To better understand how to protect against advanced threats, let’s enter the mind of a cybercriminal to explore the five stages of a typical targeted attack campaign.
Stage 1: The initial compromise
Unlike cyberattacks from a decade ago, most targeted attacks begin with the exploitation of an end-user device. These days, most headline-making data breaches begin following receipt of a spear phishing email that tricks an unsuspecting user into clicking on a malware-embedded attachment or a link to a malicious website.
Stage 2: Establishing a foothold
Once a user’s endpoint device has been compromised, a remote administration tool/Trojan, or RAT, is executed behind the scenes. The RAT “phones home” by initiating an outbound connection between the infected host and a CnC server operated by the cybercriminal.
Sometimes the CnC protocol is sent in the clear while other times the command channel is encrypted. Once this is completed, the attacker has established full control over the infected host and a foothold on the network.
Stage 3: Escalating privileges
After establishing a foothold, the cybercriminal waits patiently until a user enters valid administrative credentials into the compromised host. All keystrokes are logged by the RAT using a keylogger function and uploaded to the CnC server for analysis.
In many instances, the stolen credentials are insufficient for compromising servers of interest. Thus, savvy threat actors target Active Directory servers (or other user directories) to exfiltrate usernames and password hashes for all user accounts for offline cracking. Passwords of eight characters or fewer can usually be revealed within a few hours (or sometimes minutes) using modern password cracking applications. Longer passwords are typically less vulnerable.
Stage 4: Moving laterally
With escalated privileges in hand, attackers move laterally across the network until they locate servers of interest. Lateral movement does not necessarily involve the use of tools other than those already supplied by the compromised host operating system, such as command shells, NetBIOS commands, VNC, or Windows Terminal Services used by network administrators to service remote hosts.
A common and easy way an attacker can move laterally in a Microsoft Windows environment is by using stock Windows commands, such as NET.EXE (to map a drive) and AT.EXE (to schedule a command). To move laterally, an attacker can map a drive to another Windows machine with NET.EXE, copy the malware to the drive, and then remote execute it with AT.EXE. Once the ultimate target has been identified and adequate logon credentials have been acquired, the attacker’s patience and determination begin to pay off.
Stage 5: Data theft
Once they have identified target servers, attackers determine the best course to steal data. Veteran cybercriminals typically exfiltrate data in “chunks” — perhaps in increments of 50-100 megabytes. Our attacker may decide to group files or records together into compressed, password-protected RAR files in case they’re discovered by IT personnel during transit. Or sometimes the attacker will use an XOR-byte encrypted outbound stream to evade signature based detection (as well as data loss prevention schemes).
Attackers cover their tracks
Both during and after the attack, the most advanced threat actors try to avoid leaving any clues that a data breach ever took place. Thus, they employ a variety of tactics to minimize the risk of post-breach detection, including:
- Planting malware or launching distributed denial of service (DDOS) attacks to distract the IT security staff and keep them busy doing other things.
- Accessing network file shares, which are relatively unprotected and completely wiped only in extreme circumstances.
- Deleting the compressed files after they’ve been extracted from the staging server.
- Deleting the staging server if it’s hosted in the cloud or taking it offline if under control of the attacker.
- Uninstalling malware at the initial point of entry.
- Using command line tools (WEVTUTIL.EXE, for example) to erase log traces.
Why Traditional Security Is Not Enough
As illustrated in this section, there are multiple reasons why traditional security defenses are inadequate for detecting advanced threats.
Bypassing signature-based defenses
Malware associated with targeted attacks is highly customized. Rudimentary IPS, AV, and other traditional, signature-based defenses can’t possibly detect newly created malware — because no signature exists to defeat it.
The dissolving network perimeter
The network perimeter has rapidly declined as an entry point for advanced threats for more than a decade — ever since laptops were used to access corporate applications and data. Today, workers are using mobile devices — such as tablets and smartphones — to gain unprecedented access to information, fueled by the adoption of well-intentioned BYOD policies. Unfortunately, mobile devices are now the “Wild West” for cyberattackers. Attackers are bypassing perimeter defenses each time a user carries an exploit right through the office front door.
Once compromised, the clock is ticking
Savvy security professionals know that despite all efforts to mitigate cyberthreats, their networks will ultimately be compromised. IT security teams are no longer judged solely on their ability to prevent threats, but also on their capacity to contain and remediate them. After all, once your network has been compromised, the clock is ticking. As you’ll discover in upcoming posts, network forensics technology has now achieved “must-have” status for every serious enterprise incident response team.
Introducing Advanced Threat Protection
At this point, you should now have a deeper appreciation of the challenges facing IT security professionals. Trying to combat today’s advanced threats using traditional security products is like showing up to a gunfight with a pocketknife.
You don’t stand a chance.
Fortunately, innovations in advanced threat protection technologies are affording IT security professionals new capabilities to detect, mitigate, and remediate advanced threats at all stages of the targeted attack life cycle — before, during, and after the attack.
Specifically, four advanced threat protection technologies are at the heart of this new strategy and are the combined focus of the following posts. These technologies are:
- Perimeter-based advanced threat protection
- Host-based advanced threat protection
- Endpoint behavior monitoring for insider threat protection
- Network forensics
So, stay tuned for the next edition to discover the first of these four technologies and learn how successful IT security organizations are dramatically improving their network security postures.
Want to engage with one of the top security teams in the world? Call or email us today for a free evaluation: firstname.lastname@example.org or (404) 316-0082