the actors behind them. Open source intelligence resources name hacking tools commonly encountered during the lifecycle of an attack, such as specific families of RATs and credential stealers. Poison Ivy, Gh0st RAT, Windows Credential Editor and pwdump are just a few tools still commonly used. Samples of other tools such as RAM scrapers are available from places like KernelMode.info and Contagio. Once gathered, incident responders can analyse all these nasty binaries in a lab environment to identify key observable traits: what they look like in memory, network traffic patterns, endpoint changes, and logged activity.
Next, take that data and transform it into indicators of compromise, documented using standards like CybOX, YARA, or OpenIOC. Monitor as many endpoints as possible, along with network traffic, log files, and application data, for matches against your indicators.
Follow the kill chain model by gathering intelligence on the attackers’ methodology, such as targeting domain controllers and servers where many users authenticate in order to harvest user credentials en masse. Attackers like to use scheduled tasks to execute commands against remote systems. They use well-known staging directories like the Windows help folder and the root of Recycler. As you better understand the attacker methodology, you can perform the same steps in your lab environment, document indicators, then monitor everywhere possible.
During the process, you may identify places to harden your system and network configurations to slow an attacker down and frustrate them. You can set up tripwires to detect attempted hacking activity that aligns with their methodology. One good trick is to have emails sent to administrators whenever their admin accounts are being used.
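As an added example (not code from the original article), the methodology indicators described above can be written as patterns and run over endpoint process-creation records to flag scheduled tasks aimed at remote systems and writes into the Windows help folder or the root of Recycler. The sample records, the indicator names and the regular expressions are all constructed for illustration.

```python
import re

# Constructed sample process-creation records (host, user, command line), shaped like a
# normalised 4688/Sysmon-style feed; these are not real logs.
SAMPLE_EVENTS = [
    ("ws07", r"CORP\jdoe",
     r"C:\Windows\System32\schtasks.exe /create /S DC01 /U CORP\svc_backup /TN update"
     r" /TR C:\Recycler\u.bat /SC once /ST 02:00"),
    ("ws07", r"CORP\jdoe", r"cmd.exe /c copy C:\Users\jdoe\out.zip \\ws12\c$\Windows\Help\o.zip"),
    ("ws12", "SYSTEM", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("ws03", r"CORP\admin-ops", r"schtasks.exe /query /fo csv"),
]

# Hypothetical indicator set derived from the methodology in the text: scheduled tasks
# aimed at a remote system, and paths under the Windows help folder or the Recycler root.
INDICATORS = {
    # schtasks or at followed (anywhere later) by a /S <host> switch or a \\host path
    "remote_scheduled_task": re.compile(
        r"\b(?:schtasks|at)(?:\.exe)?\b.*?(?:\s/s\s+\S+|\\\\[^\s\\]+)", re.I),
    "staging_dir_windows_help": re.compile(r"\\windows\\help\\", re.I),
    "staging_dir_recycler_root": re.compile(r"[a-z]:\\recycler\\", re.I),
}


def match_indicators(events, indicators=INDICATORS):
    """Return one (host, user, indicator, command_line) tuple per indicator hit."""
    hits = []
    for host, user, cmd in events:
        for name, pattern in indicators.items():
            if pattern.search(cmd):
                hits.append((host, user, name, cmd))
    return hits


def hosts_to_triage(hits):
    """Group hit indicator names by host so responders can scope which systems to examine."""
    by_host = {}
    for host, _user, name, _cmd in hits:
        by_host.setdefault(host, set()).add(name)
    return by_host


if __name__ == "__main__":
    hits = match_indicators(SAMPLE_EVENTS)
    for host, user, name, cmd in hits:
        print(f"{host:5} {user:15} {name:26} {cmd}")
    print("hosts to triage:", hosts_to_triage(hits))
```

Each indicator is deliberately narrow; widen or tighten the patterns after testing them against your own lab runs of the same steps.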
Authoring indicators and putting them to good use may seem like a lot of work, but it puts you in a position where you’re able to detect a real world attack while it’s still in progress. This provides the ability to contain, scope, and remediate before major damage is done.
Analytics, on the other hand, means mining datasets, pivoting, and correlating to identify patterns and outliers. By searching for outliers (also known as frequency analysis), you can find unknowns that might not belong. Creative thinking skills are very important for performing analytics. Marketing teams have been doing it for years to study consumers. Security practitioners need to do the same, but in their own context.
One of the most effective ways to identify compromise is to perform analytics with the goal of identifying persistence mechanisms (backdoors). Pull back autorun entries from every system and sort by frequency of occurrence from least to most, then focus on the uncommon entries in your environment. In fact, if you’ve got limited time to look for compromise, I’d recommend doing this before developing and chasing down indicators of compromise. There will be a lot of noise the first time, but it’s worth the energy. You’ll create a baseline useful for making autoruns frequency analysis a less painful regular activity, effectively focusing only on what’s changed since the prior search.
If you don’t have an enterprise tool to do autoruns frequency analysis, you can still squeak by with a hack job involving Sysinternals Autoruns, Trend Micro HiJackThis, or Mandiant Redline. Execute those tools remotely against systems, piping the results out to text files, then merge and mine them with the help of a decent programmer or DBA. Be careful to protect the privileged account you use to connect to systems remotely.
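The frequency analysis described in the two paragraphs above, as an added example that is not part of the original article: it assumes the per-host Autoruns output has already been merged into one CSV with Host, Entry Location, Image Path and SHA-256 columns (a constructed subset of the real autorunsc export, with placeholder hashes), counts how many hosts carry each entry, lists the rarest first, and diffs against a saved baseline so a repeat sweep only shows what changed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: merged autorun entries from three workstations, trimmed to the
# columns this analysis needs. Real autorunsc -c exports carry many more columns, and
# the SHA-256 values here are placeholders.
SAMPLE_CSV = r"""Host,Entry Location,Image Path,SHA-256
ws01,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,c:\program files\vendor\agent.exe,aaaa
ws02,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,c:\program files\vendor\agent.exe,aaaa
ws03,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,c:\program files\vendor\agent.exe,aaaa
ws01,Task Scheduler,c:\windows\system32\svchost.exe,bbbb
ws02,Task Scheduler,c:\windows\system32\svchost.exe,bbbb
ws03,Task Scheduler,c:\windows\system32\svchost.exe,bbbb
ws02,Task Scheduler,c:\windows\help\update.exe,cccc
"""


def load_entries(csv_text):
    """Parse the merged CSV into (host, key) pairs; the key identifies one autorun entry."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Entry Location"], row["Image Path"].lower(), row["SHA-256"].lower())
        entries.append((row["Host"], key))
    return entries


def frequency_table(entries):
    """Count the distinct hosts carrying each entry and return rows rarest-first."""
    hosts_by_key = defaultdict(set)
    for host, key in entries:
        hosts_by_key[key].add(host)
    rows = [(len(hosts), key, sorted(hosts)) for key, hosts in hosts_by_key.items()]
    return sorted(rows, key=lambda r: (r[0], r[1]))


def rare_entries(entries, max_hosts=1):
    """Entries present on at most max_hosts systems: the ones worth a first look."""
    return [row for row in frequency_table(entries) if row[0] <= max_hosts]


def new_since_baseline(entries, baseline_keys):
    """Entries absent from an earlier run, so a repeat sweep only shows what changed."""
    return [row for row in frequency_table(entries) if row[1] not in baseline_keys]


if __name__ == "__main__":
    entries = load_entries(SAMPLE_CSV)
    for count, (location, image, sha256), hosts in rare_entries(entries):
        print(f"{count} host(s) {hosts}: {location} -> {image} ({sha256})")
    baseline = {key for _, key, _ in frequency_table(entries)}  # persist this for the next sweep
    print("new since baseline:", new_since_baseline(entries, baseline))
```

Keying on location, image path and hash together means a legitimate binary replaced by a same-named file elsewhere or with a different hash shows up as a new, rare entry rather than blending into the common one.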
Whether you’re a retailer, online business or enterprise this holiday season, increase your proactive scans and hunts for suspicious activities. Happy holidays and good luck in your quest to find an attack in progress!