Carolyn Crandall from Attivo Networks explains how organisations can detect, contain and remove threat actors as quickly as possible.
The proverb “patience is a virtue” loses some of its meaning in the world of cyber security.
Cyber attackers can be patient in no small part due to the asymmetry in their relationship with the defenders of corporate networks. The average dwell time attackers spent inside a network in 2020 was 56 days. That has almost halved since, though opinions diverge as to why: it could point to improvements in detection and response, but it could equally result from more ransomware attackers who make their ransom demands as soon as they have established a presence and encrypted sensitive or critical data.
Once they’ve compromised a single endpoint, attackers can move around and increase their foothold by moving laterally, establishing connections, exploiting vulnerabilities, installing their malware, and gaining access to more systems. They can then establish backdoors and command and control, maintain persistence and escalate privileges.
The asymmetry of cyber security means defenders have little time for patience. They must detect, contain and remove threat actors as quickly as possible. Red-teamers and pen-testers know this; they usually set artificial testing deadlines for action to simulate this lack of time in attack situations.
There’s a pressing need to address this asymmetry. Defenders need more time to observe attackers and the tactics they use to move laterally and understand where they can mitigate architectural vulnerabilities to reduce the potential for repeat attacks.
Organisations increasingly deploy deception techniques to control threat actor attempts at lateral movement and attack escalation.
Unpacking lateral movement tactics, techniques, and procedures (TTPs)
Nearly every major breach now involves lateral movement – the attacker’s primary activity within the network after penetrating perimeter defences.
Understanding the specific tactics attackers use is critical to detecting lateral movement. Knowing the tactics and strategies outlined below gives defenders a significant leg up in identifying attackers and stopping them in their tracks.
Lateral movement typically occurs in three stages.
First, attackers perform reconnaissance on the environment to understand the set-up and plan their movements. Understanding host naming conventions and network hierarchies, for example, can help them to locate valuable information and systems.
Second, they will try to steal and reuse valid credentials covertly obtained through phishing or other types of attacks to move within the network without setting off any alarms.
Finally, attackers move laterally by escalating privileges, often compromising and exploiting Active Directory (AD) to gain administrator status, allowing them to change security controls, encrypt or exfiltrate data, and ultimately to remain hidden.
Putting a stop to this behaviour is possible and becomes more manageable when organisations use technique-based detection. Frameworks like MITRE ATT&CK and MITRE Engage also provide valuable insight and support for enterprises.
Once one understands the tactics and techniques that attackers commonly use, it becomes possible to disrupt or prevent lateral attack propagation.
One way of doing this is by concealing the types of information on an endpoint that attackers typically seek, presenting them instead with realistic decoy systems and data objects that keep them busy while exposing their escalation and lateral movement attempts.
Endpoints typically contain useful information about the distributed file system (DFS) structure, network share drives, local folders and more. These include cloud storage mapped to an endpoint as a network drive, removable disks that attackers could use as a vector for spreading their malware, and locally stored endpoint credentials. Additional data include AD information such as domain administrator accounts, name server addresses, domain controllers, and the systems on which endpoint (and user) sessions are active.
Defenders can (and should) go a step further by obfuscating the entire attack surface. This tactic typically involves decoys and fake information that mirror what is on the endpoint but sit alongside the real credentials and systems in a non-disruptive way. Defenders can then conceal the production data and credentials so attackers can’t target them.
The idea is to turn every endpoint into a decoy. If attackers try to perform reconnaissance and discovery activities or steal credentials, they’re more likely to trip on a deception object and raise a notification instead of encountering a production asset.
When the decoys look authentic enough and respond as intended, attackers can unwittingly spend hours in an alternative environment that records everything they do. These decoys disrupt the attacker’s ability to move around the production environment while remaining undetected.
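The following is an added illustration of the tripwire idea described in the two passages above (the three stages of lateral movement, and decoy objects planted beside real ones on an endpoint). It is example code written for this article, not Attivo’s product or code. Everything in it is constructed: the decoy share path, the decoy stored credential, the decoy domain account, the endpoint log format and the log lines themselves are all assumptions made for the example. The MITRE ATT&CK technique IDs attached to each decoy are real technique identifiers; mapping them to these particular decoys is the example’s own choice.

```python
"""Decoy-object tripwire: added illustration, not vendor code.

Bait artefacts (a fake network share, a fake stored credential, a fake domain
admin account) are registered next to the real ones an endpoint exposes.
Legitimate users and processes never reference the bait, so any log event
that does is a high-confidence signal, and the decoy's metadata says which
lateral-movement stage the attacker has reached.  All names, paths and log
lines below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
import re


@dataclass(frozen=True)
class Decoy:
    kind: str       # "share", "credential" or "ad_account"
    value: str      # identifier the attacker would see and try to use
    stage: str      # lateral-movement stage the decoy is designed to expose
    technique: str  # MITRE ATT&CK technique that using the decoy indicates


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    decoy: Decoy


# Constructed bait. Real artefacts on the host have the same form, which is
# what makes the decoys indistinguishable from production data during recon.
DECOYS = [
    Decoy("share", r"\\fs-archive\finance_backup", "reconnaissance",
          "T1135 Network Share Discovery"),
    Decoy("credential", "jdoe_admin", "credential-theft",
          "T1078 Valid Accounts"),
    Decoy("ad_account", "svc_backup_da", "privilege-escalation",
          "T1087.002 Account Discovery: Domain Account"),
]
_INDEX = {(d.kind, d.value): d for d in DECOYS}

# Assumed endpoint log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) target=(?P<target>\S+)$"
)

# For each event type: which decoy kind applies and which log field carries it.
_EVENT_RULES = {
    "share_access": ("share", "target"),
    "logon": ("credential", "user"),
    "ad_query": ("ad_account", "target"),
}


def decoy_for(event: dict) -> Optional[Decoy]:
    """Return the decoy an event touches, or None for ordinary activity."""
    rule = _EVENT_RULES.get(event["event"])
    if rule is None:
        return None
    kind, field = rule
    return _INDEX.get((kind, event[field]))


def detect(lines: Iterable[str]) -> List[Alert]:
    """Scan log lines; every decoy touch becomes an Alert, in log order."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or foreign line: skip, never crash the detector
        ev = m.groupdict()
        d = decoy_for(ev)
        if d is not None:
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"], d))
    return alerts


def attack_path(alerts: List[Alert]) -> List[str]:
    """Ordered, de-duplicated stages the attacker has tripped through."""
    seen: List[str] = []
    for a in alerts:
        if a.decoy.stage not in seen:
            seen.append(a.decoy.stage)
    return seen


# Constructed log: one user's normal work, then the three stages in sequence,
# plus a malformed line to show the parser tolerates it.
SAMPLE_LOG = [
    r"2024-03-01T09:12:04Z host=ws-041 user=jdoe event=share_access target=\\fs-01\projects",
    r"2024-03-01T09:13:40Z host=ws-041 user=jdoe event=logon target=ws-041",
    r"2024-03-01T09:15:02Z host=ws-041 user=jdoe event=share_access target=\\fs-archive\finance_backup",
    r"2024-03-01T09:15:30Z host=ws-041 user=jdoe_admin event=logon target=srv-db-02",
    r"2024-03-01T09:16:11Z host=ws-041 user=jdoe event=ad_query target=svc_backup_da",
    "not a log line at all",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host} {a.user} -> {a.decoy.kind} '{a.decoy.value}' "
              f"[{a.decoy.stage}] {a.decoy.technique}")
    print("attack path:", " -> ".join(attack_path(found)))
```

The design point is that the detector needs no behavioural baseline or signature: because the decoy share, credential and account exist only to be found, the first event that references one is already a confident alert, and the order in which decoys are tripped reconstructs the reconnaissance, credential-theft and privilege-escalation sequence the article describes. The ordinary events in the constructed log (the real share, the user’s own logon) produce nothing.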
Time is of the essence
Ultimately, organisations should look for solutions that provide:
- Visibility to AD security hygiene issues and actionable alerting to key exposures at the domain, computer, and identity level.
- Real-time detection of AD privilege escalation and granular restriction of access to AD information without impacting business operations.
- Continuous visibility into identities and service account risk related to credentials, shadow administrators, stale accounts, shared credentials and identity attack paths.
- Visibility into identity entitlements and enforcement of least privilege across on-premises and multi-cloud environments.
Today, it’s crucial for enterprises to employ proper cyber hygiene and prevention measures to detect and mitigate threats effectively. At the same time, organisations need to concentrate on their ability to preserve, coordinate and respond once they detect a breach. Time is indeed of the essence.
Carolyn Crandall is the chief security advocate at Attivo Networks.