The Lifecycle of a Targeted Attack

To better understand how to protect against advanced threats, let’s enter the mind of a cybercriminal to explore the five stages of a typical targeted attack campaign.

Stage 1: The initial compromise

Unlike cyberattacks from a decade ago, most targeted attacks begin with the exploitation of an end-user device. These days, most headline-making data breaches begin following receipt of a spear phishing email that tricks an unsuspecting user into clicking on a malware-embedded attachment or a link to a malicious website.

Stage 2: Establishing a foothold

Once a user’s endpoint device has been compromised, a remote administration tool/Trojan, or RAT, is executed behind the scenes. The RAT “phones home” by initiating an outbound connection between the infected host and a CnC server operated by the cybercriminal.

Sometimes the CnC protocol is sent in the clear while other times the command channel is encrypted. Once this is completed, the attacker has established full control over the infected host and a foothold on the network.

Stage 3: Escalating privileges

After establishing a foothold, the cybercriminal waits patiently until a user enters valid administrative credentials into the compromised host. All keystrokes are logged by the RAT using a keylogger function and uploaded to the CnC server for analysis.

In many instances, the stolen credentials are insufficient for compromising servers of interest. Thus, savvy threat actors target Active Directory servers (or other user directories) to exfiltrate usernames and password hashes for all user accounts for offline cracking. Passwords of eight characters or fewer can usually be revealed within a few hours (or sometimes minutes) using modern password cracking applications. Longer passwords are typically less vulnerable.

Stage 4: Moving laterally

With escalated privileges in hand, attackers move laterally across the network until they locate servers of interest. Lateral movement does not necessarily involve the use of tools other than those already supplied by the compromised host operating system, such as command shells, NetBIOS commands, VNC, or Windows Terminal Services used by network administrators to service remote hosts.

A common and easy way an attacker can move laterally in a Microsoft Windows environment is by using stock Windows commands, such as NET.EXE (to map a drive) and AT.EXE (to schedule a command). To move laterally, an attacker can map a drive to another Windows machine with NET.EXE, copy the malware to the drive, and then remotely execute it with AT.EXE. Once the ultimate target has been identified and adequate logon credentials have been acquired, the attacker’s patience and determination begin to pay off.

Stage 5: Data theft

Once they have identified target servers, attackers determine the best course to steal data. Veteran cybercriminals typically exfiltrate data in “chunks” — perhaps in increments of 50-100 megabytes. Our attacker may decide to group files or records together into compressed, password-protected RAR files in case they’re discovered by IT personnel during transit. Or sometimes the attacker will use an XOR-byte encrypted outbound stream to evade signature-based detection (as well as data loss prevention schemes).

Attackers cover their tracks

Both during and after the attack, the most advanced threat actors try to avoid leaving any clues that a data breach ever took place. Thus, they employ a variety of tactics to minimize the risk of post-breach detection, including:
  • Planting malware or launching distributed denial of service (DDOS) attacks to distract the IT security staff and keep them busy doing other things.
  • Accessing network file shares, which are relatively unprotected and completely wiped only in extreme circumstances.
  • Deleting the compressed files after they’ve been extracted from the staging server.
  • Deleting the staging server if it’s hosted in the cloud or taking it offline if under control of the attacker.
  • Uninstalling malware at the initial point of entry.
  • Using command line tools (WEVTUTIL.EXE, for example) to erase log traces.
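From the detection side, the following is an added example (not code from the original post) that flags the stock Windows commands named in Stage 4 and in the list above when they show up in process-creation logs, and reports any host that both mapped an admin share and then scheduled a remote command. The "timestamp host user command" log layout and the sample lines are constructed assumptions, not any product's real format.

```python
"""Detection of the stock-command lateral movement and log-clearing steps
described in the text, run over constructed process-creation log lines."""
import re
from collections import defaultdict

# Constructed sample log lines in a simplified "timestamp host user command"
# layout (an assumption, not any product's real log format).
SAMPLE_LOG = """\
2014-03-02T09:12:01 WS-17 corp\\jdoe NET.EXE use Z: \\\\FS-02\\C$
2014-03-02T09:12:09 WS-17 corp\\jdoe cmd.exe /c copy C:\\Users\\jdoe\\svc.exe Z:\\Windows\\Temp\\svc.exe
2014-03-02T09:12:30 WS-17 corp\\jdoe AT.EXE \\\\FS-02 09:15 C:\\Windows\\Temp\\svc.exe
2014-03-02T10:40:11 WS-17 corp\\jdoe WEVTUTIL.EXE cl Security
2014-03-02T11:02:45 WS-22 corp\\asmith NET.EXE use H: \\\\FS-01\\home
2014-03-02T11:05:00 WS-22 corp\\asmith notepad.exe C:\\notes.txt
"""

# Each rule matches the start of a command line. A "net use" of an ordinary
# file share (not a C$/ADMIN$-style administrative share) is deliberately
# left unmatched so routine drive mappings do not alert.
RULES = [
    ("admin_share_mapping",
     re.compile(r"^net(\.exe)?\s+use\s+\S+\s+\\\\[^\s\\]+\\(?:[a-z]|admin)\$", re.I)),
    ("remote_at_scheduling", re.compile(r"^at(\.exe)?\s+\\\\\S+", re.I)),
    ("event_log_cleared", re.compile(r"^wevtutil(\.exe)?\s+cl\b", re.I)),
]


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, host, user, cmd = line.split(" ", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def match_rules(cmd):
    """Return the names of every rule the command line triggers."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(log_text):
    """Return (alerts, chain_hosts): one (ts, host, user, rule) tuple per
    matching line, plus the hosts that mapped an admin share and also
    scheduled a remote command (the map-copy-schedule chain in the text)."""
    alerts, seen = [], defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        for name in match_rules(ev["cmd"]):
            alerts.append((ev["ts"], ev["host"], ev["user"], name))
            seen[ev["host"]].add(name)
    chain = {"admin_share_mapping", "remote_at_scheduling"}
    chain_hosts = sorted(h for h, names in seen.items() if chain <= names)
    return alerts, chain_hosts


if __name__ == "__main__":
    found, hosts = detect(SAMPLE_LOG)
    for ts, host, user, name in found:
        print(f"{ts} {host} {user}: {name}")
    print("lateral-movement chain on:", hosts)  # -> ['WS-17']
```

The same three rules apply unchanged to real Windows process-creation events (Sysmon Event ID 1 or Security 4688) once the parser is pointed at that format's command-line field.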

Why Traditional Security Is Not Enough

As illustrated in this section, there are multiple reasons why traditional security defenses are inadequate for detecting advanced threats.

Bypassing signature-based defenses

Malware associated with targeted attacks is highly customized. Rudimentary IPS, AV, and other traditional, signature-based defenses can’t possibly detect newly created malware — because no signature exists to defeat it.

The dissolving network perimeter

The network perimeter has rapidly declined as the entry point for advanced threats for more than a decade — ever since laptops were first used to access corporate applications and data. Today, workers are using mobile devices — such as tablets and smartphones — to gain unprecedented access to information, fueled by the adoption of well-intentioned BYOD policies. Unfortunately, mobile devices are now the “Wild West” for cyberattackers. Attackers are bypassing perimeter defenses each time a user carries an exploit right through the office front door.

Once compromised, the clock is ticking

Savvy security professionals know that despite all efforts to mitigate cyberthreats, their networks will ultimately be compromised. IT security teams are no longer judged solely on their ability to prevent threats, but also on their capacity to contain and remediate them. After all, once your network has been compromised, the clock is ticking. As you’ll discover in upcoming posts, network forensics technology has now achieved “must-have” status for every serious enterprise incident response team.

Introducing Advanced Threat Protection

At this point, you should now have a deeper appreciation of the challenges facing IT security professionals. Trying to combat today’s advanced threats using traditional security products is like showing up to a gunfight with a pocketknife.

You don’t stand a chance.

Fortunately, innovations in advanced threat protection technologies are affording IT security professionals new capabilities to detect, mitigate, and remediate advanced threats at all stages of the targeted attack life cycle — before, during, and after the attack.

Specifically, four advanced threat protection technologies are at the heart of this new strategy and are the combined focus of the following posts. These technologies are:
  1. Perimeter-based advanced threat protection
  2. Host-based advanced threat protection
  3. Endpoint behavior monitoring for insider threat protection
  4. Network forensics

So, stay tuned for the next edition to discover the first of these four technologies and learn how successful IT security organizations are dramatically improving their network security postures.

Want to engage with one of the top security teams in the world? Call or email us today for a free evaluation: hello@myincloud.com or (404) 316-0082

Is Your Organization Capable of Competing in a Data Driven World? – Part 3

Getting Teams Equipped to Share Everything, Not Just Some Things.

Technology has been both a cause of the challenges companies experience and a tool for their success. But it is the change in the organization’s culture that allows leaders to leverage data driven decisions properly.

At the core of this journey to adaptability lies a yin-and-yang symmetry of shared consciousness, achieved through strict, centralized forums for communication and extreme transparency, and empowered execution, which involves the decentralization of managerial authority. Together, these power the evolution of a data driven enterprise that uses its data properly.

Your transformation is reflective of the new generation of mental models we must adopt in order to make sense of the twenty-first century.  If we do manage to embrace this change, we can unlock tremendous potential for human progress.

So here are some of the principles we’ve developed over the years to enable and protect a healthy data driven culture.  I know that when you distill a complex idea into a T-shirt slogan, you risk giving the illusion of understanding – and, in the process, of sapping the idea of its power.  An adage worth repeating is also halfway to being irrelevant.  You end up with something that is easy to say but not connected to behavior.  But while I have been dismissive of reductive truths throughout this series, I do have a point of view, and I thought it might be helpful to share some of the principles that I have found to be most effective in developing a new culture.  

“The trick is to think of each statement as a starting point, as a prompt toward deeper inquiry, and not as a conclusion.”

  • Give a good idea to a mediocre team, and they will screw it up. Give a mediocre idea to a great team, and they will either fix it or come up with something better. If you get the team right, chances are that they’ll get the ideas right.
  • If there are people in your organization who feel they are not free to suggest ideas, you lose. Do not discount that ideas come from anywhere in the organization.
  • It isn’t enough merely to be open to ideas from others. Engaging the collective brainpower of the people you work with is an active, ongoing process. As a manager, you must coax your staff and constantly push them to contribute.
  • Do not fall for the illusion that by preventing errors, you won’t have errors to fix. The truth is, the cost of preventing errors is often far greater than the cost of fixing them.
  • Change and uncertainty are part of life. Our job is not to resist them but to build the capability to recover when unexpected events occur. If you don’t always try to uncover what is unseen and understand its nature, you will be ill-prepared to lead.
  • Similarly, it is not the manager’s job to prevent risk. It is the manager’s job to make it safe to take risks.
  • Failure isn’t a necessary evil. In fact, it isn’t evil at all. It is a necessary consequence of doing something new.
  • The people ultimately responsible for implementing a plan must be empowered to make decisions when things go wrong, even before getting approval. Finding and fixing problems is everybody’s job. Anyone should be able to stop the production line.
  • A company’s communication structure should not mirror its organizational structure. Everybody should be able to talk to anybody.
  • An organization, as a whole, is more conservative and resistant to change than the individuals who comprise it. Do not assume that general agreement will lead to change – it takes substantial energy to move a group, even when all are on board.
  • Do not confuse the process with the goal. Working on our processes to make them better, easier, and more efficient is an indispensable activity and something we should continually work on – but it is not the goal. Making the product great is the goal.

The path to a data driven company is one that is achieved through the balance of technology and culture. The “dark data” that your organization has accumulated over the years is where we have focused our attention. Illuminating that data and making it usable for your people to make decisions is the goal that comes from building a culture of trust and shared consciousness.

If you would like to learn more about how InCloud Control has helped other companies on this journey, please feel free to send us a note at:

hello@myincloud.com or call us at (404) 316-0082

Is Your Organization Capable of Competing in a Data Driven World? – Part 2


The Assembly Line of Information Sharing is Broken – There is one main critical flaw in the way companies have been structured and managed over the past 100 years. What once worked as a proven methodology to improve efficiencies in American assembly line environments is no longer a viable organizational structure in today’s constantly changing world.
The traditional top down leadership styles are creating two very important gaps in an enterprise’s ability to adapt:
  1. Information captured at the operator level (point of production) takes too long to get to the leadership that is both analyzing the data and making decisions based on that data.
  2. Decisions made at the top trickle down creating old and irrelevant intelligence for the operators.
The shift in organizational structure must move from assembly line mentality to that of a living organism.  Let me explain.
When operators on a plant floor are faced with data that provides them insight into a specific asset failure, the optimal decision for action should be made by the individual closest to the action.  However, in an assembly line organizational structure, the information travels through the chain of command up the food chain.  The result is an operator with the ability to make a decision – but a structure that is not set up in a way that they can impact immediate change.
So the information travels down the conveyor belt to your analysts and managers, who look at multiple options and arrive at the best possible solution that creates the lowest amount of impact on the production schedule and outstanding orders in the pipeline. Oftentimes we see the scenario where, by the time a decision is delivered back down the assembly line, the machine has already deteriorated into a fail state or a faulty part has been shipped and a costly recall needs to be initiated.
The Solution is Simple but not Easy – In an assembly line organization – leadership looks at each functional station as an independent part of the process that flows with a predictable rhythm and governance.  The problem with this is that the further the information flows away from the operator – the less accurate and impactful it becomes.
When we describe the organizational shift to that of a living being, our customers are able to understand the disconnect and can now begin taking the proper steps to support that structure. Think of your enterprise structure as a human body. The leadership is the head, the maintenance team are the legs, the production team are the arms, and the assembly line operators are the hands. When we touch a hot surface – immediately our head knows that something is not right – our arms are connected directly to the hands so they know what’s up immediately – and if it’s a fire and we need to get the heck out of the building our legs are quick to take us away from danger. We don’t have to wait for each part of our body to analyze the fact that we just touched something hot. The head doesn’t have to check with the arms or legs to know if they should react and respond to the hand’s discovery. No – the body is completely connected. It is interdependent throughout.
The shift from disconnected and long feedback cycles to interdependent shared experiences is where we will focus our next post. Part 3 is the most difficult part of getting this process started…
Getting Teams Equipped to Share Everything, Not Just Some Things.
If you have any questions or would like to engage with us to help your organization execute on the challenges of a massive change in structure, give us a call at (404) 316-0082 or email us at info@myincloud.com

Is Your Organization Capable of Competing In The Data Driven World? Part 1

The impact big and fast data has made on organizations has never been more critical. There is no shortage of data sources or credible insights to help organizations to take action. So the question we asked ourselves at our latest contract with a major manufacturing company was this:

“Why is the compressor that our predictive analytics platform identified as a 90% assurance that complete failure would occur in 6 weeks not on any maintenance team’s list 4 weeks after the first alert was announced?”

The answer to this led us on a six-month journey through an introspection of the organizational structure that would change our client and our perspective forever.

Silo Walls Must Come Down
What once was an organizational structure that worked in 1952 when this company first began manufacturing parts for the automotive industry – was no longer viable in an era of fast moving data and changes by competition and customers.

Operations, Maintenance, Reliability, Accounting, Safety, and Sales Teams were all functioning in isolated units. Each had been created in this fashion to derive efficiency and cost cutting measures. In addition, the historical relevance of each independent unit had been created as a vertical distribution of information – mostly in the form of specific instruction from the top down. This is no anomaly in the broad overview of American companies. Without exception, manufacturing organizations have been functioning under this model for over 100 years.

The reason this model had been adopted throughout the modernization of manufacturing dates back to the inception of the assembly line and the methodology deployed around improving efficiency and cutting costs. By limiting the view of the assembly line worker to a short list of tasks, companies were able to measure specific movements down to the second. This created a hierarchical approach to managing workers, performance, and above all information.

By employing a “Need-To-Know” mentality around information – these units within the organization had become highly competitive around performance, innovation, efficiency, and control. By most accounts during our discovery phase – managers were incentivized by their individual unit’s “efficiency rating” vs. all other units within the organization.

This culture of competition and lack of sharing and collaboration had created very thick and high walls around and, more importantly, between the units.

Introducing Data Exposes The Interface Breakdown
When InCloud Control was first contracted to deliver a predictive failure analytics platform to this client we attacked the problem as we always had – as a system integrator with a focus on the IT function.  We understood the manufacturing process.  Our platform had already been integrated with the historian that was aggregating all of the machine sensor data.  We integrated nicely with their maintenance platform.  We had established push notifications to the maintenance team when a failure signature was discovered.  We had provided everything a company needed to react to the data.

The problem as we soon discovered was not with the data and information we were providing.  The problem was in how that data was being acted upon.

Operations was unwilling to take a machine out of production because that would affect the VP of operations’ bonus. The maintenance team had an ever growing list of repairs that needed to be completed so that the VP of maintenance didn’t miss her bonus. The reliability team didn’t want to disrupt the efficiency of the performance and longevity of the equipment by taking it out of production because… Yep, the VP of reliability would take a hit against his bonus. Why would anyone want to work together to fix a very expensive machine when it would be taking money out of their collective pockets?

There was the problem and we needed to first understand the problem before we could figure out how to fix it.

In part 2 we will discuss how we transformed this organization into the data driven team they have become today.

If you would like to learn more about InCloud Control and how we can help your company integrate our great predictive analytics solutions into your organization, give us a call at (404) 316-0082 or email us at hello@myincloud.com