Inside the Mind of a Threat Actor: Tactics, Techniques, and Procedures Explained

4 min read

They lure their victims with the bait of a seemingly innocent email or landing page in an attempt to steal their user credentials.  And they only need to succeed once to get in.

Once they have hooked their victim, a cybercriminal can literally take over an entire network in a matter of minutes. Or worse yet, they can lurk quietly on a connected device for months, unbeknownst to the IT team, plotting how to extract the most profit and/or cause disruption from the now compromised network.

We care about these seemingly inconsequential phishing lures because once a hacker has a foothold on your network, they can exploit it to infiltrate deeper into your systems and cause significant harm.

Using a variety of Tactics, Techniques, and Procedures (TTP), the hacker will succeed – whether it’s ransom, theft, or a more sinister type of attack – it’s only a matter of time before they will get exactly what they want.

Phishing Is the Entry Point

You may think of phishing as some old-timey Nigerian Prince scam that only works on your grandma, but the attack vector has become wildly sophisticated and widely successful since its inception in the 1990s.

While certainly not the only tactic in the cyber criminal’s toolkit, phishing scams are the easiest and most effective way to gain access to a network or obtain personal information.

In fact, the FBI recently warned of a 270 percent increase in identified victims and exposed loss from the business e-mail compromise scams. According to the data collected, law enforcement received reports from 17,642 victims in every U.S. state and in at least 79 countries, which amounted to more than $2.3 billion in losses between October 2013 and February 2016.

Clearly it’s not just grandmas falling for the things.

VIPs Are Walking Targets for Spearphishing

Let’s just start with spearphishing. If an attacker is spearphishing you, it’s a targeted attack that’s looking for something you have. Your login credentials, your HR privileges, your bank account number, whatever. Spearphishers aren’t just spraying untargeted Nigerian Prince scams out to some email list they bought—they’re looking for something specific you have and tailoring the message to you. And when crafted with skill, the emails they send will appear much more authentic than whatever lands in your spam box on the daily.

Whale phishing, or whaling, is the practice of marking CEOs and other high-value targets. Board members — with high levels of trust and names that carry weight inside their respective orgs — are increasingly targeted.

Regardless of the target (or lack thereof), hackers will often disguise malware inside of Office documents (macros), encrypted zips, or even “password reset pages.”

There are gobs of pre-built phishing kits available on the dark web, so even relatively unskilled threat actors can look like pros.

The Syrian Electronic Army spoofed The Washington Post’s internal email login page and successfully gain access from one of their sports writers in 2013.

Tactics, Techniques, and Procedures (TTP) Executed after the Breach

So, who cares if someone got the email login creds for Jeff from Accounting, or Admin privileges to the printer on Floor 6, you might ask.

We care about these phishing incidents because once a hacker obtains credentials, there is nothing to stand in the way of the threat actor. Access from an unprivileged account is sufficient to begin the job of getting administrative access, after which  he/she will have full clearance to do their worst to get your best, most valuable, assets and data. Furthermore, the actor can lurk for months, exploring internal systems, and then carefully extracting valuable treasures residing deep within the network.

The potential consequences for the victim of a hacked PC are significant.

Here are just a few post-breach TTPs:

Attackers can use beaconing to get back into a compromised computer. The installed beacon will “call out” to the internet and check for commands from the attacker.

With a logged-in user’s credentials, attackers can use reconnaissance to gather useful information to further compromise other systems. Often the goal is access to local admin and/or domain admin accounts.

Continued Phishing
Once attackers have compromised Jeff from Accounting’s email account (Damn it, Jeff!), they can use it to send further phishing emails, this time from within the organization’s own email server.

Long-Term Persistence
Hackers can perform beaconing stretched out over long periods. Since the activity occurs so infrequently, it’s harder to detect. This allows hackers to harvest data over weeks, months, and sometimes years.

Destruction or Denials of Service
In the case of a total compromise, hackers can alter and/or destroy access. The most effective attacks begin weeks or months before leading to more overt and destructive activities.

Phishing Tactics Continue to Evolve

But no one is going to fall for the old Nigerian Prince scam anymore, right?

Wrong. As soon as the old tricks quit working, cyber criminals get creative, and employ a new trick to get the same, predictable outcome. One upcoming escalation is the implementation of artificial intelligence by threat actors for the purpose of more surgical targeting, and crafting better “bait”.

The numbers can be murky because companies aren’t required to report such compromises, and therefore have no incentive to broadcast to the world when a malicious actor gets into their systems. And while it’s best to scrutinize stats offered by orgs that peddle anti-phishing solutions, it’s also best to recognize that the problem is real and take steps to shore up your defenses.

The truth is that as long as humans are opening emails, phishing will continue to be an effective tactic for the foreseeable future.

How to Protect Your Business from Phishing Attacks

Wondering how to protect your business against all this nastiness? The FBI offers this handy shortlist of best practices for businesses who want to fend off phishing attacks:

  • Be wary of email-only wire transfer requests and requests involving urgency
  • Pick up the phone and verify legitimate business partners
  • Be cautious of mimicked email addresses
  • Practice multi-factor authentication

If you want to get even more serious than the FBI, check out our previous post from Director of Offensive Security Jeremy Johnson on the best practices for reducing the risk of this surprisingly common breach.

Lastly, note that many of the TTPs employed will create signal on the network, which can be teased out of the aggregated intrusion detection, log, and other events, using analytics that employ statistical, frequency, signature, reputation, and other methods. We all have to assume that periodic compromises will occur, and that to the greatest extent, they will be caused by user action. If you detect and put out the stove fire quickly, the house will not be engulfed and your records, finances, and critical services will have no impact.

Then go speak with that user.