In the second of our Security Blog series, Graham breaks down some of the most common ways that cyber-attackers stay undetected while performing malicious activities inside your network. Can you see everything that’s happening in your own network?
In a previous blog, I highlighted the importance of full network visibility for effective cyber security. Given that it has unfortunately (but not surprisingly) been another busy few weeks of headline-worthy attack activity, it seems timely to now explore some common evasion techniques cyber-attackers use to fly under the radar of even the most modern security controls. If the US Army, the US Government, a prominent cyber security vendor and those we trust to keep our credentials secure can’t keep attackers out, clearly any organisation is potentially at risk.
It is important to realise that much of an attacker’s evasive manoeuvring doesn’t involve malware and, even if observed, could be mistaken for legitimate activity without further context. Let’s take a look at some examples:
User account hijack
Whether it be through the use of rainbow tables, “pass-the-hash”, mimikatz or old-fashioned social engineering, there are many ways an attacker can hijack a user account. After doing so, they are highly likely to take the next step of acquiring domain admin credentials, the equivalent of getting the keys to the kingdom.
But cyber-attackers will rarely be content with just that, and increasingly seek to also obtain VPN access so they can connect remotely on-demand, rather than have to rely on covert backdoor channels (e.g. VNC, reverse SSH) which may be a single point of failure for them. This enables them to be more persistent, methodical, cautious and impactful in conducting their activities.
Going native to move laterally
In order to reach high-value assets (file servers, databases, domain controllers), attackers figured out long ago that built-in Windows capabilities give them much of what they need to get their job done. While attackers previously leveraged Windows commands such as net and at, they’re increasingly migrating to more modern, powerful and flexible alternatives such as WMI and PowerShell, which enable them to remotely execute code without writing to disk, perform searches and manipulate audit logs. An extended set of freely and readily available tools (such as PsExec, Nmap and Metasploit) may also be utilised.
Grab and go
Using ill-gotten privileged access and their ability to connect to in-house databases or shared document repositories, attackers can fetch data of interest, accumulate it in a staging area, encrypt it and then exfiltrate it over a covert channel to an external server, using methods such as DNS tunnelling, FTP and HTTPS. These techniques are carefully selected since attackers know they’ll likely allow them passage out through the perimeter firewalls.
What do all the above techniques have in common? They all involve network communication at some point. Even though we can fully expect attack techniques to continue to evolve and change, network communication will remain a critical element. Of course, effective information security is multifaceted. It is about people, process and technology combining to deliver defence in depth. In short, there is no silver-bullet solution. The game is really about how much you can stack the odds in your favour. Many companies recognise this and are increasing investment and strategic focus on their ability to detect and respond to attacks.
We believe full visibility into network data, in real time and retrospect, can dramatically change the odds and enable security incident investigators to more rapidly detect and piece together the bigger picture of evasive attack activity. Here are key reasons full network visibility makes for such an advantage:
Cyber-attackers continue to remain resident within company networks for extended periods before being discovered. This reminds us that you can’t detect what you don’t know to look for - the unknown unknowns. A historical record of all network traffic, in the form of statistics, decoded messages and full packet data, is critical. This enables investigators to spot deviations from baseline norms and retrospectively piece together the bigger picture of attack activity, including through a user-centric lens.
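As an added illustration of spotting a deviation from baseline in decoded network data (this is example code written for this post, not part of the original), the script below scores DNS queries for the tunnelling-style exfiltration described in "Grab and go": one client sending many distinct, long, high-entropy subdomain labels under a single domain. The query records, the threshold values and the two-label "registered domain" shortcut are all constructed assumptions for the demonstration.

```python
import math
from collections import defaultdict

# Constructed sample of decoded DNS queries (client IP, queried name), as a passive
# network sensor might record them. Not real traffic; all domains are placeholders.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "cdn.example.net"),
    ("10.0.0.9", "www.example.com"),
    ("10.0.0.9", "a9f3k2m1x8b4q7z0p3l6e2r5.t.example.org"),
    ("10.0.0.9", "q7w2e9r4t1y6u3i8o5p0a2s4.t.example.org"),
    ("10.0.0.9", "z1x4c7v2b5n8m3k6j9h0g1f4.t.example.org"),
    ("10.0.0.9", "l8k3j9h2g7f1d4s6a0p5o2i7.t.example.org"),
    ("10.0.0.9", "m4n7b1v5c8x2z6q3w9e0r1t4.t.example.org"),
    ("10.0.0.9", "u2i5o8p1a4s7d0f3g6h9j2k5.t.example.org"),
]

def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores high, real words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    # Assumed simplification: the last two labels are the registered domain
    # (a real deployment would consult a public-suffix list).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def flag_dns_tunnelling(queries, min_queries=5, min_entropy=3.0, min_label_len=20):
    """Return {(client, domain): stats} for groups whose leftmost labels look like
    encoded data: many distinct subdomains that are both long and high-entropy."""
    groups = defaultdict(list)
    for client, name in queries:
        groups[(client, registered_domain(name))].append(name.lower().split(".")[0])
    flagged = {}
    for key, labels in groups.items():
        distinct = set(labels)
        if len(distinct) < min_queries:   # too few unique labels to judge
            continue
        mean_len = sum(len(l) for l in distinct) / len(distinct)
        mean_ent = sum(shannon_entropy(l) for l in distinct) / len(distinct)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[key] = {"queries": len(labels), "mean_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2)}
    return flagged

if __name__ == "__main__":
    for (client, domain), stats in flag_dns_tunnelling(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {stats}")
```

Only the group for 10.0.0.9 under example.org trips both thresholds; the same client's ordinary lookups of example.com are left alone because they are grouped separately.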
Authoritative source of truth
If a cyber-attacker has compromised hosts within your network, can you really trust what the operating system and agents on those hosts are telling you? Network data is an independent, authoritative source of truth, providing rich detail on the machine-to-machine “conversations” occurring within your environment.
Zero performance impact
Domain controllers, network attached storage and databases have native auditing capabilities, but these can be basic and are rarely enabled, since they can degrade performance. Full network visibility can provide superior auditing (based on decoded messages and packet capture) by simply listening to “conversations” passively. This approach has the added bonus of providing a centralised, single, vendor-independent audit log of all network activity.
Achieving full network visibility is not trivial - it involves technology that can reliably capture and decode high-volume traffic, present it in a way that is actionable, and integrate with your existing infrastructure and workflows. There is certainly a cost associated, but the ROI far outweighs it. The bottom line is this: given the potential cost of a data breach, can you afford not to have full network visibility?