COMMENTARY: Modern cyberattacks don't happen in a single wave. When attackers infiltrate an organization, they work through a series of steps before the attack proper is launched. This preliminary period is a window of opportunity for defenders to detect and block attackers before they cause serious harm.
Initial access or infiltration has become relatively easy for cybercriminals. Attackers purchase ready-to-use access from initial access brokers and conduct brute-force attacks on perimeter devices. They also exploit known or zero-day vulnerabilities, or they simply phish employees into revealing their access credentials.
Upon successful infiltration, cyber adversaries will leverage a range of tactics to reach their end goals. Attack techniques and procedures include:
- Persistence: Once attackers infiltrate, they aim to maintain access to the organization. Attackers might create new accounts, change passwords of existing accounts, create scheduled tasks, deploy remote access tools (TeamViewer, AnyDesk) or use tunneling software (OpenVPN, WireGuard, OpenSSH, PuTTY) to sustain their presence in the victim environment.
- Reconnaissance and discovery: Bad actors gather information about the victim’s internal systems, identify privileged users, orient themselves and explore the lay of the land. For example, attackers will use publicly available network scanners and port scanners to learn the network layout and open ports. They will use web interfaces to learn about applications, users and their role assignments.
- Defense evasion and living-off-the-land: To stay under the radar, attackers use living-off-the-land (LOTL) techniques, such as abusing built-in utilities like PowerShell, Windows Management Instrumentation (WMI), and other command-line tools. They can also disable security tooling such as endpoint detection and response (EDR) agents to avoid or bypass defenses.
- Credential access and lateral movement: Threat actors acquire legitimate user credentials on dark web marketplaces to gain initial access to systems and blend in as ordinary users, then move laterally across the network until they reach their target systems and files.
- Exfiltration: Attackers typically do not require advanced technology to steal or exfiltrate data. They use simple techniques and channels (HTTP/HTTPS, SMTP, DNS, cloud storage) that are already permitted in the organization, allowing them to hide in plain sight amid legitimate traffic.
Five ways to set up early detection of compromise
Organizations can leverage tools and processes to achieve early detection of compromise. Here are five ways to get started:
- Layered security: Think about home security. Locking the front door is not the only solution. People need to bolt windows, install fencing, deploy alarms and surveillance cameras, and lock the garage door. The same holds true for cybersecurity: one needs to apply layers of controls to have the best chance of deterring a threat, so that the enterprise is still protected even if any single control fails.
- Least privilege permissions: Adopt zero-trust principles and the principle of least privilege to prevent attackers from accessing sensitive systems and data even if the organization is breached. For example, KnowBe4 was able to detect a North Korean IT worker masquerading as a legitimate employee because its HR policy limits permissions during the onboarding process.
- Network segmentation: Comprehensive network segmentation makes it difficult for hackers to conduct lateral movement and it’s helpful for detecting intrusions, especially in scenarios like SQL injections, or the compromise of employee workstations, servers, and internet-facing applications. Security teams should consider setting up VLANs to create smaller groups of networks, deploy firewalls to protect different segments, and implement software-defined networking to create microsegments of virtual machines, services, and containers.
- Human risk management: Employees play an important role in detecting infiltration and responding to unusual activity. Human risk management is complementary to security awareness training and can enrich a security culture via the practice of vigilance – but only if employees are taught to identify signs of system intrusion: files or folders suddenly renamed or becoming inaccessible, strange requests from senior executives, sudden degradation of system performance, large files being copied or transferred, unrecognized devices or users on the network, unauthorized access attempts, or unusual MFA push requests.
- Obfuscation and decoys: Organizations can use obfuscation methods to make it difficult for bad actors to understand the underlying logic and structure of systems. This also buys security teams extra time to detect an attacker’s presence. Tools can also monitor and flag anomalies in access patterns as signs of intrusion. Security teams can deploy honeypots, drawing attackers away from critical assets. When threat actors interact with these honeypots or decoys, the system can trigger security alarms and log their username and IP address.
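The persistence indicators and the decoy-account alerting described above can be turned into a small triage routine. The following is an added example, not code from the column or from KnowBe4: it flags any use of an assumed decoy account, matches the persistence signals the column lists (new accounts, password changes, scheduled tasks, remote access and tunneling tools), and then correlates alerts by source IP, since compromise is a chain of steps rather than one event. The log format, field names, tool executable names and severities are all assumptions.

```python
"""Flag early-compromise signals in constructed security events.

Added example (not the column's or KnowBe4's code). Log format, field
names, executable names and severities are assumptions.
"""
import re
from collections import defaultdict

# Assumed decoy (honeytoken) accounts that no legitimate process ever uses.
DECOY_ACCOUNTS = {"svc_backup_legacy", "finance_share_admin"}
# Persistence signals named in the column; executable names are assumed.
PERSISTENCE_EVENTS = {"user_created", "password_changed", "scheduled_task_created"}
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "anydesk.exe", "openvpn.exe",
                       "wireguard.exe", "ssh.exe", "putty.exe"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one constructed `key=value` log line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def detect(lines):
    """Return one (severity, reason, user, src_ip) tuple per matched signal."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        user, ip = ev.get("user", "?"), ev.get("src_ip", "?")
        if user in DECOY_ACCOUNTS:  # any touch of a decoy is an alarm on its own
            alerts.append(("critical", "decoy account used", user, ip))
        if ev.get("event") in PERSISTENCE_EVENTS:
            alerts.append(("high", ev["event"], user, ip))
        if ev.get("process", "").lower() in REMOTE_ACCESS_TOOLS:
            alerts.append(("medium", "remote access/tunnel tool " + ev["process"], user, ip))
    return alerts

def correlate(alerts, threshold=2):
    """Group alert reasons by source IP and return the IPs that have reached
    `threshold` distinct reasons: several weak signals from one source are
    the early picture of an intrusion in progress."""
    by_ip = defaultdict(set)
    for _, reason, _, ip in alerts:
        by_ip[ip].add(reason)
    return {ip: sorted(r) for ip, r in by_ip.items() if len(r) >= threshold}

# Constructed sample telemetry, not real data.
SAMPLE = [
    'ts=2024-05-01T02:11:03Z event=logon user=svc_backup_legacy src_ip=10.8.0.44 result=success',
    'ts=2024-05-01T02:14:51Z event=user_created user=jsmith src_ip=10.8.0.44 new_user=support2',
    'ts=2024-05-01T02:20:09Z event=process_start user=jsmith src_ip=10.8.0.44 process=AnyDesk.exe',
    'ts=2024-05-01T09:00:00Z event=logon user=alice src_ip=10.1.2.3 result=success',
]
```

Running `correlate(detect(SAMPLE))` returns only the source 10.8.0.44, with three distinct reasons; the single legitimate logon from 10.1.2.3 produces no alert.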
While the primary goal is to prevent initial access, it’s also important to install defenses and detection strategies that anticipate a breach. By applying layered defenses, deploying obfuscation and decoys, training staff to recognize signs of intrusion, employing network segmentation, and restricting user permissions and access, organizations can improve the accuracy and speed of post-compromise detection.
Erich Kron, security awareness advocate, KnowBe4
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.