Cyber Security Fundamentals: Finding The Proverbial Needle In A Haystack
The Covid19 pandemic has presented significant challenges for businesses across the globe, with many having to significantly change their established business operating models.
This disruption has proven extremely beneficial to opportunist attackers, who have pounced on any vulnerabilities presented to them. Consequently, a marked increase in cyber attacks has been observed, with the latest research from Carbon Black highlighting:
85% of chief information officers (CIOs), chief technology officers (CTOs), and chief information security officers (CISOs) felt that their workforce had not been properly equipped to work from home, with 28% citing “severe and significant gaps” in security.
29% cited an inability to implement multi-factor authentication as the biggest threat facing their organisation, rising to 50% for financial services organisations, and 46% for companies with 251-500 employees.
90% of security professionals had already witnessed a growing volume of attacks over the previous 12 months.
Of those surveyed, a whopping 94% had suffered a data breach resulting from a cyber-attack.
Manufacturing and engineering companies suffered more cyber-attacks and data breaches than any other sector.
To make matters worse, new research from IBM has highlighted that throwing money indiscriminately at security does not always improve an organisation's ability to detect and respond to abnormal activity.
Consequently, it is essential that organisations ensure their security tools are integrated so that they complement one another and align with the attack attributes of a threat actor (e.g. Cyber Kill Chain, Cognitive Attack Loop, Attack Life-cycle, etc.).
Mandiant FireEye Attack Life-cycle
1. Initial Recon
Often shortened to recon, the adversary gathers information using a variety of techniques, passive or active, which may include:
a. Passive:
   i. Sniffing network traffic.
   ii. Using open source discovery of organisational information (news groups; company postings on IT design and IT architecture).
   iii. Google hacking.
b. Active:
   i. Scanning the network perimeter.
   ii. Social engineering (fake phone calls, low-level phishing).
2. Initial Compromise
The adversary procures or crafts the mechanisms to successfully execute malicious code on systems.
Common paths include:
a. Social engineering (e.g. spear phishing)
b. Directly exploiting a known device or system vulnerability
c. Leveraging supply chain weaknesses
3. Establish Foothold
Footholds give attackers a means of persistent access using back-doors or other malware.
4. Escalate Privileges
During this phase, an adversary seeks greater access by escalating their privileges. Privilege escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.
Examples of elevated access include:
a. System/root level
b. Local administrator
c. User account with admin-like access
d. User accounts with access to a specific system or that perform a specific function
5. Internal Recon
The adversary gains situational awareness of the environment, including the types and location of data of possible interest. The MITRE ATT&CK framework refers to this as discovery: techniques that enable adversaries to explore and re-orient as necessary to fulfil their objectives.
Example discovery techniques include:
a. Account discovery
b. Cloud service discovery
c. Domain trust discovery
d. Remote system discovery
6. Move Laterally
Often referred to as pivoting, an adversary uses their access to traverse the compromised environment. Here, adversaries may leverage any legitimate credentials they have gained, or install their own remote access tools, in their quest to gather and steal information.
Common lateral movement techniques include:
a. Internal spearphishing
b. Pass the Hash (PtH)
c. Pass the Ticket (PtT)
d. SSH hijacking
7. Maintain Presence
The adversary maintains continued access to the compromised environment through some sort of backdoor that allows them to return at a later time. Once communication with that backdoor is established it is referred to as command and control (C2), which enables data exfiltration, network disruption or denial of service.
8. Complete Mission
When an adversary completes their objective, they typically try to cover their tracks and transfer the data to an external server in such a way as to avoid detection. Data may be exfiltrated using any number of techniques, including compression or encryption of the data, and transmitted over alternate protocols or networks.
Using your array of security tools, are you able to identify such activities occurring within your environment?
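One way to act on that question is to correlate what each tool sees against the life-cycle rather than alerting on single events. The following is an added example, not code from the original article: a small Python correlator that takes events normalised from three hypothetical sources (a Windows security log, an EDR process log and a web proxy), maps each to a life-cycle stage with simple rules, and raises an alert only when one host shows several distinct stages inside a sliding window. The event records, field names, the "host" normalisation (the workstation the activity originated from), and the thresholds are all constructed for illustration; the pass-the-hash rule is a widely used heuristic (network logon with NTLM and a zero key length), not a definitive indicator.

```python
"""Correlate multi-tool telemetry against the attack life-cycle (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Life-cycle stages in the order the article lists them. Stages 1 and 2 are
# external-facing, so host telemetry normally starts at "Establish Foothold".
STAGES = ["Establish Foothold", "Escalate Privileges", "Internal Recon",
          "Move Laterally", "Maintain Presence", "Complete Mission"]

# Assumed rule inputs: common discovery binaries, the per-user Run key used
# for persistence, and an arbitrary outbound-size threshold for exfiltration.
DISCOVERY_TOOLS = {"whoami.exe", "nltest.exe", "net.exe", "net1.exe", "dsquery.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
EXFIL_BYTES = 50 * 1024 * 1024  # 50 MB in a single POST

# Constructed sample events. "host" is the originating workstation; for a
# 4624 event "target" is the computer that was logged on to.
EVENTS = [
    {"ts": "2021-03-01T09:00:00", "src": "edr", "host": "WS-17", "action": "process_start",
     "image": "powershell.exe", "parent": "WINWORD.EXE"},
    {"ts": "2021-03-01T09:04:00", "src": "auth", "host": "WS-17", "event_id": 4672, "user": "jdoe"},
    {"ts": "2021-03-01T09:06:00", "src": "edr", "host": "WS-17", "action": "process_start",
     "image": "whoami.exe", "parent": "powershell.exe"},
    {"ts": "2021-03-01T09:20:00", "src": "auth", "host": "WS-17", "event_id": 4624, "user": "svc_backup",
     "logon_type": 3, "auth_pkg": "NTLM", "key_length": 0, "target": "FS-01"},
    {"ts": "2021-03-01T09:25:00", "src": "edr", "host": "WS-17", "action": "registry_set",
     "key": RUN_KEY + r"\Updater"},
    {"ts": "2021-03-01T09:40:00", "src": "proxy", "host": "WS-17", "method": "POST",
     "dest": "files.example.net", "bytes_out": 120 * 1024 * 1024},
    # Another workstation: a normal Kerberos logon and one 'net' command.
    {"ts": "2021-03-01T09:10:00", "src": "auth", "host": "WS-03", "event_id": 4624, "user": "asmith",
     "logon_type": 3, "auth_pkg": "Kerberos", "key_length": 256, "target": "FS-01"},
    {"ts": "2021-03-01T09:12:00", "src": "edr", "host": "WS-03", "action": "process_start",
     "image": "net.exe", "parent": "cmd.exe"},
]


def classify(ev):
    """Map one normalised event to a life-cycle stage, or None if it matches no rule."""
    src = ev["src"]
    if src == "auth":
        # 4672: special privileges assigned to a new logon (admin-equivalent rights).
        if ev["event_id"] == 4672:
            return "Escalate Privileges"
        # Pass-the-hash heuristic: network logon (type 3) authenticated with NTLM
        # and a zero key length, directed at a different host.
        if (ev["event_id"] == 4624 and ev.get("logon_type") == 3
                and ev.get("auth_pkg") == "NTLM" and ev.get("key_length") == 0
                and ev.get("target") != ev["host"]):
            return "Move Laterally"
    elif src == "edr":
        action = ev.get("action")
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        if action == "process_start" and parent in OFFICE_PARENTS:
            return "Establish Foothold"      # Office application spawning a child process
        if action == "process_start" and image in DISCOVERY_TOOLS:
            return "Internal Recon"
        if action == "registry_set" and ev.get("key", "").startswith(RUN_KEY):
            return "Maintain Presence"
    elif src == "proxy":
        if ev.get("method") == "POST" and ev.get("bytes_out", 0) >= EXFIL_BYTES:
            return "Complete Mission"
    return None


def correlate(events, window_minutes=60, min_stages=3):
    """Return {host: [stages]} for hosts showing min_stages distinct stages
    within any window_minutes-long window, stages listed in life-cycle order."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = [s for s in STAGES if s in stages]
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

The threshold of three stages is deliberately a starting point: a single 4672 or one `net.exe` invocation on WS-03 is ordinary administrative noise, whereas WS-17 progresses from foothold through to exfiltration in forty minutes, which is the pattern the life-cycle view is meant to surface even when each tool on its own would only have logged a low-severity event.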
Many traditional cyber security strategies look at the environment from the inside out, find it difficult to identify external-facing vulnerabilities, and can miss what the attacker sees during stages 1 and 2 of the attack life-cycle.
As a consequence, they struggle to prioritise remediation of their own and their supply chain's vulnerabilities, gifting attackers longer windows of opportunity and thus a greater chance of success.
The impact of a cyber attack on a business can be extensive. However, an understanding of the cyber attackers' modus operandi helps to ensure that your security tools are better placed to detect and interpret hostile activity through a 360-degree lens.
Timely intervention can significantly increase your ability to intercept a threat actor's malicious intentions and reduce the likelihood that your risk and resilience score identifies you as an easy victim.
It is important to remember that the criminals are opportunists, constantly on the prowl and seeking an easy victim to prey upon.