Is Your Enterprise Prepared for a Hack?
A static defensive security posture is deficient -
breach prevention by itself isn't enough.
By Scott Murphy
VP Strategic Business Development, Data Perceptions Inc.
Published December 22, 2019
The reality of cybersecurity today is everyone is getting constantly bombarded with automated attacks of various types that are each looking for network vulnerabilities. It seems just a matter of time until an organization is compromised. The challenge is no longer stopping the compromise but rather the speed and capabilities of an organization to notice the compromise and then respond effectively.
Threat actors or hackers are focusing on three primary methods of getting a foothold in an enterprise:
Of those three, the vast majority of the breach causes are human error. Once the threat actor gains a foothold in an organization, they have two goals: gain access to as much data as possible and to go unnoticed for as long as possible.
The Anatomy of an Attack
To protect themselves, enterprises need to develop capabilities that detect when a system has been compromised and then respond accordingly with a treatment plan. In order to do this, a high-level understanding of the techniques that adversaries are using to gain and escalate access to your organization is needed.
A hacker’s first step is to gain initial access to the organization. This is commonly done through phishing social engineering techniques to trick users into allowing the hacker basic access to the system. The hacker will typically attempt to remain unnoticed by keeping the compromise in only the memory of the system so that Antivirus (AV) and Endpoint Detection and Response (EDR) systems will not notice. The hacker may use some other social engineering techniques to determine the specific AV and EDR systems that your organization is using, and then customize their payloads and techniques to avoid detection.
The next step for the hacker is to establish local persistence of the compromise, usually by escalating local privileges on the compromised system and deploying a Remote Access Trojan (RAT) on to the system. They now have a solid foothold in your organization to start to escalate access to the organization’s data. The threat actor will look to move latterly within the organization, looking for data and information to further escalate their access to systems and files. They’ll continue to use social engineering, take advantage of unpatched systems, and exploit trust-chain issues within systems. The chain of trust in systems is a secure way of ensuring that someone cannot modify systems easily. If the system contains a bug, hackers can exploit the bug and cause the execution of untrusted code or scripts.
While they are there.....
As the threat actor moves latterly within the organization and gains escalated privileges and access to data, they begin to exfiltrate data offsite for further analysis, keeping their backdoor open to go back for more data. Data is often encrypted and compressed (zipped) for sending offsite to avoid detection.
They will analyze the data looking to further escalate their privileges, often by finding passwords embedded in code, files, databases, and even offsite systems.
They will analyze the data looking to further escalate their privileges, often by finding passwords embedded in code, files, databases, and even offsite systems. Hackers will often find re-used usernames and passwords in test systems or cloud-based systems that will allow them to gain even more access. Onsite regular users are often admins for cloud-based systems.
Threat actors don’t necessarily have a plan or a specific target. They’re opportunistic and take advantage of the information that they glean from the “low-hanging fruit” available and use it to exploit an organization for profit.
How to Respond?
The challenge for organizations is to first notice that there is something unusual happening, discern if it’s a compromise, and then find a way to stop it as soon as possible. This requires a layered approach to security that is overlapping, holistic and uses both tools and processes.
There are no silver bullets!
However, there are some common capabilities that organizations can develop to enable detection and treatment, including:
Security awareness training of users can enable early identification that a mistake has been made.
Enable log monitoring on systems and software (especially cloud systems) and develop alerts and reports to identify atypical behavior. Have someone responsible for reviewing them regularly.
Reduce the attack surface of internal and external systems by patching systems and disabling unnecessary services. This makes the hacker’s job harder.
Enable multi-factor authentication on all externally facing and cloud systems to make escalating privileges and lateral movement more difficult.
Develop response and treatment plans for common security issues such as corporate workstation and laptop compromises.
Having a static defensive security posture is deficient – breach prevention by itself isn’t enough. Organizations of all sizes must have capabilities to detect compromises, react and treat effectively.