Most businesses are surprised by how long a single cyberattack can take to carry out, from beginning to end. The average dwell time of an intruder in an IT ecosystem has increased to more than 9 months, which raises the question of why malicious actors seem to be given the luxury of time.
To better understand how this all works, here is a brief review of the five stages of a cyberattack.
- Getting to know the victim: Adversaries start by identifying target organizations and collecting information about them. Key focuses include what valuable data they might be able to steal, how big a payoff they could get from a ransomware attack, and how difficult the mission is likely to be. Reconnaissance can be passive, which involves using public sources such as tax records, job postings and social media to discover what systems and applications the organization uses, the names of its employees, and so on. Reconnaissance can also involve active techniques like network and port scanning to understand the target organization’s network architecture, firewalls and intrusion detection programs, operating systems and applications, and the services hosted on its ports.
- Planning: The attacker determines which attack method to use. Examples include exploiting a zero-day vulnerability, launching a phishing campaign, or bribing an employee to provide login details or deploy malware.
- Initial Breach: The adversary then uses the chosen attack method to attempt to breach the organization’s network. For instance, the adversary might succeed in guessing an employee’s user ID and password, gain entry through an unpatched or misconfigured system, or trick an employee into launching malware hidden in a malicious attachment to a phishing email.
- Choosing the Attack Path: Once inside the network, the adversary will seek to escalate their privileges and compromise additional systems to locate sensitive data or reach other critical resources. They also want to maintain their access. To achieve this, they might create new user accounts, modify settings or even install backdoors.
This is where attack paths come into play. By leveraging an attack path, an adversary can escalate their privileges from ordinary user to administrator and even to Domain Admin, which gives them unlimited power in the domain.
By compromising any authorized user and admin accounts, adversaries can make their activity difficult to spot. And once they have claimed sufficient privileges, they can further evade detection by causing systems to falsely report that everything is working normally.
- Cleaning Up: The adversary steals or encrypts the organization’s data, or perhaps corrupts systems to disrupt business operations. In addition, they often also try to cover their tracks in order to thwart investigations and keep the organization from enhancing its defenses against future attacks. Techniques include uninstalling programs used in the attack, deleting any folders or accounts that they created, and modifying or deleting any trace that they were there.
The 5-stage process noted above offers several opportunities for defenders to disrupt the attack. It is critical to ensure that the initial intrusion is prevented in the first place. This is why cyber threat notification services should be part of your organization's cyber threat defenses. This is not the entire answer to all breach activity, but it is a start.
Attack paths are a chain of actions that could enable an attacker who compromises a user account to gain administrative privileges, or even full control of the IT environment. It can start with something as simple as a phishing attack. Unlike a code-based vulnerability or a single misconfiguration, an attack path cannot be mitigated by the established methods of patching and vulnerability management. The problem is most acute for Microsoft Active Directory (AD), for several reasons. AD is by far the most widely used directory service: it is reported that 95 percent of Fortune 1000 companies use AD. Cyber threat actors who focus on understanding and exploiting attack paths in Active Directory have a large universe of targets on a global basis.
Another factor that makes AD vulnerable to attack paths is its complexity and lack of transparency. AD administrators have a wide range of options for granting permissions to accounts, with thousands of settings. At the same time, it is nearly impossible to accurately audit permissions. AD has been in use for more than two decades, plenty of time for many organizations to build up confusing policies and procedures that would be difficult to chart and verify. For strong AD security, attack path management is needed. Instead of looking at vulnerabilities or configuration errors in isolation, attack path management can help identify the sequences of steps an adversary can take from compromising an ordinary user account to gaining control over critical assets or even Active Directory itself.
An attack path management tool will identify the choke points that are shared by multiple attack paths. A choke point is the last segment in the chain of events for many attack paths. By remediating a choke point, you eliminate all the attack paths that rely on it. It is crucial to combine attack path identification with attack path monitoring, continuously watching to see if any attack paths are actually being leveraged. This may allow you to take action promptly instead of allowing the intruder the luxury of extra time to advance along the attack path towards your critical IT assets.
It is important to remember that attack path management is not a “once and done” task. Modern computing environments are complex and highly dynamic. As a result, new attack paths are emerging all the time, so you need to actively look for them on a regular basis and promptly take steps to remediate or at least monitor them.
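As an added illustration of the choke-point idea described above (example code written for this page, not code from Red Sky Alliance or from any attack path management product), the following Python model uses a constructed directory graph with hypothetical principal names: it enumerates every path from ordinary users to Domain Admins, ranks the intermediate nodes that the most paths share (ties going to the node nearest the target, the "last segment"), and shows that revoking the rights leading into the top choke point removes every path that depends on it. Re-running it after each change to the environment is the recurring check the text calls for.

```python
from collections import defaultdict

# Constructed toy AD-style graph with hypothetical names (not a real environment).
# An edge means "source can take control of destination": group membership,
# local admin rights on a host, or a logged-on session whose credentials sit there.
EDGES = [
    ("alice", "Helpdesk"),            # alice is a member of Helpdesk
    ("bob", "Helpdesk"),
    ("carol", "WKS-01"),              # carol is local admin on WKS-01
    ("Helpdesk", "WKS-01"),           # Helpdesk is local admin on WKS-01
    ("WKS-01", "svc_backup"),         # svc_backup has a session on WKS-01
    ("svc_backup", "Server Ops"),     # svc_backup is a member of Server Ops
    ("Server Ops", "Domain Admins"),  # Server Ops is nested in Domain Admins
    ("dave", "Domain Admins"),        # dave is a direct member
]
USERS = ["alice", "bob", "carol", "dave"]
TARGET = "Domain Admins"

def find_paths(graph, start, target):
    """Every simple path start->target (DFS that never revisits a node on the path)."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        if path[-1] == target:
            paths.append(path)
            continue
        stack.extend(path + [n] for n in graph.get(path[-1], []) if n not in path)
    return paths

def all_paths(edges, starts, target):
    """Build the adjacency list and collect every path from each start to target."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return [p for s in starts for p in find_paths(graph, s, target)]

def rank_choke_points(paths):
    """Count paths crossing each intermediate node; rank by count, then by fewest
    hops to the target, so the 'last segment' shared by most paths comes first."""
    counts, hops = defaultdict(int), {}
    for p in paths:
        for i, node in enumerate(p[1:-1], start=1):
            counts[node] += 1
            hops[node] = min(len(p) - 1 - i, hops.get(node, len(p)))
    return sorted(counts, key=lambda n: (-counts[n], hops[n])), dict(counts)

def remediate(edges, node):
    """Revoke every right that leads into `node` (e.g. prune its membership)."""
    return [(s, d) for s, d in edges if d != node]
```

In this constructed graph three of the four user-to-Domain-Admins paths run through "Server Ops", so pruning the membership that leads into it leaves only dave's direct membership, which then needs its own review.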
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1
• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
PDF here: TR-22-304-002.pdf