FEATURE
Timeline of an attack

Phil Burdette, SecureWorks

What can you accomplish in 314 days? That’s how long it took one intrepid pilgrim to walk from Bosnia to Mecca, while yachtsman Matt Rutherford completed a circumnavigation of the Americas in the same time. It’s also how long scientists expect the trip to Mars to take. Mankind can indeed achieve great things in a little over 10 months – but sadly, noticing a data breach is not among them, with most successful corporate attacks going unnoticed for an average of 314 days.

What might attackers do once they have access? What could happen in that period of 10 months? What’s the battle plan for an organisation to try to stop adversaries getting access to every file, folder and piece of data a company owns? While cyber-attacks aren’t linear, the suggested timeline below outlines what’s possible in the days, weeks and months after an initial breach.
Timeline: days 0-10

Cyber-criminal’s battle plan: spread out across an organisation.

Process: adversaries will want to be embedded as far as they can, with as many access points as possible. They’ll often steal credentials to get additional access points and more privileges – ideally (for them) connected to the domain controller. These credentials will be used to connect to other accounts – eg, on another site, or to access a different range of information. It’s the equivalent of a skeleton key for the whole organisation, through which they can not only access information but control it.
Defence strategy: the more access points an adversary uses, the more likely it is that they will get caught. By ensuring that all accounts are audited and maintained, it will be easier to monitor abnormal access. It’s not enough to monitor one access point – all access points should be considered and controls applied to disrupt malicious users. One way to destroy the adversary’s skeleton key is to conduct an organisation-wide password reset. This can be costly and time-consuming, but it’s a price worth paying. Organisations can prepare for this scenario in advance, reducing the disruption and cost when it is needed.

Network Security
Timeline: days 10-20

Cyber-criminal’s battle plan: create a plan B and a plan C for access.

Process: once inside a network, adversaries want to know they have alternative routes back in if they’re discovered. They will explore additional ways to break through the perimeter and regain access.

Defence strategy: ideally, companies would catch adversaries where they got in and implement additional layers of security at that entry point, but they should also look at other places that need defence. Cyber-criminals will quickly learn when they’ve been discovered and switch to different tactics. Companies need to be aware of this and, over time, evolve their defensive posture in response to adversarial changes. A real-world analogy: if a burglar broke in through the back door, the home owner shouldn’t spend the whole security budget securing the back door – the front door, the patio doors and the windows also need to be examined. While this strategy is focused on defence, organisations should also be considering a Prevent – Detect – Respond strategy so that they are proactively examining security across the entire IT ecosystem.
Timeline: days 20-40

Cyber-criminal’s battle plan: set up camp where the data is.

What’s at risk? Most organisations have a flat architecture in terms of their IT set-up: an adversary doesn’t need direct access to data, as long as he can connect to it through other routes. For example, he can get to finance through HR.

Process: once they’re secure, have remote access and have their re-entry plans, adversaries will identify and locate the ‘crown jewels’ of a company’s data. They use different tactics to do this – for example, compromising members of the security and IT team to gather network diagrams that identify high-value assets, or using social media to identify employees likely to have access to high-profile data. Once those people have been identified and access has been gained, adversaries can run commands to determine which networks the users have access to, which will indicate whether they can see the targeted data.
Defence strategy: network segmentation would help solve this issue by creating boundaries between different components in the organisation. Identify and ring-fence the high-value data and put additional security layers around the company crown jewels.
September 2016
Timeline: days 40-60

Cyber-criminal’s battle plan: discover relevant and valuable data and create a ‘shopping list’.

Process: once an adversary has gained access to a company’s files, he’ll create a recursive file listing of the information he thinks is valuable. Once this has been examined, the adversary will go back into the organisation and get more detail on specific information sets.

Defence strategy: cyber-criminals who are intent on gaining access to an organisation will do so: it’s a case of ‘when’, not ‘if’. In order to protect their valuable information, security specialists need to make it as difficult as possible for the criminals to create their shopping lists. Apply the principle of least privilege, as not all users need access to all data. In addition, periodically review the privileges and create audit logs to see who is accessing and moderating high-value data.
Timeline: days 60-80

Cyber-criminal’s battle plan: getting data out of an organisation.

Process: adversaries are likely to compress data for convenience and to avoid detection when they exfiltrate it. With elevated privileges, attackers can use tactics that mean an organisation will never find out what they were looking for, or what they took – for example, bypassing data loss prevention tools or manipulating logs. One example of a defensive evasion method that we have observed is gaining remote access and copying and pasting data onto a remote machine. Another is creating a draft email within the company’s network, accessing it remotely to get the data, then deleting the draft. Because the email was never sent, there’s no record of it anywhere, so an organisation may never know what was taken.

Defence strategy: this is an area that is difficult to defend against – shadow IT is still creeping into organisations and remote working is on the rise. These trends mean employees take risks and use personal devices to access work documents. The cyber-criminals are always evolving their tactics. Understanding the risks in the context of the threats is a significant defensive tactic. Organisations need to be constantly vigilant in monitoring, responding to and defending against data exfiltration.
Timeline: days 80-314

Cyber-criminal’s battle plan: maintain a surveillance operation and avoid detection.

Process: if adversaries want to keep monitoring interesting information, they’ll do what they can to avoid detection. They may check every few months to see what files have changed and examine the changes. Cyber-criminals learn fast and change tactics, move around in a network and create new and cunning ways to remain undetected.
Defence strategy: companies need to examine perimeter security, but also look at how they detect anomalous adversary activity internally inside a network. If you set up layers of network and endpoint tripwires, the attacker will hit one: it’s only a matter of time. An adversary will behave in a completely different way from a ‘normal’ user, meaning that their activity can be spotted. A high volume of tripwires increases the chance of detection – meaning the dwell time could be much lower than the average 314 days.
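As an added illustration (not from the article or SecureWorks), the following script runs three of the checks described above over a constructed file-access audit log: a tripwire hit on a decoy file (days 80-314), one credential appearing on more hosts than expected (the days 0-10 skeleton key), and one account listing many top-level directories in a short window (the days 40-60 ‘shopping list’). Log format, decoy path and thresholds are all assumptions for the example.

```python
from collections import defaultdict

# Constructed sample audit log (not real data). Fields: time user host action path
SAMPLE_LOG = """\
2016-09-01T09:01 alice HR-WS01 READ /hr/payroll.xlsx
2016-09-01T09:05 alice HR-WS01 READ /hr/leavers.docx
2016-09-01T09:10 bob FIN-WS07 READ /finance/q3-forecast.xlsx
2016-09-01T10:00 svc_backup SRV-DC01 LIST /hr
2016-09-01T10:01 svc_backup SRV-FS02 LIST /finance
2016-09-01T10:02 svc_backup SRV-FS03 LIST /legal
2016-09-01T10:03 svc_backup SRV-FS03 LIST /rnd
2016-09-01T10:04 svc_backup SRV-FS03 LIST /board
2016-09-01T10:30 carol HR-WS02 READ /board/decoy-merger-plan.docx
"""

# Decoy files no legitimate workflow touches: any access is a tripwire hit (assumed path).
TRIPWIRE_PATHS = {"/board/decoy-merger-plan.docx"}
MAX_HOSTS_PER_USER = 2   # one credential seen on more hosts than this is suspect
MAX_LISTED_DIRS = 3      # listing more top-level directories than this looks like a shopping list


def parse_log(text):
    """Parse the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, path = line.split()
        events.append({"ts": ts, "user": user, "host": host, "action": action, "path": path})
    return events


def detect(events):
    """Return (rule, user, detail) alerts for tripwire, lateral spread and listing sweeps."""
    alerts = []
    hosts_by_user = defaultdict(set)
    dirs_listed_by_user = defaultdict(set)
    for e in events:
        if e["path"] in TRIPWIRE_PATHS:
            alerts.append(("tripwire", e["user"], e["path"]))
        hosts_by_user[e["user"]].add(e["host"])
        if e["action"] == "LIST":
            dirs_listed_by_user[e["user"]].add(e["path"].split("/")[1])
    for user, hosts in hosts_by_user.items():
        if len(hosts) > MAX_HOSTS_PER_USER:
            alerts.append(("lateral_spread", user, sorted(hosts)))
    for user, dirs in dirs_listed_by_user.items():
        if len(dirs) > MAX_LISTED_DIRS:
            alerts.append(("shopping_list", user, sorted(dirs)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```

In practice the thresholds would be set per account from a baseline of normal behaviour rather than fixed constants, and the decoy paths kept out of any inventory an adversary could harvest.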
Stopping them sooner

It’s key to note that adversaries don’t need 314 days to conduct malicious activity or access sensitive information. This timeline could be as short as five days or even a matter of hours. Attacks don’t follow a linear route such as the timeline above: a cyber-criminal could access a company’s entire infrastructure using high-privilege credentials obtained with one simple spear-phishing email, achieve his goal and leave. A trace that adversaries were there may be discovered 314 days, or even years, after the event.

Even if an adversary is evicted, organisations must maintain vigilance when looking for re-entry attempts. An adversary’s job is to keep getting in and the security team’s job is to keep on keeping him out. If the security team doesn’t catch a re-entry attempt, it probably means they missed it. Cyber-criminals will target the weakest link because it’s an easy way in. Unfortunately, it’s possible for the most nefarious threats to maintain access undetected for years. They only need a little bit of time, a little user error and some cunning to navigate IT systems and hide from detection.

There isn’t one tactic that will work against modern cyber-criminals – they’re persistent, underhanded and will keep trying until they get what they want. Companies need to consider that they could be fighting on several fronts and stay aware of attacks from different sources. Many companies think in terms of winning a battle when they need to consider winning the war. To defend against these adversaries, organisations need to be as adaptable, determined and tenacious as the cyber-criminals they’re facing. By being constantly vigilant and changing tactics, it is possible for an organisation to prevent an adversary from maintaining access for the average dwell time of 314 days.
About the author

Phil Burdette is a senior security researcher in the SecureWorks Counter Threat Unit research team. He leads targeted threat hunting and response engagements and performs intrusion analysis to create threat intelligence assessments on nation state entities. His research interests include model-based threat actor behavioural analysis, adversary responses to stimuli and threat group disruption tactics. He holds a BS in Computer Science from Allegheny College and an MS from Carnegie Mellon University in Information Systems Management.