Editor's Note: This is Part 2 in a series covering tactics and techniques used by a threat actor. Check out Part 1 for a discussion on "Which Breaches Should Dirty Your Breeches?" by Garrett Silver, CEO.
Let's walk through an incredibly common, yet devastatingly effective, playbook that an attacker might use.
This playbook is common because it is easy to execute and often successful. In fact, it is so common that we sometimes counsel our clients to skip the phishing phase of an engagement and instead assume breach: the engagement starts as though a user has already executed a phishing payload (this is called a "white card").
“60% of the time, it works every time.” – Brian Fantana, Anchorman
Targeted attacks and untargeted attacks often use different tactics, techniques, and procedures (TTPs) to carry out their objectives. I will largely cover targeted attacks in this post, though untargeted attacks are rapidly becoming more sophisticated.
- Untargeted attackers:
  - When you get a random email about a shipment delivery, breach notification, or password change, it's probably from an untargeted attacker spraying phishing emails across the internet in hopes of getting a "bite".
  - They buy email lists from shady web sites, or from only slightly less shady data harvesters. Anyone is the target.
- Targeted attackers:
  - Their lures are highly customized: they use your company's letterhead on documents, proper salutations, real email signatures, and anything else that makes the message look legitimate.
  - YOU are the target, and they want something only you have access to.
- Payloads (a.k.a. malware):
  - Depending on whether the campaign is targeted or untargeted, the final payload differs.
  - It may be a ransomware file encryptor, or an initial staging script that pulls down the rest of the payload to establish full command and control over the victim computer.
  - Payloads arrive as macros inside Office documents, as links to downloads, as encrypted zip archives, or as something as simple as an attacker-hosted "password reset" web page that captures valid user credentials.
Code Execution on the Remote Computer
“Your things are now my things through my actions.” – Mooninites, Aqua Teen Hunger Force
If a payload successfully executes on the victim's machine, the attacker will then install persistence: a way to get back into the computer if it is temporarily disconnected from the internet or rebooted. Persistence payloads often take the form of a "beacon" that calls out to a Command & Control (C2) server on the internet at pseudo-random intervals. The beacon checks for commands to run on the victim machine. Depending on the motives and sophistication of the attacker, this beaconing may happen as frequently as every five seconds or be spread out over hours, days, or weeks.
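The timing behaviour described above is also what gives a beacon away on the wire. The following is an added example, not code from the original post: it groups outbound connection records by source and destination, computes the inter-arrival times, and flags pairs whose intervals are too regular to be a human. The connection records are constructed here; on a real network the same three fields (time, source host, destination) come from proxy or firewall logs. The function name, thresholds, and hosts are this example's own choices.

```powershell
# Added example (not from the original post). Detecting a periodic C2 beacon by
# inter-arrival timing. Input objects need Time, Source and Destination properties.
function Find-Beacons {
    param(
        [Parameter(Mandatory)] [object[]] $Connections,
        [int]    $MinConnections = 8,    # fewer samples than this is not enough to judge
        [double] $MaxJitter      = 0.25  # coefficient of variation (stddev / mean) threshold
    )
    $alerts = @()
    foreach ($g in ($Connections | Group-Object Source, Destination)) {
        $times = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
        if ($times.Count -lt $MinConnections) { continue }

        # Seconds between consecutive connections for this source/destination pair.
        $deltas = @()
        for ($i = 1; $i -lt $times.Count; $i++) {
            $deltas += ($times[$i] - $times[$i - 1]).TotalSeconds
        }
        $mean     = ($deltas | Measure-Object -Average).Average
        $variance = ($deltas | ForEach-Object { ($_ - $mean) * ($_ - $mean) } |
                     Measure-Object -Average).Average
        $cv = [math]::Sqrt($variance) / $mean   # low CV = evenly spaced = machine-driven

        if ($cv -le $MaxJitter) {
            $alerts += [PSCustomObject]@{
                Source          = $g.Group[0].Source
                Destination     = $g.Group[0].Destination
                Connections     = $times.Count
                MeanIntervalSec = [math]::Round($mean, 1)
                Jitter          = [math]::Round($cv, 2)
            }
        }
    }
    $alerts
}

# --- Constructed sample data (not real traffic) ---------------------------------
$base   = Get-Date '2024-01-15 09:00:00'
$sample = @()

# WKS01: an implant calling 203.0.113.10 roughly every 5 minutes with +/- 10% jitter.
$jitter = -20, 15, -8, 22, -3, 10, -18, 5, 25, -12, 7
$t = $base
$sample += [PSCustomObject]@{ Time = $t; Source = 'WKS01'; Destination = '203.0.113.10' }
foreach ($j in $jitter) {
    $t = $t.AddSeconds(300 + $j)
    $sample += [PSCustomObject]@{ Time = $t; Source = 'WKS01'; Destination = '203.0.113.10' }
}

# WKS02: a person browsing example.com in bursts, with long irregular gaps.
foreach ($s in 0, 4, 90, 95, 96, 400, 401, 1300, 1305, 2000) {
    $sample += [PSCustomObject]@{ Time = $base.AddSeconds($s); Source = 'WKS02'; Destination = 'example.com' }
}

Find-Beacons -Connections $sample | Format-Table
```

With these thresholds only the WKS01 pair is reported; the browsing session has a jitter value far above 0.25. The same arithmetic also shows why the very slow beacons discussed later in this post are so hard to catch: an implant that calls home once every two to four weeks produces one data point per fortnight, so reaching even eight samples for a given source/destination pair means retaining and correlating months of proxy logs.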
Reconnaissance is then run from the victim machine using the currently logged-in user's credentials. Even a normal, unprivileged domain user has access to an incredible amount of information that is useful to an attacker. Sometimes the user is a local administrator or has local administrator privileges on many workstations or servers.
Tools like BloodHound might be run to discover paths to becoming a Domain Administrator on the network. There are a number of other techniques used to find the same information.
Privilege Escalation and Lateral Movement
“I hunt SysAdmins.” – @harmj0y
A targeted attacker is often looking for ways to completely take over your systems and gain guaranteed access to the information they are seeking. There are many ways to do this, but generally an attacker is looking for local admin and domain admin accounts that they can somehow compromise. This may involve pivoting through the network in search of credentials belonging to high-integrity or privileged accounts. Trust relationships throughout the network are targeted and exploited.
Depending on the attacker's motives and capabilities, a compromised email account (often the original phishing victim's) may be used to send further phishing emails from within the organization's own email server.
Once higher-level access is gained, the attacker will seek to accomplish their goals, whether that is stealing patient data or trade secrets, or denial of service (destruction).
The Post-Compromise Gift that Keeps on Giving
“All your base are belong to us.” – CATS, Zero Wing
If you're facing a long-term operation from a targeted attacker, they're likely going to install some form of long-term persistence that calls out to their C2 at very long intervals. In some recorded cases the beacon interval has been 2-4 weeks. These long, pseudo-random intervals can prevent incident responders from identifying the suspicious network traffic, because the activity occurs so infrequently as to be almost invisible.
It has also been proposed that some targeted operations sell access to victim networks post-compromise. The initial attacker accomplishes their goals, such as stealing data, and then sells access to a crimeware group who may use that access to install ransomware.
In a long-term persistence mode, the attacker may be harvesting data over weeks, months, and sometimes years: it's the gift that keeps on giving.
In some cases, such as the Sony breach, destruction or denial of service is the ultimate goal. Once the network has been totally and completely compromised, the attacker begins altering and/or destroying data. The most effective attacks begin this malicious activity weeks or months before any overt action, so that the corrupted data has already been captured in the recent backups the victim will try to restore from.
Take Back Control and Shore Up Defense
Inoculate Yourself against Dormant Cyber-Pathogens
Let's look at the chain of events that leads from "everything is ok" to "everything is on fire".
This is a “back of the napkin over beers” list of fixes. Almost none of these are easy, but each one does mitigate your risk.
The kill chain:
- User executes untrusted, unsigned code from the untrusted internet.
  - STOP running unknown and untrusted code.
  - Use an application whitelisting solution such as AppLocker, Device Guard (now Windows Defender Application Control), or a 3rd-party product to prevent untrusted code and executables from running on workstations without explicit administrator action.
  - From an attacker's perspective, targets that do this well are extremely, frustratingly difficult to compromise and to move laterally through.
- Next up is privilege escalation and lateral movement.
  - Users should almost never (read: never) run as local administrators in their day-to-day activity, let alone as domain administrators. Not even you, IT folks. Especially you, IT folks.
  - Elevate privileges only when and as needed, and use a Domain Admin account only to log on to the Domain Controller(s).
  - Turn on the Windows Firewall, and deny network logons from local accounts (via the "Deny access to this computer from the network" user right) so that a local administrator password or hash harvested from one workstation cannot be reused against the rest.
  - While you're at it, disable those old network protocols: SMBv1, LLMNR, and NBNS (NetBIOS name resolution).
- Ensure your SIEM is enabled and your staff are ready.
  - Many attacker TTPs light up a SIEM (Security Information and Event Management system) like Clark Griswold's house at Christmas, assuming you've configured it right ;)
  - Make sure you can detect a breadth-first password spray, network session enumeration, or LLMNR/NBNS poisoning followed by SMB relay.
  - Does your team know what those attacks are? If not, relevant training is also on the "to-do" list.
  - Speaking of SIEMs, send all your logs to it.
  - Generate relevant logs. The default log level on many systems isn't enough.
  - Make sure your team knows what they're looking for.
  - Some TTPs generate very specific events that do not occur during normal operations, yet are rarely part of a default alert package.
- Finally, have an Incident Response Plan.
  - Figuring out your incident response "plan" in the middle of an incident is a recipe for missed opportunities, poor decision-making, and greater overall harm to your organization.
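The firewall, local-account network logon, and legacy-protocol bullets above, as one added PowerShell example (this is not the post's own tooling). It applies each setting and then reads every one of them back, because a hardening change that is never verified tends to drift. The registry paths, well-known SID, and cmdlets are standard Windows ones; the file names and the function name are this example's own choices.

```powershell
# Added example, not from the original post: baseline hardening for the
# privilege-escalation / lateral-movement bullets. Run in an elevated Windows
# PowerShell session on a domain-joined Windows 10/11 host. Pilot it first:
# removing SMBv1 and NetBIOS breaks legacy printers, NAS boxes and old scanners.
#Requires -RunAsAdministrator

# 1. Windows Firewall on for every profile, inbound default-deny.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Deny network and RDP logon to *all* local accounts (well-known SID S-1-5-113,
#    "Local account"). A local-admin hash or password stolen from one workstation
#    then cannot be replayed against the others. secedit wants a Unicode INF; the
#    single-quoted here-string keeps $CHICAGO$ literal.
#    CAUTION: this replaces any existing entries in these two deny rights, and on
#    a non-domain-joined host it removes all remote administration.
$inf = Join-Path $env:TEMP 'deny-local-netlogon.inf'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-113
SeDenyRemoteInteractiveLogonRight = *S-1-5-113
'@ | Set-Content -Path $inf -Encoding Unicode
secedit.exe /configure /db (Join-Path $env:TEMP 'deny-local-netlogon.sdb') `
    /cfg $inf /areas USER_RIGHTS | Out-Null

# 3. SMBv1: off in the SMB server, and the optional feature removed
#    (on Windows Server use Uninstall-WindowsFeature FS-SMB1 instead).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
    -ErrorAction SilentlyContinue | Out-Null

# 4. LLMNR: the policy value EnableMulticast = 0 disables multicast name resolution.
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $dnsPolicy -Force | Out-Null
Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Type DWord -Value 0

# 5. NetBIOS over TCP/IP (NBNS): NetbiosOptions = 2 ("disable") on every interface.
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $netbt | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Type DWord -Value 2
}

# 6. Read everything back. Every value should be 0 / False / the S-1-5-113 line;
#    the same function can run from a scheduled compliance job later.
function Get-HardeningStatus {
    $export = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
    [PSCustomObject]@{
        FirewallProfilesOff   = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Count
        Smb1ServerEnabled     = (Get-SmbServerConfiguration).EnableSMB1Protocol
        LlmnrEnableMulticast  = (Get-ItemProperty -Path $dnsPolicy -Name EnableMulticast).EnableMulticast
        NetbiosStillOnIfaces  = @(Get-ChildItem -Path $netbt |
                                  Where-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions -ne 2 }).Count
        DenyNetworkLogonRight = (Select-String -Path $export -Pattern '^SeDenyNetworkLogonRight').Line
    }
}
Get-HardeningStatus
```

Two notes on the choices here. S-1-5-113 covers every local account, including the built-in RID 500 Administrator, which is stricter than the "local account and member of Administrators" SID and is what you want on workstations; if you still need a break-glass local logon over the network on specific servers, scope the deny right with Group Policy instead of applying this script there. And none of this replaces the advice above about not running as an administrator day to day; it only limits how far a stolen local credential can travel.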
Risk can be significantly reduced by implementing the preceding steps. As an investment in your security posture, these steps are necessary for any healthy network.
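Detection logic for the breadth-first password spray named in the SIEM bullets above, as an added example (not the original post's code). A spray is "breadth-first" because the attacker tries one or two passwords against many accounts rather than many passwords against one, so per-account lockout never trips; the signal is instead one source producing failures against many distinct users in a short window. The event records below are constructed; the field names (IpAddress, TargetUserName, LogonType) are those of Windows Security event 4625. The function names and thresholds are this example's own choices.

```powershell
# Added example, not from the original post: spotting a breadth-first password
# spray. Input objects need TimeCreated, IpAddress and TargetUserName properties.
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes    = 10,
        [int] $MinDistinctUsers = 10   # tune to your fleet; 10 in 10 minutes from one IP is never normal
    )
    $results = @()
    foreach ($source in ($Events | Group-Object IpAddress)) {
        $sorted = @($source.Group | Sort-Object TimeCreated)
        # Sliding window anchored at each failure from this source.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start    = $sorted[$i].TimeCreated
            $end      = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            $users    = @($inWindow.TargetUserName | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers) {
                $results += [PSCustomObject]@{
                    IpAddress       = $source.Name
                    WindowStart     = $start
                    Failures        = $inWindow.Count
                    DistinctUsers   = $users.Count
                    FailuresPerUser = [math]::Round($inWindow.Count / $users.Count, 2)  # ~1 = spray
                }
                break   # one alert per source is enough
            }
        }
    }
    $results
}

# Turns real 4625 records from Get-WinEvent into the flat shape the detector wants.
# Usage on a host:  Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
#                   ConvertFrom-LogonFailureEvent | Find-PasswordSpray
function ConvertFrom-LogonFailureEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $data = ([xml]$Event.ToXml()).Event.EventData.Data
        [PSCustomObject]@{
            TimeCreated    = $Event.TimeCreated
            IpAddress      = ($data | Where-Object Name -eq 'IpAddress').'#text'
            TargetUserName = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType      = [int]($data | Where-Object Name -eq 'LogonType').'#text'
        }
    }
}

# --- Constructed sample events (not from a real log) ---------------------------
$base   = Get-Date '2024-01-15 09:00:00'
$sample = @()

# 10.0.0.50: one attempt per account against 12 accounts in one minute = spray.
$users = 'alice', 'bob', 'carol', 'dave', 'erin', 'frank', 'grace', 'heidi', 'ivan', 'judy', 'mallory', 'oscar'
for ($n = 0; $n -lt $users.Count; $n++) {
    $sample += [PSCustomObject]@{ TimeCreated = $base.AddSeconds(5 * $n); IpAddress = '10.0.0.50'
                                  TargetUserName = $users[$n]; LogonType = 3 }
}

# 10.0.0.7: one person mistyping their own password a few times = noise.
for ($n = 0; $n -lt 4; $n++) {
    $sample += [PSCustomObject]@{ TimeCreated = $base.AddMinutes($n); IpAddress = '10.0.0.7'
                                  TargetUserName = 'alice'; LogonType = 2 }
}

Find-PasswordSpray -Events $sample | Format-Table
```

Only 10.0.0.50 is reported with these thresholds; the four failures from 10.0.0.7 involve one user and never reach the distinct-user bar. Two caveats when you wire this to real data: a spray against a domain controller over Kerberos shows up as event 4771 (pre-authentication failed) rather than 4625, so collect both, and many SIEMs ship no rule at all for "many users, one source", which is exactly the kind of default-package gap the list above warns about.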