If organizations are ever going to effectively manage cybersecurity risks, especially from modern APT-style attacks, security managers and analysts must be able to spot attackers lurking within the blind spots created by today's complex multi-cloud environments.
To do that, security pros must spot the telltale signs and detect how threat actors gain footholds and move throughout their environment.
The first thing attackers do is gain a foothold within the environment. This is typically through a malicious phishing email or social media message or the exploitation of an application, system, or device. Now the attackers have a foothold in an endpoint or cloud service.
Next, attackers try to get a sense of the organization. Bad actors infiltrate and survey the organization's technical environment so that they come to understand the network, port, protocols, the applications running, connected devices, and how well (or not) protected the environment is. This way, they learn who and what to target and what exploits and attack tools to employ. Essentially, attackers get a lay of the land. From there, they dig deeper.
Typically, before they launch their ransomware attack or begin exfiltrating data, they will entrench themselves within the environment and try to gain deeper persistence. This is achieved by digging into different areas within the network as clandestinely as possible. This way, if part of the attack is identified and wiped, another site, perhaps using different malware and exploit code, will be able to continue the attack. During this stage, attackers use "droppers" and remote access Trojans (RATs) to maintain persistent communications, command, and control.
Much of this persistence is made possible following lateral movement within the organization. And this is made easier for the attacker in today's increasingly complex hybrid environments that include multiple clouds and on-prem systems from endpoints to virtual workloads. Enterprises need deep visibility to detect these threat actor lateral movement techniques because once they're in and have established persistence, they usually become very targeted with their next hop. They silently move laterally using common ports and protocols, such as SMB, Remote Desktop Protocol, SAMBA and tools like PsExec.
As they continue to move laterally, they also carry their malware with them and target high-value data and systems. They will typically only move when they find their target, such as a file server, PII, intellectual property, or whatever they need. And then they'll deploy their ransomware capabilities. But before they trigger the ransomware, they will exfiltrate the data. Only when satisfied that they gathered the most valuable data they can find will they execute the ransomware encryption capabilities. They will use the stolen data to extort the organization or people within it and try to sell the data to bidders on the dark web.
How to defend
The only way for security teams to prevent damage is to identify these tools and tactics and intercept/disrupt the attack as early as possible. Doing so requires inspecting network traffic and spotting the network anomalies like lateral movements over common protocols, or exploitation of applications available inside but not necessarily on the outside, or hidden command-and-control traffic. Other telltale signs include pass the hash techniques over Kerberos. If they can escalate their privilege, it becomes challenging to ascertain what behavior is malicious and what is normal because they are using legitimate – but stolen – credentials.
Security companies like VMware have responded by taking sensor technology to the data itself, allowing customers to observe what is happening within the virtualized plane and hypervisor itself. This helps customers to scale security throughout their network without changing it. And this hypervisor visibility provides insights into every packet within the virtualized environment. The experience provides tapless network traffic analysis, network sandboxing, distributed intrusion detection, and powerful event correlation.
When security practitioners can see security events within every packet, and with those events correlated to the MITRE ATT&CK framework, defenders get a comprehensive timeline of exactly what that threat actor did and what he/she is trying to do within their organization.
In our next post, we'll examine these detection capabilities in more detail.